Malware Analysis

by Anurag


VirusTotal sample SHA256: 9ff1c8e6d80ebf5626714362cbc55a53ba17038e841773d24fdc018891adb52e

Tools used for analysis: OllyDbg, Wireshark, PE Explorer.

I started debugging using OllyDbg. The first warning I received was:

“Module ‘AutoRUN_’ has entry point outside the code (as specified in the PE header). Maybe this file is self-extracting or self-modifying. Please keep it in mind when setting breakpoints!”


The executable extracts a file named HelpMe.exe and copies it to C:\Windows\System32.

It also drops AUTORUN_INF.exe at C:\ and creates an AUTORUN.ini file in the same location.

AutoRun.exe then executes HelpMe.exe.

It also adds HelpMe.exe to the Startup programs and renames the shortcut to "Soft".

The behaviour I observed is that the malware replicates itself and creates/hides Word, PDF, XLS and Pages document files under the RecycleBin folder.

I also observed HelpMe.exe repeatedly changing location between C:\Windows\System32 and C:\Windows\SysWow64.
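As an added example (not part of the original post), here is a small Python triage script that flags the file-system indicators described above on a constructed directory listing; the Startup shortcut name Soft.lnk and the $RECYCLE.BIN folder name are assumptions drawn from the write-up, not values it confirms:

```python
import re
from pathlib import PureWindowsPath

# File-system indicators taken from the behaviour described in this write-up.
# The Startup shortcut name "Soft.lnk" and the "$RECYCLE.BIN" folder name are
# assumptions based on the post, not values confirmed by it.
INDICATORS = [
    ("helpme_in_system_dir",
     re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\helpme\.exe$", re.I)),
    ("autorun_exe_at_root", re.compile(r"^[a-z]:\\autorun_inf\.exe$", re.I)),
    ("autorun_ini_at_root", re.compile(r"^[a-z]:\\autorun\.ini$", re.I)),
    ("soft_startup_shortcut",
     re.compile(r"\\start menu\\programs\\startup\\soft\.lnk$", re.I)),
    ("document_in_recycle_bin",
     re.compile(r"\\\$recycle\.bin\\.*\.(docx?|pdf|xlsx?|pages)$", re.I)),
]

def scan_paths(paths):
    """Return (indicator, path) pairs for every path matching a known indicator."""
    hits = []
    for raw in paths:
        path = str(PureWindowsPath(raw))  # normalise slashes to backslashes
        for name, pattern in INDICATORS:
            if pattern.search(path):
                hits.append((name, path))
    return hits

def summarise(hits):
    """Count matches per indicator so a triage report can be read at a glance."""
    counts = {}
    for name, _ in hits:
        counts[name] = counts.get(name, 0) + 1
    return counts

# Constructed sample directory listing (not taken from a real infected host).
SAMPLE_LISTING = [
    r"C:\Windows\System32\HelpMe.exe",
    r"C:\Windows\SysWOW64\HelpMe.exe",
    r"C:\AUTORUN_INF.exe",
    r"C:\AUTORUN.ini",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Soft.lnk",
    r"C:\$RECYCLE.BIN\S-1-5-21-1-2-3-1001\quarterly_report.docx",
    r"C:\Windows\System32\notepad.exe",                  # benign: should not match
    r"C:\Users\alice\Documents\quarterly_report.docx",  # benign: not in the recycle bin
]

if __name__ == "__main__":
    for name, path in scan_paths(SAMPLE_LISTING):
        print(f"{name:26} {path}")
    print(summarise(scan_paths(SAMPLE_LISTING)))
```

A single hit is only a lead for closer inspection; HelpMe.exe alternating between System32 and SysWow64 is why both directories are covered by one pattern.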

I stopped my analysis here after spending 2 days, as this malware does a lot of things in the background.

Thanks.
