Basic Dynamic Analysis 5
This event creates a new Run key entry in the registry named "VideoDriver" with a value of "C:\WINDOWS\system32\vmx32to64.exe" -- this is a
persistence mechanism, used to re-launch the malware each time the machine restarts.
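One way to pull Run key writes like this one out of a Procmon capture automatically, rather than scrolling for them, is to export the capture as CSV and scan it for RegSetValue operations whose path falls under a CurrentVersion\Run* key. The script below is an added example, not part of the original lab; the CSV sample inside it is constructed (the "VideoDriver" name and the vmx32to64.exe path are the ones described above, while the process name "sample.exe", the PID, the timestamps and the choice of HKLM over HKCU are assumptions).

```python
import csv
import io
import re

# Constructed Procmon "Save as CSV" export (not from the lab page). The Run key
# value name and data are the ones the lab describes; the process name, PID,
# timestamps and the HKLM hive are assumptions made for this example.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:15.1234567 PM","sample.exe","1432","RegOpenKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Set Value"
"1:02:15.1234890 PM","sample.exe","1432","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDriver","SUCCESS","Type: REG_SZ, Length: 70, Data: C:\WINDOWS\system32\vmx32to64.exe"
"1:02:15.2000000 PM","explorer.exe","1120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDriver","SUCCESS","Type: REG_SZ, Length: 70, Data: C:\WINDOWS\system32\vmx32to64.exe"
"1:02:16.0000000 PM","sample.exe","1432","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\Users\lab\AppData\Local\Temp"
'''

# Value written directly under one of the classic autostart keys, in any hive.
AUTORUN_KEY_RE = re.compile(
    r"\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)\\[^\\]+$",
    re.IGNORECASE,
)
# Procmon's Detail column for RegSetValue ends with "Data: <value data>".
DATA_RE = re.compile(r"Data: (.*)$")


def find_run_key_writes(csv_text):
    """Return one dict per RegSetValue that writes a value under a Run* key.

    Reads (RegQueryValue) and writes elsewhere in the registry are ignored,
    so only the persistence-relevant events come back.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Operation") != "RegSetValue":
            continue
        path = row.get("Path", "")
        if not AUTORUN_KEY_RE.search(path):
            continue
        key, value_name = path.rsplit("\\", 1)
        match = DATA_RE.search(row.get("Detail", ""))
        hits.append({
            "process": row["Process Name"],
            "pid": int(row["PID"]),
            "key": key,
            "value_name": value_name,
            "data": match.group(1) if match else "",
        })
    return hits


if __name__ == "__main__":
    for hit in find_run_key_writes(SAMPLE_PROCMON_CSV):
        print(f"{hit['process']} (PID {hit['pid']}) set "
              f"{hit['key']}\\{hit['value_name']} = {hit['data']}")
```

Run it against a real export with `find_run_key_writes(open("capture.csv").read())`; on the constructed sample it reports only the VideoDriver write, not explorer.exe reading the same value back.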
At the top left of the Wireshark window, in the Filter bar, type a filter of
Every 30 seconds, the malware performs a DNS lookup for the domain "www.practicalmalwareanalysis.com".
Click the line showing the first DNS request for www.practicalmalwareanalysis.com -- in the example above, it is packet 174.
In the top right of Wireshark, in the green filter bar, click the X button to clear the filter.
The packets following the DNS request appear, as shown below. Notice these items:
ARP request and reply to find the MAC address of the DNS resolver (colored pale yellow)
DNS request and reply (colored pale blue)
TCP handshake (SYN, SYN/ACK, ACK) to open port 444 (colored gray and pale pink)
A packet labeled "SSL Continuation Data"
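A fixed 30-second lookup cadence like the one above is the kind of beaconing that is easy to spot in a resolver log even when the domain is unknown, because the gaps between queries have almost no variance. The script below is an added example and not part of the original lab: it parses a constructed, simplified DNS log (the format "timestamp client qtype name", the client address 192.168.1.10 and the www.microsoft.com entries are all made up for the sample) and flags any client/name pair whose inter-query jitter is close to zero.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed resolver log (not from the lab page). One line per query:
# "<ISO timestamp> <client> <qtype> <name>". The malware domain is queried
# every 30 s; the other name is queried at irregular times for contrast.
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:00 192.168.1.10 A www.practicalmalwareanalysis.com
2024-01-01T10:00:05 192.168.1.10 A www.microsoft.com
2024-01-01T10:00:30 192.168.1.10 A www.practicalmalwareanalysis.com
2024-01-01T10:00:07 192.168.1.10 A www.microsoft.com
2024-01-01T10:01:00 192.168.1.10 A www.practicalmalwareanalysis.com
2024-01-01T10:01:30 192.168.1.10 A www.practicalmalwareanalysis.com
2024-01-01T10:01:50 192.168.1.10 A www.microsoft.com
2024-01-01T10:02:00 192.168.1.10 A www.practicalmalwareanalysis.com
2024-01-01T10:02:30 192.168.1.10 A www.practicalmalwareanalysis.com
"""


def parse_dns_log(text):
    """Yield (timestamp, client, name) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, _qtype, name = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        yield when, client, name.lower().rstrip(".")


def find_dns_beacons(text, min_queries=4, max_jitter=0.1):
    """Return {(client, name): {"count", "interval_s", "jitter"}} for pairs
    queried at a near-constant interval.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive queries: a timer-driven lookup gives a value near 0, while
    human browsing produces widely varying gaps. min_queries keeps a handful
    of coincidentally spaced lookups from being reported.
    """
    times = defaultdict(list)
    for when, client, name in parse_dns_log(text):
        times[(client, name)].append(when)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()  # log lines need not arrive in order
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.fmean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            beacons[key] = {"count": len(stamps), "interval_s": mean, "jitter": jitter}
    return beacons


if __name__ == "__main__":
    for (client, name), info in find_dns_beacons(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {name}: {info['count']} queries, "
              f"every {info['interval_s']:.0f}s (jitter {info['jitter']:.2f})")
```

The threshold of 0.1 is a starting point rather than a rule: malware that sleeps with a randomised delay raises the jitter, so when tuning this on real logs it helps to look at the distribution of jitter values across all names before picking a cutoff.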
https://samsclass.info/126/proj/pDC5.htm 6/7