Regshot (shown in Figure 3-8) is an open source registry comparison tool that allows you to take and compare two registry snapshots.
To use Regshot for malware analysis, simply take the first shot by clicking the 1st Shot button, and then run the malware and wait for it to finish making any system changes. Next, take the second shot by clicking the 2nd Shot button. Finally, click the Compare button to compare the two snapshots.
Example 3-1 displays a subset of the results generated by Regshot during malware analysis. Registry snapshots were taken before and after running the spyware ckr.exe.
Example 3-1. Regshot comparison results
Regshot Comments: Datetime: <date> Computer: MALWAREANALYSIS Username: username ---------------------------------- Keys added: 0 ---------------------------------- ---------------------------------- Values added:3 ---------------------------------- ❶ HKLMSOFTWAREMicrosoftWindowsCurrentVersionRunckr:C:WINDOWSsystem32 ckr.exe ... ... ---------------------------------- Values modified:2 ---------------------------------- ❷ HKLMSOFTWAREMicrosoftCryptographyRNGSeed: 00 43 7C 25 9C 68 DE 59 C6 C8 9D C3 1D E6 DC 87 1C 3A C4 E4 D9 0A B1 BA C1 FB 80 EB 83 25 74 C4 C5 E2 2F CE 4E E8 AC C8 49 E8 E8 10 3F 13 F6 A1 72 92 28 8A 01 3A 16 52 86 36 12 3C C7 EB 5F 99 19 1D 80 8C 8E BD 58 3A DB 18 06 3D 14 8F 22 A4 ... ---------------------------------- Total changes:5 ----------------------------------
As you can see ckr.exe creates a value at HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun as a persistence
mechanism ❶. A certain amount of noise ❷ is typical in these results, because the random-number generator
seed is constantly updated in the registry.
As with procmon, your analysis of these results requires patient scanning to find nuggets of interest.