Malware Persistence: DLL injection via AppInit_DLLs Registry

Tools Used


Lab Requirements

    • Windows System (x86 or x64)
    • Tools
    • malware.dll (renamed legitimate .dll file)

One of the goals of malware is to achieve persistence on the compromised system, and one technique its authors implement is manipulating registry values.

In this demo, we will discuss how malware can persist on the system using the AppInit_DLLs registry key.

Scenario: Your security solution detected that one of your organization's endpoints is reaching a non-whitelisted domain/IP. Initial investigation revealed that the user had failed to report clicking and downloading an email attachment a few days ago.
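Before touching the lab host, it helps to know what a clean AppInit_DLLs configuration looks like so that the demo's change stands out. The script below is an added triage check, not part of the original lab: it reads the AppInit_DLLs locations (the native key and the Wow6432Node view on x64), reports whether the mechanism is enabled and signature-restricted, and for every listed DLL records existence, Authenticode status and a SHA-256 hash. Running it as an administrator is assumed.

```powershell
# Added example (not from the original lab): audit AppInit_DLLs persistence locations.
# Run from an elevated PowerShell prompt; output is for triage, not remediation.

$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view on x64
)

foreach ($key in $keys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # LoadAppInit_DLLs = 1 turns the mechanism on; RequireSignedAppInit_DLLs = 1
    # limits it to code-signed DLLs. Any non-empty AppInit_DLLs deserves a look.
    [pscustomobject]@{
        Key                       = $key
        LoadAppInit_DLLs          = $props.LoadAppInit_DLLs
        RequireSignedAppInit_DLLs = $props.RequireSignedAppInit_DLLs
        AppInit_DLLs              = $props.AppInit_DLLs
    } | Format-List

    if ([string]::IsNullOrWhiteSpace($props.AppInit_DLLs)) { continue }

    # The value is a space- or comma-separated list of DLL names or paths.
    $dlls = $props.AppInit_DLLs -split '[ ,;]+' | Where-Object { $_ }
    foreach ($dll in $dlls) {
        $path = [Environment]::ExpandEnvironmentVariables($dll)
        # A bare file name is resolved through the normal DLL search order;
        # System32 is checked here as the most common location (assumption).
        if (-not [IO.Path]::IsPathRooted($path)) {
            $path = Join-Path (Join-Path $env:SystemRoot 'System32') $path
        }
        $exists = Test-Path -LiteralPath $path
        $sig  = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'N/A' }
        $hash = if ($exists) { (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash } else { 'N/A' }
        [pscustomobject]@{
            DLL       = $path
            Exists    = $exists
            Signature = $sig      # 'NotSigned' or 'HashMismatch' on a "renamed legitimate" DLL is the tell
            SHA256    = $hash     # pivot value for checking other endpoints
        }
    }
}
```

Capture the output once on a known-good build; after the demo, a diff of the two runs shows exactly which value the persistence technique changed.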