![]() Double click on Wireshark.exe string to look for referencesĪnd then double click on the sub_408B1D to jump to the function location where the string is embedded. Before we devise a technique to bypass these detection mechanisms, let’s first look at the code that is detecting these tools. We can see a lot of strings corresponds to known analyst’s tools like Wireshark, Sandbox, VirtualBox, etc. ![]() Load this specimen inside IDA pro and as stated in the previous article go to names window to see for any strings. However, let’s dig deep into this malware code functionality. ![]() (Please note that this is on the other machine where all the traffic from the infected machine is routed)īut as soon as we launch tools like Wireshark on the infected machines we can see that the malicious processes start exiting (above screenshot) which gives an indication that code inside the specimen exits if it finds some known analysis tools to be present on the machine. From above screenshot, we can see that the process generates a child process of the same name.įrom above, we can see that the malware specimen is trying to resolve a DNS name. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |