Can't locate folder nor files generated by malware


barburon
Member
 

Can't locate folder nor files generated by malware

Posted: Nov 08, 19 17:09

Hello everybody!

I've learned so much here the last time I had a question, and would love to get your opinion on the following.

As part of a malware analysis course in college, we were asked to analyze a malicious file (WhatAmI.exe).

I've tracked the file's progress and noticed that upon opening, a folder with a random name is created under the %TEMP% folder. More interesting is the creation of a file named cracker.txt in %TEMP% (not in the new folder).

"cracker.txt" is (apparently) generated at C:\users\IEUser\AppData\Local\Temp\cracker.txt.
The folder is (supposed to be) at C:\users\IEUser\AppData\Local\Temp\_MEI32602 (the name is random).

I guess I am missing something, but upon clicking the file (on Flare VM) I just can't manage to find that cracker.txt in %TEMP%, nor the generated folder. Are they being deleted?

I see there are no options for adding screenshots here, so I really hope I made myself clear.
If you have an idea why I can't locate cracker.txt (nor the folder), please tell me :)

Thank you!
*still a noob :)

Tal  
 
  

athulin
Senior Member
 

Re: Can't locate folder nor files generated by malware

Posted: Nov 08, 19 17:56

- barburon wrote:
I guess I am missing something, but upon clicking the file (on Flare VM) I just can't manage to find that cracker.txt in %TEMP%, nor the generated folder. Are they being deleted?

You have to ask yourself: do you trust in your finding that that file has been created? If you do ... what explanation would there be for your later finding? (As you don't provide any relevant details, I would even guess.)

You should be able to produce at least some hypotheses about what is going on. Deletion by the program you executed is one. Is deletion by some other program a possibility? Are you sure it even *is* deleted? Are you sure the creation of the file was successful?
Your methodology is not entirely clear -- so perhaps your chosen method or tool is not up to the job?

You have to identify possible scenarios, and you have to devise methods for testing whether they are correct or not.

For example, if a file is deleted ... can you determine that such a deletion has taken place? (Not just conclude it, but actually show it: a deleted file would leave traces in at least a couple of places ...) You may also need to ask yourself if the VM you're using is cleaned up enough that you don't have random processes creating random files, which may affect traces of deletion.
 
  

tracedf
Senior Member
 

Re: Can't locate folder nor files generated by malware

Posted: Nov 09, 19 03:32

Check out ProcMon. It can be used to monitor process activity, including file operations.

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon  
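A lightweight complement to ProcMon for the situation above (files that appear in %TEMP% and are gone by the time you look): this added example, not code from the thread, polls a directory, logs every path that appears or disappears between polls, and reports which ones were transient (created and later deleted). The directory, poll interval and duration are assumptions; it defaults to the %TEMP% folder the poster describes.

```python
"""Poll a directory and record paths that appear and disappear between polls.
Added example for catching short-lived artefacts such as a cracker.txt or a
randomly named _MEI* folder in %TEMP%; not code from the original thread."""
import os
import time
from datetime import datetime


def snapshot(root):
    """Return {relative_path: is_dir} for every entry under root (recursive)."""
    seen = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            seen[os.path.relpath(os.path.join(dirpath, name), root)] = True
        for name in filenames:
            seen[os.path.relpath(os.path.join(dirpath, name), root)] = False
    return seen


def diff_snapshots(before, after):
    """Return (created, deleted): sorted relative paths new in / gone from after."""
    created = sorted(p for p in after if p not in before)
    deleted = sorted(p for p in before if p not in after)
    return created, deleted


def transient_paths(log):
    """Paths that were both CREATED and DELETED during the watch, in order seen."""
    created = {path for _, event, path in log if event == "CREATED"}
    deleted = {path for _, event, path in log if event == "DELETED"}
    return sorted(created & deleted)


def watch(root, interval=0.2, duration=30.0):
    """Poll root every interval seconds for duration seconds.
    Returns the event log as (timestamp, event, relative_path) tuples."""
    log, before = [], snapshot(root)
    end = time.monotonic() + duration
    while time.monotonic() < end:
        time.sleep(interval)
        after = snapshot(root)
        created, deleted = diff_snapshots(before, after)
        stamp = datetime.now().isoformat(timespec="milliseconds")
        for event, paths in (("CREATED", created), ("DELETED", deleted)):
            for p in paths:
                log.append((stamp, event, p))
                print(stamp, event, p)
        before = after
    return log


if __name__ == "__main__":
    # Start this, then run the sample in the VM; %TEMP% is the assumed target.
    events = watch(os.environ.get("TEMP", "/tmp"))
    print("transient:", transient_paths(events))
```

Polling can miss anything that lives shorter than one interval, which is exactly where ProcMon's kernel-level file-operation trace is the better tool; the script is only a quick way to confirm that the creation and deletion both happened.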
 
  

barburon
Member
 

Re: Can't locate folder nor files generated by malware

Posted: Nov 09, 19 14:25

Thank you for the help!

I created a text file named "cracker.txt" myself (which the malware looked for). A string that was written to the text file after launching the malware was the solution to the exercise :)

Tal  
 
