
SYSTEMBC ROOT ACCESS TROJAN MALWARE ANALYSIS

EKRMA ELNOUR
Outline

01 INTRODUCTION: definition of malware and RAT
02 BACKGROUND: the VMs and tools
03 SETTING UP THE ENVIRONMENT: the VMs and network configuration
04 STATIC ANALYSIS: analysis before running the malware
05 DYNAMIC ANALYSIS: analysis after running the malware
06 CONCLUSION: summary of the process and findings

Introduction

01 MALWARE
Malware is a contraction of "malicious software": intrusive software that is designed to damage and destroy computers and computer systems.

02 RAT
Root Access Trojans are used to infect computer systems in order to gain high-privilege access, also known as "Root" or Administrator privilege.

Tools

These are the main tools used during the analysis process:
REMnux VM
INetSim
VirusTotal
FLARE VM
Wireshark
RegShot
proc_watch

Setting up the Environment

FLARE VM installed on a Windows 10 x64 base system.
REMnux VM installed; both VMs run on VMware Workstation 16 Pro 16.2.2.
VMware virtual network card in host-only mode with IPs in 10.1.1.0 for FLARE VM, isolating the two machines from the host system.
INetSim configured on REMnux and the connection tested.
Two snapshots were taken as recovery points for FLARE: one for the Windows 10 base install and one after configuring FLARE.

FLARE VM (the static and dynamic analysis was done on this machine)
  Memory: 4 GB
  Disk: 60 GB
  Processors: 2 cores (from Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz 2.81 GHz)
  Network: NAT (IP address 10.0.0.3, default gateway 10.0.0.2)

REMnux VM (INetSim was used here to simulate internet services)
  Memory: 2 GB
  Disk: 60 GB
  Processors: 2 cores (from Intel(R) Core(TM) i7-7700HQ CPU @ 2.80GHz 2.81 GHz)
  Network: NAT (IP 10.0.0.2)

STATIC ANALYSIS

01 The hash of the file was calculated and uploaded to VirusTotal; the file was found to be malicious and reported as a network trojan.
02 PEstudio was used to get general information about the file.
03 The FLOSS tool was used to search for network-related strings; different suspicious strings were found, mainly related to network activities.
04 PEstudio shows 36 indicators of malicious use in this file, some of them already found in the FLOSS search, but here they are confirmed.

DYNAMIC ANALYSIS

05 A registry shot was taken before and after running the sample and showed the malware creating a key value for a scheduled task.
06 The process monitoring software proc_watch showed a new launch of the malicious executable "kexvi".
07 Process Monitor was launched to monitor the system and showed repeated launching attempts and network activities.
08 The Wireshark network capture showed multiple connection attempts to 9 different malicious IPs:
128.31.0.34 - 131.188.40.189 - 154.35.175.225 - 171.25.193.9 - 193.23.244.244 - 194.109.206.212 - 199.58.81.140 - 204.13.164.118 - 86.59.21.38
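To turn the proc_watch and Wireshark findings above into a check a defender can run over host telemetry, here is an added example (not part of the original slides). It scans constructed Sysmon-style process-creation and network-connection events for the kexvi.exe launcher path and the nine IPs reported in this analysis; the event shape and its field names (type, image, dst) are assumptions, while the path and IPs come from the report.

```python
"""Match host events against the indicators from this report.
Added example, not the report's own code. The event dicts and their field
names (type/image/dst) are an assumed Sysmon-like shape; the launcher path
and the nine IPs come from the proc_watch and Wireshark findings."""
import ipaddress
from pathlib import PureWindowsPath
from typing import Iterable, Optional

# Indicators taken from the report.
MALICIOUS_IPS = {ipaddress.ip_address(ip) for ip in (
    "128.31.0.34", "131.188.40.189", "154.35.175.225", "171.25.193.9",
    "193.23.244.244", "194.109.206.212", "199.58.81.140", "204.13.164.118",
    "86.59.21.38")}
LAUNCHER_PATH = PureWindowsPath(r"C:\ProgramData\trcn\kexvi.exe")


def match_event(event: dict) -> Optional[str]:
    """Return a reason string if the event matches an indicator, else None."""
    if event.get("type") == "process_create":
        image = PureWindowsPath(event.get("image", ""))
        # Windows paths are case-insensitive, so compare lowercased strings.
        if str(image).lower() == str(LAUNCHER_PATH).lower():
            return f"launcher {image.name} started from {image.parent}"
    elif event.get("type") == "network_connect":
        try:
            dst = ipaddress.ip_address(event.get("dst", ""))
        except ValueError:
            return None  # malformed address: skip rather than crash the scan
        if dst in MALICIOUS_IPS:
            return f"connection attempt to reported malicious IP {dst}"
    return None


def scan(events: Iterable[dict]) -> list:
    """Return (event, reason) pairs for every event matching an indicator."""
    hits = []
    for ev in events:
        reason = match_event(ev)
        if reason:
            hits.append((ev, reason))
    return hits


# Constructed sample events (not captured from the real sample).
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "image": r"C:\ProgramData\trcn\KEXVI.EXE"},
    {"type": "network_connect", "dst": "10.1.1.2"},
    {"type": "network_connect", "dst": "193.23.244.244"},
    {"type": "network_connect", "dst": "not-an-ip"},
]

if __name__ == "__main__":
    for ev, why in scan(SAMPLE_EVENTS):
        print(f"ALERT: {why}  <- {ev}")
```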


Results (screenshots)
VirusTotal results
FLOSS results
PEstudio: header information
PEstudio: blacklisted functions
RegShot results
proc_watch results
Process Monitor results
Wireshark results

Conclusion

The software tested during the writing of this report was found to be malicious.
The malware was first compiled on Fri Sep 13 20:22:07 2019 UTC.
55 security vendors and 2 sandboxes flagged this file as malicious.
The malware creates an executable at C:\ProgramData\trcn\kexvi.exe; this file is the launcher for the connection through the network.
The nine IPs contacted have been reported as malicious.
The later part of the behavior has not been tested due to environment restrictions; a more sophisticated environment is needed.