New - Lab Manual 4 - Malware Hunting - Updated2022 - V2


Course Name/ Code Issue Date: 03 / 3 / 2019

Defense Mechanisms / FC382 Due Date: 10 / 3 / 2019

Department of Forensic Computing and Cyber Security


College of Computer Science and Information Technology

Lab 4
Defense Mechanisms
Rashid Tahir / Naveed Ahmad
Hands-on Malware Hunting

1. Objective
Following are the objectives of this lab:
• To get familiar with the tools for detecting an infection
• To understand the behavior of different types of malware
• To get familiar with online databases for checking malware hashes
• To understand how DLLs and registries are leveraged by malware

2. Introduction
Any software that is unwanted and that has gained access to your system illegitimately is called
malware. It can be any software intentionally designed to cause damage to a host or network.
Malware does the damage after it is implanted or introduced in some way into a target computer and
can take the form of executable code, scripts, active content, and other types of software. It comes in
many types, such as computer viruses, worms, Trojan horses, ransomware, spyware, and adware.
Malware is different from software that causes unintentional harm due to some deficiency, which is
typically described as a software bug.

In this lab, we will see the behavior of a few different types of malware and how it impacts a machine.
We will then use some basic tools and techniques to study and understand the effects of the malware.
Malware can create and modify DLLs, it can create and modify registry entries, it can masquerade as
a benign application, it can run at startup, it can modify the homepage of your browser, etc. We will
see how malware does some of these things today and how we can detect these changes.

3. Tools and Techniques


Process Explorer
Process Explorer is a free Windows task manager and system monitoring tool that lists all currently
running programs/processes. It details which programs in a user's system have a specific file, directory
or resource open.

Process Explorer has two colorful windows of information. The top window shows a real-time list of
active processes, a description of what the processes are doing, the CPU and memory usage, and the
software company name. The processes are set up in a hierarchical view with parent process on top
and child processes beneath them.

The bottom window provides a zoomed-in look at the Windows processes, and it changes depending
on what mode Process Explorer is in. The modes include handle mode, which shows integer values
used as identifiers for the active processes and their threads, and DLL mode. The modes are specific
to the type of data Process Explorer displays, so if a user wants to investigate a DLL-version problem,
then Process Explorer should be in DLL mode.

Taking Action on a Process


You can quickly take action on any process by right-clicking on it and choosing from one of the options.
These options include:

• Window – Has options including Bring to Front, which can be useful to help identify the window
associated with a process. If there are no windows for that process, it will be grayed out.

• Set Priority – You can use this to configure the priority of a process. This is mostly useful for taming
a runaway process that you don’t want to kill.

• Kill Process – This quickly kills that process.

• Kill Process Tree – This kills not just the item in the list, but also the children of that parent process.

• Restart – Quite useful while testing, this just kills the process and then restarts it. It’s worth noting
that killing processes might result in lost data.

• Suspend – This handy option is great for troubleshooting when a process is out of control. You
can simply suspend the process rather than kill it, and check to see if anything is out of order.

• Check VirusTotal – This is a new option that we’ll explain further along. It’s quite handy really, as
it checks the hash of the process for malware or infections.

• Search Online – This will just search the web for the name of the process and return any hits.

Sigcheck
Sigcheck is a command-line utility that shows file version number, timestamp information, and digital
signature details, including certificate chains. It also includes an option to check a file’s status on
VirusTotal, a site that performs automated file scanning against over 60 antivirus engines, and an
option to upload a file for scanning.

ListDLLs
ListDLLs is a utility that reports the DLLs loaded into processes. You can use it to list all DLLs currently
loaded into all processes, or the DLLs loaded into a specific process, or to list the processes that have
a particular DLL loaded. ListDLLs can also display full version information for DLLs, including their
digital signature, and can be used to scan processes for unsigned DLLs (which are often used for DLL
injection attacks).

Process Monitor
Process Monitor, or ProcMon, is an advanced monitoring tool that allows you to see in real-time the
file system, registry, and process activity occurring in Windows.

Process Monitor captures a ton of data, but it doesn’t capture every single thing that happens on your
PC. For instance, Process Monitor doesn’t care if you move your mouse around, and it doesn’t know
whether your drivers are working optimally.

The Events that Process Monitor Captures


• Registry – this could be creating keys, reading them, deleting them, or querying them. You’ll be
surprised just how often this happens.

• File System – this could be file creation, writing, deleting, etc., and it can be for both local hard
drives and network drives.

• Network – this will show the source and destination of TCP/UDP traffic (but it doesn’t show the
data or payload).

• Process – These are events for processes and threads where a process is started, a thread starts
or exits, etc. This can be useful information in certain instances, but is often something you’d want
to look at in Process Explorer instead.

• Profiling – These events are captured by Process Monitor to check the amount of processor time
used by each process, and the memory use. Again, you would probably want to use Process
Explorer for tracking these things most of the time, but it’s useful here if you need it.

TASK 1: Hunt for malware on your machine (using Process Explorer, ANY.RUN, etc.). Try to find
any malicious process and remove it by following the steps discussed in the lab. If you are unable
to find a malicious process on your machine, perform the malware hunting process on your
sibling’s or friend’s machine to find a malicious process, kill the process and remove its
files.

HijackThis
HijackThis is written specifically to detect and remove browser hijacks, or software that takes over
your web browser, alters your default home page and search engine and other malicious things.
Unlike typical anti-spyware software, HijackThis does not use signatures or target any specific
programs or URLs to detect and block. Rather, HijackThis looks for the tricks and methods used by
malware to infect your system and redirect your browser.

HijackThis is a freeware spyware-removal tool for Microsoft Windows notable for taking a heuristic
approach to detecting malware - rather than relying on a database of known spyware, it quickly scans
a user's computer, creates a list of differences from a known spyware-free environment and allows
the user to decide what from the list needs to be removed. HijackThis is used primarily for diagnosis
of spyware.

Here is an overview of the HijackThis log entries which you can use to jump to the information you
are looking for:

• R0, R1, R2, R3 - Internet Explorer Start/Search pages URLs
• F0, F1 - Autoloading programs
• N1, N2, N3, N4 - Netscape/Mozilla Start/Search pages URLs
• O1 - Hosts file redirection
• O2 - Browser Helper Objects
• O3 - Internet Explorer toolbars
• O4 - Autoloading programs from Registry
• O5 - IE Options icon not visible in Control Panel
• O6 - IE Options access restricted by Administrator
• O7 - Regedit access restricted by Administrator
• O8 - Extra items in IE right-click menu
• O9 - Extra buttons on main IE button toolbar, or extra items in IE 'Tools' menu
• O10 - Winsock hijacker
• O11 - Extra group in IE 'Advanced Options' window
• O12 - IE plugins
• O13 - IE DefaultPrefix hijack
• O14 - 'Reset Web Settings' hijack
• O15 - Unwanted site in Trusted Zone
• O16 - ActiveX Objects (aka Downloaded Program Files)
• O17 - Lop.com domain hijackers
• O18 - Extra protocols and protocol hijackers
• O19 - User style sheet hijack
• O20 - AppInit_DLLs Registry value autorun
• O21 - ShellServiceObjectDelayLoad Registry key autorun
• O22 - SharedTaskScheduler Registry key autorun
• O23 - Windows NT Services

For more detail about HijackThis logs, visit this site:
https://www.lifewire.com/how-to-analyze-hijackthis-logs-2487503

TASK 2: Checking hashes using process explorer



If you spot a process which looks suspicious, you can right-click it, and select "Check VirusTotal".
Process Explorer then submits the file hash for checking and displays the number of antivirus engines
which detect it as a threat.

• To check the hash of a specific process: right-click the process → “Check VirusTotal”. You will
see a “Hash submitted” statement next to the process; after a few seconds it will show a figure like
“4/68”, which indicates how many antivirus engines consider it a threat. Clicking this ratio
opens a detailed report in a web browser.

• To check the hashes of all running processes: from the top bar, “Options” → “VirusTotal.com” →
“Check VirusTotal.com”

The new column VirusTotal will be added automatically, and initially show "Hash submitted...". After
a few seconds it will show the result:

Processes that run as System rather than as a standard user won't show a VirusTotal result until we
restart Process Explorer with elevated permissions.

If you have processes that show "Unknown" in the VirusTotal column, it means that specific file and
version has never been uploaded to VirusTotal. To automatically upload these files to VirusTotal, select
“Options” → “VirusTotal.com” → “Submit Unknown Executables”.

To manually submit any file to VirusTotal (not only "Unknown" ones), that is, to upload and re-scan
the file, double-click a process, go to the Image tab and click this button:

NOTE: VirusTotal.com is a multi-engine scanner service from Google with more than 60 different
anti-virus products.

The VirusTotal integration in Process Explorer is very fast because it only sends file hashes, a unique
content identifier, and not the files themselves. It is dependent on previous scans on VirusTotal for every
specific file and version, but because VirusTotal is a heavily used worldwide service you often get fresh
results for most files.

NOTE: If you find more than one suspicious process and want to terminate them, it's recommended
to first suspend (right click option) them. As many malware infections include multiple processes they
can easily restart each other when only one is killed, so suspending them first is a safer way.

Default colors used in Process Explorer:



Characteristics of suspicious processes:

• Have no name
• Have no icon
• Have no description or company name
• Are unsigned Microsoft images
• Live in the Windows directory or a user profile
• Are packed executables
• Include strange URLs in their strings
• Have open TCP/IP connections
• Host suspicious DLLs or services

TASK 3: Checking file and executable images for infection


Now, we will scan the system for suspicious executable images by typing the following in cmd:
> sigcheck64 -e -s -u c:\

Syntax: sigcheck64 [parameters] [path to be scanned]

Parameter   Description
-a          Show extended version information. The entropy measure reported is the bits
            per byte of information of the file's contents.
-c          CSV output with comma delimiter
-e          Scan executable images only (regardless of their extension)
-i          Show catalog name and signing chain
-m          Dump manifest
-s          Recurse subdirectories
-u          If VirusTotal check is enabled, show files that are unknown by VirusTotal or
            have non-zero detection, otherwise show only unsigned files.
-vt         Before using VirusTotal features, you must accept VirusTotal terms of service.

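This scans your Windows computer for dangerous and unsafe files; with the -u parameter and no
VirusTotal check, it lists the executable images that are unsigned. You should investigate the
purpose of any files that are not signed.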

TASK 4: DLL checking


In this task, we will list running processes that are using unsigned DLLs. In cmd, type:

> listdlls64 -u

Usage of listdlls:

listdlls [-r] [-v | -u] [processname|pid]
listdlls [-r] [-v] [-d dllname]

Parameters    Description
processname   Dump DLLs loaded by process (partial name accepted).
pid           Dump DLLs associated with the specified process id.
dllname       Show only processes that have loaded the specified DLL.
-r            Flag DLLs that relocated because they are not loaded at their base address.
-u            Only list unsigned DLLs.
-v            Show DLL version information.

TASK 5: Show processes that have loaded MSO.DLL.



TASK 6: Registry Settings Search using Process Monitor


Knowing where in the registry application settings are stored will allow you to do things like scan all
computers in the environment for a setting that should be in place.

The task is to identify where in the registry the Font and Font Size settings are stored for the Notepad
application.

Data Capture Steps:

1. Launch Process Monitor (procmon.exe)
2. Make sure Process Monitor is set to capture data; it should be by default.
a) Check that the “Capture” button does not have a red “X” over it. If it does have a red “X”
over it, simply click the capture button once to remove the “X”.

b) Check that events are being captured by viewing status information in the lower left corner

3. Launch Notepad
4. Enter some text into the Notepad document
5. Click on the Format menu and then on the Font menu item
I. In the Font window change the Font to “Batang”
II. In the Font window change the Size to “28”
III. Click on the “Ok” button
6. Save the Notepad document as Example1.txt
7. Close Notepad
8. Stop Process Monitor capture activity.

At this point we have captured File, Registry, and Process/Thread activity during a Font and Font Size
change in Notepad.exe in addition to all other activity occurring on the machine during the capture
period.

Data Review Steps:

1. Since we are only interested in Registry information, we will filter out File and Process information
by deselecting the “Show File System Activity” and “Show Process and Thread Activity” buttons.

2. Filter the displayed capture data by using the “Process Monitor Filter” window. This window
allows you to review filters, remove existing filters and to add new filters. Open Filter window by
clicking on Filter in the toolbar.

• Select “Process Name” from the Column list box
• Select “is” from the Relation list box
• Type “Notepad.exe” in the Value text box
• Select “Include” from the Action list box
• Click on the Add button
• Click on Apply and OK

The resulting displayed windows will only show registry information for Notepad.exe; still a lot of
data, but we are getting closer.

3. Now, we know we are looking for some type of registry operation that sets or writes a value,
specifically the Font and Font size values. So, perform on the fly filtering to exclude operations
circled above.

4. You do this by moving over a line item in the display area and right clicking. This brings up a
floating menu that allows you to “Include” and/or “Exclude" displayed data.

In short, right click over “RegOpenKey”, click “Exclude”, and click “Operation”. Repeat this process
for the other three operations shown above (RegQueryValue, RegCloseKey, and RegEnumValue).

5. This should leave us with a relatively small set of captured data in the display window. Scroll
through the remaining data to find an Operation called “RegSetValue”; this operation sounds
appropriate. So, perform on the fly filtering, by right clicking on a “RegSetValue” line item, but
instead of clicking on “Exclude” click on “Include”, and then on “Operation”.

6. With only registry information for the RegSetValue operation of the Notepad.exe process
showing in the display window, we have really narrowed our search down. Now, scroll through
the displayed data and pay attention to the “Detail” column and the “Path” column. While
scrolling through the data, you will notice a registry path that looks appropriate
(HKCU\Software\Microsoft\Notepad) and will find the word Batang associated with the
lfFaceName value.

7. To go to the registry location identified under the Path column, highlighted above, right-click on
the path and click on the “Jump To…” menu item. The Registry Editor will open and you will find
all of the format settings for Notepad, including lfFaceName (Font) and iPointSize (Font Size).
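
The same review can be run offline against a capture saved from Process Monitor as CSV. The sketch below is an added example, not part of the original lab; the sample rows are constructed and the column names are assumed to be Process Monitor's default display columns.

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export. The column names are
# assumed to match ProcMon's default display columns.
SAMPLE_EXPORT = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","notepad.exe","4120","RegOpenKey","HKCU\Software\Microsoft\Notepad","SUCCESS","Desired Access: Read"
"10:01:02.11","notepad.exe","4120","RegQueryValue","HKCU\Software\Microsoft\Notepad\lfFaceName","SUCCESS","Type: REG_SZ, Length: 18, Data: Consolas"
"10:01:09.40","notepad.exe","4120","WriteFile","C:\Users\student\Example1.txt","SUCCESS","Offset: 0, Length: 9"
"10:01:10.02","explorer.exe","2200","RegSetValue","HKCU\Software\Microsoft\Windows\Shell\Bags\1\Mode","SUCCESS","Type: REG_DWORD, Length: 4, Data: 4"
"10:01:12.30","notepad.exe","4120","RegSetValue","HKCU\Software\Microsoft\Notepad\lfFaceName","SUCCESS","Type: REG_SZ, Length: 14, Data: Batang"
"10:01:12.31","notepad.exe","4120","RegSetValue","HKCU\Software\Microsoft\Notepad\iPointSize","SUCCESS","Type: REG_DWORD, Length: 4, Data: 280"
"10:01:12.32","notepad.exe","4120","RegCloseKey","HKCU\Software\Microsoft\Notepad","SUCCESS",""
'''

# RegSetValue details look like "Type: REG_SZ, Length: 14, Data: Batang".
DETAIL_RE = re.compile(r"Type: (?P<type>\w+), Length: [\d,]+, Data: (?P<data>.*)")

def registry_writes(export_text, process_name):
    """Return {registry path: (type, data)} for RegSetValue events of one process."""
    writes = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        # Review step 2: include only the chosen process name.
        if row["Process Name"].lower() != process_name.lower():
            continue
        # Review steps 1 and 3-5: drop file/process events and every registry
        # operation except the one that writes a value.
        if row["Operation"] != "RegSetValue":
            continue
        m = DETAIL_RE.match(row["Detail"])
        if m:  # a later write to the same path replaces the earlier one
            writes[row["Path"]] = (m["type"], m["data"])
    return writes

def values_under(writes, key):
    """Keep only writes directly below one key; return {value name: data}."""
    prefix = key.rstrip("\\").lower() + "\\"
    return {path[len(prefix):]: data for path, (_, data) in writes.items()
            if path.lower().startswith(prefix)}

if __name__ == "__main__":
    found = registry_writes(SAMPLE_EXPORT, "Notepad.exe")
    for name, data in values_under(found, r"HKCU\Software\Microsoft\Notepad").items():
        print(f"{name} = {data}")
```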

TASK 7: Do a system scan using HijackThis and explain the results of your scan (using the
explanation for the different sections of results discussed in the lab, such as R1, R2, O4, O9, F2, etc.).
Also identify any malicious entries in your results.

TASK 8: Generate a log file using HijackThis and process it using the ComputerHope HijackThis log
processing tool. Compare the findings of this log processing tool with the findings of task 6.

1- Run HijackThis.exe

2- Click on Scan button



3- Select the O4 entries, which are “Autoloading programs from Registry”.

4- Now save the log by clicking on “save log” button


5- View the log in notepad and explain it in brief

Note: You can use https://www.computerhope.com/cgi-bin/process.pl for explaining the content
of HijackThis log.
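
An added example (not part of the original lab) of reading a saved HijackThis log programmatically: it counts entries per section code and parses the O4 registry autoruns selected in step 3, marking images stored in the Windows directory or a user profile. The log excerpt is constructed, and the review heuristic is an assumption taken from the lab's list of suspicious characteristics.

```python
import re
from collections import Counter

# Constructed HijackThis log excerpt; every name and path is made up.
SAMPLE_LOG = r'''Logfile of HijackThis
Running processes:
C:\Windows\system32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.example.test/
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O4 - HKCU\..\Run: [svhost] C:\Users\student\AppData\Roaming\svhost.exe
O4 - HKCU\..\RunOnce: [cleanup] C:\Windows\Temp\cl.exe -q
O23 - Service: Example Service (ExSvc) - Example Corp - C:\Program Files\Example\svc.exe
'''

# A log entry is "<section code> - <body>"; header and process lines do not match.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O4 registry autorun body: "<hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<key>HK[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Assumed heuristic: the image lives in the Windows directory or a user profile.
REVIEW_RE = re.compile(r"^[a-z]:\\(users|windows)\\", re.I)

def parse_entries(log_text):
    """Return (code, body) pairs for every section entry in the log."""
    matches = (ENTRY_RE.match(line.strip()) for line in log_text.splitlines())
    return [(m["code"], m["body"]) for m in matches if m]

def section_counts(log_text):
    """Count entries per section code (R1, O2, O4, ...)."""
    return Counter(code for code, _ in parse_entries(log_text))

def image_path(cmd):
    """Extract the executable path from a quoted or unquoted command line."""
    if cmd.startswith('"'):
        return cmd[1:].partition('"')[0]
    m = re.match(r"(.+?\.(?:exe|com|bat|cmd|scr|dll))(?=\s|$)", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]

def autoruns(log_text):
    """Parse O4 registry autoruns and mark the ones worth a closer look."""
    found = []
    for code, body in parse_entries(log_text):
        m = O4_RE.match(body) if code == "O4" else None
        if m:
            path = image_path(m["cmd"])
            found.append({"key": m["key"], "name": m["name"], "path": path,
                          "review": bool(REVIEW_RE.match(path))})
    return found

if __name__ == "__main__":
    print(dict(section_counts(SAMPLE_LOG)))
    for entry in autoruns(SAMPLE_LOG):
        print(("REVIEW " if entry["review"] else "ok     ") + entry["name"], entry["path"])
```

A "review" mark only means the entry deserves a manual check of its signature and hash; legitimate software also starts from these locations.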
