A friend called me today because he opened an attachment of an email. It was a double-zipped exe file - and malware:
I started to analyze the file: first with VirusTotal - then with radare2 and the free version of IDA Pro. I tried to disassemble & decompile the file - but decompilation failed several times. I set up a virtual machine and tried to do a dynamic analysis of the obvious malware - but it seems that it has VM- and debugging-detection.
VirusTotal gave me several results - my sample seems to be new; only 2 engines detected it as malware. Now - some hours later - more engines found "something":
Ad-Aware Gen:Variant.Razy.64218
Arcabit Trojan.Razy.DFADA
Cyren W32/Trojan.KQSF-4006
ESET-NOD32 Win32/TrojanDownloader.Nymaim.BA
GData Win32.Trojan-Downloader.Nymaim.3J4DDZ
eScan Gen:Variant.Razy.64218
Qihoo-360 HEUR/QVM20.1.0000.Malware.Gen
But what malware do I have here?
VirusTotal says that the malware opens/reads/alters the following files:
C:\7e1495fc92e7062775399d62cc2a7bc62f54955cd8ce4f8d9af61c9b71b4eadd
\\.\PIPE\lsarpc
C:\WINDOWS\system32\winsock.dll
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\netmsg.dll
rpcrt4.dll
shlwapi.dll
version.dll
shell32.dll
user32.dll
advapi32.dll
ntdll.dll
kernel32.dll
and starts the following process:
C:\WINDOWS\system32\drwtsn32 -p 668 -e 172 -g
After disassembly I found some clues that the malware possibly uses HttpOpenRequestA via wininet - so it maybe tries to communicate with the internet.
I found quite a bit of stuff - but:
How can I prove that the malware was executed and infected the system?
Of course one step is to search for files which were created during the possible execution time. But it should be possible to spoof the timestamps - so comparing the files on the possibly infected PC with some clean files via hash sums is maybe the better way.
But where can I find "clean files"? Or is there a better way to prove the infection?
Thank you & cheers!
Edit:
The questions asked & answered here are good as a walkthrough for infected systems. But my question is how I can find out whether my system is compromised or not, especially for this new kind of malware. It cannot be a solution to nuke every system as prevention...
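The hash-sum comparison the post proposes, as an added example that is not part of the original question: it hashes every regular file under a directory tree, compares the result against a baseline taken from a known-clean tree, and reports added, removed and modified files. The example ignores timestamps on purpose, since those can be restored by an attacker, and the `demo()` function constructs its own throwaway files (a placeholder DLL that is altered with its mtime put back, plus a dropped file) rather than touching a real system; the directory names and file contents in it are invented for the demonstration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """SHA-256 of a file, read in chunks so large binaries don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map relative path -> SHA-256 for every regular file under root.

    mtime/ctime are deliberately not recorded: timestamps can be forged with a
    single API call, but file contents cannot be changed without changing the hash.
    """
    root = Path(root)
    result = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            result[rel] = sha256_of(p)
    return result


def compare(baseline, current):
    """Diff two hash maps: files only in current, only in baseline, or with differing hashes."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(
        p for p in set(baseline) & set(current) if baseline[p] != current[p]
    )
    return {"added": added, "removed": removed, "modified": modified}


def demo():
    """Constructed scenario: a clean tree, then the same tree after a hypothetical infection.

    Returns the comparison result and whether the altered file's mtime still looks clean,
    which shows why a timestamp search alone would miss the change.
    """
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "system32").mkdir()
        dll = root / "system32" / "example.dll"          # placeholder, not a real DLL
        dll.write_bytes(b"MZ clean placeholder contents")
        (root / "system32" / "untouched.dll").write_bytes(b"MZ untouched")
        baseline = hash_tree(root)                       # taken from the clean state

        # "Infection": patch the DLL, then restore its access/modification times so a
        # timestamp-based search would not flag it, and drop one new file.
        st = dll.stat()
        dll.write_bytes(b"MZ clean placeholder contents" + b"\x90" * 8)
        os.utime(dll, ns=(st.st_atime_ns, st.st_mtime_ns))
        (root / "dropped_placeholder.bin").write_bytes(b"dropped payload placeholder")

        current = hash_tree(root)
        mtime_unchanged = dll.stat().st_mtime_ns == st.st_mtime_ns
        return compare(baseline, current), mtime_unchanged


if __name__ == "__main__":
    diff, mtime_unchanged = demo()
    print("mtime of patched file unchanged:", mtime_unchanged)
    for kind in ("added", "removed", "modified"):
        for path in diff[kind]:
            print(f"{kind:9} {path}")
```

For a real comparison the baseline side has to come from somewhere the malware never ran: a fresh install of the same Windows version and patch level, or a published reference hash set such as NIST's NSRL, and the suspect side should be hashed from a disk mounted under a clean boot medium, because a running infection can hide or substitute files that a tool executed on the live system would read.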