Can't locate folder nor files generated by malware  

barburon
(@barburon)
New Member

Hello everybody!

I learned so much here the last time I had a question, and would love to get your opinion on the following.

As a part of a malware analysis course in college, we were asked to analyze a malicious file (WhatAmI.exe).

I've tracked the file's progress, and noticed that upon opening, a folder with a random name is being created under the %TEMP% folder. More interesting is the creation of a file named cracker.txt in %TEMP% (not in the new folder).

"cracker.txt" is (apparently) generated at C:\users\IEUser\AppData\Local\Temp\cracker.txt.
The folder is (supposed to be) at C:\users\IEUser\AppData\Local\Temp\_MEI32602 (the name is random).

I guess I am missing something, but upon clicking the file (on FLARE VM) I just can't manage to find that cracker.txt in %TEMP%, nor the generated folder. Are they being deleted?

I see there's no options for adding screenshots here, so I really hope I made myself clear.
If you have an idea why I can't locate cracker.txt (nor the folder), please tell me :)

Thank you!
*still a noob :)

Tal

Posted : 08/11/2019 5:09 pm
athulin
(@athulin)
Community Legend

I guess I am missing something, but upon clicking the file (on FLARE VM) I just can't manage to find that cracker.txt in %TEMP%, nor the generated folder. Are they being deleted?

You have to ask yourself: do you trust your finding that that file has been created? If you do … what explanation would there be for your later finding? (As you don't provide any relevant details, I would even guess.)

You should be able to produce at least some hypotheses about what is going on. Deletion by the program you executed is one. Is deletion by some other program a possibility? Are you sure it even *is* deleted? Are you sure the creation of the file was successful?
Your methodology is not entirely clear – so perhaps your chosen method or tool is not up to the job?

You have to identify possible scenarios, and you have to devise methods for testing whether they are correct or not.

For example, if a file is deleted … can you determine that such a deletion has taken place? (Not just conclude it, but actually show it: a deleted file would leave traces in at least a couple of places … ) You may also need to ask yourself if the VM you're using is cleaned up enough that you don't have random processes creating random files, which may affect traces of deletion.

Posted : 08/11/2019 5:56 pm
tracedf
(@tracedf)
Active Member

Check out ProcMon. It can be used to monitor process activity including file operations.

https://docs.microsoft.com/en-us/sysinternals/downloads/procmon

Posted : 09/11/2019 3:32 am
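An added example, not from the thread or any of its posters, of doing with a script what ProcMon shows interactively: a PowerShell FileSystemWatcher logs every Created/Changed/Deleted event under %TEMP% (including the random _MEI* folder) and copies each new file out before the program can remove it, so a short-lived cracker.txt is captured rather than missed. The evidence folder and log file name are this example's own choices.

```powershell
# Added example (not from the thread): watch %TEMP% for short-lived files and preserve a copy
# before the program that created them deletes them. The evidence folder is an assumed path.
$Evidence = Join-Path $env:USERPROFILE 'Desktop\temp_evidence'
New-Item -ItemType Directory -Path $Evidence -Force | Out-Null
$Log = Join-Path $Evidence 'temp_activity.log'

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $env:TEMP
$watcher.IncludeSubdirectories = $true   # also see inside the random _MEI* folder
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, DirectoryName, LastWrite'
$watcher.EnableRaisingEvents = $true

# One handler for Created/Changed/Deleted. Handlers run in the console's runspace, so the
# evidence paths are passed in via -MessageData rather than read from local variables.
$handler = {
    $e = $Event.SourceEventArgs
    $line = '{0:yyyy-MM-dd HH:mm:ss.fff}  {1,-8} {2}' -f (Get-Date), $e.ChangeType, $e.FullPath
    Add-Content -LiteralPath $Event.MessageData.Log -Value $line
    if ($e.ChangeType -ne 'Deleted' -and (Test-Path -LiteralPath $e.FullPath -PathType Leaf)) {
        # Copy right away: the file may be gone milliseconds later. Subfolder names are
        # flattened into the copy's file name so files from _MEI* folders don't collide.
        $dest = Join-Path $Event.MessageData.Dir ($e.Name -replace '[\\/:]', '_')
        try { Copy-Item -LiteralPath $e.FullPath -Destination $dest -Force -ErrorAction Stop }
        catch { Add-Content -LiteralPath $Event.MessageData.Log -Value "  copy failed: $($_.Exception.Message)" }
    }
}
$data = @{ Dir = $Evidence; Log = $Log }
$subs = 'Created', 'Changed', 'Deleted' | ForEach-Object {
    Register-ObjectEvent -InputObject $watcher -EventName $_ -Action $handler -MessageData $data
}

Write-Host "Watching $env:TEMP - launch the sample now, press Ctrl+C when done."
try {
    # Events are only dispatched while the console is idle, so keep it idle in a sleep loop.
    while ($true) { Start-Sleep -Seconds 1 }
}
finally {
    $subs | ForEach-Object { Unregister-Event -SourceIdentifier $_.Name }
    $watcher.Dispose()
    # Quick check for the file the exercise revolves around.
    Select-String -Path $Log -Pattern 'cracker\.txt'
}
```

Run it in an elevated PowerShell on the analysis VM before starting the sample; the log's timestamps show how long each file existed, and the copies in the evidence folder hold whatever the program wrote.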
barburon
(@barburon)
New Member

Thank you for the help!

I created a text file named "cracker.txt" myself (which the malware looked for). A string that was written to the text file after launching the malware was the solution to the exercise :)

Tal

Posted : 09/11/2019 2:25 pm