By running a query to search for any new keys created in the HKEY_USERS hive in the last 100 seconds, as we did previously for files, we can see the new “Shrug” key. This time we can use the registry table to see if any new entry has been created in the registry. If not, it creates a new registry key with the same name to write the installation parameters. This file first checks if the system is already infected. NET framework, so we can open it again with the debugger and see some interesting parts. Running the following query, we can see how the malware has written a new entry, pointing to the ‘shrug.exe’ file discovered with the first query.
This second table contains a set of predefined paths that the system uses to run programs automatically at startup. We can also use the ‘startup_items’ table. For that, we can use the ‘registry’ Osquery table, which allows us to query all the registry entries in the system. We are just searching for files written on Users directories in the last 100 seconds.Īdditionally, we can search for the new entry created in the registry hive. For example, if you remember the query we used to log files written on disk in Part 1 of this blog series, we can also use it here to detect the file planted on user temp directory. If we run the sample in our Osquery environment, we can easily detect this activity using a couple of queries. This is a common persistence mechanism that malware droppers use in order to stay in the system. The malware will be executed every time the user logs on. NET debugger, we can see that it first creates a new file in the user temp directory and writes a new value in the “CurrentVersionRun” registry key for the user space pointing to that file. This malware encrypts users' personal documents and requests an amount of Bitcoins to get all files restored back. NET framework, in particular a sample of Shrug ransomware. In this case, we will analyze a piece of malware built using the.
To do so, we will continue using Osquery to explore the registry and startup_items tables. In this post, we are going to see another common technique that malware uses persistence. Using Osquery, we were able to discover how it infects a system using a malicious Microsoft Office document and how it extracts and executes the payload.
%20(1).png "osquery usecases")
In that post, we followed the activity of the known Emotet loader, popular for distributing banking trojans. In the first part of this series, we saw how you can use Osquery to analyze and extract valuable information about malware’s behavior.
0 kommentar(er)
