RegShot

Dynamic Analysis with RegShot

RegShot is a tool that lets you take a clean snapshot of the registry, which can then be compared with a second snapshot taken after the malware sample is executed. The comparison reveals changes in the registry, particularly when the malware modifies registry keys to persist on the system.

Ring3 API Hooker

Malware Dynamic Analysis with Ring3 API Hook Scanner

Ring3 API Hook Scanner by NoVirusThanks.org is a GMER-like tool that detects API hooking inside the kernel. It logs the executable responsible for the hooking and the API that is being hooked.

The Ring3 API Hook Scanner output has two categories.

One is the module that owns or hooks the API.

The other is the API name.

In our case, the image below shows how Ring3 detects that Win32.AgentTesla.exe hooks the DeleteFileW API.
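To make the two categories above concrete (which module owns the hook, and which API is hooked), here is an added example that is not code from the page or from the Ring3 API Hook Scanner itself. It implements the general inline-hook check a scanner of this kind performs: compare the first bytes of an API in process memory with the on-disk copy and, where they differ, decode the trampoline to find the module that now owns control flow. All addresses, module sizes and prologue bytes are constructed for the example.

```python
import struct

# --- Constructed sample data (not from any real binary; addresses are made up) ---
KERNEL32_BASE = 0x75A00000
MALWARE_BASE = 0x00400000
DELETEFILEW_ADDR = KERNEL32_BASE + 0x1230   # hypothetical export address
CREATEFILEW_ADDR = KERNEL32_BASE + 0x2AF0   # hypothetical export address
HOOK_TARGET = MALWARE_BASE + 0x1000         # hypothetical handler inside the sample

# Typical x86 API stub prologue: mov edi,edi; push ebp; mov ebp,esp; sub esp,0x10
CLEAN_PROLOGUE = bytes.fromhex("8bff558bec83ec10")
# The same function after an inline hook: first 5 bytes replaced by "jmp rel32"
HOOKED_PROLOGUE = (b"\xe9"
                   + struct.pack("<i", HOOK_TARGET - (DELETEFILEW_ADDR + 5))
                   + CLEAN_PROLOGUE[5:])

# Loaded modules as (base, size, name): what a scanner reads from the module list
MODULES = [
    (KERNEL32_BASE, 0xC0000, "kernel32.dll"),
    (MALWARE_BASE, 0x20000, "Win32.AgentTesla.exe"),
]
# API name -> (bytes read from process memory, bytes from the on-disk image, address)
API_TABLE = {
    "DeleteFileW": (HOOKED_PROLOGUE, CLEAN_PROLOGUE, DELETEFILEW_ADDR),
    "CreateFileW": (CLEAN_PROLOGUE, CLEAN_PROLOGUE, CREATEFILEW_ADDR),
}


def detect_inline_hook(memory_bytes, disk_bytes, func_addr):
    """Compare the in-memory prologue with the on-disk copy; if they differ,
    decode the common trampoline forms to find where control is redirected."""
    if memory_bytes[:len(disk_bytes)] == disk_bytes:
        return {"hooked": False, "kind": None, "target": None}
    op = memory_bytes[0]
    if op == 0xE9 and len(memory_bytes) >= 5:                 # jmp rel32
        rel = struct.unpack("<i", memory_bytes[1:5])[0]
        return {"hooked": True, "kind": "jmp rel32",
                "target": (func_addr + 5 + rel) & 0xFFFFFFFF}
    if op == 0x68 and len(memory_bytes) >= 6 and memory_bytes[5] == 0xC3:  # push imm32; ret
        return {"hooked": True, "kind": "push/ret",
                "target": struct.unpack("<I", memory_bytes[1:5])[0]}
    if memory_bytes[:2] == b"\xff\x25" and len(memory_bytes) >= 6:  # jmp [imm32]
        # the operand is a pointer slot; the final target is whatever it holds
        return {"hooked": True, "kind": "jmp [mem]",
                "target": struct.unpack("<I", memory_bytes[2:6])[0]}
    return {"hooked": True, "kind": "unknown patch", "target": None}


def owner_of(addr, modules):
    """Map an address to the module whose image range contains it."""
    for base, size, name in modules:
        if base <= addr < base + size:
            return name
    return "<unbacked memory>"


def scan_hooks(api_table, modules):
    """Return (api, hook kind, owning module) for every patched prologue."""
    findings = []
    for api, (mem, disk, addr) in api_table.items():
        result = detect_inline_hook(mem, disk, addr)
        if result["hooked"]:
            owner = owner_of(result["target"], modules) if result["target"] is not None else None
            findings.append((api, result["kind"], owner))
    return findings


if __name__ == "__main__":
    for api, kind, owner in scan_hooks(API_TABLE, MODULES):
        print(f"{api}: {kind} -> {owner}")
```

On a live system the memory bytes come from the target process and the disk bytes from the mapped image file; a target that resolves to "<unbacked memory>" (no module backs it) is as telling as one that resolves to the sample's image, since legitimate code rarely lives outside any loaded module.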

 

SSDT View

Malware Dynamic Analysis with SSDT View

SSDT View by NoVirusThanks is a tool that checks every function in the SSDT (System Service Descriptor Table) for possible hooking.

SSDT View output has three categories.

One is the service or function.

The other is the module that owns the service or function.

Finally, there is an indicator that shows whether or not the service is hooked.

#tip: any service not owned by the ntoskrnl.exe module is regarded as hooked and malicious.

 

Procexp Sysinternals

Dynamic Analysis with Windows Sysinternals - Process Explorer

Procexp, or Process Explorer, is a tool bundled in the Sysinternals suite. It is Task Manager-like but offers extra features, so it can be used to monitor processes and inspect their properties.

 

AutoRuns Sysinternals

Malware Dynamic Analysis with Windows Sysinternals - AutoRuns

AutoRuns is a tool bundled in the Sysinternals suite that is used to view and monitor programs configured to run automatically in Windows.

 

A Quick Snap of the tool:

AutoRuns detects that an executable named xws.exe is registered under the SOFTWARE\Microsoft\Windows\CurrentVersion\Run registry key, which is a common persistence mechanism for malware. Malware that adds itself to this key is started again after a reboot.
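The RegShot section above (snapshot before, snapshot after, compare) and the AutoRuns finding here (a new value under the Run key) are two views of the same check. The following added example, which is not code from the page, from RegShot or from AutoRuns, diffs two registry snapshots and flags any change that lands in a known auto-start key. The snapshot shape (key path to value name to data), the hive prefixes, the sample key contents and the path of xws.exe are all constructed for the example.

```python
# A snapshot is {key_path: {value_name: data}}, the shape a RegShot-style
# "before"/"after" export reduces to. Everything below is constructed sample data.
RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
AUTOSTART_KEYS = {
    RUN_KEY,
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
}
XWS_PATH = r"C:\Users\lab\AppData\Roaming\xws.exe"   # hypothetical dropped binary

BEFORE = {
    RUN_KEY: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs": {"MRUListEx": "00"},
    r"HKCU\SOFTWARE\Classes\Local Settings\MuiCache": {"LangId": "0409"},
}
AFTER = {
    RUN_KEY: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
              "xws": XWS_PATH},                                  # the persistence entry
    r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs": {"MRUListEx": "01"},
    r"HKCU\SOFTWARE\Classes\Local Settings\MuiCache": {"LangId": "0409", "xws.exe": "xws"},
}


def diff_snapshots(before, after):
    """Return added / removed / modified values between two snapshots."""
    added, removed, modified = [], [], []
    for key in set(before) | set(after):
        old_vals = before.get(key, {})
        new_vals = after.get(key, {})
        for name in set(old_vals) | set(new_vals):
            if name not in old_vals:
                added.append((key, name, new_vals[name]))
            elif name not in new_vals:
                removed.append((key, name, old_vals[name]))
            elif old_vals[name] != new_vals[name]:
                modified.append((key, name, old_vals[name], new_vals[name]))
    return {"added": sorted(added), "removed": sorted(removed), "modified": sorted(modified)}


def persistence_findings(diff):
    """Keep only the changes that touch an auto-start key: (key, value name, data)."""
    hits = []
    for key, name, data in diff["added"]:
        if key in AUTOSTART_KEYS:
            hits.append((key, name, data))
    for key, name, _old, new in diff["modified"]:
        if key in AUTOSTART_KEYS:
            hits.append((key, name, new))
    return hits


if __name__ == "__main__":
    delta = diff_snapshots(BEFORE, AFTER)
    print(f"{len(delta['added'])} added, {len(delta['removed'])} removed, "
          f"{len(delta['modified'])} modified")
    for key, name, data in persistence_findings(delta):
        print(f"PERSISTENCE  {key}\\{name} = {data}")
```

The raw diff is noisy (Explorer and MuiCache churn on every run); filtering it through a list of auto-start locations is what turns a RegShot comparison into the single line AutoRuns shows for xws.exe.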

 

Strings for Windows

Malware Static Analysis with Windows Sysinternals

Strings is a static analysis tool for extracting ASCII and Unicode strings from a file. This can reveal valuable information such as URLs, IP addresses and the functions used.

In this topic we will discuss command-prompt-based Strings analysis on Windows.
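To show what the Strings tool does underneath, here is an added example that is not code from the page or from Sysinternals. It extracts printable ASCII runs and UTF-16LE (the Windows "Unicode") runs from a byte buffer, then sorts the results into the categories the paragraph names: URLs, IP addresses and API names. The byte buffer, the placeholder URL (.invalid domain), the TEST-NET IP address and the short API watch-list are all constructed for the example.

```python
import re

# Constructed byte buffer standing in for a file under analysis (not a real sample):
# a DOS header stub, some import names, an ASCII URL and two UTF-16LE strings.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8
    + b"KERNEL32.dll\x00DeleteFileW\x00CreateFileW\x00RegSetValueExW\x00"
    + b"http://example.invalid/gate.php\x00"                 # .invalid TLD: placeholder
    + b"\x01\x02"
    + "198.51.100.23".encode("utf-16-le") + b"\x00\x00"      # RFC 5737 TEST-NET-2 address
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
)


def extract_strings(data, min_len=4):
    """Return (kind, offset, text) for every printable ASCII run and every
    UTF-16LE run of at least min_len characters, ordered by file offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.start(), m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [("unicode", m.start(), m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found, key=lambda item: item[1])


URL_RE = re.compile(r"https?://\S+")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Hypothetical short watch-list of API names worth a second look during triage
WATCHED_APIS = {"DeleteFileW", "CreateFileW", "RegSetValueExW"}


def triage(strings):
    """Bucket extracted strings into URLs, IPv4 addresses and watched API names."""
    urls, ips, apis = [], [], []
    for _kind, _offset, text in strings:
        if URL_RE.search(text):
            urls.append(text)
        elif IPV4_RE.match(text):
            ips.append(text)
        elif text in WATCHED_APIS:
            apis.append(text)
    return {"urls": urls, "ips": ips, "apis": apis}


if __name__ == "__main__":
    for kind, offset, text in extract_strings(SAMPLE):
        print(f"{offset:08x} {kind:7s} {text}")
    print(triage(extract_strings(SAMPLE)))
```

The two regular expressions are the whole trick: the ASCII pass looks for runs of bytes 0x20 to 0x7e, the Unicode pass for the same bytes each followed by a zero byte, which is how UTF-16LE stores Latin text. Tools that only run the ASCII pass miss exactly the strings Windows malware tends to keep in wide form, such as the registry path above.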