Practical Windows Forensics
Overview of this book

Over the last few years, the wave of cybercrime has risen rapidly. We have witnessed many major attacks on the governmental, military, financial, and media sectors. Tracking all these attacks and crimes requires a deep understanding of operating system internals, of how to extract evidential data from digital evidence, and of how best to use digital forensic tools and techniques. Regardless of your level of experience in the field of information security in general, this book will fully introduce you to digital forensics. It will provide you with the knowledge needed to assemble different types of evidence effectively, and walk you through the various stages of the analysis process. We start by discussing the principles of the digital forensics process and move on to show you the approaches that are used to conduct analysis. We will then study various tools to perform live analysis, and go through different techniques to analyze volatile and non-volatile data.

Live analysis

Next, let's perform some live analysis on the infected machine at hand. Live analysis gives us quick results. It may overwrite some traces in the system, but in our case we have already acquired our evidence.

The running processes

Listing the running processes will allow us to notice any maliciously-named processes that may relate to malware behavior. We can list the running processes using the native tasklist command:

We can also use Process Explorer from Sysinternals. We will notice no malicious names, but we can see that there are two processes named explorer.exe in the system. One of them, with the process ID 2256, runs as a 32-bit image for compatibility, but its current directory is C:\Users\<<UserName>>\AppData\Roaming\, as shown in Process Explorer in the following screenshot. Note that this process will most likely have a different ID if you run the malware on a machine of your own:

To investigate this process further, we can use ProcessActivityView from the DART tools to see which files it accesses in real time. We will find that this process accesses a file located at C:\Users\<<UserName>>\AppData\Roaming\Tyull\yquna.tmp.

The folder name and file name appear to be randomly generated, which is typical malware behavior.

Then, if we scan the running system with the GMER tool, it detects injected code in the running process explorer.exe (PID 2256), as follows:
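The checks described above (a duplicate explorer.exe, a system image running from or working out of a user-writable folder) can be applied mechanically to a process listing. The following is an added example, not code from the book: the records are constructed to mimic the columns Process Explorer shows (PID, image name, image path, current directory), the PID 2256 and the AppData\Roaming working directory echo the case in the text, and the SYSTEM_IMAGES and USER_WRITABLE lists are assumptions the analyst would extend for their own environment.

```python
"""Triage a live process listing for the signs described above.

Added example, not code from the book.  The records are constructed to
mimic the columns Process Explorer shows (PID, image name, image path,
current directory); PID 2256 and the AppData\\Roaming working directory
echo the case in the text and are not real indicators.
"""
from collections import Counter

# Images that are normally loaded only from the Windows directory.
# Assumption: a starting list for the analyst, not an exhaustive one.
SYSTEM_IMAGES = {"explorer.exe", "svchost.exe", "lsass.exe",
                 "winlogon.exe", "csrss.exe", "services.exe"}

# User-writable locations that are common drop points (assumption).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\",
                 "\\windows\\temp\\", "\\users\\public\\")

# Constructed sample: the user's normal explorer.exe plus a second instance
# (PID 2256) whose working directory sits under AppData\Roaming.
SAMPLE_PROCESSES = [
    {"pid": 4, "name": "System",
     "image_path": "", "current_dir": ""},
    {"pid": 612, "name": "svchost.exe",
     "image_path": r"C:\Windows\System32\svchost.exe",
     "current_dir": r"C:\Windows\system32"},
    {"pid": 1388, "name": "explorer.exe",
     "image_path": r"C:\Windows\explorer.exe",
     "current_dir": r"C:\Users\analyst"},
    {"pid": 2256, "name": "explorer.exe",
     "image_path": r"C:\Windows\SysWOW64\explorer.exe",
     "current_dir": r"C:\Users\analyst\AppData\Roaming"},
]


def _norm(path):
    """Lower-case, use backslashes and guarantee a trailing separator."""
    p = path.lower().replace("/", "\\")
    return p if p.endswith("\\") else p + "\\"


def under_user_writable(path):
    """True when the path lies under one of the USER_WRITABLE markers."""
    return bool(path) and any(m in _norm(path) for m in USER_WRITABLE)


def triage_processes(records):
    """Return (pid, reason) findings; an empty list means nothing stood out."""
    findings = []
    counts = Counter(r["name"].lower() for r in records)
    for r in records:
        name, pid = r["name"].lower(), r["pid"]
        if name in SYSTEM_IMAGES and not _norm(r["image_path"]).startswith("c:\\windows\\"):
            findings.append((pid, f"{name} loaded from outside C:\\Windows: {r['image_path']}"))
        if under_user_writable(r["current_dir"]):
            findings.append((pid, f"{name} working directory is user-writable: {r['current_dir']}"))
        # One explorer.exe per interactive session is normal; a second one for
        # the same user is the pattern seen in the text.
        if name == "explorer.exe" and counts[name] > 1:
            findings.append((pid, "more than one explorer.exe instance; compare their paths"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage_processes(SAMPLE_PROCESSES):
        print(f"PID {pid}: {reason}")
```

Both explorer.exe instances are reported for the duplicate check, which is intended: the analyst compares their image paths and working directories, and the one under AppData\Roaming is the one that also trips the user-writable rule.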

Network activities

Most malware samples need a network connection to complete their goal and reach the attacker. By checking the network activity of the suspicious process, we will notice that it listens for connections on port 37337. Note that we have already isolated the machine from the Internet and the internal network, so such connections cannot be completed:

Port 37337 is well known for its wide use in malware-related activity.
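The listener can be found from the command line as well: netstat -ano prints each socket with its owning PID, which is then matched against the process list. Below is an added example, not code from the book, that parses constructed netstat -ano output and ties listening ports to image names. The sample output, the PID-to-name map, the WATCHLIST_PORTS set (seeded with 37337 from the text) and the EXPECTED_LISTENERS list are all constructed assumptions.

```python
"""Parse ``netstat -ano`` output and tie listening ports back to processes.

Added example, not code from the book.  Sample output and PID map are
constructed; the 37337 listener owned by PID 2256 mirrors the text.
"""
import re

NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:37337          0.0.0.0:0              LISTENING       2256
  TCP    127.0.0.1:49155        127.0.0.1:49156        ESTABLISHED     1388
  TCP    [::]:135               [::]:0                 LISTENING       880
  UDP    0.0.0.0:5355           *:*                                    1044
"""

# Constructed PID -> image map, as read from tasklist on the same machine.
SAMPLE_PIDS = {4: "System", 880: "svchost.exe", 1044: "svchost.exe",
               1388: "explorer.exe", 2256: "explorer.exe"}

# Ports the analyst treats as known-bad (assumption; 37337 is from the text).
WATCHLIST_PORTS = {37337}

# Images expected to own listening sockets on a workstation (assumption).
EXPECTED_LISTENERS = {"system", "svchost.exe", "lsass.exe", "services.exe",
                      "wininit.exe", "spoolsv.exe"}

# One netstat row: proto, local, foreign, optional state (UDP has none), PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Turn netstat -ano text into a list of socket dicts."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank and title lines
        host, _, port = m.group("local").rpartition(":")  # handles [::]:135 too
        entries.append({"proto": m.group("proto"), "host": host, "port": int(port),
                        "state": m.group("state") or "", "pid": int(m.group("pid"))})
    return entries


def listening_ports(entries):
    """TCP sockets in LISTENING state plus every UDP binding (UDP has no state)."""
    return [e for e in entries if e["state"] == "LISTENING" or e["proto"] == "UDP"]


def flag_listeners(entries, pid_names):
    """Return (pid, port, reason) for listeners that deserve a closer look."""
    findings = []
    for e in listening_ports(entries):
        owner = pid_names.get(e["pid"], "<unknown>")
        if e["port"] in WATCHLIST_PORTS:
            findings.append((e["pid"], e["port"], f"{owner} listens on watch-listed port"))
        elif owner.lower() not in EXPECTED_LISTENERS:
            findings.append((e["pid"], e["port"], f"{owner} is not an expected listener"))
    return findings


if __name__ == "__main__":
    for pid, port, reason in flag_listeners(parse_netstat(NETSTAT_SAMPLE), SAMPLE_PIDS):
        print(f"PID {pid} port {port}: {reason}")
```

The second rule matters even without a watch list: explorer.exe has no business owning a listening socket, so the finding would have surfaced with an unknown port as well.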

Autorun keys

We can also check the autorun keys in the system, which malware uses to survive a system reboot. We can do this with the Sysinternals tool autorunsc.exe or its GUI counterpart autoruns.exe. The command-line version takes the following options:

  • -l: Logon entries, the items that start automatically at login (the default option)

  • -t: Scheduled tasks

  • -m: Hide entries that are digitally signed by Microsoft

  • -v: Verify digital signatures

Under the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key, we find an unknown executable located at C:\users\<<UserName>>\appdata\roaming\imyrug\epqe.exe. Pay attention to the key's last access date, which is old.

We can extract this executable for further analysis, such as reverse engineering and malware analysis, to confirm that it is malicious and understand its functionality. The same results can be obtained with the GUI version of the tool:

So, the question now is: what added this executable to the registry keys?
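With -v the CSV output of autorunsc carries a signer column, which makes the entries easy to rank offline. The following is an added example, not the book's code: it parses constructed autorunsc-style CSV and scores each entry on the traits seen above (image under a user-writable path, no verified signature, empty version information, per-user HKCU persistence), and reproduces the effect of the -m switch in code so that what it hides is visible. The column names are an assumption (they vary by Autoruns version, so match them against your own header row) and the epqe.exe row mirrors the text rather than a real indicator.

```python
"""Rank autorunsc CSV entries by how much they deserve a closer look.

Added example, not the book's code.  The CSV is constructed in the shape of
``autorunsc -c -l -t -v`` output; assumption: the column names are a subset
of what the tool writes and vary by version, so match them against your
own header row.  The epqe.exe entry mirrors the text and is not a real
indicator.  autorunsc normally writes its CSV as UTF-16 text; check the
BOM and open a real file with encoding="utf-16" if so.
"""
import csv
import io

AUTORUNS_CSV = r"""
Entry Location,Entry,Enabled,Category,Description,Signer,Company,Image Path,Launch String
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,IgfxTray,enabled,Logon,igfxTray Module,(Verified) Intel Corporation,Intel Corporation,c:\windows\system32\igfxtray.exe,C:\Windows\system32\igfxtray.exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,Sidebar,enabled,Logon,Windows Desktop Gadgets,(Verified) Microsoft Windows,Microsoft Corporation,c:\program files\windows sidebar\sidebar.exe,C:\Program Files\Windows Sidebar\Sidebar.exe /autoRun
HKCU\Software\Microsoft\Windows\CurrentVersion\Run,epqe,enabled,Logon,,,,c:\users\analyst\appdata\roaming\imyrug\epqe.exe,C:\Users\analyst\AppData\Roaming\imyrug\epqe.exe
Task Scheduler,\Microsoft\Windows\Defrag\ScheduledDefrag,enabled,Tasks,Disk Defragmenter Module,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\defrag.exe,%windir%\system32\defrag.exe -c
""".strip()

# User-writable locations where signed software rarely lives (assumption).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\",
                 "\\temp\\", "\\users\\public\\")


def score_entry(row):
    """Return (score, reasons) for one CSV row; a higher score means look sooner."""
    reasons = []
    image = row["Image Path"].lower()
    signer = row["Signer"]
    if any(m in image for m in USER_WRITABLE):
        reasons.append("image lives under a user-writable path")
    if not signer.startswith("(Verified)"):
        reasons.append("no verified signature" if not signer else f"signer not verified: {signer}")
    if not row["Description"] and not row["Company"]:
        reasons.append("no description or company in the version resource")
    if row["Entry Location"].upper().startswith("HKCU\\"):
        reasons.append("per-user persistence (HKCU Run key)")
    return len(reasons), reasons


def triage_autoruns(csv_text, hide_microsoft=True):
    """Parse the CSV and return [(score, entry, image_path, reasons)] by score."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    if hide_microsoft:  # the same filter the -m switch applies
        rows = [r for r in rows if not r["Signer"].startswith("(Verified) Microsoft")]
    ranked = []
    for r in rows:
        score, reasons = score_entry(r)
        if score:  # entries with nothing odd about them are dropped
            ranked.append((score, r["Entry"], r["Image Path"], reasons))
    ranked.sort(key=lambda item: item[0], reverse=True)
    return ranked


if __name__ == "__main__":
    for score, entry, image, reasons in triage_autoruns(AUTORUNS_CSV):
        print(f"[{score}] {entry}: {image}")
        for reason in reasons:
            print(f"      - {reason}")
```

Running it with hide_microsoft=False shows why -m is a convenience rather than a verdict: the Microsoft-signed HKCU entry still appears with a low score, while the unsigned binary under AppData\Roaming trips every rule and lands at the top, which is the one to extract for reverse engineering.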