EXP4 malicious code analysis 20154310

1. Practical goals

1. Monitor the running status of your own system to see if any suspicious programs are running.

2. Analyze a piece of malware: the backdoor program generated in Exp2 or Exp3.

2. Practical steps

1. System operation monitoring

Use netstat to monitor regularly

First create a txt file whose commands append the current date, time and network connections (with the owning program) to c:\netstatlog.txt. Its contents are:

date /t >> c:\netstatlog.txt

time /t >> c:\netstatlog.txt

netstat -bn >> c:\netstatlog.txt

Change the file extension to .bat, then run Command Prompt as administrator and create a scheduled task that runs the batch file every 2 minutes:

schtasks /create /TN 20154310 /sc MINUTE /MO 2 /TR "c:\20154310.bat"


Once enough data has been collected, import the log into an Excel worksheet.

Insert a PivotTable → Process → New Worksheet → Count to obtain statistics of how often each process appears in the recorded connections.
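As an added example (not part of this lab report), the following Python script does the same counting as the Excel PivotTable step: it parses a netstatlog.txt in the format the batch file above produces (date /t, time /t, then netstat -bn output) and reports how many connections each process owned and which foreign endpoints it talked to. The log content and process names are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of c:\netstatlog.txt: each scheduled run appends `date /t`,
# `time /t` and `netstat -bn` output (owning program in [] on the following line).
SAMPLE_LOG = """\
2018/04/10 Tue
10:02
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49712      93.184.216.34:443      ESTABLISHED
 [chrome.exe]
  TCP    192.168.1.5:49800      192.168.1.20:4310      ESTABLISHED
 [backdoor_20154310.exe]
  UDP    0.0.0.0:500            *:*
  Can not obtain ownership information
2018/04/10 Tue
10:04
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:49801      192.168.1.20:4310      ESTABLISHED
 [backdoor_20154310.exe]
  TCP    192.168.1.5:49900      40.77.226.250:443      ESTABLISHED
 [svchost.exe]
"""

CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
PROC_RE = re.compile(r"^\s*\[(.+)\]\s*$")
DATE_RE = re.compile(r"^\d{4}[/-]\d{1,2}[/-]\d{1,2}")

def parse_netstat_log(text):
    """Return (date, proto, local, foreign, state, process) tuples, one per connection."""
    records, date = [], None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if DATE_RE.match(line):
            date = line.split()[0]          # a new sampling run begins here
            continue
        m = CONN_RE.match(line)
        if m:
            # netstat -b prints the owner as [name] on the next line; when it
            # cannot resolve the owner it prints a message instead, so mark unknown.
            nxt = PROC_RE.match(lines[i + 1]) if i + 1 < len(lines) else None
            records.append((date, *m.groups(), nxt.group(1) if nxt else "(unknown)"))
    return records

def summarize(records):
    """Connection count per process (the PivotTable result) and each process's peers."""
    counts = Counter(r[5] for r in records)
    peers = defaultdict(set)
    for r in records:
        peers[r[5]].add(r[3])
    return counts, dict(peers)
```

A program that appears in every run and always reaches the same non-web endpoint, as backdoor_20154310.exe does here, stands out immediately in the summary.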


Use the sysmon tool

First create a Sysmon configuration file as a txt file.


Run Command Prompt as administrator, change to the Sysmon directory with cd, and enter the command sysmon.exe -i 20154310.txt to install Sysmon with that configuration.


Start Sysmon

Right-click My Computer → Manage → Event Viewer → Applications and Services Logs → Microsoft → Windows → Sysmon → Operational to view the log.

Find my backdoor file in the log


Malware analysis with SysTracer

Use the SysTracer tool to take 4 snapshots:

snapshot#1: before the backdoor program starts, the system is in its normal state

snapshot#2: the backdoor is started and connects back to Linux

snapshot#3: Linux controls Windows to create a file in its D drive directory

snapshot#4: the backdoor is closed; the host state after disconnecting

Compare two snapshots, e.g. #1 and #2.

You can see that after the backdoor is started, the contents of the three registry entries shown above have been modified. Under Application - Opened Ports, you can see the IP address and port number used by the backdoor program.


Malware analysis with Process Explorer


Double-click the process to open its properties; the TCP/IP tab shows the IP address and port of the connected Linux host.


3. Experience and reflections

Many tools are used in this experiment, and I chose several of them as analysis tools for malicious code. To be honest, using these tools step by step is very easy. But merely being able to operate them is not enough; being able to look up and understand the meaning of the captured data is what lets us truly learn the corresponding knowledge and lay the foundation for the next experiment.


Origin http://43.154.161.224:23101/article/api/json?id=324676306&siteId=291194637