Beyond good ol’ Run key, Part 28

February 23, 2015 in Anti-Forensics, Autostart (Persistence), Compromise Detection, Forensic Analysis, Malware Analysis

I was curious whether any of the phantom DLLs I wrote about before still exist on Windows 10 TP. It turns out that they do, but fewer of them can be leveraged as a persistence mechanism than on older versions of the OS.

Here is a list of the groups I found; each group is headed by the process name, and where a DLL name follows the process name in parentheses, that DLL is the one responsible for loading the actual phantom DLL.

%SYSTEM%\Dism.exe (WimProvider.DLL)
  • %SYSTEM%\Dism\wimgapi.dll
  • %SYSTEM%\DismCore.dll
%SYSTEM%\FileHistory.exe (clr.dll)
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\api-ms-win-core-winrt-l1-1-0.dll
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\ole32.dll
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\urlmon.dll
%SYSTEM%\mmc.exe (clr.dll)
  • %WINDOWS%\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\oleaut32.dll
  • %WINDOWS%\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\shell32.dll
  • %WINDOWS%\Microsoft.Net\assembly\GAC_MSIL\MIGUIControls\v4.0_1.0.0.0__31bf3856ad364e35\ntdll.dll
  • %WINDOWS%\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\comctl32.dll
  • %WINDOWS%\Microsoft.Net\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\uxtheme.dll
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\api-ms-win-core-winrt-l1-1-0.dll
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\mscoree.dll
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\ole32.dll
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\VERSION.dll
%SYSTEM%\Narrator.exe (MSTTSEngine.DLL)
  • %SYSTEM%\speech\engines\tts\MSTTSLocEnUS.DLL (I have not explored it, but there is a possibility that on non-English Windows it would be a different localization DLL)
  • cmnet.dll
  • %WINDOWS%\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationHost_v0400.dll
%SYSTEM%\provtool.exe (ProvEngine.dll)
  • MvHelper.dll
%SYSTEM%\SearchIndexer.exe
  • %SYSTEM%\msfte.dll
  • %SYSTEM%\msTracer.dll
%SYSTEM%\SearchProtocolHost.exe
  • %SYSTEM%\msfte.dll
  • %SYSTEM%\msTracer.dll

Probably the most interesting are SearchIndexer.exe and SearchProtocolHost.exe, as they are running by default. Here is a screenshot capturing the moment when %SYSTEM%\msfte.dll is present on the system and the user types something in the Search Box.

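The list above is something a defender can turn into a check: none of these files should exist on a clean Windows 10 TP install, so the presence of any of them is worth triaging (publisher signature, hash, timestamps, which process actually loads it). The script below is an added example, not code from the post or from Hexacorn. It transcribes the list into a table, expands %SYSTEM% and %WINDOWS% to their default locations (an assumption; point the roots at a mounted image to scan an offline disk instead), and reports every listed path that exists. For entries the post gives as bare names (cmnet.dll, MvHelper.dll) it checks only the executable's own directory, the first location in the Windows DLL search order, which is a deliberate simplification. The SearchIndexer.exe and SearchProtocolHost.exe entries are reconstructed from the list's duplicated msfte.dll/msTracer.dll lines and the post's remark about those two processes; the post gives no loader DLL for them.

```python
"""Scan a Windows host for the phantom DLL paths listed in the post (added example)."""
import ntpath
import os
from typing import Callable, Dict, List, Optional, Tuple

# Where the post's %SYSTEM% and %WINDOWS% placeholders expand on a default
# install (assumption); point them at a mounted image to scan an offline disk.
DEFAULT_ROOTS: Dict[str, str] = {
    "%SYSTEM%": r"C:\Windows\System32",
    "%WINDOWS%": r"C:\Windows",
}

NET = r"%WINDOWS%\Microsoft.NET\Framework\v4.0.30319"
GAC32 = r"%WINDOWS%\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089"
GACMSIL = r"%WINDOWS%\Microsoft.Net\assembly\GAC_MSIL"
WINFORMS = GACMSIL + r"\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089"

# process -> (loader DLL given in parentheses in the post, or None; phantom DLLs)
PHANTOM_DLLS: Dict[str, Tuple[Optional[str], List[str]]] = {
    r"%SYSTEM%\Dism.exe": ("WimProvider.DLL", [
        r"%SYSTEM%\Dism\wimgapi.dll", r"%SYSTEM%\DismCore.dll"]),
    r"%SYSTEM%\FileHistory.exe": ("clr.dll", [
        NET + r"\api-ms-win-core-winrt-l1-1-0.dll", NET + r"\mscoree.dll",
        NET + r"\ole32.dll", NET + r"\urlmon.dll"]),
    r"%SYSTEM%\mmc.exe": ("clr.dll", [
        GAC32 + r"\oleaut32.dll", GAC32 + r"\shell32.dll",
        GACMSIL + r"\MIGUIControls\v4.0_1.0.0.0__31bf3856ad364e35\ntdll.dll",
        WINFORMS + r"\comctl32.dll", WINFORMS + r"\uxtheme.dll",
        NET + r"\api-ms-win-core-winrt-l1-1-0.dll", NET + r"\mscoree.dll",
        NET + r"\ole32.dll", NET + r"\VERSION.dll"]),
    r"%SYSTEM%\Narrator.exe": ("MSTTSEngine.DLL", [
        r"%SYSTEM%\speech\engines\tts\MSTTSLocEnUS.DLL", "cmnet.dll",
        NET + r"\WPF\PresentationHost_v0400.dll"]),
    r"%SYSTEM%\provtool.exe": ("ProvEngine.dll", ["MvHelper.dll"]),
    # The post singles these two out because they run by default; no loader given.
    r"%SYSTEM%\SearchIndexer.exe": (None, [
        r"%SYSTEM%\msfte.dll", r"%SYSTEM%\msTracer.dll"]),
    r"%SYSTEM%\SearchProtocolHost.exe": (None, [
        r"%SYSTEM%\msfte.dll", r"%SYSTEM%\msTracer.dll"]),
}


def expand(path: str, roots: Dict[str, str] = DEFAULT_ROOTS) -> str:
    """Replace the post's placeholders with concrete directories."""
    for token, root in roots.items():
        path = path.replace(token, root)
    return path


def resolve(process: str, dll: str, roots: Dict[str, str] = DEFAULT_ROOTS) -> str:
    """Turn one DLL entry into the concrete path to check.

    Entries without a directory part are looked up by the loader along the
    DLL search order, whose first location is the executable's own directory;
    only that first location is checked here (simplification).
    """
    if ntpath.dirname(dll) == "":
        dll = ntpath.join(ntpath.dirname(process), dll)
    return expand(dll, roots)


def scan(candidates: Dict[str, Tuple[Optional[str], List[str]]] = PHANTOM_DLLS,
         exists: Callable[[str], bool] = os.path.exists,
         roots: Dict[str, str] = DEFAULT_ROOTS) -> List[Tuple[str, Optional[str], str]]:
    """Return (process, loader, path) for every listed phantom DLL that is present.

    The post reports none of these files on a clean Windows 10 TP install, so
    every hit deserves triage rather than being treated as a confirmed implant.
    """
    hits: List[Tuple[str, Optional[str], str]] = []
    for process, (loader, dlls) in candidates.items():
        for dll in dlls:
            path = resolve(process, dll, roots)
            if exists(path):
                hits.append((expand(process, roots), loader, path))
    return hits


if __name__ == "__main__":
    # Silence means none of the listed phantom DLLs exists on this host.
    for process, loader, path in scan():
        via = f" via {loader}" if loader else ""
        print(f"PRESENT: {path}  (loaded by {process}{via})")
```

The `exists` parameter is injectable so the same table can be run against a live host with `os.path.exists`, against a file list exported from an image, or against a baseline of known-good hosts to spot the one where a listed path has appeared.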

Year of Sheep starts with a bag full of atoms

February 19, 2015 in Compromise Detection, Malware Analysis

It’s Chinese New Year, so here is a bunch of atoms for ya to play with.

Happy New Year!

p.s. If you find any mistakes, please let me know. This list SHOULD NOT be taken at face value, as there are a lot of ways for it to get contaminated. It is much shorter than the list of mutants, but I hope it’s better than nothing :-)

p.s.2. You may also grab the list of mutants.