The malware analyzed for this project is called whoami.exe. It was written for educational purposes. The malware was analyzed in a virtual environment. Network connectivity was simulated with INetSim on a REMnux VM, and DNS resolution was simulated with ApateDNS.
- Strings/FLOSS
- Detect-It-Easy
- Dependencies
- PE-Bear
- RisohEditor
- Process Monitor
- Process Explorer
- Regshot
- Inetsim, ApateDNS, Wireshark
The malware examined for this project is most likely a trojan horse. It disguises itself as the Windows command whoami and attempts to download an unknown executable from a remote server. The malware behaves identically to the original whoami command, except that, as noted in the network section, it prints the username in all uppercase, whereas the genuine whoami prints it in lowercase. The malware spends a significant amount of effort disguising itself, running as a background process, and gathering information about the infected computer's network. The strongest indicator of this malware is its network activity: the domain it tries to contact is one used by developers to test their code, and it is unusual for a program to connect to such a service. The malware also appears to contain statically linked libraries, potentially for use by the executable it tries to download.
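The two indicators above (a whoami.exe that touches the network or runs from outside System32, and the uppercase username quirk) can be turned into a simple triage check. The following is an added example, not part of the original report; it assumes a simplified Process Monitor-like CSV layout and uses constructed sample events.

```python
# Constructed sample events in a simplified Process Monitor-like CSV layout
# (assumption: not real tool output): time,process,pid,operation,detail,result
SAMPLE_LOG = """\
10:01:02,whoami.exe,4120,Process Start,C:\\Users\\lab\\Downloads\\whoami.exe,SUCCESS
10:01:02,whoami.exe,4120,Load Image,C:\\Windows\\System32\\ws2_32.dll,SUCCESS
10:01:03,whoami.exe,4120,UDP Send,10.0.0.5:53,SUCCESS
10:01:03,whoami.exe,4120,TCP Connect,10.0.0.5:80,SUCCESS
10:01:05,whoami.exe,4388,Process Start,C:\\Windows\\System32\\whoami.exe,SUCCESS
10:01:05,cmd.exe,2200,Process Start,C:\\Windows\\System32\\cmd.exe,SUCCESS
"""

# The genuine whoami never talks to the network; any of these operations is a red flag.
NETWORK_OPS = {"TCP Connect", "TCP Send", "TCP Receive", "UDP Send", "UDP Receive"}
# Where the real binary lives (assumption: 64-bit Windows, including the WOW64 copy).
LEGIT_PATHS = {r"c:\windows\system32\whoami.exe", r"c:\windows\syswow64\whoami.exe"}


def parse_events(text: str) -> list[dict]:
    """Split the constructed log into one dict per event (detail contains no commas)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, proc, pid, op, detail, result = line.split(",", 5)
        events.append({"time": time, "process": proc, "pid": int(pid),
                       "op": op, "detail": detail, "result": result})
    return events


def suspicious_whoami(events: list[dict]) -> dict[int, list[str]]:
    """Map PID -> reasons for whoami.exe processes that behave unlike the real tool."""
    findings: dict[int, list[str]] = {}
    for e in events:
        if e["process"].lower() != "whoami.exe":
            continue
        reasons = findings.setdefault(e["pid"], [])
        if e["op"] == "Process Start" and e["detail"].lower() not in LEGIT_PATHS:
            reasons.append(f"started from unexpected path {e['detail']}")
        if e["op"] in NETWORK_OPS:
            reasons.append(f"network activity: {e['op']} to {e['detail']}")
    return {pid: r for pid, r in findings.items() if r}


def uppercase_user_output(output: str) -> bool:
    """True if the user part of a DOMAIN\\user line is all uppercase, the quirk the
    report attributes to the sample (the genuine whoami prints it in lowercase)."""
    user = output.strip().rsplit("\\", 1)[-1]
    return user.isupper()
```

Running `suspicious_whoami(parse_events(SAMPLE_LOG))` flags only PID 4120, the copy started from a user's Downloads folder that then sends DNS and TCP traffic; the System32 copy (PID 4388) produces no findings.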