Basic Malware Analysis — Illusion Bot

Analysis

Is the sample executable?

Is the sample packed?

When was the sample compiled?

Does the sample have other embedded executables in it?

What sub-system does the sample operate in?

What functions does the sample import / export?

What clear text strings does the sample have?

What changes were made to the Windows Registry?

Were any startup services installed by the sample?

What processes were running when the sample was executed?

What changes were made to the file system?

What network activity does the sample exhibit?

  1. The malware achieves persistence by replacing the default shell program (explorer.exe) with itself.
  2. It adds itself to the firewall's whitelist.
  3. It tries to join an IRC channel and, most likely, waits for commands there. It may be used for DoS attacks, since clear-text strings in the sample reference them.
  4. It tries to write a file named ntndis.exe; the purpose of this file is unknown.
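The first two findings above (a replaced default shell and a self-added firewall exception) both leave traces in the registry, so they can be confirmed from a registry export of the infected machine. The script below is an added example and is not code from the original write-up: it parses a regedit-style export and flags a Winlogon Shell value that is not explorer.exe, plus any enabled firewall exception that points at the new shell or sits outside the Windows directory. The export text is constructed for the demo, and the two registry locations (Winlogon\Shell and the XP-era AuthorizedApplications\List) are assumptions about where the sample writes; the write-up itself does not name them.

```python
import re
from typing import Dict, List, Optional

# Assumed locations (not named in the write-up): the Winlogon shell value and
# the Windows XP SP2 firewall exception list.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
FIREWALL_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Constructed .reg export, as regedit would write it after a sample of this kind ran.
# The sample path and firewall entries are made up for the demo.
SAMPLE_REG_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\user\\sample.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Documents and Settings\\user\\sample.exe"="C:\\Documents and Settings\\user\\sample.exe:*:Enabled:sample"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Tool\\tool.exe"="C:\\Program Files\\Tool\\tool.exe:*:Disabled:tool"
"""

# "name"="value" lines; both sides may contain \\ and \" escapes.
REG_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def unescape(s: str) -> str:
    """Undo the .reg string escapes (\\" and \\\\)."""
    return s.replace('\\"', '"').replace('\\\\', '\\')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: value}} for REG_SZ values in a .reg export."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = REG_LINE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = unescape(m.group(2))
    return keys


def replaced_shell(keys: Dict[str, Dict[str, str]]) -> Optional[str]:
    """Return the Shell value if it is anything other than the default explorer.exe."""
    shell = keys.get(WINLOGON_KEY, {}).get("Shell", "explorer.exe")
    return None if shell.strip().lower() == "explorer.exe" else shell


def suspicious_firewall_exceptions(keys: Dict[str, Dict[str, str]],
                                   shell: Optional[str]) -> List[str]:
    """Enabled exceptions that point at the new shell or live outside the Windows directory."""
    hits = []
    for path, value in keys.get(FIREWALL_KEY, {}).items():
        # Value format is path:scope:Enabled|Disabled:name; the path itself contains
        # a colon, so split from the right.
        fields = value.rsplit(":", 3)
        enabled = len(fields) == 4 and fields[2].lower() == "enabled"
        lowered = path.lower()
        in_windows_dir = lowered.startswith(("%windir%", "c:\\windows"))
        is_new_shell = shell is not None and lowered == shell.lower()
        if enabled and (is_new_shell or not in_windows_dir):
            hits.append(path)
    return hits


def triage(text: str) -> Dict[str, object]:
    keys = parse_reg_export(text)
    shell = replaced_shell(keys)
    return {
        "replaced_shell": shell,
        "suspicious_firewall_exceptions": suspicious_firewall_exceptions(keys, shell),
    }


if __name__ == "__main__":
    for name, finding in triage(SAMPLE_REG_EXPORT).items():
        print(f"{name}: {finding}")
```

Running it against the constructed export reports the non-default shell and the single enabled exception that points at it, while the disabled third-party entry and the stock sessmgr.exe entry are left alone. On a real case, feed it `reg export` output from the affected hive and compare the Shell value against a clean baseline of the same Windows build.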

Developing YARA Rule

Done!

ka1d0

A budding malware analyst and threat researcher. https://www.linkedin.com/in/nikhilh2/