Lab 14

DFTT Lab No. 14

Uploaded by Muhammad Tariq
Figure 11.32: Executing KPCR scan

Lab 4: Malware analysis

The term "Malicious Software" is referred to by the single-word term "Malware." The word "malware" refers to a broad range of dangerous software created by online criminals. Cyberattacks now affect an increasing number of internet users, and enterprises of every size are increasingly a target. Malicious software opens a backdoor into computers, allowing the theft of many types of data, including private information.

Malware analysis is the process of understanding how a piece of malware works and what its potential consequences are. It is important to understand that malware can carry out a wide range of activities and that malware code can vary greatly. It may take the form of Trojan horses, worms, viruses, and other kinds of malicious programs. Each sort of malware collects data about the infected machine without the user's knowledge or consent.

Aim: To perform malware analysis of Pony malware in Windows.

Pony virus, often referred to by the names Pony Stealer, Pony Loader, Fareit, and other variations, is a password-stealing program that has the ability to decrypt or unlock credentials for over 110 different apps, including VPN, FTP, e-mail, instant messaging and Web browser clients, among many others. Pony Stealer is incredibly harmful: once it takes over a computer, it turns it into part of a botnet that may be exploited to spread to other computers. Pony is more than simply a tool for stealing credentials or bitcoin. It is actually a botnet controller that preys on Windows computers. In order to create and administer its botnets, it includes a control panel, database and user administration, logging, and statistics.

Prerequisites:

1. Download the Pony malware sample from https://any.run/malware-trends/pony.
2. Extract the file (as shown in Figure 11.33) from the password-protected zipped file.
Figure 11.33: Malware is password protected

3. Use the extracted file carefully to get information about the Pony malware using the tools listed as follows:
   * Download the HxD hex editor. Link: https://mh-nexus.de/en/hxd
   * Download Exeinfo PE, a PE file identification program. Link: https://exeinfo-
   * Download PeStudio, a malware initial assessment tool. Link: https://www.winitor.com/

Note: Guidelines for malware analysis.
* Virtual machines (VMs) should always be used for malware analysis.
* The VM should be updated and must be used in a Host-Only network configuration.
* No USB drive should be plugged into the VM.
* No important data should be present on the VM.
* Disable all shared folders between the host and the VM.
* Always use compressed and password-protected malware samples only, to prevent accidental execution of the malware.

Performing Malware Analysis:

HxD

Hex editors are among the most straightforward malware analysis tools, yet they can be quite effective. A hex editor like HxD is designed to display both the file's raw hexadecimal content and its ASCII interpretation.

1. Open the malware in the HxD hex editor.
2. Look for 4D 5A (the signature) in the first Offset(h) row under columns 00 and 01 (the first two bytes).
3. 4D 5A ("MZ") marks a Portable Executable (PE) file, i.e., an (.exe) or (.dll) file.
4. Search for the notice "program cannot be run in DOS mode" in the Decoded text pane, verifying that it is a PE program.

Figure 11.34: Opening the malware in HxD

Exeinfo PE

Exeinfo PE is a small program that displays numerous details about any executable file. This tool assists in checking all the attributes of (.exe) files and verifying them. You can also rename the file, run the .exe directly, or simply delete it.
Further information includes the precise size and location of the entry point. To put it simply, you have access to a vast array of options for inspecting and editing any Windows executable file.

1. Open the malware in Exeinfo PE.

[Figure: Exeinfo PE output showing the sample's file hash and entry point; the values are not legible in this extraction.]
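The HxD steps above (look for 4D 5A, then for the DOS-mode notice) and the entry point that Exeinfo PE reports can be reproduced with a short static check that never runs the sample. The script below is an added example, not part of the lab or of either tool; it reads only the DOS header, the PE signature and the COFF/optional header fields, and the sample bytes it analyses are a constructed, minimal PE32 header (not a real program, and not the Pony sample) so that it runs offline.

```python
import struct

# The notice the lab has you search for in HxD's Decoded text pane.
DOS_STUB_MESSAGE = b"This program cannot be run in DOS mode"


def triage_pe(data: bytes) -> dict:
    """Static first look at a file's PE header; mirrors HxD steps 2-4.

    Returns a dict of findings. The file content is only parsed, never executed.
    """
    result = {
        "mz_signature": False,
        "dos_stub_message": False,
        "pe_signature": False,
        "machine": None,
        "num_sections": None,
        "entry_point": None,
        "notes": [],
    }
    # Step 2/3: the first two bytes must be 4D 5A ("MZ") for a PE (.exe/.dll) file.
    if len(data) < 64 or data[:2] != b"MZ":
        result["notes"].append("no MZ signature at offset 0: not a PE file")
        return result
    result["mz_signature"] = True
    # Step 4: the DOS stub normally carries the "cannot be run in DOS mode" notice.
    result["dos_stub_message"] = DOS_STUB_MESSAGE in data
    # e_lfanew (offset 0x3C of the DOS header) points to the "PE\0\0" signature.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):
        result["notes"].append("e_lfanew points past end of file: truncated or malformed header")
        return result
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        result["notes"].append("MZ present but no PE signature at e_lfanew")
        return result
    result["pe_signature"] = True
    # COFF file header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, num_sections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4
    )
    result["machine"] = machine
    result["num_sections"] = num_sections
    # AddressOfEntryPoint sits at offset 16 of the optional header (PE32 and PE32+);
    # this is the "Entry Point" value a tool like Exeinfo PE displays.
    opt_start = e_lfanew + 24
    if opt_size >= 20 and opt_start + 20 <= len(data):
        (entry,) = struct.unpack_from("<I", data, opt_start + 16)
        result["entry_point"] = entry
    else:
        result["notes"].append("optional header too short to read AddressOfEntryPoint")
    return result


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 header for testing (not a real executable)."""
    e_lfanew = 0x80
    # DOS header: "MZ", padding, then e_lfanew at offset 0x3C.
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # DOS stub carrying the usual notice, padded up to e_lfanew.
    stub = DOS_STUB_MESSAGE + b".\r\n$"
    dos_stub = stub + b"\x00" * (e_lfanew - 0x40 - len(stub))
    # COFF header: i386 machine, 3 sections, 0xE0-byte optional header, EXECUTABLE|32BIT.
    coff = struct.pack("<HHIIIHH", 0x014C, 3, 0, 0, 0, 0xE0, 0x0102)
    # PE32 optional header start: Magic 0x10B ... AddressOfEntryPoint 0x1234 at offset 16.
    optional = struct.pack(
        "<HBBIIIIIII", 0x10B, 14, 0, 0x1000, 0x2000, 0, 0x1234, 0x1000, 0x2000, 0x400000
    )
    optional += b"\x00" * (0xE0 - len(optional))
    return dos_header + dos_stub + b"PE\x00\x00" + coff + optional


if __name__ == "__main__":
    # Stand-alone run over the constructed header; swap in open(path, "rb").read()
    # to triage a file you have extracted into the analysis VM.
    findings = triage_pe(build_sample_pe())
    for key, value in findings.items():
        print(f"{key:>17}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:>17}: {value}")
```

The function stops early and records a note whenever a header is missing or truncated, so a file that merely starts with 4D 5A but has a bogus e_lfanew is reported as "MZ present but no PE signature" rather than trusted as a PE; that is the same distinction the lab draws between the two-byte signature and the DOS-mode notice.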
