Lab 1: Regshot
Overview
The purpose of this lab is to gain familiarity with using the Regshot tool and with analyzing the output it generates.
Usage
For a quick summary of how to use Regshot take a look at the Regshot Guide.
Part 1: avzhan
For this exercise run the avzhan malware (found at c:\malware\avzhan\avzhan.exe). Let it run for roughly 60 seconds before taking a second snapshot.
Run as Administrator
Make sure to run this specimen as admin by right clicking and selecting Run as Administrator.
Question 1.1
Where does avzhan copy itself to?
Answer
C:\windows\system32 or C:\Windows\SysWOW64.
Question 1.2
What is the name of the .exe file it copies itself to?
Answer
It is randomly generated each time.
Question 1.3
What is the display name of the service it creates?
Answer
juyi
Question 1.4
What is the description of the service it creates?
Answer
tuy
Question 1.5
If you were to create a list of indicators to locate avzhan infections throughout an enterprise, what things would you include?
Answer
There are several options, including the name and description of the service, as well as the hash of the file dropped.
Part 2: Wannacry
For this exercise, use Regshot to analyze some of the system changes made by the Wannacry malware (found at c:\malware\wannacry\wannacry.exe).
To run Wannacry (after taking your first Regshot snapshot), double-click on it from Windows Explorer. Let it run until you get the popup about your data being encrypted, and then take your second snapshot (good thing this is just inside a virtual machine, right?).
Question 2.1
What directories does Wannacry create under c:\malware\wannacry?
Answer
msg
TaskData
TaskData\Data
TaskData\Data\Tor
TaskData\Tor
Question 2.2
What are the names of the single-letter files that Wannacry extracts under c:\malware\wannacry?
Answer
b.wnry
c.wnry
f.wnry
r.wnry
s.wnry
t.wnry
u.wnry
Question 2.3
What are the names of the .exe files Wannacry extracts under c:\malware\wannacry?
Answer
@[email protected]
taskhsvc.exe
tor.exe
taskdl.exe
taskse.exe
Question 2.4
If you were to create a list of indicators to locate Wannacry infections throughout an enterprise, what things would you include?
Answer
Any of the files mentioned.
Part 3: Stabuniq
For this exercise, analyze the stabuniq malware (found at c:\malware\stabuniq\stabuniq.exe).
Run as Administrator
Make sure to run this specimen as admin by right clicking and selecting Run as Administrator.
Question 3.1
What is the name of the .exe file that Stabuniq creates?
Answer
One of
jqs.exe
issch.exe
smagent.exe
acroiehelper.exe
groovemonitor.exe
Question 3.2
What is the full path of the .exe file that Stabuniq creates?
Answer
One of
C:\Program Files (x86)\Common Files\Update
C:\Program Files (x86)\Common Files\Bin
C:\Program Files (x86)\Common Files\Uninstall
C:\Program Files (x86)\Common Files\Helper
C:\Program Files (x86)\Common Files\Installer
Question 3.3
What registry keys does Stabuniq use for persistence?
Answer
The following registry keys:
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run
HKU\S-1-5-21-4215912032-2963297257-152808090-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (1)
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run
(1) If you are examining the output in the lab-data-files, the key will be HKU\S-1-5-21-1758362503-4249257422-3593012196-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run instead.
Question 3.4
If you were to create a list of indicators to locate Stabuniq infections throughout an enterprise, what things would you include?
Answer
Any of the registry keys listed, or combinations of directories and filenames.
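Questions 1.5, 2.4 and 3.4 all ask which Regshot findings to turn into indicators. The script below is an added example, not part of the lab, that parses a Regshot comparison report and pulls out the three kinds of indicator these answers name: service DisplayName/Description values, autorun (Run key) values, and dropped files. The embedded report is a constructed sample laid out the way Regshot's text comparison output is assumed to look (section headers such as "Values added: N" separated by dashed lines, values written as key\name: "data"); the values in it are the ones the lab answers give.

```python
import re

# Constructed sample in the layout of a Regshot comparison report (not a capture from the lab).
SAMPLE_REPORT = r"""Regshot 1.9.0 x64 Unicode
----------------------------------
Values added: 3
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\juyi\DisplayName: "juyi"
HKLM\SYSTEM\CurrentControlSet\Services\juyi\Description: "tuy"
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jqs: "C:\Program Files (x86)\Common Files\Update\jqs.exe"
----------------------------------
Files added: 2
----------------------------------
C:\malware\wannacry\b.wnry
C:\malware\wannacry\taskdl.exe
----------------------------------
Total changes: 5
----------------------------------
"""

SECTION_RE = re.compile(r"^(?:(Keys|Values|Files|Folders) (added|deleted|modified)|Total changes): \d+$")
# Autorun locations behind the persistence question (any hive, incl. WOW6432Node and HKU SIDs).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
SERVICE_RE = re.compile(r"^HKLM\\SYSTEM\\(?:CurrentControlSet|ControlSet\d+)\\Services\\([^\\]+)\\"
                        r"(DisplayName|Description|ImagePath): \"?(.*?)\"?$", re.I)

def parse_regshot(text):
    """Split a Regshot comparison report into {section name: [entries]}."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        m = SECTION_RE.match(line)
        if m:  # section header; the "Total changes" trailer closes the last section
            current = f"{m.group(1)} {m.group(2)}" if m.group(1) else None
        elif line and not line.startswith("-----") and current is not None:
            sections.setdefault(current, []).append(line)
    return sections

def extract_indicators(text):
    """Candidate IOCs: autorun values, new service metadata, dropped artifacts."""
    s = parse_regshot(text)
    values = s.get("Values added", [])
    services = {}
    for v in values:
        m = SERVICE_RE.match(v)
        if m:  # group as service name -> {DisplayName/Description/ImagePath: data}
            services.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return {"autoruns": [v for v in values if RUN_KEY_RE.search(v)],
            "services": services,
            "dropped_files": [f for f in s.get("Files added", [])
                              if f.lower().endswith((".exe", ".dll", ".wnry"))]}
```

Point it at a saved Regshot comparison instead of SAMPLE_REPORT to triage a real run; the file hashes the Part 1 answer mentions still have to be collected separately, since Regshot only records paths.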