
5/25/24, 9:35 AM 5. Basic Dynamic Analysis

Double-click the event with a Path ending in VideoDriver.

This event creates a new Run key in the registry named "VideoDriver" with a value of "C:\WINDOWS\system32\vmx32to64.exe" -- this is a
persistence mechanism, used to re-launch the malware when the machine restarts.

Viewing Beacons in Wireshark


In the Windows machine, in Wireshark, click Capture, Stop.

At the top left of the Wireshark window, in the Filter bar, type a filter of

frame contains malware

Press Enter to see the filtered packets, as shown below.

Every 30 seconds, the malware performs a DNS lookup for the domain "www.practicalmalwareanalysis.com".

Click the line showing the first DNS request for www.practicalmalwareanalysis.com -- in the example above, it is packet 174.

In the top right of Wireshark, in the green filter bar, click the X button to clear the filter.

The packets following the DNS request appear, as shown below. Notice these items:

ARP request and reply to find the MAC address of the DNS resolver (colored pale yellow)
DNS request and reply (colored pale blue)
TCP handshake (SYN, SYN/ACK, ACK) to open port 444 (colored gray and pale pink)
A packet labeled "SSL Continuation Data"
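The steady 30-second DNS lookup seen above is the signature of a beacon, and it can be found without scrolling through the packet list. The following script is an added example written for this page, not part of the samsclass.info lab or the book's lab files. It takes text in the shape of a tshark field export (frame.time_relative and dns.qry.name, tab-separated), groups queries by domain, and flags any domain that is resolved at a near-constant interval. The sample log lines, the frame times, the unrelated domains, and the jitter threshold are all constructed for illustration.

```python
"""Detect periodic DNS beaconing in a tshark-style text export.

Added example (not part of the samsclass.info lab): the lab observes the
malware resolving www.practicalmalwareanalysis.com every 30 seconds in
Wireshark.  This script turns that observation into a check: parse lines
of the form produced by
    tshark -r capture.pcapng -Y dns.flags.response==0 \
           -T fields -e frame.time_relative -e dns.qry.name
group the queries by domain, and report domains whose lookups recur at a
steady interval.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample export: relative time in seconds, tab, queried name.
# The times and the non-malware domains are invented for this example.
SAMPLE_DNS_LOG = """\
1.204\twww.msftncsi.com
3.010\twww.practicalmalwareanalysis.com
9.881\tctldl.windowsupdate.com
33.012\twww.practicalmalwareanalysis.com
47.500\twww.msftncsi.com
63.009\twww.practicalmalwareanalysis.com
93.011\twww.practicalmalwareanalysis.com
123.014\twww.practicalmalwareanalysis.com
"""


def parse_dns_log(text):
    """Return {domain: sorted list of query times} from 'time<TAB>qname' lines."""
    queries = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            t_str, qname = line.split("\t", 1)
            t = float(t_str)
        except ValueError:
            continue  # skip malformed lines instead of aborting the whole run
        queries[qname.strip().lower()].append(t)
    for times in queries.values():
        times.sort()
    return dict(queries)


def find_beacons(queries, min_queries=4, max_jitter_ratio=0.1):
    """Return {domain: (period_s, jitter_s)} for domains queried at a steady interval.

    A domain is reported when it was queried at least `min_queries` times and
    the standard deviation of the gaps between consecutive queries is no more
    than `max_jitter_ratio` of the mean gap.  Both thresholds are assumptions
    chosen for this example, not values taken from the lab.
    """
    beacons = {}
    for domain, times in queries.items():
        if len(times) < min_queries:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(gaps)
        jitter = pstdev(gaps)
        if period > 0 and jitter <= max_jitter_ratio * period:
            beacons[domain] = (round(period, 3), round(jitter, 3))
    return beacons


if __name__ == "__main__":
    for domain, (period, jitter) in find_beacons(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{domain}: resolved every {period:.1f}s (jitter {jitter:.3f}s)")
```

On the constructed sample only the lab's domain is reported, with a period of about 30 seconds; the two Windows domains are queried too rarely and too irregularly to qualify. The same logic applies to any capture exported the same way, and the jitter ratio is the knob to loosen if a sample deliberately randomizes its sleep between check-ins.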

https://samsclass.info/126/proj/pDC5.htm 6/7
