Can't locate folder nor files generated by malware

4 Posts
3 Users
0 Likes
729 Views
(@barburon)
Posts: 11
Active Member
Topic starter
 

Hello everybody!

I learned so much here the last time I had a question, and would love to get your opinion on the following.

As part of a malware analysis course in college, we were asked to analyze a malicious file (WhatAmI.exe).

I've tracked the file's progress, and noticed that upon opening, a folder with a random name is created under the %TEMP% folder. More interesting is the creation of a file named cracker.txt in %TEMP% (not in the new folder).

"cracker.txt" is (apparently) generated at C:\users\IEUser\AppData\Local\Temp\cracker.txt.
The folder is (supposed to be) at C:\users\IEUser\AppData\Local\Temp\_MEI32602 (the name is random).

I guess I am missing something, but upon clicking the file (on FLARE VM) I just can't manage to find that cracker.txt in %TEMP%, nor the generated folder. Are they being deleted?

I see there's no option for adding screenshots here, so I really hope I made myself clear.
If you have an idea on why I can't locate cracker.txt (nor the folder), please tell me )

Thank you!
*still a noob )

Tal

 
Posted : 08/11/2019 5:09 pm
(@athulin)
Posts: 1156
Noble Member
 

I guess I am missing something, but upon clicking the file (on FLARE VM) I just can't manage to find that cracker.txt in %TEMP%, nor the generated folder. Are they being deleted?

You have to ask yourself: do you trust your finding that the file has been created? If you do … what explanation would there be for your later finding? (As you don't provide any relevant details, I would even guess.)

You should be able to produce at least some hypotheses about what is going on. Deletion by the program you executed is one. Is deletion by some other program a possibility? Are you sure it even *is* deleted? Are you sure the creation of the file was successful?
Your methodology is not entirely clear, so perhaps your chosen method or tool is not up to the job?

You have to identify possible scenarios, and you have to devise methods for testing whether they are correct or not.

For example, if a file is deleted … can you determine that such a deletion has taken place? (Not just conclude it, but actually show it; a deleted file would leave traces in at least a couple of places …) You may also need to ask yourself if the VM you're using is cleaned up enough that you don't have random processes creating random files, which may affect the traces of deletion.

 
Posted : 08/11/2019 5:56 pm
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

Check out ProcMon. It can be used to monitor process activity including file operations.

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

 
Posted : 09/11/2019 3:32 am
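As an added example (not part of any post in this thread, and not a substitute for ProcMon), the following PowerShell script tests the hypothesis raised above: that cracker.txt and the _MEI* folder are created in %TEMP% and removed again quickly. It records every create/change/rename/delete event under %TEMP% with a timestamp, so a short-lived file still leaves a record; $LogPath and $DurationSeconds are hypothetical parameters, and the script is started in the analysis VM before the sample is launched.

```powershell
# Added example, not from the thread: watch %TEMP% for file-system events so that
# a short-lived file such as cracker.txt, or a _MEI* folder, leaves a timestamped
# record even if the sample deletes it immediately after use.
# Assumptions: started before the sample is run; $LogPath and $DurationSeconds
# are hypothetical parameters chosen for this example.
param(
    [string]$WatchPath = $env:TEMP,
    [string]$LogPath = (Join-Path $env:USERPROFILE 'Desktop\temp-watch.csv'),
    [int]$DurationSeconds = 120
)

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $WatchPath
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, DirectoryName, LastWrite'
$watcher.EnableRaisingEvents = $true

# One handler for all event types; appends one CSV row per event.
$action = {
    $e = $Event.SourceEventArgs
    [pscustomobject]@{
        Time     = (Get-Date).ToString('o')
        Change   = $e.ChangeType
        FullPath = $e.FullPath
        OldPath  = if ($e -is [System.IO.RenamedEventArgs]) { $e.OldFullPath } else { '' }
    } | Export-Csv -Path $Event.MessageData -Append -NoTypeInformation
}

foreach ($evt in 'Created', 'Changed', 'Renamed', 'Deleted') {
    Register-ObjectEvent -InputObject $watcher -EventName $evt -Action $action -MessageData $LogPath | Out-Null
}

Write-Host "Watching $WatchPath for $DurationSeconds seconds; events go to $LogPath"
Start-Sleep -Seconds $DurationSeconds

# Tear down the subscriptions, then show only the events that touched
# cracker.txt or a _MEI<digits> directory (the names given in the question).
Get-EventSubscriber | Where-Object { $_.SourceObject -eq $watcher } | Unregister-Event
$watcher.EnableRaisingEvents = $false
$watcher.Dispose()
if (Test-Path $LogPath) {
    Import-Csv $LogPath |
        Where-Object { $_.FullPath -match 'cracker\.txt$|\\_MEI\d+' } |
        Sort-Object Time | Format-Table -AutoSize
}
```

A Created row followed by a Deleted row for the same path confirms the deletion hypothesis; a Created row with no later Deleted row points instead at the search method or at the file's real location.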
(@barburon)
Posts: 11
Active Member
Topic starter
 

Thank you for the help!

I created a text file named "cracker.txt" myself (which the malware looked for). A string that was written to the text file after launching the malware was the solution to the exercise )

Tal

 
Posted : 09/11/2019 2:25 pm