Identifying the registry entry, files dropped, and running processes that are related to the malware requires tools. There are existing tools that we can use to extract these objects. There are two analysis events we should consider: analysis after the malware has been executed and analysis before the malware executes. Since our aim for this chapter is to extract components, we will discuss the tools that can help us find suspected files. Analysis tools that are used after we have extracted our suspected malware will be discussed in further chapters.
When a system has already been compromised, the analyst would need to use tools that can identify suspected files. Each suspected file will be analysed further. To start off, we can identify it based on persistence.
- List down all processes and their respective file information
- From the list of known registry persistence paths, look for entries containing the file paths
- Extract the suspected files
The above steps may require pre-existing tools from Microsoft Windows, such as:
- The Registry Editor (regedit/regedt32) to search the registry
- You can also use the command line for accessing the registry reg.exe, as seen in the following screenshot:
- Task manager (taskmgr) to list down the processes
- Windows Explorer (explorer) or Command prompt (cmd) to traverse directories and retrieve the files.
However, there are also third-party tools that we can use that can help us list down suspected files. Here are a few we will briefly discuss:
- Autoruns
- Process explorer