Posted by: Dan O'Connor
backdoor, command and control, communication, digital forensics
Wow, really? I can't wait to get those.
I got a fake Groupon email today with a zip attachment that had an exe inside.
First thing was to get it copied onto my VM system (and hope it does not do something silly while running in a VM).
Then get a few of my favorite utils fired up. For this I am going to just start with CaptureBAT, see what happens, then go from there.
We are off to a good start: it did run. It showed up as a running process of the same name. Here are some other things it did:
- Dropped a file to “Documents and Settings\All Users\svchost.exe”
- Created a persistent method of launching, HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SunJavaUpdateSched: “C:\Documents and Settings\All Users\svchost.exe”
What I have not seen yet is it making a network connection out.