Module 07: Malware Threats

Scenario

Malware poses a major threat to information security. Malware writers explore new attack vectors to exploit vulnerabilities in information systems. This leads to ever more sophisticated malware attacks, including drive-by malware, “maladvertising” (or “malvertising”), and advanced persistent threats. Although organizations try hard to defend themselves using comprehensive security policies and advanced anti-malware controls, the current trend indicates that malware applications are targeting “lower-hanging fruit”; these include unsecured smartphones, mobile applications, social media, and cloud services. This problem is further complicated by the challenges faced in threat prediction.

Assessing an organization’s information system against malware threats is a major challenge today because of the rapidly changing nature of malware. One needs to be well-versed in the latest developments in the field and understand the basic functioning of malware to select and implement the controls appropriate for an organization and its needs.

The lab activities in this module provide first-hand experience with various techniques that attackers use to write and propagate malware. You will also learn how to effectively select security controls to protect your information assets from malware threats.

Objective

The objective of the lab is to create malware and perform other tasks that include, but are not limited to:

  • Create a Trojan and exploit a target machine
  • Create a virus to infect the target machine
  • Perform malware analysis to determine the origin, functionality, and potential impact of a given type of malware
  • Detect malware

Overview of Malware

With the help of a malicious application (malware), an attacker can gain access to the passwords stored on a computer, read personal documents, delete files, display pictures or messages on the screen, slow down the computer, steal personal information, send spam, and commit fraud. Malware can perform various malicious activities that range from simple email advertising to complex identity theft and password stealing.

Programmers develop malware and use it to:

  • Attack browsers and track websites visited
  • Affect system performance, making it very slow
  • Cause hardware failure, rendering computers inoperable
  • Steal personal information, including contacts
  • Erase valuable information, resulting in substantial data losses
  • Attack additional computer systems directly from a compromised system
  • Spam inboxes with advertising emails

Lab Tasks

Ensure that the Windows Defender Firewall is turned off on the machines you are using for the lab tasks in this module, as it blocks and deletes malware as soon as it is executed.

Attackers, as well as ethical hackers or pen testers, use numerous tools and techniques to gain access to the target network or machine. Recommended labs that will assist you in learning various malware attack techniques include:

  1. Gain access to the target system using Trojans
    • Gain control over a victim machine using the njRAT RAT Trojan
    • Hide a Trojan using SwayzCryptor and make it undetectable to various anti-virus programs
    • Create a server using the ProRat Tool
    • Create a Trojan server using Theef RAT Trojan
  2. Infect the target system using a virus
    • Create a virus using the JPS Virus Maker Tool and infect the target system
  3. Perform static malware analysis
    • Perform online malware scanning using VirusTotal
    • Perform a strings search using BinText
    • Identify packing and obfuscation methods using PEiD
    • Find the portable executable (PE) information of a malware executable file using PE Explorer
    • Identify file dependencies using Dependency Walker
    • Perform malware disassembly using IDA and OllyDbg
  4. Perform dynamic malware analysis
    • Perform port monitoring using TCPView and CurrPorts
    • Perform process monitoring using Process Monitor
    • Perform registry monitoring using Regshot and jv16 PowerTools
    • Perform Windows services monitoring using Windows Service Manager (SrvMan)
    • Perform startup program monitoring using Autoruns for Windows and WinPatrol
    • Perform installation monitoring using Mirekusoft Install Monitor
    • Perform files and folder monitoring using PA File Sight
    • Perform device driver monitoring using DriverView and Driver Reviver
    • Perform DNS monitoring using DNSQuerySniffer


Lab 1: Gain Access to the Target System using Trojans

Lab Scenario

Attackers use digital Trojan horses to trick the victim into performing a predefined action on a computer. Trojans are activated upon users’ specific predefined actions, such as unintentionally installing a piece of malicious software or clicking on a malicious link; upon activation, they can grant attackers unrestricted access to all data stored on compromised information systems and cause potentially immense damage. For example, users could download a file that appears to be a movie, but, when opened, it unleashes a dangerous program that erases the hard drive or sends credit card numbers and passwords to the attacker.

Trojan horses work on the same level of privileges as victims. For example, if a victim has the privileges to delete files, transmit information, modify existing files, and install other programs (such as programs that provide unauthorized network access and execute privilege elevation attacks), once the Trojan infects that system, it will possess the same privileges. Furthermore, it can attempt to exploit vulnerabilities to increase its level of access, even beyond the user running it. If successful, the Trojan could use the increased privileges to install other malicious code on the victim’s machine.

An expert security auditor or ethical hacker needs to ensure that the organization’s network is secure from Trojan attacks by finding machines vulnerable to these attacks and making sure that anti-virus tools are properly configured to detect such attacks.

The lab tasks in this exercise demonstrate how easily hackers can gain access to the target systems in the organization and create a covert communication channel for transferring sensitive data between the victim computer and the attacker.

Lab Objectives

  • Gain control over a victim machine using the njRAT RAT Trojan
  • Hide a Trojan using SwayzCryptor and make it undetectable to various anti-virus programs
  • Create a server using the ProRat Tool
  • Create a Trojan server using Theef RAT Trojan

Overview of Trojans

In Ancient Greek mythology, the Greeks won the Trojan War with the aid of a giant wooden horse that the Greeks built to hide their soldiers. The Greeks left the horse in front of the gates of Troy. The Trojans, thinking that it was a gift from the Greeks that they had left before apparently withdrawing from the war, brought the horse into their city. At night, the hidden Greek soldiers emerged from the wooden horse and opened the city’s gates for their soldiers, who eventually destroyed the city of Troy.

Thus, taking its cue from this myth, a computer Trojan is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can gain control and cause damage such as ruining the file allocation table on your hard disk.

Task 1: Gain Control over a Victim Machine using the njRAT RAT Trojan

Attackers use Remote Access Trojans (RATs) to infect the target machine and gain administrative access. RATs help an attacker remotely access the complete GUI and control the victim’s computer without the victim’s awareness. They can perform screen and camera capture, code execution, keylogging, file access, password sniffing, registry management, and other tasks. The RAT infects victims via phishing attacks and drive-by downloads and propagates through infected USB keys or networked drives. It can download and execute additional malware, execute shell commands, read and write registry keys, capture screenshots, log keystrokes, and spy on webcams.

njRAT is a RAT with powerful data-stealing capabilities. In addition to logging keystrokes, it is capable of accessing a victim’s camera, stealing credentials stored in browsers, uploading and downloading files, performing process and file manipulations, and viewing the victim’s desktop.

This RAT can be used to control Botnets (networks of computers), allowing the attacker to update, uninstall, disconnect, restart, and close the RAT, and rename its campaign ID. The attacker can further create and configure the malware to spread through USB drives with the help of the Command and Control server software.

Here, we will use the njRAT Trojan to gain control over a victim machine.

The versions of the created client or host and the appearance of the website may differ from those shown in this lab. However, the actual process of creating the server and the client is the same as shown in this lab.

In this lab task, we will use the Windows 10 (10.10.10.10) machine as the attacker machine and the Windows Server 2016 (10.10.10.16) machine as the victim machine.

  1. By default, the Windows 10 machine is selected; click Ctrl+Alt+Delete.

Alternatively, you can also click the Ctrl+Alt+Delete button under the Windows 10 machine thumbnail in the Resources pane or click the Ctrl+Alt+Delete button under the Commands (thunder icon) menu.

  1. By default, the Admin user profile is selected; click Pa$$w0rd to paste the password into the Password field and press Enter to log in.

Alternatively, you can also click Pa$$w0rd under the Windows 10 machine thumbnail in the Resources pane or click the Type Text | Type Password button under the Commands (thunder icon) menu.

If the Networks screen appears, click Yes to allow your PC to be discoverable by other PCs and devices on the network.

  1. Navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Trojans Types\Remote Access Trojans (RAT)\njRAT and double-click njRAT v0.7d.exe.

If a User Account Control window appears, click Yes.

If an Open File – Security Warning pop-up appears, click Run.

  1. The njRAT GUI appears along with an njRAT pop-up, where you need to specify the port you want to use to interact with the victim machine. Enter the port number and click Start.
  2. In this lab, the default port number 5552 has been chosen.
  3. The njRAT GUI appears; click the Builder link located in the lower-left corner of the GUI to configure the exploit details.
  4. The Builder dialog box appears; enter the IP address of the Windows 10 (attacker) machine in the Host field, check the Registy StarUp option, leave the other settings at their defaults, and click Build.

In this lab, the IP address of the Windows 10 machine is 10.10.10.10. This IP address might vary in your lab environment.

  1. The Save As window appears; specify a location to store the server, rename it, and click Save.
  2. In this lab, the destination location chosen is Desktop, and the file is named Test.exe.
  3. Once the server is created, the DONE! pop-up appears; click OK.
  4. Now, use any technique to send this server to the intended target, through email or any other means (in real-time, attackers send this server to the victim).

In this lab, we copied the Test.exe file to the shared network location (CEH-Tools) to share the file.

  1. Click Windows Server 2016 to switch to the Windows Server 2016 machine. Click Ctrl+Alt+Delete to activate the machine; by default, the CEH\Administrator account is selected. Click Pa$$w0rd to enter the password and press Enter.
  2. Navigate to the shared network location (CEH-Tools), and then copy and paste the executable file (Test.exe) onto the Desktop of Windows Server 2016.
  3. Here, you are acting both as an attacker who logs into the Windows 10 machine to create a malicious server, and as a victim who logs into the Windows Server 2016 machine and downloads the server.
  4. Double-click the server (Test.exe) to run this malicious executable.
  5. Click Windows 10 to switch back to the Windows 10 machine. As soon as the victim (here, you) double-clicks the server, the executable starts running and the njRAT client (njRAT GUI) running in Windows 10 establishes a persistent connection with the victim machine, as shown in the screenshot.
  6. Unless the attacker working on the Windows 10 machine disconnects the server on their own, the victim machine remains under their control.
  7. The GUI displays the machine’s basic details such as the IP address, user name, and type of operating system.
  8. Right-click on the detected victim name and click Manager.
  9. The Manager window appears with File Manager selected by default.
  10. Double-click any directory in the left pane (here, ProgramData); all its associated files and directories are displayed in the right pane. You can right-click a selected directory and manipulate it using the contextual options.
  11. Click on Process Manager. You will be redirected to the Process Manager, where you can right-click on a selected process and perform actions such as Kill, Delete, and Restart.
  12. Click on Connections, select a specific connection, right-click on it, and click Kill Connection. This kills the connection between two machines communicating through a particular port.
  13. Click on Registry, choose a registry directory from the left pane, and right-click on its associated registry files.
  14. A few options appear for the files; you can use these to manipulate them.
  15. Click Remote Shell. This launches a remote command prompt for the victim machine (Windows Server 2016).
  16. Type the command ipconfig /all and press Enter.
  17. This displays all interfaces related to the victim machine, as shown in the screenshot.
  18. Similarly, you can issue any other command that can be executed in the command prompt of the victim machine.
  19. In the same way, click Services. You will be able to view all services running on the victim machine. In this section, you can use the options to start, pause, or stop a service.
  20. Close the Manager window.
  21. Now, right-click on the victim name, click Run File, and choose an option from the drop-down list to execute scripts or files remotely from the attacker machine.
  22. Right-click on the victim name, and then select Remote Desktop.
  23. This launches a remote desktop connection without the victim’s awareness.
  24. The Remote Desktop window appears; hover the mouse cursor over the top-center area of the window. A down arrow appears; click it.
  25. A remote desktop control panel appears; check the Mouse option.
  26. Now, you will be able to remotely interact with the victim machine using the mouse.

If you want to create any files or write any scripts on the victim machine, you need to check the Keyboard option.

  1. On completing the task, close the Remote Desktop window.
  2. In the same way, right-click on the victim name, and select Remote Cam and Microphone to spy on the victim and track voice conversations.
  3. Click Windows Server 2016 to switch to the Windows Server 2016 machine. Assume that you are a legitimate user and perform a few activities such as logging into any website or typing some text in a text document.
  4. Click Windows 10 to switch back to the Windows 10 machine, right-click on the victim name, and click Keylogger.
  5. The Keylogger window appears; wait for the window to load.
  6. The window displays all the keystrokes performed by the victim on the Windows Server 2016 machine, as shown in the screenshot.
  7. Close the Keylogger window.
  8. Right-click on the victim name, and click Open Chat.
  9. The Chat pop-up appears; enter a nickname (here, Hacker) and click OK.
  10. A chat box appears; type a message, and then click Send.
  11. In real-time, as soon as the attacker sends the message, a pop-up appears on the victim’s screen (Windows Server 2016), as demonstrated in the screenshot.
  12. Click Windows Server 2016 to switch to the Windows Server 2016 machine; you can observe that the message from the hacker appears on the screen.
  13. Seeing this, the victim becomes alert and attempts to close the chat box. Irrespective of what the victim does, the chat box remains open for as long as the attacker uses it.
  14. Surprised by this behavior, the victim (you) attempts to break the connection by restarting the machine. As soon as this happens, njRAT loses its connection with Windows Server 2016, as the machine is shut down in the process of restarting.
  15. Click Windows 10 to switch back to the attacker machine (Windows 10); you can see that the connection with the victim machine is lost.
  16. However, as soon as the victim logs in to their machine, the njRAT client automatically re-establishes a connection with the victim, as shown in the screenshot.
  17. Click Windows Server 2016 to switch to the victim machine (Windows Server 2016). Click Ctrl+Alt+Delete to activate the machine; by default, the CEH\Administrator account is selected. Click Pa$$w0rd to enter the password and press Enter.
  18. Click Windows 10 to switch back to the attacker machine (Windows 10); you can see that the connection has been re-established with the victim machine.

It might take some time to establish a connection with the victim.

  1. The attacker, as usual, makes use of the connection to access the victim machine remotely and perform malicious activity.
  2. On completion of this lab, click Windows Server 2016 to switch to the Windows Server 2016 machine, launch Task Manager, look for the Test.exe (32 bit) process, and click End task.
  3. This concludes the demonstration of how to create a Trojan using njRAT to gain control over a victim machine.

Question 1.1.1:

The default port used by njRAT is ___________.

Question 1.1.2:

What is the IP address of the machine where njRAT is hosted?

10.10.10.10

10.10.10.16

10.10.10.19

10.10.10.13

Task 2: Hide a Trojan using SwayzCryptor and Make it Undetectable to Various Anti-Virus Programs

At present, numerous anti-virus software programs have been configured to detect malware such as Trojans, viruses, and worms. Although security specialists keep updating the virus definitions, hackers continually try to evade or bypass them. One method that attackers use to bypass AVs is to “crypt” (an abbreviation of “encrypt”) the malicious files using fully undetectable crypters (FUDs). Crypting these files allows them to achieve their objectives, and thereby take complete control over the victim’s machine.

A crypter is software that encrypts the original binary code of an .exe file to hide viruses, spyware, keyloggers, RATs, and other malware inside any kind of file, making them undetectable by anti-virus programs. SwayzCryptor is an encrypter (or “crypter”) that allows users to encrypt their program’s source code.

Here, we will use the SwayzCryptor to hide a Trojan and make it undetectable by anti-virus software.

  1. Click Windows 10 to switch to the Windows 10 machine and open any web browser (here, Google Chrome). Click in the address bar of the browser, type https://www.virustotal.com, and press Enter.
  2. The VirusTotal main analysis site appears; click Choose file to upload a virus file.
  3. An Open dialog box appears; navigate to the location where you saved the malware file Test.exe in the previous lab (Desktop), select it, and click Open.
  4. Click Confirm upload on the VirusTotal page.
  5. VirusTotal uploads the file, scans it with the various anti-virus programs in its database, and displays the scan result, as shown in the screenshot.
  6. You can see that 62 out of 71 anti-virus programs have detected Test.exe as a malicious file. Minimize the web browser window.

The detection ratio might vary in your lab environment.

  1. Go to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Crypters\SwayzCryptor and double-click the exe file.
  2. The SwayzCryptor GUI appears; click the ellipsis icon below File to select the Trojan file.
  3. The Select a File dialog box appears; navigate to the location of Test.exe (Desktop), select it, and click Open.
  4. Once the file is selected, check the options Start up, Mutex, and Disable UAC, and then click Encrypt.
  5. The Save File dialog box appears; select the location where you want to store the crypted file (here, Desktop), leave the file name set to its default (CryptedFile), and click Save.
  6. Once the encryption is finished, click Close.
  7. Maximize the web browser (here, Google Chrome). In the VirusTotal analysis page, click the Upload file icon in the top-right corner of the page.
  8. An Open dialog box appears; navigate to the location where you saved the encrypted file CryptedFile.exe (Desktop), select the file, and click Open.
  9. Click Confirm upload.
  10. VirusTotal uploads the file and begins to scan it with the various anti-virus programs in its database. It displays the scan result, as shown in the screenshot.
  11. Only a few anti-virus programs have detected CryptedFile.exe as a malicious file. Minimize or close the browser window.
  12. Now, we will test the functioning of the crypted file (CryptedFile.exe).
  13. Go to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Trojans Types\Remote Access Trojans (RAT)\njRAT, double-click the njRAT v0.7d.exe file, launch njRAT by choosing the default port number 5552, and then click Start.
  14. In this exercise, we have already created a crypted file (CryptedFile.exe) from the server built using njRAT.
  15. Use any technique to send CryptedFile.exe to the intended target, through email or any other means (in real-time, attackers send this server to the victim).

In this lab, we copied the CryptedFile.exe file to the shared network location (CEH-Tools) to share the file.

  1. Click Windows Server 2016 to switch to the Windows Server 2016 machine.
  2. Navigate to the shared network location (CEH-Tools), and then copy and paste the executable file (CryptedFile.exe), in which the attacker (here, you) sent the server executable, to the Desktop of Windows Server 2016.
  3. Here, you are acting both as the attacker who logs into the Windows 10 machine to create a malicious server and as the victim who logs into the Windows Server 2016 machine and downloads the server.
  4. Double-click CryptedFile.exe to run this malicious executable.

If a “You must restart your computer to turn off User Account Control” pop-up appears in the bottom-right corner of the window, restart the Windows Server 2016 machine and click Ctrl+Alt+Delete to activate the machine; by default, the CEH\Administrator account is selected. Click Pa$$w0rd to enter the password and press Enter.

  1. As soon as the victim (here, you) double-clicks the server, the executable starts running, and the njRAT client (njRAT GUI) running on the Windows 10 machine establishes a persistent connection with the victim machine.
  2. Click Windows 10 to switch to the Windows 10 machine; in the njRAT window you can observe that the connection has been established with the victim machine.
  3. Unless the attacker working on the Windows 10 machine disconnects the server on their own, the victim machine remains under their control.
  4. Thus, you have created an undetectable Trojan that can bypass the anti-virus and firewall programs, as well as be used to maintain a persistent connection with the victim.
  5. On completion of this lab, click Windows Server 2016 to switch to the Windows Server 2016 machine, launch Task Manager, look for the CryptedFile.exe (32 bit) process, and click End task.
  6. This concludes the demonstration of how to hide a Trojan using SwayzCryptor to make it undetectable to various anti-virus programs.
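Task 2 shows the crypted file slipping past most signature engines. A static check that does not depend on signatures, added here as an example and not part of the lab or of SwayzCryptor, is byte entropy: the encrypted payload a crypter produces is close to random, and a per-window profile shows the small plain stub followed by the high-entropy blob. The samples, threshold and window size below are constructed assumptions.

```python
"""Static pre-detonation check for the crypter behaviour in this task.

A crypter encrypts the original binary and wraps it in a small decryptor
stub, so most of the resulting file is close to uniformly random bytes.
Shannon entropy measures exactly that: plain text and ordinary x86 code
usually score well below 6 bits/byte, while encrypted or compressed data
approaches 8. Compressed installers and resource-heavy binaries also score
high, so treat a hit as a reason to inspect, not as proof of malice.

All sample data below is constructed for this example (a seeded PRNG stands
in for the encrypted payload); the 7.0 threshold and 1024-byte window are
assumptions chosen for illustration, not values from the lab."""
import math
import random
from collections import Counter

CHUNK_SIZE = 1024        # bytes per window; smaller windows bias entropy downward
HIGH_ENTROPY = 7.0       # bits/byte above which a window is treated as encrypted-like
MIN_HIGH_FRACTION = 0.8  # fraction of windows that must be high to flag the file


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for uniform."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def chunk_entropies(data: bytes, chunk: int = CHUNK_SIZE) -> list:
    """Entropy of each fixed-size window, so a low-entropy stub in front of a
    high-entropy blob shows up as a step rather than being averaged away."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]


def assess(data: bytes) -> dict:
    """Return the overall entropy, the per-window profile and a crypted verdict."""
    chunks = chunk_entropies(data)
    high = sum(1 for e in chunks if e >= HIGH_ENTROPY)
    crypted = bool(chunks) and high / len(chunks) >= MIN_HIGH_FRACTION
    return {"overall": shannon_entropy(data), "chunks": chunks, "crypted": crypted}


# --- constructed samples -------------------------------------------------
# Text-like buffer resembling the readable part of a PE header (not crypted).
PLAIN_SAMPLE = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n$" * 100)[:4096]

# Seeded PRNG output standing in for an encrypted payload.
_rng = random.Random(2024)
CRYPTED_SAMPLE = bytes(_rng.getrandbits(8) for _ in range(8192))

# Small plain stub followed by the encrypted blob: the shape a crypter produces.
STUB_PLUS_BLOB = PLAIN_SAMPLE[:CHUNK_SIZE] + CRYPTED_SAMPLE


if __name__ == "__main__":
    for name, sample in (("plain", PLAIN_SAMPLE), ("crypted", CRYPTED_SAMPLE),
                         ("stub+blob", STUB_PLUS_BLOB)):
        result = assess(sample)
        profile = " ".join(f"{e:.1f}" for e in result["chunks"])
        print(f"{name:10s} overall={result['overall']:.2f} "
              f"crypted={result['crypted']} windows=[{profile}]")
```

The per-window profile is the useful part when a file is large: a whole-file average can hide a small decryptor stub, but the step from a low window to a run of high windows cannot.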

Question 1.2.1:

What is the target machine in the above task?

Question 1.2.2:

Name the file that has been shared with the target machine in the above task.

Task 3: Create a Server using the ProRat Tool

Attackers use malware to steal personal information, financial data, and business information from target systems. ProRat is a “remote administration tool” created by the PRO Group. ProRat was written in the C programming language and is capable of working with all Windows OSes. ProRat was designed to allow users to control their own computers remotely from other computers. However, attackers have co-opted it for their own nefarious purposes. Some hackers take control of remote computer systems to conduct a Denial-of-Service (DoS) attack, which renders the target system unavailable for normal personal or business use. These targeted systems include high-profile web servers such as banks and credit card gateways.

As with other Trojan horses, ProRat uses a client and server. It opens a port on the computer that allows the client to perform numerous operations on the server (the victim machine).

Some of ProRat’s malicious actions on the victim’s machine include:

  • Logging keystrokes
  • Stealing passwords
  • Taking full control over files
  • Drive formatting
  • Opening and closing the DVD tray
  • Hiding the taskbar, desktop, and start button
  • Viewing system information

An ethical hacker or pen tester can use ProRat to audit their own network against remote access Trojans.

The versions of the created client or host, and the appearance of the website may differ from this lab. However, the actual process of creating the server and client is as shown in this lab.

  1. Click Windows 10 to switch to the Windows 10 machine.
  2. Navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Trojans Types\Remote Access Trojans (RAT)\ProRat and double-click the exe file.

If an Open File – Security Warning pop-up appears, click Run.

  1. The ProRat main window appears, as shown in the screenshot.
  2. Click Create, and then click the Create ProRat Server (342 Kbayt) option to create a ProRat server.
  3. The Create Server window appears. In Notifications, leave the settings at their defaults.
  4. Click on the General Settings button to configure features such as Server Port, Server Password, Victim Name, and port number. In this lab, the default settings are chosen. Note down the Server password.
  5. Uncheck the highlighted options under the Victim Name field, as shown in the screenshot.
  6. Click on the Bind with File button to bind the server with a file. In this lab, we are using a .jpg file to bind the server.
  7. Check the Bind server with a file option and then click the Select File button.
  8. An Open pop-up window appears; navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Trojans Types\Remote Access Trojans (RAT)\ProRat\Images and select MyCar.jpg in the browser window. Click Open to bind the file.
  9. A pop-up displays the prompt: Server will bind with MyCar.jpg; click OK.
  10. Click the Server Extensions button.
  11. Under Select Server Extension, ensure that the EXE (Has icon support) checkbox is ticked.
  12. Click the Server Icon button. Under Server Icon, select any icon, and click Create Server.
  13. A pop-up states that the server has been created; click OK.
  14. The created server will be saved at D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Trojans Types\Remote Access Trojans (RAT)\ProRat. This server is named exe by default. Close ProRat’s Create Server window.
  15. In real-time, hackers may craft such servers and send them by email or other communication media to the victim’s machine.

You need to zip the file before emailing it, as you cannot attach .exe files on some mail servers.

  1. Click Windows Server 2016 to switch to the Windows Server 2016 machine. Click Ctrl+Alt+Delete to activate the machine; by default, the CEH\Administrator account is selected. Click Pa$$w0rd to enter the password and press Enter.
  2. Navigate to Z:\CEHv11 Module 07 Malware Threats\Trojans Types\Remote Access Trojans (RAT)\ProRat and double-click the exe file.

If an Open File – Security Warning pop-up appears, click Run.

  1. Click Windows 10 to switch back to the Windows 10 machine, and enter the IP address of Windows Server 2016 in the Ip field; keep the default port number in the ProRat main window, and click Connect.
  2. In this lab, the IP address of Windows Server 2016 is 10.10.10.16.
  3. Enter the password you noted down when creating the server and click OK.
  4. Now, you are connected to the victim machine.
  5. ProRat begins to monitor user activities. It records all passwords, keystrokes, and other sensitive data.
  6. To test the connection, click PC Info, and choose System Information.
  7. ProRat displays the information of the victim machine, as shown in the screenshot.
  8. Click on KeyLogger to steal the user passwords for the online system. This will read the keystrokes performed on the victim machine.
  9. The KeyLogger window appears; click Read Log to view the key logs created by the target user on the victim machine.
  10. Click Windows Server 2016 to switch to the Windows Server 2016 machine. Click Ctrl+Alt+Delete to activate the machine; by default, the CEH\Administrator account is selected. Click Pa$$w0rd to enter the password and press Enter. Navigate to the Desktop, open Notepad or a browser window, and type any text.
  11. While the victim is writing a message or entering a username and password, you can capture the log entries.
  12. Now, click Windows 10 to switch to the Windows 10 machine, and periodically click Read Log to check for keystrokes logged from the victim machine. Close the KeyLogger window.

ProRat Keylogger will not read special characters.

  1. Now, click the Registry button to view the registry editor of the Windows Server 2016 machine.
  2. The Registry Editor window appears, where you can choose a root key from the Root Key drop-down list. You can view and also modify the registry of the victim’s machine, as shown in the screenshot.
  3. Close the Registry-related windows and switch back to the ProRat main window.
  4. In the same way, you can make use of the other options that allow you to explore and control the victim machine.
  5. On the Windows 10 machine, click Disconnect in the ProRat window.
  6. On completion of this lab, click Windows Server 2016 to switch to the Windows Server 2016 machine, launch Task Manager, look for the server’s exe (32 bit) process, and click End task.

Question 1.3.1:

What is the default Server port used by ProRat?

Question 1.3.2:

What is the IP address of the victim machine in this task?

Task 4: Create a Trojan Server using Theef RAT Trojan

Theef is a Remote Access Trojan written in Delphi. It allows remote attackers access to the system via port 9871. Theef is a Windows-based application for both client and server. The Theef server is a virus that you install on a target computer, and the Theef client is what you then use to control the virus.

The versions of the created client or host, and the appearance of its website, may differ from that of this lab. However, the actual process of creating the server and the client is the same.

  1. Generally, an attacker might send a server executable to the victim machine and entice the victim into running it. In this lab, for demonstration purposes, we are directly executing the file on the victim machine, Windows Server 2016.
  2. Click Windows Server 2016 to switch to the Windows Server 2016 machine. Click Ctrl+Alt+Delete to activate the machine; by default, the CEH\Administrator account is selected. Click Pa$$w0rd to enter the password and press Enter.
  3. Navigate to Z:\CEHv11 Module 07 Malware Threats\Trojans Types\Remote Access Trojans (RAT)\Theef and double-click the exe file to run the Trojan on the victim machine.

If an Open File – Security Warning pop-up appears, click Run.

  1. Now, click Windows 10 to switch to the Windows 10 machine (as an attacker).
  2. Navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Trojans Types\Remote Access Trojans (RAT)\Theef and double-click the exe file to access the victim machine remotely.
  3. The Theef main window appears, as shown in the screenshot.
  4. Enter the IP address of the target machine (here, Windows Server 2016) in the IP field (10.10.10.16), leave the Port and FTP fields set to their defaults, and click Connect.
  5. Now, from Windows 10, you have successfully established a remote connection with the Windows Server 2016 machine.
  6. To view the computer’s information, click the Computer Information icon in the lower part of the window.
  7. In Computer Information, you can view PC Details, OS Info, Home, and Network by clicking their respective buttons.
  8. Here, for example, selecting PC Details reveals computer-related information.
  9. Click the Spy icon to perform various operations on the target machine.
  10. You can perform various operations such as capturing screens, logging keys, viewing processes, viewing the task manager, using the webcam, and using the microphone on the victim machine by selecting their respective options.
  11. Here, for instance, selecting Task Manager displays the tasks running on the target machine.
  12. In the Task Manager window, click the Refresh icon to obtain the list of running processes.
  13. Select a process (task); click the Close window icon to end the task on the target machine.
  14. Close the Task Manager window.

The tasks running in the task manager may vary in your lab environment.

  1. From the Spy menu, click Keylogger to record the keystrokes made on the victim machine.
  2. The Keylogger pop-up appears; click the Start icon to read the keystrokes of the victim machine.
  3. Click Windows Server 2016 to switch to the Windows Server 2016 machine. Click Ctrl+Alt+Delete to activate the machine. By default, the CEH\Administrator account is selected; click Pa$$w0rd to enter the password and press Enter.
  4. Open a browser window and browse some websites, or open a text document and type some sensitive information.
  5. Click Windows 10 to switch back to the attacker machine (Windows 10) and view the recorded keystrokes of the victim machine in the Theef Keylogger window.
  6. Close the Theef Keylogger window.
  7. Similarly, you can access the details of the victim machine by clicking the various icons.
  8. Close all open windows on both the Windows 10 and Windows Server 2016 machines.

Question 1.4.1:

What is the OS in which Theef Server is being executed?

Windows Server 2016

Parrot Security

Windows 10

Windows Server 2019

Question 1.4.2:

What is the OS in which Theef Client is being executed?

Windows 10

Windows Server 2019

Windows Server 2016

Ubuntu

Question 1.4.3:

What is the default port used by Theef?


Lab 2: Infect the Target System using a Virus

Lab Scenario

Viruses are the scourges of modern computing. Computer viruses have the potential to wreak havoc on both business and personal computers. The lifetime of a virus depends on its ability to reproduce. Therefore, attackers design virus code so that the virus replicates itself n times, where n is a number specified by the attacker. Worldwide, most businesses have been infected by a virus at some point. Like a biological virus, a computer virus is contagious and can contaminate other files; however, viruses can only infect outside machines with the assistance of computer users.

Like viruses, computer worms are standalone malicious programs that independently replicate, execute, and spread across network connections, without human intervention. Worms are a subtype of virus. Intruders design most worms to replicate and spread across a network, thus consuming available computing resources and, in turn, causing network servers, web servers, and individual computer systems to become overloaded and stop responding. However, some worms also carry a payload to damage the host system.

During an audit of a target organization, an ethical hacker and pen tester must determine whether viruses and worms can damage or steal the organization’s information. They might need to construct viruses and worms and try to inject them into the target network to check their behavior, learn whether an anti-virus will detect them, and find out whether they can bypass the firewall.

Lab Objectives

  • Create a virus using the JPS Virus Maker Tool and infect the target system

Overview of Viruses and Worms

Viruses can attack a target host’s system using a variety of methods. They can attach themselves to programs and transmit themselves to other programs by making use of specific events. Viruses need such events to take place, since they cannot self-start, infect hardware, or transmit themselves using non-executable files. “Trigger” and “direct attack” events can cause a virus to activate and infect the target system when the user triggers attachments received through email, Web sites, malicious advertisements, flashcards, pop-ups, or other methods. The virus can then attack a system’s built-in programs, antivirus software, data files, and system startup settings, or perform other malicious activities.

Like a virus, a worm does not require a host to replicate, but in some cases, the worm’s host machine is also infected. At first, Blackhat professionals treated worms as a mainframe problem. Later, with the introduction of the Internet, they concentrated on and targeted Windows OSes with the same worms, sharing them by email, IRC, and other network functions.

Task 1: Create a Virus using the JPS Virus Maker Tool and Infect the Target System

The JPS Virus Maker tool is used to create a customized virus. It offers many build options that can be used to create a virus. Some of the tool’s features are auto-start, shutdown, disable security center, lock mouse and keyboard, destroy protected storage, and terminate windows. An ethical hacker and pen-tester can use the JPS Virus Maker Tool as a proof of concept to audit perimeter security controls in an organization.

After performing this task, we will end and re-launch the lab, because the Windows Server 2019 machine will be infected by the virus.

  1. In the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Virus Maker\JPS Virus Maker and double-click exe.

If an Open File – Security Warning pop-up appears, click Run.

  1. The JPS (Virus Maker 4.0) window appears; tick the Auto Startup option.
  2. The window displays various features and options that can be chosen while creating a virus file.
  3. From the Virus Options, check the options that you want to embed in a new virus file.
  4. In this lab, the options embedded in the virus file are Disable TaskManager, Disable Windows Update, Disable Control Panel, Disable Drives, Hide Windows Clock, Hide Desktop Icons, Enable Remote Desktop, Remove Bluetooth, Turn Off Windows Firewall, Turn Off Windows Defender, and Auto Startup.
  5. Ensure that the None radio button is selected to specify the trigger event at which the virus should start attacking the system after its creation.
  6. Now, before clicking Create Virus!, click the right arrow icon in the right-hand pane of the window to configure the virus options.
  7. The Virus Options window appears, as shown in the screenshot.
  8. Check the Change Windows Password option, and enter a password (here, qwerty) in the text field. Check the Change Computer Name option, and type Test in the text field.
  9. You can even configure the virus to convert to a worm. To do this, check the Enable Convert to Worm checkbox, and provide a Worm Name (here, fedevi). For the worm to self-replicate after a particular time, specify the time in seconds (here, 1 second) in the Copy After field.
  10. Ensure that the JPG Icon radio button is selected under the Change Icon section. Ensure that the None radio button is selected in the lower part of the window.
  11. After completing your selection of options, click the drop-down icon next to the Create Virus! button and select x86(32Bit); click Create Virus!
  12. The Virus Created Successful! pop-up appears; click OK.
  13. The newly created virus (server) is placed automatically in the folder where jps.exe is located, but with the name exe. Navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Virus Maker\JPS Virus Maker and observe that the newly created virus with the name Server.exe is available at the specified location.
  14. Now, pack this virus with a binder or virus packager and send it to the victim machine through email, chat, a mapped network drive, or another method.
  15. In this task, we are using a mapped network drive to share the virus file with the victim machine. Assume that you are a victim and that you have received this file.
  16. Click Windows Server 2019 to switch to the Windows Server 2019 machine. Click Ctrl+Alt+Delete to activate the machine. By default, the Administrator account is selected; click Pa$$w0rd to enter the password and press Enter.

Here, we are logging into the machine as a victim.

  1. Navigate to Z:\CEHv11 Module 07 Malware Threats\Virus Maker\JPS Virus Maker and double-click the exe file to execute the virus.
  2. Once you have executed the virus, the Desktop screen goes blank, indicating that the virus has infected the system, as shown in the screenshot.
  3. Surprised by the system behavior, the victim (you) attempts to fix the machine by restarting it. Once the machine has rebooted, try to log in to the machine with the provided Username and Password. You should receive the error message “the password is incorrect. Try again.”
  4. Click Ctrl+Alt+Delete to activate the machine. By default, the Administrator account is selected; click Pa$$w0rd to enter the password and press Enter.
  5. Now, log in with the password that you provided at the time of virus creation (i.e., qwerty). You should be able to log in to the machine with the new password.
  6. Now, try to open Task Manager; observe that an opening error pop-up appears, and then click OK.
  7. You will get a similar error for all the applications that are disabled by the virus.
  8. This is how attackers infect a system with viruses. Now, before going to the next task, End the lab profile and re-launch it to reset the machines.

Question 2.1.1:

What is the Server Name provided in this task?


Lab 3: Perform Static Malware Analysis

Lab Scenario

Attackers use sophisticated malware techniques as cyber weapons to steal sensitive data. Malware can inflict intellectual and financial losses on the target, be it an individual, a group of people, or an organization. The worst part is that it spreads from one system to another with ease and stealth.

Malware such as viruses, Trojans, worms, spyware, and rootkits allow an attacker to breach security defenses and subsequently launch attacks on target systems. Thus, to find and cure the existing infections and thwart future problems, it is necessary to perform malware analysis. Many tools and techniques exist to perform such tasks. Malware analysis provides an in-depth understanding of each individual sample and identifies emerging technology trends from large collections of malware samples without executing them. Most malware samples are Windows binary executables.

By performing malware analysis, detailed information regarding the malware can be extracted. This information includes items like the malicious intent of the malware, indicators of compromise, complexity level of the intruder, exploited vulnerability, extent of damage caused by the intrusion, perpetrator accountable for installing the malware, and system vulnerability the malware has exploited. An ethical hacker and pen tester must perform malware analysis to understand the workings of the malware and assess the damage that it may cause to the information system. Malware analysis is an integral part of any penetration testing process.

It is very dangerous to analyze malware on production devices connected to production networks. Therefore, one should always analyze malware samples in a testing environment on an isolated network.

Lab Objectives

  • Perform online malware scanning using VirusTotal
  • Perform a strings search using BinText
  • Identify packing and obfuscation methods using PEid
  • Find the portable executable (PE) information of a malware executable file using PE Explorer
  • Identify file dependencies using Dependency Walker
  • Perform malware disassembly using IDA and OllyDbg

Overview of Static Malware Analysis

Static Malware Analysis, also known as code analysis, involves going through the executable binary code without executing it to gain a better understanding of the malware and its purpose. The process includes the use of different tools and techniques to determine the malicious part of the program or a file. It also gathers information about malware functionality and collects the technical pointers or simple signatures it generates. Such pointers include file name, MD5 checksums or hashes, file type, and file size. Analyzing the binary code provides information about the malware’s functionality, network signatures, exploit packaging technique, dependencies involved, as well as other information.

Some of the static malware analysis techniques are:

  • File fingerprinting
  • Local and online malware scanning
  • Performing strings search
  • Identifying packing and obfuscation methods
  • Finding portable executable (PE) information
  • Identifying file dependencies
  • Malware disassembly

Task 1: Perform Online Malware Scanning using VirusTotal

VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, Trojans, and other kinds of malware.

VirusTotal aims to improve the anti-virus and security industry and make the Internet a safer place through the development of free tools and services. VirusTotal simply acts as an information aggregator. The aggregated data are the output of different antivirus engines, website scanners, file and URL analysis tools, and user contributions. The malware signatures of antivirus solutions present in VirusTotal are periodically updated as they are developed and distributed by anti-virus companies. The update polling frequency is 15 minutes—thus ensuring that these products are using the latest signature sets. Website scanning is done via API queries to the different companies providing the solution; hence, the most updated version of their dataset is always used.

VirusTotal helps ethical hackers and penetration testers to analyze files and URLs, enabling the identification of viruses, worms, Trojans, and other malicious content detected by anti-virus engines and website scanners.

This lab activity will demonstrate how to analyze malware using online virus analysis services.

  1. By default, the Windows 10 machine is selected; click Ctrl+Alt+Delete.

Alternatively, you can also click the Ctrl+Alt+Delete button under the Windows 10 machine thumbnail in the Resources pane, or click the Ctrl+Alt+Delete button under the Commands (thunder icon) menu.

  1. By default, the Admin user profile is selected; click Pa$$w0rd to paste the password in the Password field and press Enter to log in.

Alternatively, you can also click Pa$$w0rd under the Windows 10 machine thumbnail in the Resources pane, or click the Type Text | Type Password button under the Commands (thunder icon) menu.

The Networks screen appears; click Yes to allow your PC to be discoverable by other PCs and devices on the network.

  1. Open any web browser (here, Google Chrome). Place the cursor in the address bar of the browser, click https://www.virustotal.com, and press Enter.
  2. The VirusTotal main analysis site appears; click Choose file to upload a virus file.
  3. The Open window appears; navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Viruses, select exe, and click Open.
  4. The selected file will be sent to the VirusTotal server for analysis.
  5. VirusTotal returns a detailed report displaying the result of each anti-virus for the selected malicious exe file under the DETECTION tab, as shown in the screenshot.
  6. Now, click the DETAILS tab to view the malicious file details such as Basic Properties, History, Names, Portable Executable Info, Sections, Imports, and ExifTool File Metadata.
  7. Click the RELATIONS tab to view Execution Parents, PE Resource Parents, Contained in Graphs, and Graph Summary. Scroll down to view other details.
  8. To view Graph Summary, you will need a VirusTotal account.
  9. Click the BEHAVIOR tab to view the File System Actions, Process and Service Actions, Shell Commands, and Synchronization Mechanisms & Signals.
  10. Close the web browser once the analysis is complete.
  11. You can also use other local and online malware scanning tools such as Hybrid Analysis (https://www.hybrid-analysis.com), Cuckoo Sandbox (https://cuckoosandbox.org), Jotti (https://virusscan.jotti.org), or Valkyrie Sandbox (https://valkyrie.comodo.com) to perform online malware scanning.
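File fingerprinting, the first technique in the static-analysis list above, and the hash lookup that VirusTotal offers are shown together in the following Python. It is an added example, not code from the lab or from VirusTotal: it computes the size, magic-byte type and MD5/SHA-1/SHA-256 of a constructed DOS-stub sample, and builds a VirusTotal API v3 hash lookup (GET /api/v3/files/{hash} with the key in the x-apikey header). The VT_API_KEY environment variable and the short magic-byte table are assumptions of the example; the network call runs only when a key is set, and an HTTP 404 from the API means the hash is unknown to VirusTotal.

```python
import hashlib
import json
import os
import urllib.request

# Magic-byte signatures for the file types an analyst meets most often; a small
# constructed table, not a full libmagic database.
MAGIC_SIGNATURES = [
    (b"MZ", "PE/DOS executable"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP container (also Office OOXML, JAR, APK)"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2 compound file (legacy Office, MSI)"),
    (b"%PDF", "PDF document"),
]


def detect_type(data: bytes) -> str:
    """Identify the container format from its leading bytes; the extension is untrusted."""
    for signature, name in MAGIC_SIGNATURES:
        if data.startswith(signature):
            return name
    return "unknown"


def fingerprint(data: bytes) -> dict:
    """File fingerprint: size, type, and the three hashes analysts exchange as identifiers."""
    return {
        "size": len(data),
        "type": detect_type(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def virustotal_lookup_request(sha256: str, api_key: str) -> urllib.request.Request:
    """Build (without sending) the VirusTotal API v3 lookup for a known hash.
    Checking the hash first tells you whether the sample is already known without
    uploading it; an upload shares the file with every VirusTotal user."""
    url = "https://www.virustotal.com/api/v3/files/" + sha256
    return urllib.request.Request(url, headers={"x-apikey": api_key, "accept": "application/json"})


def virustotal_lookup(sha256: str, api_key: str) -> dict:
    """Send the lookup and return the per-engine verdict counts (needs network access and a key).
    urllib raises HTTPError 404 when VirusTotal has never seen the hash."""
    with urllib.request.urlopen(virustotal_lookup_request(sha256, api_key), timeout=30) as resp:
        report = json.load(resp)
    return report["data"]["attributes"]["last_analysis_stats"]


if __name__ == "__main__":
    # Constructed sample: a DOS stub only, not a real program.
    sample = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n$"
    fp = fingerprint(sample)
    for key, value in fp.items():
        print(f"{key:>7}: {value}")
    api_key = os.environ.get("VT_API_KEY")      # assumption: key supplied via the environment
    if api_key:
        print("VirusTotal:", virustotal_lookup(fp["sha256"], api_key))
    else:
        print("VT_API_KEY not set; skipping the online lookup")
```

The split between building and sending the request is deliberate: the hash and the request can be produced and logged on an isolated analysis network, and only the lookup itself needs a connected machine.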

Question 3.1.1:

Name the virus that is analyzed using VirusTotal in this task.

Task 2: Perform a Strings Search using BinText

Software programs include some strings that are commands to perform specific functions such as printing output. Strings communicate information from a program to its user. Various strings that could represent the malicious intent of a program such as reading the internal memory or cookie data, are embedded in the compiled binary code.

Searching through strings can provide information about the basic functionality of any program. During malware analysis, search for malicious strings that could determine the harmful actions that a program can perform. For instance, if the program accesses a URL, it will have that URL string stored in it. You should be attentive while looking for strings and search for the embedded and encrypted strings for a complete analysis of the suspect file.

BinText is a text extractor that can extract text from any file. It includes the ability to find plain ASCII text, Unicode text, and Resource strings, providing useful information for each item.

Here, we will use the BinText tool to extract embedded strings from executable files.

  1. On the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Static Malware Analysis Tools\String Searching Tools\BinText and double-click exe.
  2. The BinText main window appears; click Browse to provide a file to scan. Here, we need to provide a malicious file to analyze its text.
  3. Make sure that the Advanced view option is checked.
  4. The Open file for Scanning window appears; navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Viruses\Klez Virus Live!, select exe, the malicious file, and click Open to extract the text from the malicious file.
  5. As soon as the file is provided for scanning, click Go. BinText will start extracting the text from the designated malicious file.
  6. BinText extracts the provided malicious file’s critical information, as shown in the screenshot.
  7. The type of string is designated by a colored letter to the left of the list. ANSI strings are marked with a green “A,” Unicode strings (double-byte ANSI) have a red “U,” and resource strings have a blue “R.”
  8. “File pos” is the HEX position at which the text is located in the file.
  9. “Mem pos”: if the file is a Win32 PE file (such as Win95 EXEs and DLLs), this is the HEX address at which the text is located in memory at runtime, as determined by its section table.
  10. “ID” is the decimal string resource ID, or 0 if it is not a resource string.
  11. Close all windows once the analysis is complete.
  12. You can also use other string searching tools such as FLOSS (https://www.fireeye.com), Strings (https://docs.microsoft.com), Free EXE DLL Resource Extract (http://www.resourceextract.com), or FileSeek (https://www.fileseek.ca) to perform a string search.
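The extraction that BinText performs in steps 6 to 10 can be reproduced in a few lines. The following Python is an added example, not BinText’s code or the lab’s: it scans a constructed byte blob (a few ANSI strings, one UTF-16LE string, non-printable filler) for printable runs, reports each as “A” or “U” together with its file offset, and tags strings that match a short pattern list (URL, IPv4 address, Run key, DLL name, a handful of Win32 API names). The sample bytes, the 4-character minimum length and the pattern list are assumptions of the example.

```python
import re

# Constructed sample mimicking the tail of a compiled Windows binary: a couple of
# ANSI strings, one UTF-16LE (Unicode) string and non-printable filler. Not a
# real malware sample; the URL uses the reserved .invalid TLD and the IP address
# comes from the TEST-NET-1 documentation range.
SAMPLE = (
    b"\x00" * 8
    + b"kernel32.dll\x00" + b"\x90\x4c\x01"
    + b"CreateFileA\x00"
    + b"http://example.invalid/update.php\x00" + b"\x7f\x00\x00"
    + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00"
    + b"192.0.2.10\x00"
)

# Patterns an analyst scans the string list for. Assumption: this short list is
# illustrative; real triage uses far larger API and IoC lists.
SUSPICIOUS_PATTERNS = [
    ("url", re.compile(r"https?://\S+", re.I)),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("registry_run_key", re.compile(r"CurrentVersion\\Run", re.I)),
    ("dll", re.compile(r"\.dll$", re.I)),
    ("win32_api", re.compile(r"^(?:CreateFile[AW]|CreateRemoteThread|WriteProcessMemory|"
                             r"VirtualAllocEx|URLDownloadToFile[AW]|RegSetValueEx[AW])$")),
]


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Return (kind, file_pos, text) tuples in file order, the way BinText lists them:
    'A' = ANSI (a run of printable ASCII), 'U' = Unicode (printable ASCII as UTF-16LE).
    file_pos is the byte offset in the file, BinText's "File pos"."""
    ansi = rb"[\x20-\x7e]{%d,}" % min_len
    utf16 = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len   # finds UTF-16LE runs at any byte alignment
    found = [("A", m.start(), m.group().decode("ascii")) for m in re.finditer(ansi, blob)]
    found += [("U", m.start(), m.group().decode("utf-16-le")) for m in re.finditer(utf16, blob)]
    return sorted(found, key=lambda t: t[1])


def classify(text: str) -> list:
    """Tags from SUSPICIOUS_PATTERNS that match one extracted string."""
    return [tag for tag, pattern in SUSPICIOUS_PATTERNS if pattern.search(text)]


def triage(blob: bytes) -> list:
    """Extract every string and attach its tags; untagged strings stay in the list for manual review."""
    return [{"kind": kind, "file_pos": pos, "text": text, "tags": classify(text)}
            for kind, pos, text in extract_strings(blob)]


if __name__ == "__main__":
    for row in triage(SAMPLE):
        tags = ",".join(row["tags"]) or "-"
        print(f"{row['kind']}  0x{row['file_pos']:08X}  {tags:<18} {row['text']}")
```

Resource strings (BinText’s blue “R”) are not handled here, because they live in the PE resource directory rather than as plain runs of bytes; encrypted or stack-built strings, the ones step 3 of the overview warns about, will not appear either, which is exactly why a clean string list is not proof of a clean file.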

Question 3.2.1:

What is the malicious file that is analyzed using BinText?

Task 3: Identify Packaging and Obfuscation Methods using PEid

Attackers often use packing and obfuscation, or a packer, to compress, encrypt, or modify a malware executable file to avoid detection. Obfuscation also hides the execution of the program. When the user executes a packed program, it also runs a small wrapper program to decompress the packed file, and then runs the unpacked file. This complicates the task of reverse engineers, who must determine the actual program logic and other metadata via static analysis. The best approach is to try to identify whether the file includes packed elements and to locate the tool or method used to pack it.

PEid is a free tool that provides details about Windows executable files. It can identify signatures associated with over 600 different packers and compilers. This tool also displays the type of packer used in packing a program.

Here, we will use the PEid tool to detect common packers, cryptors, and compilers for PE executable files.

  1. In the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Static Malware Analysis Tools\Packaging and Obfuscation Tools\PEid and double-click exe.
  2. The PEiD main window appears. Click the Browse button to upload a malicious file for analysis.
  3. The Choose the file to open window appears; navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Viruses\Klez Virus Live!, select the exe file, and click Open.
  4. As soon as you click Open, PEiD analyzes the file and provides information, as shown in the screenshot.
  5. Close all windows once the analysis is complete.
  6. You can also use other packaging/obfuscation tools such as Macro_Pack (https://github.com), UPX (https://upx.github.io), or ASPack (http://www.aspack.com) to identify packing/obfuscation methods.

Question 3.3.1:

What is the OS in which PEid is being executed?

Task 4: Find the Portable Executable (PE) Information of a Malware Executable File using PE Explorer

The Portable Executable (PE) format is the executable file format used on Windows OSes; it stores the information a Windows system requires to manage the executable code. The PE stores metadata about the program, which helps in finding additional details of the file. For instance, a Windows binary in PE format contains information such as the time of creation and modification, import and export functions, compilation time, DLLs, and linked files, as well as strings, menus, and symbols.

PE Explorer lets you open, view, and edit a variety of different 32-bit Windows executable file types (also called PE files), ranging from common ones such as EXE, DLL, and ActiveX Controls to less familiar types such as SCR (Screensavers), CPL (Control Panel Applets), SYS, MSSTYLES, BPL, DPL, and more (including executable files that run on the MS Windows Mobile platform).

Here, we will use the PE Explorer tool to view the PE information of a malware executable file.

  1. On the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Static Malware Analysis Tools\PE Extraction Tools\PE Explorer and double-click Explorer_setup.exe.
  2. If a User Account Control pop-up appears, click Yes.
  3. Follow the wizard-driven installation steps to install PE Explorer.
  4. In the last step of the installation, make sure that the Launch PE Explorer option is checked to launch the application automatically; uncheck the View PE Explorer User’s Guide option and click Finish.
  5. The PE Explorer main window appears. Navigate to File and click Open File from the menu to start exploring executable files. Alternatively, you can drag and drop the file into the PE Explorer window.
  6. An Open window appears; navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Viruses\Klez Virus Live!. Select the exe file and click Open.
  7. The PE Explorer evaluation pop-up appears; click Continue.
  8. PE Explorer provides you with an analysis of the file, as shown in the screenshot.
  9. The HEADERS INFO section provides you with the ability to:
    • View and save a text report on the file header information
    • Modify the entry point value
    • Update the value of the checksum in the header
    • Set flag bits in the file header characteristics field
  10. Click the Data Directories icon from the menu bar. This provides the DATA DIRECTORIES information, allowing you to view and edit the virtual address and size of the chosen directory, which describes where parts of the code are located.
  11. The trailing array of Data Directories covers pointers to the data in the sections.
  12. Click the Section Headers icon from the menu bar. This provides the SECTION HEADERS information, allowing you to view all sections and information about their location and size.
  13. Double-click any section to view its raw content. This opens a mini hex viewer window.
  14. Close the hex viewer window after analysis.
  15. This is how to analyze a malicious file using PE Explorer. Close all open windows.
  16. You can also use other PE extraction tools such as Portable Executable Scanner (pescan) (https://tzworks.net), Resource Hacker (http://www.angusj.com), or PEView (https://www.aldeid.com) to find the Portable Executable (PE) information of a malware executable file.
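The headers, data directories and section table that PE Explorer displays in steps 9 to 13, the packer indicators that PEiD reports in Task 3, and the “File pos” to “Mem pos” mapping from Task 2 all come from the same PE structures. The Python below is an added example (not PE Explorer’s, PEiD’s or the lab’s code) that parses them directly: it builds a constructed minimal PE32 image in two layouts, a plain one and a UPX-style packed one, walks the DOS header, COFF header, optional header, data directories and section headers, computes per-section Shannon entropy, maps a raw file offset to a virtual address through the section table, and reports packer indicators. The packer section-name list, the entropy threshold of 7.0 and the sample image itself are assumptions; no import table is built, so the Dependency Walker view of the file is not covered.

```python
import math
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000                      # section characteristics flag (PE/COFF spec)
# Section names left by common packers: a tiny stand-in for PEiD's signature database (assumption).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata"}


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte: near 8.0 for compressed/encrypted data, well below that for plain code."""
    if not blob:
        return 0.0
    counts = [blob.count(v) for v in range(256)]
    return -sum(c / len(blob) * math.log2(c / len(blob)) for c in counts if c)


def build_sample_pe(packed: bool) -> bytes:
    """Constructed minimal PE32 (no real code, no import table) so the parser can run offline.
    packed=True mimics a UPX-style layout: entry point in a writable, high-entropy stub section."""
    text = b"\x55\x8b\xec\x5d\xc3" + b"\x90" * 0x1FB                          # 0x200 bytes, low entropy
    if packed:
        second, entry = (b"UPX1", bytes(range(256)) * 2, 0xE0000040), 0x2010  # uniform bytes: entropy 8.0
    else:
        second, entry = (b".data", b"\x00" * 0x200, 0xC0000040), 0x1000
    sections = [(b".text", text, 0x60000020), second]
    dos = bytearray(b"MZ".ljust(64, b"\0"))                               # IMAGE_DOS_HEADER
    struct.pack_into("<I", dos, 0x3C, 64)                                 # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x5F000000, 0, 0, 224, 0x0102)
    opt = bytearray(224)                                                  # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                                 # Magic = PE32
    struct.pack_into("<I", opt, 16, entry)                                # AddressOfEntryPoint
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)            # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, 0x3000, 0x200)                       # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                                   # NumberOfRvaAndSizes
    headers, body = bytearray(dos + b"PE\0\0" + coff + opt), b""
    for i, (name, raw, flags) in enumerate(sections):                     # one IMAGE_SECTION_HEADER each
        headers += struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000 * (i + 1), len(raw),
                               0x200 * (i + 1), 0, 0, 0, 0, flags)
        body += raw
    return bytes(headers.ljust(0x200, b"\0")) + body


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> data directories -> sections."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    magic, entry = struct.unpack_from("<H", data, opt)[0], struct.unpack_from("<I", data, opt + 16)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    plus = magic == 0x20B                                                 # PE32+ has a 64-bit ImageBase
    base = struct.unpack_from("<Q" if plus else "<I", data, opt + (24 if plus else 28))[0]
    ndirs_at, dirs_at = (108, 112) if plus else (92, 96)
    ndirs = struct.unpack_from("<I", data, opt + ndirs_at)[0]
    dirs = [struct.unpack_from("<II", data, opt + dirs_at + 8 * i) for i in range(ndirs)]  # (RVA, size)
    sections = []
    for i in range(nsect):
        f = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"), "virtual_size": f[1],
                         "rva": f[2], "raw_size": f[3], "raw_offset": f[4], "flags": f[9],
                         "entropy": shannon_entropy(data[f[4]:f[4] + f[3]])})
    return {"machine": machine, "timestamp": stamp, "characteristics": chars, "magic": magic,
            "entry_point": entry, "image_base": base, "data_directories": dirs, "sections": sections}


def file_offset_to_va(pe: dict, offset: int):
    """BinText's 'Mem pos' for a 'File pos': map a raw offset through the section table (None if unmapped)."""
    for s in pe["sections"]:
        if s["raw_offset"] <= offset < s["raw_offset"] + s["raw_size"]:
            return pe["image_base"] + s["rva"] + (offset - s["raw_offset"])
    return None


def packer_indicators(pe: dict) -> list:
    """Cheap layout heuristics of the kind PEiD-style tools combine with signature matching."""
    hits, ep = [], pe["entry_point"]
    home = [s for s in pe["sections"] if s["rva"] <= ep < s["rva"] + max(s["virtual_size"], s["raw_size"])]
    if not home:
        hits.append(f"entry point 0x{ep:x} lies outside every section")
    elif home[0]["name"] in PACKER_SECTION_NAMES:
        hits.append(f"entry point is in {home[0]['name']!r}, a known packer section name")
    if home and home[0]["flags"] & IMAGE_SCN_MEM_WRITE:
        hits.append(f"entry section {home[0]['name']!r} is writable (unpacking stub?)")
    hits += [f"section {s['name']!r} entropy {s['entropy']:.2f} > 7.0: compressed or encrypted"
             for s in pe["sections"] if s["entropy"] > 7.0]
    return hits


if __name__ == "__main__":
    for label, packed in (("clean", False), ("packed", True)):
        pe = parse_pe(build_sample_pe(packed))
        print(f"[{label}] entry=0x{pe['entry_point']:x}", [(s["name"], round(s["entropy"], 2)) for s in pe["sections"]])
        print("  indicators:", packer_indicators(pe) or "none")
```

Entropy and layout checks only say that something is packed; identifying which packer, as PEiD does, needs a signature match on the bytes at the entry point. A hostile sample may also carry a section table that does not match the file, so on a real file the offset-to-address mapping should be cross-checked against SizeOfHeaders and the alignment fields rather than trusted blindly.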

Task 5: Identify File Dependencies using Dependency Walker

Any software program depends on the various inbuilt libraries of an OS that help in performing specified actions in a system. Programs need to work with internal system files to function correctly. Programs store their import and export functions in a kernel32.dll file. File dependencies contain information about the internal system files that the program needs to function properly; this includes the process of registration and location on the machine.

Find the libraries and file dependencies, as they contain information about the run-time requirements of an application. Then, locate and analyze these files to gather information about the malware. File dependencies include linked libraries, functions, and function calls. Check the dynamically linked list in the malware executable file. Enumerating all library functions helps you infer what the malware program can do. You should know the various DLLs used to load and run a program.

Some of the standard DLLs are:

DLL                         Description of contents
Kernel32.dll                Core functionality such as access and manipulation of memory, files, and hardware
Advapi32.dll                Provides access to advanced core Windows components such as the Service Manager and Registry
User32.dll                  User-interface components such as buttons, scrollbars, and components for controlling and responding to user actions
Gdi32.dll                   Functions for displaying and manipulating graphics
Ntdll.dll                   Interface to the Windows kernel
WSock32.dll and Ws2_32.dll  Networking DLLs that help to connect to a network or perform network-related tasks
Wininet.dll                 Supports higher-level networking functions

The Dependency Walker tool lists all dependent modules of an executable file and builds hierarchical tree diagrams. It also records all functions that each module exports and calls. Further, it detects many common application problems such as missing and invalid modules, import and export mismatches, circular dependency errors, mismatched machine modules, and module initialization failures.

Here, we will use the Dependency Walker tool to identify the file dependencies of an executable file.

  1. On the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Static Malware Analysis Tools\File Dependency Checking Tools\Dependency Walker, and double-click exe.
  2. The Dependency Walker main window appears; navigate to File and click Open to import the malicious file.
  3. The Open window appears; navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Viruses\Klez Virus Live!. Select the exe file and click Open.
  4. The Dependency Walker pop-up appears, along with the error detected while processing the file; click OK.
  5. The EXE file is imported into Dependency Walker, as shown in the screenshot.
  6. Shrink the .DLL nodes to view all available DLLs for the malicious file.
  7. The available DLLs for snoopy.exe are listed, as shown in the screenshot.
  8. Click any DLL dependency to view the details of the DLL file. In this lab, we are choosing DLL.
  9. As soon as you select the DLL, Dependency Walker displays the DLL details in the Import Section and Export Section, as shown in the screenshot.
  10. Analyze all DLL dependencies of the imported malicious file. Close all open windows once the analysis is complete.
  11. You can also use other dependency checking tools such as Dependency-check (https://jeremylong.github.io), Snyk (https://snyk.io), Hakiri (https://hakiri.io), or RetireJS (https://retirejs.github.io) to identify file dependencies.

Question 3.5.1:

Which of the following files is analyzed using Dependency Walker?

tini.exe

face.exe

snoopy.exe

MSN.exe

Task 6: Perform Malware Disassembly using IDA and OllyDbg

Static analysis also includes the dismantling of a given executable into binary format to study its functionalities and features. This process helps identify the language used for programming the malware, look for APIs that reveal its function, and retrieve other information. Based on the reconstructed assembly code, you can inspect the program logic and recognize its threat potential. This process uses debugging tools such as IDA Pro and OllyDbg.

IDA: As a disassembler, IDA explores binary programs, for which the source code might not be available, to create maps of their execution. The primary purpose of a disassembler is to display the instructions actually executed by the processor in a symbolic representation called “assembly language.” However, in real life, things are not always simple. Hostile code usually does not cooperate with the analyst. Viruses, worms, and Trojans are often armored and obfuscated; as such, more powerful tools are required. The debugger in IDA complements the static analysis capabilities of the disassembler. By allowing an analyst to single-step through the code being investigated, the debugger often bypasses the obfuscation. It helps obtain data that the more powerful static disassembler will be able to process in depth.

OllyDbg: OllyDbg is a debugger that emphasizes binary code analysis, which is useful when source code is unavailable. It traces registers; recognizes procedures, API calls, switches, tables, constants, and strings; and locates routines from object files and libraries.

There is a new debugging option, “Set permanent breakpoints on system calls.” When active, it requests OllyDbg to set breakpoints on KERNEL32.UnhandledExceptionFilter(), NTDLL.KiUserExceptionDispatcher(), NTDLL.ZwContinue(), and NTDLL.NtQueryInformationProcess().

  1. On the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Static Malware Analysis Tools\Disassembling and Debugging Tools\IDA and double-click exe.
  2. If a User Account Control window appears, click Yes.

If an Open File – Security Warning pop-up appears, click Run.

  1. The IDA installation wizard appears; follow the wizard-driven installation steps to install IDA.
  2. In the final step of the installation, ensure that the Launch IDA option is checked; this will launch the application automatically once you click Finish.
  3. If the IDA License window appears, click I Agree.
  4. The IDA: Quick start pop-up appears; click New to select a malicious file for disassembly.
  5. The IDA main window appears, along with the Select file to disassemble window.
  6. In the Select file to disassemble window, navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Viruses\Klez Virus Live!, select exe, and click Open.
  7. The Load a new file window appears; by default, the Portable executable for 80386 (PE) [pe64.dll] option is selected; click OK.
  8. If a Warning pop-up appears, click OK.
  9. If a Please confirm dialog box appears, read the instructions carefully, and then click Yes.
  10. IDA completes the analysis of the imported malicious file and displays the results in the IDA View-A tab, as shown in the screenshot.
  11. In the IDA View-A section, right-click anywhere and choose Text view from the context menu to view the text information of the malicious file uploaded to IDA for analysis.
  12. This reveals the text view of the malicious file, allowing analysis of its information.
  13. Now, minimize the IDA window, and navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Static Malware Analysis Tools\Disassembling and Debugging Tools\IDA. Copy the exe file and paste it in IDA’s installation location. In this lab, the location is C:\Program Files\IDA Freeware 7.0.

If a Destination Folder Access Denied notification appears, click Continue.

  1. Maximize the IDA window. To view the control flow of the loaded malicious file, navigate to View –> Graphs and click Flow chart.
  2. A Graph window appears with the flow chart. You may zoom in to view it more clearly.
  3. Close the Graph window, go to View –> Graphs, and click Function calls from the menu bar.
  4. A window showing the call flow appears; zoom in for a better view. Close the WinGraph32 Call flow window after completing the analysis.
  5. Click the Hex View-1 tab to view the hex dump of the malicious file.
  6. Click the Structures tab to view the structures IDA has recognized in the file, as shown in the screenshot.
  7. IDA displays all Structures (to expand a structure, press Ctrl and +).
  8. Click the Enums tab to view the Windows enumerations, as shown in the screenshot.
  9. Close all open windows.
  10. Navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Static Malware Analysis Tools\Disassembling and Debugging Tools\OllyDbg and double-click the OllyDbg executable.

If an Open File – Security Warning pop-up appears, click Run.

  1. If a UDD Directory Absent dialog box appears, click OK.
  2. If an OllyDbg warning message about administrative rights appears, click OK.
  3. The OllyDbg main window appears, as shown in the screenshot.

When you launch OllyDbg for the first time, several sub-windows might appear in the main window of OllyDbg; close them all.

  1. Choose File from the menu bar, and then choose Open.
  2. The Open 32-bit executable window appears; navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Viruses, select the virus executable (.exe), and click Open.
  3. The output appears in a window named CPU – main thread, module ntdll; maximize the window.
  4. Choose View in the menu bar, and then choose Log.
  5. A window named Log data appears in OllyDbg, displaying the log details, as shown in the screenshot.
  6. The Log data window also displays the program entry point and its calls to known functions. Close the Log data window after completing the analysis.
  7. Choose View in the menu bar, and then choose Executable modules.
  8. A window named Executable modules appears in OllyDbg, displaying all loaded executable modules, as shown in the screenshot.
  9. Double-click any module to view the complete information of the selected module.
  10. In this exercise, we are choosing the module loaded at base address 6F020000.
  11. This redirects you to the CPU – main thread window, as shown in the screenshot.
  12. Choose View in the menu bar, and then choose Memory.
  13. A window named Memory map appears in OllyDbg, displaying all memory mappings, as shown in the screenshot. Close the Memory map window.
  14. Choose View in the menu bar, and then choose Threads.
  15. A window named Threads appears in OllyDbg, displaying all threads, as shown in the screenshot.
  16. This way, you can load a file into OllyDbg and analyze its modules, memory layout, and threads.
  17. Close all open windows.
  18. You can also use other disassembling and debugging tools such as Ghidra (https://ghidra-sre.org), Radare2 (https://rada.re), and WinDbg (http://www.windbg.org) to perform malware disassembly and debugging; ProcDump (https://docs.microsoft.com) is not a debugger itself but captures process memory dumps that these tools can then analyze.

Question 3.6.1:

What is the name of the malware that is analyzed using IDA in this task?

Lab 4: Perform Dynamic Malware Analysis

Lab Scenario

Dynamic malware analysis, also known as behavioral analysis, involves executing malware code to learn how it interacts with the host system and what impact it has after infecting the system.

Dynamic analysis involves the execution of malware to examine its conduct and operations and to identify technical indicators that confirm malicious intent. It reveals information such as domain names contacted, file path locations, created registry keys, IP addresses, additional files dropped, installation files, and DLLs and linked files placed on the system or network.

This type of analysis requires a safe environment, such as isolated virtual machines and sandboxes, to prevent the malware from spreading. The environment should include tools that capture every action of the malware in detail and report it. Typically, disposable virtual machines with a clean snapshot serve as the base for such experiments.

An ethical hacker or penetration tester performs dynamic malware analysis to find out what the applications and processes running on a computer actually do, and to remove unwanted or malicious programs that can breach privacy or affect the system’s health.

Lab Objectives

  • Perform port monitoring using TCPView and CurrPorts
  • Perform process monitoring using Process Monitor
  • Perform registry monitoring using Regshot and jv16 PowerTools
  • Perform Windows services monitoring using Windows Service Manager (SrvMan)
  • Perform startup program monitoring using Autoruns for Windows and WinPatrol
  • Perform installation monitoring using Mirekusoft Install Monitor
  • Perform files and folder monitoring using PA File Sight
  • Perform device driver monitoring using DriverView and Driver Reviver
  • Perform DNS monitoring using DNSQuerySniffer

Overview of Dynamic Malware Analysis

Dynamic analysis is performed to gather information about malware activity, including the files and folders created, ports and URLs accessed, functions and libraries called, applications and tools accessed, information transferred, settings modified, processes and services the malware started, and other items. Design and set up the environment for dynamic analysis so that the malware cannot propagate to the production network, and ensure that the test system can be restored to a snapshot taken before the malware was launched in case anything goes wrong during the test.

To achieve this, you need to perform the following:

  • System Baselining: Baselining refers to the process of capturing a system’s state (taking a snapshot of the system) at the time the malware analysis begins. This baseline is compared with the system’s state after executing the malware file, which reveals the changes the malware has made across the system. A system baseline records details of the file system, registry, open ports, network activity, and other items.
  • Host Integrity Monitoring: Host integrity monitoring is the process of studying the changes that have taken place across a system after a series of actions or incidents. It involves using the same tools to take a snapshot of the system before and after the incident or actions and analyzing the differences to evaluate the malware’s impact on the system and its properties. In malware analysis, host integrity monitoring helps to understand the runtime behavior of a malware file as well as its activities, propagation techniques, URLs accessed, downloads initiated, and other characteristics.

Host integrity monitoring includes:

    • Port monitoring
    • Process monitoring
    • Registry monitoring
    • Windows services monitoring
    • Startup program monitoring
    • Event logs monitoring and analysis
    • Installation monitoring
    • Files and folder monitoring
    • Device driver monitoring
    • Network traffic monitoring and analysis
    • DNS monitoring and resolution
    • API calls monitoring

Task 1: Perform Port Monitoring using TCPView and CurrPorts

Malware opens network ports on a compromised system to establish connections with remote systems, networks, or servers and accomplish its tasks. These open ports can also act as backdoors or communication channels for other harmful malware and programs. The malware either listens on an otherwise unused port on the victim’s machine or, as the njRAT server in this lab does, connects back out to the malware handler’s machine.

You can identify the malware trying to access a particular port by installing port monitoring tools such as TCPView and CurrPorts.

TCPView: TCPView is a Windows program that shows detailed listings of all the TCP and UDP endpoints on the system, including the local and remote addresses and the state of the TCP connections. It provides a more informative and conveniently presented subset of what the netstat program that ships with Windows reports. The TCPView download includes Tcpvcon, a command-line version with the same functionality. When TCPView runs, it enumerates all active TCP and UDP endpoints and, by default, resolves IP addresses to their domain names.

CurrPorts CurrPorts is a piece of network monitoring software that displays a list of all the currently open TCP/IP and UDP ports on a local computer. For each port in the list, information about the process that opened the port is also displayed, including the process name, full path of the process, version information of the process (product name, file description, etc.), the time that the process was created, and the user that created it.

In addition, CurrPorts allows you to close unwanted TCP connections, kill the process that opened the ports, and save the TCP/UDP port information to an HTML file, XML file, or to tab-delimited text file.

CurrPorts also automatically marks suspicious TCP/UDP ports owned by unidentified applications (Applications without version information and icons) in pink.

This lab activity demonstrates how to analyze malicious processes running on a machine using TCPView and CurrPorts. Here, you will first create a server using njRAT on the Windows 10 machine, execute this server on the Windows Server 2016 machine, and then run TCPView and CurrPorts on that second machine to find the process associated with the server and its connection back to the attacker.

  1. On the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Trojans Types\Remote Access Trojans (RAT)\njRAT and double-click njRAT v0.7d.exe to launch njRAT.
  2. Create a server and save it to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Trojans Types\Remote Access Trojans (RAT)\njRAT.
  3. While building the server, name it Trojan.exe for demonstration purposes.
  4. Click Windows Server 2016 to switch to the Windows Server 2016 machine. Press Ctrl+Alt+Delete to activate the machine; by default, the CEH\Administrator account is selected. Click Pa$$w0rd to enter the password and press Enter.
  5. Navigate to Z:\CEHv11 Module 07 Malware Threats\Trojans Types\Remote Access Trojans (RAT)\njRAT and double-click Trojan.exe.
  6. The server connects back to the njRAT client. Click Windows 10 to switch to the Windows 10 machine and observe the established connection.
  7. Now, let us analyze this process on Windows Server 2016 using TCPView. Click Windows Server 2016 to switch back to the Windows Server 2016 machine.
  8. Navigate to Z:\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Dynamic Malware Analysis Tools\Port Monitoring Tools\TCPView and double-click the TCPView executable to launch the application.

If a User Account Control pop-up appears, click Yes.

  1. If a TCPView License Agreement window appears, click Agree to accept the terms and conditions.
  2. The TCPView main window appears, displaying columns such as Process, Process Id, Protocol, Local Address, Local Port, Remote Address, Remote Port, and State, as shown in the screenshot.
  3. TCPView performs port monitoring. Click the Local Port column header to sort the endpoints by port number.
  4. Observe the protocols running on the different ports under the Protocol column.
  5. As you have executed a malicious application, search for the Trojan.exe process in TCPView.
  6. You can observe that the malicious Trojan.exe program is running on the Windows Server 2016 machine, together with the Remote Address and Remote Port of its connection back to the attacker.
  7. To see the process properties, select the process, open the Process menu, and click Process Properties.
  8. The properties window for the selected process (here, Trojan.exe) appears; clicking End Process would kill the process.
  9. Normally, when the TCPView confirmation dialog box appears, you would click Yes to terminate the process. For this lab, do not kill the process in this step, because the next task uses this running process; click No.
  10. This way, you can view all processes with network endpoints on the machine and stop unwanted or malicious processes that may affect your system. If you are unable to stop a process, note the remote address and port it is using and add a firewall rule to block that traffic.
  11. Close the TCPView window.
  12. Now, let us analyze the same process on Windows Server 2016 using CurrPorts.
  13. Navigate to Z:\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Dynamic Malware Analysis Tools\Port Monitoring Tools\CurrPorts and double-click the CurrPorts executable.
  14. The CurrPorts window appears, displaying a list of currently open TCP/IP and UDP ports on the machine. Here, you can observe the Trojan.exe process, as shown in the screenshot.
  15. The screenshot shows that the process is connected to the attacker’s Windows 10 machine on remote port 5552, the port on which the njRAT client listens.
  16. You can view the properties of the process by right-clicking it and choosing Properties from the context menu.
  17. The Properties window appears, displaying information such as the process name, process ID, Remote Address, Process Path, Remote Host Name, and other details.
  18. Once you are done examining the properties, click OK.
  19. Because Trojan.exe is a malicious process, you may end it by right-clicking it and selecting Kill Processes Of Selected Ports from the context menu.
  20. Alternatively, you may select Close Selected TCP Connections to tear down the connection. Note that this only terminates the current session: a RAT such as njRAT keeps trying to reconnect to its handler, so the attacker regains control unless you also kill the process, remove its persistence, or block the outbound traffic at the firewall.
  21. Normally, when the CurrPorts dialog box appears, you would click Yes to close the connection. However, do not kill the process at this step, as the next task uses this running process; click No.
  22. This way, you can analyze the ports open on a machine and the processes using them.
  23. If a process is found to be suspicious, you may either kill the process or close its connection, keeping the caveat above in mind.
  24. Close all open windows.
  25. You can also use other port monitoring tools such as Port Monitor (https://www.port-monitor.com), TCP Port Monitoring (https://www.dotcom-monitor.com), or PortExpert (http://www.kcsoftwares.com) to perform port monitoring.
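The same triage can be scripted once the endpoint listing has been captured, which helps when a box has dozens of connections and you want the suspicious ones surfaced first. The following is an added example, not part of the lab or of TCPView/CurrPorts: it parses output in the layout of netstat -ano (a constructed sample; the addresses, PIDs and image paths are invented, and the PID-to-path mapping is assumed to have been collected separately, for instance from the Process Path column in CurrPorts) and flags established connections to watched or uncommon remote ports, plus any endpoint owned by an image running from a user-writable directory, which are the two things the steps above have you look for by eye.

```python
"""Triage of a TCP/UDP endpoint listing, the check the TCPView/CurrPorts task
performs by eye. Added example, not part of the lab or of either tool."""
import re
from collections import namedtuple

# Constructed sample in the layout of `netstat -ano` on Windows; addresses and PIDs are invented.
NETSTAT_OUTPUT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:1177           0.0.0.0:0              LISTENING       5212
  TCP    10.10.10.16:49704      10.10.10.10:5552       ESTABLISHED     4120
  TCP    10.10.10.16:49710      40.90.22.10:443        ESTABLISHED     2344
  UDP    0.0.0.0:5353           *:*                                    1532
"""

# Constructed PID-to-image mapping, as the Process Path column in CurrPorts would show it.
PROCESS_PATHS = {
    880: r"C:\Windows\System32\svchost.exe",
    5212: r"C:\Users\Administrator\AppData\Local\Temp\svchost.exe",
    4120: r"C:\Users\Administrator\AppData\Local\Temp\Trojan.exe",
    2344: r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
    1532: r"C:\Windows\System32\svchost.exe",
}

Endpoint = namedtuple("Endpoint", "proto local remote state pid")

def parse_netstat(text):
    """Parse `netstat -ano` style lines into Endpoint tuples, skipping the header."""
    endpoints = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:                     # UDP rows have no State column
            proto, local, remote, pid = parts
            state = ""
        endpoints.append(Endpoint(proto, local, remote, state, int(pid)))
    return endpoints

def port_of(addr):
    """Return the numeric port of 'host:port', or None for '*' style placeholders."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None

# Directories a legitimate service or browser rarely runs from, but a dropped RAT usually does.
USER_WRITABLE_RE = re.compile(r"\\(Temp|AppData|Downloads|Users\\Public)\\", re.IGNORECASE)
# Remote ports flagged outright; 5552 is the port the njRAT client listens on in the lab.
WATCHED_REMOTE_PORTS = {5552}
# Remote ports common enough that they are not flagged on their own.
COMMON_REMOTE_PORTS = {80, 443, 53, 123}

def triage(endpoints, process_paths):
    """Return [(Endpoint, [reasons])] for endpoints that deserve a closer look."""
    findings = []
    for ep in endpoints:
        reasons = []
        path = process_paths.get(ep.pid, "")
        from_user_dir = bool(USER_WRITABLE_RE.search(path))
        if ep.state == "ESTABLISHED":
            rport = port_of(ep.remote)
            if rport in WATCHED_REMOTE_PORTS:
                reasons.append(f"remote port {rport} is on the watch list")
            elif rport not in COMMON_REMOTE_PORTS:
                reasons.append(f"uncommon remote port {rport}")
            if from_user_dir:
                reasons.append(f"connection owned by image in user-writable location: {path}")
        elif ep.state == "LISTENING" and from_user_dir:
            reasons.append(f"listener opened by image in user-writable location: {path}")
        if reasons:
            findings.append((ep, reasons))
    return findings

if __name__ == "__main__":
    for ep, reasons in triage(parse_netstat(NETSTAT_OUTPUT), PROCESS_PATHS):
        print(f"PID {ep.pid:<6} {ep.proto} {ep.local} -> {ep.remote} [{ep.state}]")
        for reason in reasons:
            print("    -", reason)
```

On the constructed sample this reports the listener opened from a Temp directory and the established connection to the handler on port 5552, and stays silent about the svchost and browser endpoints. The port lists are deliberately small; on a real engagement they would be tuned to the environment, and the path heuristic is a prompt for a closer look, not a verdict.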

Question 4.1.1:

Which of the following machine is used to run njRAT and create the Trojan.exe file?

Windows Server 2016

Windows 10

Windows Server 2019

Ubuntu

Question 4.1.2:

What is the remote IP address of the machine where the trojan is generated?

Task 2: Perform Process Monitoring using Process Monitor

Process monitoring helps in understanding the processes that malware initiates and takes over after execution. You should also observe the child processes, associated handles, loaded libraries, functions, and execution flow of boot-time processes to define the entire nature of a file or program. Gather information about the processes running before the malware is executed and compare them with the processes running after execution; this reduces the time taken to analyze the processes and makes it easy to identify every process the malware starts.

Process Monitor is a monitoring tool for Windows that shows real-time file system, Registry, and process and thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements, including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, and simultaneous logging to a file. These features make Process Monitor a core utility in system troubleshooting and a vital part of the malware hunting toolkit.

Here, we will use the Process Monitor tool to detect suspicious processes.

  1. On the Windows Server 2016 machine, navigate to Z:\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Dynamic Malware Analysis Tools\Process Monitoring Tools\ProcessMonitor and double-click the Process Monitor executable to launch the tool.
  2. The Process Monitor License Agreement window appears; click Agree.
  3. The Process Monitor main window appears, as shown in the screenshot, showing the activity of the processes running on the machine.
  4. Look for the Trojan.exe process that was executed in the previous task. If you killed the process at the end of that task, navigate to Z:\CEHv11 Module 07 Malware Threats\Trojans Types\Remote Access Trojans (RAT)\njRAT and double-click Trojan.exe to re-execute the malicious program.
  5. Observe that the Trojan.exe process is running on the machine. Process Monitor shows each of its events with details such as the PID, Operation, Path, Result, and Detail.
  6. To view the properties of an event, select an event of the process (here, Trojan.exe), open the Event menu, and click Properties.
  7. The Event Properties window appears with the details of the chosen event.
  8. In the Event tab, you can see the complete details of the event, such as Date, Thread, Class, Operation, Result, Path, and Duration.
  9. Once the analysis is complete, click the Process tab.
  10. The Process tab shows the complete details of the process that generated the event, as shown in the screenshot.
  11. Click the Stack tab to view the call stack of the thread at the time of the selected event, which shows the modules (DLLs) whose code was executing. Once the analysis is done, click Close.
  12. This way, you can analyze the processes running on a machine and the file, registry, and network operations they perform.
  13. If a process is found to be suspicious, you may either kill the process or close the port.
  14. Close all windows on the Windows 10 and Windows Server 2016 machines.
  15. You can also use other process monitoring tools such as Process Explorer (https://docs.microsoft.com), OpManager (https://www.manageengine.com), Monit (https://mmonit.com), or ESET SysInspector (https://www.eset.com) to perform process monitoring.
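Process Monitor can save its event log as CSV (File –> Save, CSV format), and for a long capture it is faster to summarize that export than to open Event Properties one row at a time. The following is an added example, not part of the lab or of the Sysinternals tooling: it reads a constructed CSV in the column layout of a Procmon export (the events, paths, PIDs and addresses are invented) and groups one process’s events into the indicator categories a dynamic analysis report needs: files written, autostart registry keys set, outbound connections, child processes, and images loaded from outside the Windows directory.

```python
"""Summarise a Process Monitor CSV export for one suspect process.
Added example, not part of the lab or of the Sysinternals tooling."""
import csv
import io
from collections import defaultdict

# Constructed sample in the column layout of Procmon's CSV export; every event is invented.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0010000","Trojan.exe","4120","Process Start","","SUCCESS","Parent PID: 3320, Command line: Trojan.exe"
"10:02:11.0020000","Trojan.exe","4120","Load Image","C:\Windows\System32\ws2_32.dll","SUCCESS","Image Base: 0x7ffb1a2c0000, Image Size: 0x70000"
"10:02:11.0100000","Trojan.exe","4120","CreateFile","C:\Users\Administrator\AppData\Local\Temp\svchost.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf"
"10:02:11.0110000","Trojan.exe","4120","WriteFile","C:\Users\Administrator\AppData\Local\Temp\svchost.exe","SUCCESS","Offset: 0, Length: 23,552"
"10:02:11.0200000","Trojan.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f","SUCCESS","Type: REG_SZ, Length: 112, Data: C:\Users\Administrator\AppData\Local\Temp\svchost.exe"
"10:02:11.0300000","Trojan.exe","4120","TCP Connect","WIN2016:49704 -> 10.10.10.10:5552","SUCCESS","Length: 0, mss: 1460, sackopt: 1, tsopt: 0, wsopt: 1, rcvwin: 65536, rcvwinscale: 8, sndwinscale: 8, seqnum: 0, connid: 0"
"10:02:11.0400000","Trojan.exe","4120","Process Create","C:\Users\Administrator\AppData\Local\Temp\svchost.exe","SUCCESS","PID: 5212, Command line: C:\Users\Administrator\AppData\Local\Temp\svchost.exe"
"10:02:11.0500000","explorer.exe","3320","RegQueryValue","HKCU\Software\Classes\CLSID","NAME NOT FOUND","Length: 144"
'''

# Registry locations (lower-case substrings) that give a sample a foothold across reboots.
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\currentcontrolset\\services", "\\winlogon\\")

def load_events(csv_text):
    """Parse the export into a list of dicts keyed by Procmon's column names."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def summarize(events, process_name):
    """Group one process's interesting operations into indicator categories."""
    summary = defaultdict(list)
    for ev in events:
        if ev["Process Name"].lower() != process_name.lower():
            continue
        op, path, detail = ev["Operation"], ev["Path"], ev["Detail"]
        if op == "CreateFile" and "Generic Write" in detail:
            summary["files_written"].append(path)            # file opened for writing
        elif op == "RegSetValue":
            if any(k in path.lower() for k in PERSISTENCE_KEYS):
                summary["persistence"].append(path)          # autostart location touched
            else:
                summary["registry_set"].append(path)
        elif op == "TCP Connect":
            summary["network"].append(path.split(" -> ")[-1])  # keep the remote endpoint only
        elif op == "Process Create":
            summary["child_processes"].append(path)
        elif op == "Load Image" and not path.lower().startswith("c:\\windows\\"):
            summary["nonsystem_images"].append(path)         # DLLs loaded from outside Windows
    # De-duplicate each category while preserving first-seen order.
    return {k: list(dict.fromkeys(v)) for k, v in summary.items()}

if __name__ == "__main__":
    for category, items in summarize(load_events(PROCMON_CSV), "Trojan.exe").items():
        print(category)
        for item in items:
            print("   ", item)
```

The CreateFile test keys on the Desired Access field rather than on WriteFile events because a file written in many chunks produces one CreateFile but many WriteFile rows; the Run key substring deliberately also matches RunOnce. Filtering by process name is enough for a lab sample, but a real capture should be filtered by PID as well, since a sample can start a copy of itself under a legitimate-looking name.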

Question 4.2.1:

Name the OS in which the Process Monitor is being installed.

Task 3: Perform Registry Monitoring using Regshot and jv16 PowerTools

The Windows registry stores OS and program configuration details such as settings and options. Malware that installs itself on a victim’s machine typically creates registry entries of its own, for example to run at startup, register a service, or store its configuration. One must have a fair knowledge of the Windows registry, its contents, and its inner workings to analyze the presence of malware. Scanning for suspicious registry entries helps to detect malware, and although most computer users never do this, monitoring registry entries is an effective way to track modifications made to a system.

Registry monitoring tools such as Regshot and jv16 PowerTools provide a simple way to track registry modifications, which is useful both in troubleshooting and in monitoring changes made in the background.

Regshot: Regshot is a registry compare utility that helps to identify changes in registry entries after installing or uninstalling a program, or after manually modifying the registry. It compares the registry at two separate points in time by taking a snapshot before and after any program or setting is added, removed, or otherwise modified.

jv16 PowerTools: jv16 PowerTools is a PC system utility that cleans out unneeded files and data, cleans the Windows registry, fixes system errors, and applies optimizations to the system. It allows the user to scan and monitor the Registry.

jv16 also helps in detecting registry entries left behind by malware. The “Clean and Speedup My Computer” feature of its Registry Cleaner fixes registry and system errors, cleans registry leftovers, and manages unneeded files such as old log files and temporary files.

Here, we will use the registry monitoring tools Regshot and jv16 PowerTools to scan the registry values for any suspicious entries that may indicate a malware infection.

  1. Click Windows 10 to switch to the Windows 10 machine and navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Dynamic Malware Analysis Tools\Registry Monitoring Tools\regshot. Right-click Regshot-x86-Unicode.exe and choose Run as administrator from the context menu, as shown in the screenshot.
  2. If a User Account Control window appears, click Yes.
  3. The Regshot application window opens; select the HTML document radio button, and in the Output path field, click the ellipsis (...) button.
  4. The Browse For Folder window appears; choose Desktop, and then click OK, as shown in the screenshot.
  5. In Regshot’s main window, click the 1st shot button, as shown in the screenshot.
  6. A context menu appears; click Shot and Save….
  7. The Save As window appears; enter the file name (here, Shot 1) and set the location to Desktop. Then, click Save, as shown in the screenshot.
  8. Now, to demonstrate a change in the registry, install an application (here, SoftPerfect Network Scanner).
  9. Navigate to D:\CEH-Tools\CEHv11 Module 04 Enumeration\SNMP Enumeration Tools\SoftPerfect Network Scanner and double-click the SoftPerfect Network Scanner installer (.exe).
  10. If a User Account Control window appears, click Yes.
  11. Follow the wizard-driven installation steps to install the SoftPerfect Network Scanner.
  12. Once the installation is complete, uncheck the Launch SoftPerfect Network Scanner option and click Finish.

You can install any application to view the changes in the registry. For demonstration purposes, we have installed the SoftPerfect Network Scanner.

  1. Switch to the Regshot application window; leave all settings at their defaults, and click 2nd shot.
  2. A context menu appears; click Shot and Save…, as shown in the screenshot.
  3. The Save As window appears; enter the file name (here, Shot 2) and set the location to Desktop. Then, click Save, as shown in the screenshot.
  4. Now, return to the Regshot application window and click Compare, as shown in the screenshot.
  5. The comparison of both shots opens in the default browser (here, Google Chrome); close the browser.
  6. On the Desktop, right-click ~res-x86.htm and choose Open with –> Microsoft Edge.
  7. Observe the registry entries that were added, removed, or modified between the 1st and the 2nd shots, as shown in the screenshot.
  8. By examining the modified registry entries in the result, you can find unwanted registry entries on the machine and remove them manually. When the program run between the two shots is a malware sample rather than a benign installer, the same comparison shows the keys the sample created for persistence and configuration.
  9. Close all open windows on the Windows 10 machine.
  10. Now, we will perform an intensive scan for unwanted resources using jv16 PowerTools.
  11. On the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Dynamic Malware Analysis Tools\Registry Monitoring Tools\jv16 PowerTools and double-click the jv16 PowerTools installer (.exe).
  12. If the User Account Control window appears, click Yes.
  13. Follow the wizard-driven installation steps to install jv16 PowerTools.
  14. The jv16 PowerTools Quick Tutorial window appears; click Next.

If the jv16 PowerTools Quick Tutorial window does not appear, then double-click the jv16 PowerTools short-cut icon on Desktop to launch the application.

  1. In the Please select your language wizard, choose a language (here, English) and click Next.
  2. The How long would you like your trial to be? wizard appears; leave the fields blank and click Next.
  3. In the next How long would you like your trial to be? wizard screen, leave the fields blank and click Next.
  4. The jv16 PowerTools pop-up appears; click No.
  5. The A few tips to get you started wizard appears; click Next.
  6. The Simple or full user interface wizard appears; choose the Show me all the features and options available radio button, and then click Next.
  7. Click Next in the Global Ignore List wizard.
  8. In the Default Settings wizard, leave all settings set to default, and then click Next.
  9. The Performing Initial Setup window appears. Make sure that the Restart computer after done option is checked. Once the setup is done, the machine restarts automatically.
  10. Once the machine has restarted, press Ctrl+Alt+Delete to activate the machine. By default, the Admin user account is selected; click Pa$$w0rd to enter the password and press Enter to log in.
  11. Observe that the jv16 PowerTools application launches automatically, along with a jv16 PowerTools pop-up; click No.
  12. The jv16 PowerTools main window appears, as shown in the screenshot. By default, the Home option is selected, which displays the System Health, Privacy, Registry Integrity, and System Startup Times summaries.
  13. Click the Main Tools section in the left pane to view the available tools in jv16 PowerTools. The Main Tools section lists all available tool features, as shown in the screenshot.
  14. Click Clean and SpeedUp My Computer.
  15. The Clean and SpeedUp My Computer wizard appears. Click Settings and then click Start.
  16. The tool starts analyzing the machine. The process takes a few minutes.
  17. Once the scan is complete, jv16 PowerTools displays the Registry Errors, Temp Files, and other results.
  18. To view the registry errors, expand the Registry Errors node, and then expand the Invalid ActiveX/DDE/COM/DCOM/OLE item.
  19. In the same way, expand the other items in the list to view all temporary files, log files, and other data.
  20. Select all items in the application window, and then click Delete.

The registry errors might differ in your lab.

  1. The jv16 PowerTools pop-up appears. If you want to create a backup, click Yes. In this lab, we have selected No, which deletes the files without a backup.
  2. This deletes the identified invalid registry entries, logs, temporary files, and other items. Bear in mind that a registry cleaner removes orphaned and invalid entries; it does not by itself identify malware, so treat its results as a starting point for manual review rather than as proof that the machine is clean.
  3. If a jv16 PowerTools pop-up appears asking you to restart the computer, click No.
  4. If a Clean and Fix My Computer dialog box appears, close it.
  5. jv16 PowerTools redirects you to the Main Tools section; click Control which programs start automatically.
  6. In the Startup Manager, select the software of your choice and assign the appropriate action to each item you check.
  7. Thus, you can find Trojans or malicious files that run at system startup and choose the appropriate actions against them. Click Close in the Startup Manager wizard, which redirects you to the Main Tools section of jv16 PowerTools.
  8. Select Registry Tools to view registry-related functions.
  9. This section helps you to find, manage, monitor, compress, clean, or replace registry entries.
  10. Click File Tools to view file-related functions.
  11. This section helps you to find, recover, clean, organize, or merge files or directories.
  12. Select Privacy Tools to view privacy-related functions.
  13. This section helps you to check for vulnerable software and spyware, clear your history, and perform other tasks.
  14. The Disk Wiper option wipes the disk; do not use it in the lab.
  15. Select Backups to view the system-related backups.
  16. The jv16 PowerTools – Backup Tool window appears, displaying the registry and file backups.
  17. You can choose whether to delete or restore backups in this window.
  18. Click Close on the jv16 PowerTools – Backup Tool window; this redirects you to the Main Tools section of jv16 PowerTools.

If a restart prompt appears, then restart the machine.

  1. Examining the results of the jv16 PowerTools scan reveals unwanted registry entries and other suspicious items on the machine and allows you to stop or delete them.
  2. Close the jv16 PowerTools main window.
  3. You can also use other registry monitoring tools such as Reg Organizer (https://www.chemtable.com), Registry Viewer (https://accessdata.com), RegScanner (https://www.nirsoft.net), or Registrar Registry Manager (https://www.resplendence.com) to perform registry monitoring.
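Both the System Baselining step in the overview and the Regshot task above boil down to the same operation: record the state before, record it after, diff the two, and then sift the diff for the locations that matter. The following is an added example, not part of the lab or of Regshot: it diffs two constructed snapshots of registry values and file hashes (every key, path and hash is invented) and then filters the registry additions and modifications down to well-known autostart locations, which is the part of a Regshot report an analyst reads first. In practice the snapshots would be produced by walking the registry and file system before and after detonation, or taken from Regshot’s own compare output.

```python
"""Baseline-and-compare of registry and file-system state, the approach behind
System Baselining and the Regshot task. Added example, not part of the lab or of
Regshot; both snapshots are constructed and every key, path and hash is invented."""

# Snapshot taken before the sample runs (constructed).
BEFORE = {
    "registry": {
        r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden": "1",
        r"HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath": r"C:\Windows\System32\spoolsv.exe",
    },
    "files": {
        r"C:\Windows\System32\notepad.exe": "hash-a",
        r"C:\Users\Administrator\Downloads\Trojan.exe": "hash-c",
    },
}

# Snapshot taken after the sample runs (constructed): it adds a Run value and a service,
# flips the Explorer 'Hidden' setting, drops a payload in Temp and deletes its own dropper.
AFTER = {
    "registry": {
        **BEFORE["registry"],
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden": "2",
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\5cd8f17f": r"C:\Users\Administrator\AppData\Local\Temp\svchost.exe",
        r"HKLM\SYSTEM\CurrentControlSet\Services\WinUpdateSvc\ImagePath": r"C:\ProgramData\WinUpdateSvc\svchost.exe",
    },
    "files": {
        r"C:\Windows\System32\notepad.exe": "hash-a",
        r"C:\Users\Administrator\AppData\Local\Temp\svchost.exe": "hash-b",
    },
}

def diff_snapshots(before, after):
    """Return {category: {"added": [...], "removed": [...], "modified": [...]}}."""
    result = {}
    for category in set(before) | set(after):
        b, a = before.get(category, {}), after.get(category, {})
        result[category] = {
            "added": sorted(k for k in a if k not in b),
            "removed": sorted(k for k in b if k not in a),
            "modified": sorted(k for k in a if k in b and a[k] != b[k]),
        }
    return result

# Lower-case substrings of registry paths that are well-known autostart locations.
PERSISTENCE_LOCATIONS = (
    "\\currentversion\\run\\",
    "\\currentversion\\runonce\\",
    "\\currentcontrolset\\services\\",
    "\\windows nt\\currentversion\\winlogon\\",
)

def persistence_findings(diff, after):
    """Reduce registry additions/modifications to the autostart entries, with their new values."""
    findings = []
    reg = diff.get("registry", {"added": [], "modified": []})
    for key in reg["added"] + reg["modified"]:
        if any(loc in key.lower() for loc in PERSISTENCE_LOCATIONS):
            findings.append((key, after["registry"][key]))
    return findings

if __name__ == "__main__":
    d = diff_snapshots(BEFORE, AFTER)
    for category, changes in sorted(d.items()):
        for kind, keys in changes.items():
            for key in keys:
                print(f"{category:8} {kind:8} {key}")
    print("Autostart entries introduced by the sample:")
    for key, value in persistence_findings(d, AFTER):
        print(f"  {key} = {value}")
```

The diff alone lists every change, including noise such as the Explorer setting; the persistence filter is what turns it into the short list worth chasing. The file category works on content hashes rather than names, so a binary overwritten in place shows up as modified even though its path is unchanged, and the deleted dropper shows up as removed.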

Question 4.3.1:

In which of the following machines is jv16 PowerTools being executed?

Windows Server 2016

Parrot Security

Windows 10

Windows Server 2019

Task 4: Perform Windows Services Monitoring using Windows Service Manager (SrvMan)

Attackers design malware and other malicious code so that it installs and runs on a computer in the form of a service. Because most services run in the background to support processes and applications, malicious services are inconspicuous even while performing harmful activities, and they run without any user interaction. Malware spawns Windows services that allow attackers to control the victim machine and pass instructions to it remotely. Malware may also employ rootkit techniques to manipulate the registry key that defines installed services in order to hide its processes and services:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services

These malicious services typically run as the SYSTEM account or another privileged account, which provides more access than regular user accounts and makes them more dangerous than malware running as an ordinary user. Attackers also try to conceal their actions by giving malicious services names similar to genuine Windows services to avoid detection.

You can trace malicious services initiated by the suspect file during dynamic analysis by using Windows service monitoring tools such as Windows Service Manager (SrvMan), which can detect changes in services and scan for suspicious Windows services.

SrvMan has both GUI and Command-line modes. It can also be used to run arbitrary Win32 applications as services (when such a service is stopped, the main application window automatically closes).

Here, we will use the SrvMan tool to check for suspicious windows services.

  1. On the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Dynamic Malware Analysis Tools\Windows Services Monitoring Tools\Windows Service Manager (SrvMan)\srvman-1.0\x64 and double-click the SrvMan executable (.exe).

You can choose any of the executable files for the Windows Service Manager according to your computer and OS design.

  1. If a User Account Control window appears, click Yes.
  2. The Service Manager main window appears, listing all services installed or running on the machine, as shown in the screenshot.
  3. The Service Manager shows the Internal name, State, Type, Display name, Start type, and Executable of each service.
  4. Here, you can choose any unwanted service that is running on your computer and Stop or Delete that service by choosing the appropriate action.
  5. You can view the properties of the selected service by clicking Properties.
  6. To start a stopped service, click the Start service button. To stop a running service, click Stop service.
  7. To restart any running service, click the Restart service button.
  8. To add a new service to your machine, click the Add service button.
  9. To delete any running or stopped service, click the Delete service button.
  10. Thus, you can monitor the unwanted services running on the machine using the Windows Service Manager. When reviewing the list, pay particular attention to the Executable column: a service whose binary lives outside the Windows or Program Files directories, or whose name differs from a built-in service by only a character or two, deserves a closer look.
  11. Close the Service Manager window.
  12. You can also use other Windows service monitoring tools such as Advanced Windows Service Manager (https://securityxploded.com), Process Hacker (https://processhacker.sourceforge.io), Netwrix Service Monitor (https://www.netwrix.com), or AnVir Task Manager (https://www.anvir.com) to perform Windows services monitoring.
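SrvMan shows the service table, but it is up to the analyst to spot the two warning signs described at the start of this task: a service binary outside the usual system locations, and a service name that mimics a genuine one. The following is an added example, not part of the lab or of SrvMan: it runs those two checks over a constructed service table (the services, paths and the deliberately short list of known service names are invented for illustration), using a string-similarity ratio to catch lookalike names.

```python
"""Triage of installed Windows services: binaries outside trusted locations and
names that mimic well-known services. Added example, not part of the lab or of SrvMan."""
from difflib import SequenceMatcher

# Constructed sample in the shape of SrvMan's table (internal name, display name, image path, start type).
SERVICES = [
    {"name": "Spooler", "display": "Print Spooler", "path": r"C:\Windows\System32\spoolsv.exe", "start": "auto"},
    {"name": "wuauserv", "display": "Windows Update", "path": r"C:\Windows\System32\svchost.exe -k netsvcs", "start": "manual"},
    {"name": "wuauservice", "display": "Windows Update Service", "path": r"C:\ProgramData\Updates\svchost.exe", "start": "auto"},
    {"name": "WinUpdateSvc", "display": "Windows Update Helper", "path": r"C:\Users\Public\wupd.exe", "start": "auto"},
    {"name": "MyBackup", "display": "Acme Backup Agent", "path": r'"C:\Program Files\Acme\backup.exe" --svc', "start": "auto"},
]

# Deliberately short allow-list of built-in service names; a real one would come from a clean reference build.
KNOWN_SERVICE_NAMES = {"spooler", "wuauserv", "windefend", "bits", "schedule", "dnscache", "lanmanserver"}
# Directories (lower-case) from which legitimate services normally run.
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files", r"c:\program files (x86)")

def image_file(path):
    """Strip quotes and arguments (e.g. '-k netsvcs') from an ImagePath value."""
    path = path.strip()
    if path.startswith('"'):
        return path[1:].split('"', 1)[0]
    return path.split(" ", 1)[0]

def lookalike(name, known, threshold=0.8):
    """Return the known service name this one resembles without matching exactly, else None."""
    low = name.lower()
    if low in known:
        return None
    best = max(known, key=lambda k: SequenceMatcher(None, low, k).ratio())
    return best if SequenceMatcher(None, low, best).ratio() >= threshold else None

def triage_services(services, known=KNOWN_SERVICE_NAMES):
    """Return {service name: [reasons]} for services that fail either check."""
    findings = {}
    for svc in services:
        reasons = []
        exe = image_file(svc["path"]).lower()
        if not exe.startswith(TRUSTED_DIRS):
            reasons.append(f"binary outside trusted directories: {exe}")
        mimic = lookalike(svc["name"], known)
        if mimic:
            reasons.append(f"name resembles built-in service '{mimic}'")
        if reasons:
            findings[svc["name"]] = reasons
    return findings

if __name__ == "__main__":
    for name, reasons in triage_services(SERVICES).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

On the sample, wuauservice is flagged twice (its binary is in ProgramData and its name is one edit away from wuauserv) and WinUpdateSvc once for its location; the genuine Spooler, wuauserv and the quoted third-party agent under Program Files pass. The similarity threshold is a tuning knob: lower it and you catch more lookalikes at the cost of more false positives from legitimately similar names.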

Question 4.4.1:

Name the machine on which SrvMan application is installed in this task.

Task 5: Perform Startup Program Monitoring using Autoruns for Windows and WinPatrol

Startup programs are applications or processes that start when your system boots up. Attackers make many malicious programs such as Trojans and worms in such a way that they are executed during startup, and the user is unaware of the malicious program running in the background.

An ethical hacker or penetration tester must identify the applications or processes that start when a system boots up and remove any unwanted or malicious programs that can breach privacy or affect a system’s health. Therefore, scanning for suspicious startup programs manually or using startup program monitoring tools like Autoruns for Windows and WinPatrol is essential for detecting malware.

Autoruns for Windows This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows which programs are configured to run during system boot-up or login and lists the entries in the order Windows processes them. Besides the Startup folder and the Run, RunOnce, and other Registry keys, Autoruns can be configured to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, and auto-start services. Autoruns' Hide Signed Microsoft Entries option helps the user zoom in on third-party auto-starting images that have been added to the system, and it supports viewing the auto-starting images configured for other accounts on the system.

WinPatrol WinPatrol provides the user with 14 different tabs to help in monitoring the system and its files. This security utility gives the user a chance to look for programs that are running in the background of a system so that the user can take a closer look and control the execution of legitimate and malicious programs.

  1. On the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Dynamic Malware Analysis Tools\Windows Startup Programs Monitoring Tools\Autoruns for Windows and double-click exe.
  2. The AutoRuns License Agreement window appears; click Agree.
  3. The Autoruns main window appears. It displays all processes, DLLs, and services, as shown in the screenshot.

The application lists displayed under all the tabs may vary in your lab environment.

  1. Click the Logon tab to view the applications that run automatically during login.
  2. Click the Explorer tab to view the Explorer applications that run automatically at system startup.
  3. Click the Services tab to display all services that run automatically at system startup.
  4. Click the Drivers tab to view all application drivers that run automatically at system startup.
  5. Click any driver to display its size, version, and the time at which it was automatically run at system startup (for the first time).

The list displayed under this tab may vary in your lab environment.

  1. Click the KnownDLLs tab to view all known DLLs that start automatically at system startup.
  2. By examining all these tabs, you can find any unwanted processes or applications running on the machine when the system boots up and stop or delete them manually.
  3. Close the Autoruns main window.
  4. Now, we will find out which applications or processes start when the system boots up using the WinPatrol tool.
  5. On the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Dynamic Malware Analysis Tools\Windows Startup Programs Monitoring Tools\WinPatrol. Double-click exe to launch the setup.
  6. If a User Account Control window appears, click Yes.
  7. Follow the wizard-driven installation steps to install WinPatrol.
  8. In the Installation completed wizard, make sure that the Start the application option is checked, and then click Finish. This will automatically launch the application.
  9. The WinPatrol application window appears with the PLUS tab open by default. Click the Startup Programs tab.
  10. Select any program that affects your system boot-up (here, OneDrive) and click Disable, as shown in the screenshot.

The screenshot may differ from the image on the screen in your lab environment.

  1. A popup appears, as shown in the screenshot. Click Yes to proceed.
  2. The OneDrive program will be deleted from the Startup Programs list. This is how to manage the Startup Programs for a Windows machine.
  3. Now, switch to the IE Helpers tab. It shows all toolbars and links loaded by IE or other Windows components. Select duplicate or non-required programs (here, Java(tm) Plug-In SSV Helper), and then click Remove.

If a popup appears, as shown in the screenshot, click Yes to proceed.

  1. Switch to the Services tab to display the installed services on your system. Select any service and click Info…, as shown in the screenshot.
  2. A window showing the service information appears. To disable a service, select Disabled from the drop-down list and click Apply, as shown in the screenshot. Click Close to exit the window.
  3. Switch to the File Types tab to view the programs associated with a file type. Select a program and click Info… to view the available information.
  4. The Windows Batch File window appears, as shown in the screenshot. Click Expand Info to view the full information about the program.
  5. The expanded view shows all information related to the program and its associated file, as demonstrated in the screenshot. Analyze the information and close the window.
  6. Now, switch to the Active Tasks tab to view the tasks currently running on your computer. Select any task and click Kill Task to end the task, as shown in the screenshot.
  7. By examining all these tabs, you can find any unwanted process or application running on the machine when the system boots up and manually stop or delete it.
  8. Close all open windows on the Windows 10 machine.
  9. You can also use other Windows startup program monitoring tools such as Autorun Organizer (https://www.chemtable.com), Quick Startup (https://www.glarysoft.com), StartEd Pro (http://www.outertech.com), or Chameleon Startup Manager (http://www.chameleon-managers.com) to perform startup program monitoring.
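The Logon tab and the "Hide Signed Microsoft Entries" option described above can be reproduced for the most common auto-start locations with a few lines of PowerShell. The block below is an added example, not code from the lab, from Sysinternals or from WinPatrol; it covers only the Run/RunOnce keys and the two Startup folders (services, drivers, scheduled tasks and shell extensions, which Autoruns also lists, are out of scope here), and shows every entry whose executable is not validly signed by Microsoft.

```powershell
# Added example (not the lab's, Sysinternals' or WinPatrol's code): enumerate the auto-start locations
# behind Autoruns' Logon tab (Run/RunOnce keys for the machine and the current user, plus both Startup
# folders) and show the entries that Microsoft did not sign, like "Hide Signed Microsoft Entries" does.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)

function Get-ImageFromCommand([string]$Command) {
    # Reduce a Run-key command line to its executable so the file can be signature-checked
    $cmd = [Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($cmd.StartsWith('"')) { return $cmd.Split('"')[1] }
    return ($cmd -split '\s+')[0]
}

function Get-AutorunEntries {
    $raw = @()
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # skip PSPath, PSParentPath, ... added by the provider
            $raw += [pscustomobject]@{ Location = $key; Entry = $p.Name; Command = [string]$p.Value }
        }
    }
    foreach ($folder in $startupFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($f in (Get-ChildItem -Path $folder -File)) {
            # .lnk shortcuts report as NotSigned; resolve the shortcut target if you need its signer
            $raw += [pscustomobject]@{ Location = $folder; Entry = $f.Name; Command = $f.FullName }
        }
    }
    foreach ($e in $raw) {
        $image = Get-ImageFromCommand $e.Command
        $sig = if ($image -and (Test-Path -LiteralPath $image)) { Get-AuthenticodeSignature -FilePath $image } else { $null }
        [pscustomobject]@{
            Location  = $e.Location
            Entry     = $e.Entry
            Image     = $image
            Signature = if ($sig) { $sig.Status } else { 'NoFile' }
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        }
    }
}

# Equivalent of "Hide Signed Microsoft Entries": keep only what Microsoft did not validly sign
Get-AutorunEntries |
    Where-Object { $_.Signature -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation' } |
    Format-Table Location, Entry, Image, Signature, Signer -Wrap
```

An entry whose Image does not exist (NoFile) is worth a second look as well: it is either a leftover from an uninstalled program or an auto-start pointing at a binary that only appears under certain conditions. Running the script as a different user shows that user's HKCU entries, which is the scripted form of the "other accounts" view Autoruns offers.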

Question 4.5.1:

Name the service that is being disabled using WinPatrol.

Task 6: Perform Installation Monitoring using Mirekusoft Install Monitor

When the system or users install or uninstall any software application, there is a chance that it will leave traces of the application data on the system. Installation monitoring helps to detect hidden and background installations that malware performs.

Mirekusoft Install Monitor automatically monitors what gets placed on your system and allows you to uninstall it completely. Install Monitor works by monitoring which resources, such as files and registry keys, are created when a program is installed. It provides detailed information about the software installed, including how much disk space, CPU, and memory your programs are using. It also provides information about how often you use different programs. A program tree is a useful tool that can show you which programs were installed together.

Here, we will use the Mirekusoft Install Monitor tool to detect hidden and background installations.

  1. On the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Dynamic Malware Analysis Tools\Installation Monitoring Tools\Mirekusoft Install Monitor and double-click exe.

If an Update Available wizard appears, click the Update button.

If a User Account Control window appears, click Yes.

  1. Follow the installation steps to install Mirekusoft Install Monitor.
  2. The Setup Successful wizard appears; click Launch.
  3. If a User Account Control window appears, click Yes.
  4. The Mirekusoft Install Monitor main window appears, along with a Welcome pop-up; click OK. Click Skip scan in the Home tab.
  5. Click the Programs tab to view the programs installed on your machine. You can choose any unwanted or unused application and click Uninstall to remove it from your machine. In this task, we are choosing the WinPatrol application.

The WinPatrol pop-up appears; click Reject Change.

  1. While uninstalling the application, a selected program pop-up appears; click Yes in all the WinPatrol pop-ups.
  2. The selected application is uninstalled from your computer pop-up appears; click OK.
  3. If a Cleanup for Selected Program window appears (here, WinPatrol), click OK.
  4. The Confirm Cleanup pop-up appears; click Cleanup. This will delete all the supporting files for the application that you have uninstalled from your computer.
  5. The selected application is uninstalled from your computer. Click the Performance tab to view and terminate currently running programs.
  6. Here, you can select any program from the list and click End Program to terminate the program.
  7. Click the Startup tab to view the programs that run automatically on Windows startup.
  8. In this lab, Mirekusoft Install Monitor has not detected any startup programs. If the program does detect them, choose the application that you want to disable on startup, and click Disable.
  9. You can restart the machine to detect the startup programs.
  10. This is how to monitor a Windows machine using Mirekusoft Install Monitor. Close all applications.
  11. You can also use other installation monitoring tools such as SysAnalyzer (https://www.aldeid.com), Advanced Uninstaller PRO (https://www.advanceduninstaller.com), REVO UNINSTALLER PRO (https://www.revouninstaller.com), or Comodo Programs Manager (https://www.comodo.com) to perform installation monitoring.
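The core of installation monitoring is a before/after comparison: what appeared in the places an installer writes to. The PowerShell below is an added example, not code from the lab or from Mirekusoft; it snapshots the Uninstall registry views and the top-level folders under the usual program roots, and on the second run reports the differences. The snapshot path and the list of watched roots are assumptions. A program that created folders but no Uninstall entry is exactly the "hidden installation" the task is about.

```powershell
# Added example (not the lab's or Mirekusoft's code): snapshot the places a conventional installer
# touches, install (or detonate) the sample, run again, and report what appeared. Paths are assumptions.
$snapshotPath = "$env:USERPROFILE\Desktop\install-snapshot.json"
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
# Top-level folders under these roots are where installers (and droppers) usually unpack
$watchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:ProgramData, $env:LOCALAPPDATA, $env:APPDATA) |
    Where-Object { $_ }

function Get-InstallSnapshot {
    $programs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object DisplayName |
        ForEach-Object { '{0}|{1}|{2}' -f $_.PSChildName, $_.DisplayName, $_.InstallLocation }
    $folders = foreach ($root in $watchRoots) {
        Get-ChildItem -Path $root -Directory -ErrorAction SilentlyContinue | ForEach-Object FullName
    }
    [pscustomobject]@{
        Taken    = (Get-Date).ToString('o')
        Programs = @($programs)
        Folders  = @($folders)
    }
}

function Get-NewItems($Before, $After) {
    # Set difference After \ Before; a HashSet keeps this linear even for large Program Files trees
    $seen = [System.Collections.Generic.HashSet[string]]::new([string[]]@($Before))
    @($After) | Where-Object { -not $seen.Contains($_) }
}

$now = Get-InstallSnapshot
if (Test-Path $snapshotPath) {
    $before = Get-Content -Path $snapshotPath -Raw | ConvertFrom-Json
    $newPrograms = @(Get-NewItems $before.Programs $now.Programs)
    $newFolders  = @(Get-NewItems $before.Folders  $now.Folders)
    "Changes since $($before.Taken):"
    "  new Uninstall entries ($($newPrograms.Count)):"; $newPrograms | ForEach-Object { "    $_" }
    "  new top-level folders ($($newFolders.Count)):";  $newFolders  | ForEach-Object { "    $_" }
} else {
    $now | ConvertTo-Json -Depth 3 | Set-Content -Path $snapshotPath
    "Snapshot written to $snapshotPath. Install the sample, then run this script again."
}
```

Delete the snapshot file to start a new comparison. The same two-snapshot idea extends to services, scheduled tasks and autorun keys; the roots chosen here are the ones that distinguish a normal installer (Uninstall entry plus a Program Files folder) from a dropper that only unpacks into the user profile.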

Question 4.6.1:

What program is being uninstalled using Mirekusoft Install Monitor?

Task 7: Perform Files and Folder Monitoring using PA File Sight

Malware can modify system files and folders to save information in them. You should be able to find the files and folders that malware creates and analyze them to collect any relevant stored information. These files and folders may also contain hidden program code or malicious strings that the malware plans to execute on a specific schedule.

An ethical hacker or penetration tester must scan the system for suspicious files and folders using file and folder monitoring tools such as PA File Sight to detect any malware installed and any system file modifications. PA File Sight is a protection and auditing tool. It detects ransomware attacks coming from a network and stops them.

Features:

  • Compromised computers are blocked from reaching files on other protected servers on the network
  • Detects users copying files and optionally blocks access
  • Real-time alerts allow the appropriate staff to investigate immediately
  • Audits who is deleting, moving, and reading files

  1. On the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Dynamic Malware Analysis Tools\Files and Folder Monitoring Tools\PA File Sight and double-click exe.

If a User Account Control window appears, click Yes.

  1. The Select Setup Language pop-up appears; choose your preferred language, and then click OK.
  2. Follow the default installation steps to install PA File Sight.
  3. The Completing the PA File Sight Ultra Setup Wizard window appears; make sure that both the Start the PA File Sight Ultra monitoring service and the Launch the PA File Sight Ultra Console options are checked, and click Finish.
  4. This will run the PA File Sight service and automatically launch the application.
  5. The PA File Sight Console window appears. By default, the Local host radio button is selected; click OK.
  6. The PA File Sight Ultra Console main window appears.

If a Start Wizard window appears, close it.

  1. Click Windows Server 2016 to switch to the Windows Server 2016 machine. Click Ctrl+Alt+Delete to activate the machine. By default, the CEH\Administrator account is selected; click Pa$$w0rd to enter the password and press Enter.
  2. Navigate to Z:\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Dynamic Malware Analysis Tools\Files and Folder Monitoring Tools\PA File Sight and double-click exe.
  3. The Select Setup Language pop-up appears; choose your preferred language and click OK.
  4. Click the Next button until you see the Select Components wizard.
  5. In the Select Components wizard, uncheck the Central Monitoring Service and Console User Interface (configure all Services) options, and check the Satellite Monitoring Service (reports to Central Monitoring Service) option; then, click Next.
  6. Follow the wizard-driven installation steps to install the application.
  7. In the final step of the installation, make sure that the Start the PA File Sight Ultra Satellite Monitoring Service and Configure the PA File Sight Ultra Satellite service options are checked; then, click Finish.
  8. The Configure Satellite Monitoring Service window appears; type the Windows 10 IP address into the Central monitoring service address field along with port 8000. Leave the other settings at their defaults and click Apply Settings.

In this task, the IP address of the Windows 10 machine is 10.10.10.10. The IP address may vary in your lab environment.

  1. Click Stop Satellite Service to stop the satellite service.
  2. Once the service is stopped, click Start Satellite Service.
  3. Once the service has started, click Exit to close the application.
  4. Create a folder named File Monitoring on the Desktop and open it. Create a new text document in the folder, name it Secret.txt, type some text content into the file, and save it. Close the Notepad window.
  5. Click Windows 10 to switch back to the Windows 10 machine, and observe that PA File Sight starts monitoring the Windows Server 2016 machine.
  6. Expand the SERVER2016 node, select Inventory Collector in the left-hand pane, and click the Apply button in the right-hand pane.
  7. Now, right-click Inventory Collector and click Run Now! from the context menu.
  8. Select SERVER2016 in the left pane and scroll down; you can see the complete system information for the Windows Server 2016 machine on the dashboard.
  9. Right-click SERVER2016 and click the Add New Monitor option from the context menu.
  10. The Add New Monitor window appears; select the File Sight Monitor icon, and then click OK.
  11. The File Sight Configuration window appears; click the Browse button to provide a path for directory monitoring on the SERVER2016 machine (here, C:\users\Administrator\Desktop\File Monitoring) and tick the Fire actions for each event separately checkbox.
  12. Choose Audit file activity from the Monitor Purpose (for configuration help) drop-down list, and then click Actions.
  13. The Monitor Actions window appears; click New under Global Action List.
  14. The Add New Action window appears. Select the Action List icon and click OK.
  15. The Action List window appears. Type a description in the Description field and click Add to choose actions.
  16. The Choose Action to Add window appears; choose any action from the list and click OK.
  17. Click OK in the Action List window.
  18. The Monitor Actions window appears; choose the newly created action (here, Monitoring File), and then click the << icon to add the action.
  19. Once the action is added to the Monitor Actions window, click OK.
  20. In the File Sight Configuration window, click the File Activities tab and check the Existing file is written to and Ignore file appends (this is useful for monitoring log file integrity) options. Leave the other settings at their defaults and click OK.
  21. Under the SERVER2016 node, File Sight Directory Monitoring will be added, as shown in the screenshot. Click Apply, and then right-click the File Monitoring node and click Run Now! from the context menu.
  22. Click the SERVER2016 node to view the dashboard. Scroll down in the dashboard and observe that the File Monitoring directory is being monitored.
  23. Click Windows Server 2016 to switch to the Windows Server 2016 machine. Click Ctrl+Alt+Delete to activate the machine. By default, the CEH\Administrator account is selected; click Pa$$w0rd to enter the password and press Enter. Open Secret.txt in the File Monitoring folder on the Desktop, modify some of the text in the file, and then save and close the file.
  24. Click Windows 10 to switch back to the Windows 10 machine and observe that PA File Sight has recorded some activity on the Notepad file, as shown in the screenshot.
  25. The software also shows the File Accessed/min in graphical form, as shown in the screenshot.
  26. Click the notepad.exe link to view the activities performed by the user.
  27. The CEH\Administrator notepad.exe window appears. If it shows a blank window, click Windows Server 2016 to switch to the Windows Server 2016 machine, type some content into the Secret.txt file, save the file, and then immediately click Windows 10 to switch back to the Windows 10 machine to view the activity.
  28. If you have added some text to the Secret.txt file, you can view that in the activity window.
  29. Click Windows Server 2016 to switch back to the Windows Server 2016 machine and delete the Secret.txt file; then click Windows 10 to switch back to the Windows 10 machine and scroll down to view the Recent Alerts section. You will find that the file has been deleted.
  30. You can see all the actions performed on that file.

If you do not see the alerts, click the Refresh button to update them.

  1. This is how to monitor the file integrity using PA File Sight.
  2. Close all open windows.
  3. You can also use other file and folder integrity checking tools such as Tripwire File Integrity and Change Manager (https://www.tripwire.com), Netwrix Auditor (https://www.netwrix.com), Verisys (https://www.ionx.co.uk), or CSP File Integrity Checker (https://www.cspsecurity.com) to perform file and folder monitoring.
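The directory monitor configured above (watch a folder, fire an action per event) has a minimal scripted counterpart in .NET's FileSystemWatcher. The PowerShell below is an added example, not code from the lab or from PA File Sight; it watches the lab's File Monitoring folder on the Desktop of the machine it runs on and appends one line per create, change, delete or rename to a log file. The folder and log paths are assumptions.

```powershell
# Added example (not the lab's or PA File Sight's code): watch the lab's "File Monitoring" folder with
# .NET's FileSystemWatcher and append one line per create/change/delete/rename to a log. Folder and log
# paths are assumptions; run it on the machine that holds the folder.
$watchPath = "$env:USERPROFILE\Desktop\File Monitoring"
$logPath   = "$env:USERPROFILE\Desktop\file-monitor.log"
if (-not (Test-Path -LiteralPath $watchPath)) { New-Item -ItemType Directory -Path $watchPath | Out-Null }

$watcher = New-Object System.IO.FileSystemWatcher -ArgumentList $watchPath
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, DirectoryName, LastWrite, Size'

# One handler for all four events; the source identifier tells us which one fired.
# $Event is the automatic variable PowerShell populates inside an -Action block.
$handler = {
    $e    = $Event.SourceEventArgs
    $kind = $Event.SourceIdentifier.Split('.')[-1]
    $line = '{0:o} {1,-8} {2}' -f $Event.TimeGenerated, $kind, $e.FullPath
    if ($e -is [System.IO.RenamedEventArgs]) { $line += " (was $($e.OldFullPath))" }
    Add-Content -Path $Event.MessageData -Value $line
}
$subscriptions = foreach ($name in 'Created', 'Changed', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $name -SourceIdentifier "FileSight.$name" `
        -Action $handler -MessageData $logPath
}
$watcher.EnableRaisingEvents = $true
"Watching $watchPath; events are appended to $logPath. Press Ctrl+C to stop."
try {
    # Events are consumed by the -Action blocks, so Wait-Event only idles here
    while ($true) { Wait-Event -Timeout 5 | Out-Null }
}
finally {
    $watcher.EnableRaisingEvents = $false
    $subscriptions | ForEach-Object { Unregister-Event -SourceIdentifier $_.Name }
    $watcher.Dispose()
}
```

Editing Secret.txt in Notepad typically produces two or three Changed lines per save (Notepad rewrites the file), which is why the lab's "Ignore file appends" option matters when the target is a log. FileSystemWatcher reports what changed but not which account did it; for that attribution, enable object-access auditing with a SACL on the folder and read the resulting 4663 events from the Security log.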

Question 4.7.1:

What is the default port for running central monitoring in this task?

Question 4.7.2:

What is the name of the machine that is being monitored in this task?

Task 8: Perform Device Driver Monitoring using DriverView and Driver Reviver

When the user downloads infected drivers from untrusted sources, the system installs malware along with the device drivers; malware uses these drivers as a shield to avoid detection. One can scan for suspicious device drivers using tools such as DriverView and Driver Reviver that verify if they are genuine and downloaded from the publisher’s original site.

DriverView The DriverView utility displays a list of all device drivers currently loaded on the system. For each driver in the list, additional information is displayed such as the load address of the driver, description, version, product name, and developer.

Driver Reviver Without proper drivers, computers start to misbehave. Sometimes updating the drivers using conventional methods can be a daunting task. Outdated drivers are more vulnerable to hacking and can lead to a breach in the system. Driver Reviver provides an effective way of scanning your PC to identify out of date drivers. Driver Reviver can quickly and easily update these drivers to restore optimum performance to your PC and its hardware and extend its life.

An ethical hacker or penetration tester must scan the system for suspicious device drivers and make sure that the system runs smoothly by ensuring that all outdated drivers are updated and that system processes are optimized to keep the system's performance at its peak.

  1. On the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Dynamic Malware Analysis Tools\Device Drivers Monitoring Tools\DriverView and double-click exe to launch the application.
  2. The DriverView main window appears with a list of the installed drivers on your system, as shown in the screenshot.
  3. Right-click any driver in the list and click Properties to view the complete details of the driver.
  4. The Properties window appears with the complete details of the installed driver, as shown in the screenshot. Once the analysis is done, click OK.
  5. This is how to monitor the drivers installed on a machine. Close the DriverView window.
  6. Now, we will see how to update system drivers and optimize PC performance using Driver Reviver.
  7. On Windows 10, navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Dynamic Malware Analysis Tools\Device Drivers Monitoring Tools\Driver Reviver. Double-click exe to launch the setup.
  8. If a User Account Control window appears, click Yes.
  9. The Driver Reviver Setup window appears; click Next to install the tool.
  10. The installation window appears, and after the installation completes, Driver Reviver starts scanning for drivers, as shown in the screenshot.

If a browser window opens automatically, close the browser.

  1. After the scan finishes, a list of system drivers is displayed.
  2. Along with the list of drivers, you can see their Status as OUTDATED or UP TO DATE.

Here, all the drivers are already up to date.

The result might vary in your lab environment.

  1. If the drivers are outdated, click the Update All button to update all the drivers.
  2. Now, navigate to the Home tab, where you can view information such as System details, System, Processor, Graphics, Memory (RAM), and Hard Drives, as shown in the screenshot.
  3. Navigate to the Backup tab, where you can create a backup of the system drivers or restore them.
  4. Uninstall the Driver Reviver software by navigating to Control Panel –> Programs –> Uninstall a program.

While uninstalling, remove all of the tool's files from the system.

  1. Close all open windows.
  2. You can also use other device driver monitoring tools such as Driver Booster (https://www.iobit.com), Driver Easy (https://www.drivereasy.com), Driver Fusion (https://treexy.com), or Driver Genius (http://www.driver-soft.com) to perform device driver monitoring.
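DriverView gives the list of loaded drivers with their path, version and product name; the check an analyst wants next to that list is whether each driver image is validly signed and loaded from the usual drivers directory, since a malicious driver installed alongside a trojanised download is typically unsigned, test-signed, or dropped somewhere unusual. The PowerShell below is an added example, not code from the lab, NirSoft or ReviverSoft; the CSV output path is an assumption.

```powershell
# Added example (not the lab's or NirSoft's code): build a DriverView-style list of loaded kernel drivers
# and add the Authenticode and location checks an analyst wants beside it. Output path is an assumption.
function Get-LoadedDriverReport {
    Get-CimInstance -ClassName Win32_SystemDriver | Where-Object State -eq 'Running' | ForEach-Object {
        $path = ''
        if ($_.PathName) {
            $path = [Environment]::ExpandEnvironmentVariables($_.PathName)
            # Some entries use NT-style prefixes (\SystemRoot\..., \??\C:\...); normalise to Win32 paths
            $path = $path -replace '^\\SystemRoot', $env:SystemRoot -replace '^\\\?\?\\', ''
        }
        $exists = $path -and (Test-Path -LiteralPath $path)
        $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $ver = if ($exists) { (Get-Item -LiteralPath $path).VersionInfo } else { $null }
        [pscustomobject]@{
            Name      = $_.Name
            Path      = $path
            StartMode = $_.StartMode
            Product   = $ver.ProductName
            Version   = $ver.FileVersion
            Signature = if ($sig) { $sig.Status } else { 'NoFile' }
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject -replace '^CN=([^,]+).*', '$1' } else { '' }
            # Drivers normally live here; a .sys loaded from a temp, profile or application folder stands out
            InDrivers = $path -like "$env:SystemRoot\System32\drivers\*"
        }
    }
}

$report = Get-LoadedDriverReport
# Anything not validly signed, or loaded from outside the drivers directory, deserves a closer look
$report | Where-Object { $_.Signature -ne 'Valid' -or -not $_.InDrivers } |
    Format-Table Name, Path, Signature, Signer -AutoSize
$report | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\loaded-drivers.csv"
```

Most in-box Microsoft drivers are catalog-signed rather than carrying an embedded signature; on Windows 10, Get-AuthenticodeSignature validates catalog signatures and reports them as Valid, so on a clean lab image the filtered table should be nearly empty. Keep the CSV from the clean image and diff it after running a sample, the same way the service baseline is used earlier in this module.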

Question 4.8.1:

Which of the following machines is used to perform this task?

Windows Server 2019

Parrot Security

Windows Server 2016

Windows 10

Task 9: Perform DNS Monitoring using DNSQuerySniffer

DNSQuerySniffer is a network sniffer utility that shows the DNS queries sent on your system. For every DNS query, the following information is displayed: Host Name, Port Number, Query ID, Request Type (A, AAAA, NS, MX, and other types), Request Time, Response Time, Duration, Response Code, Number of records, and the content of the returned DNS records. You can easily export the DNS query information to a CSV, tab-delimited, XML, or HTML file, or copy the DNS queries to the clipboard and then paste them into Excel or another spreadsheet application.

  1. On the Windows 10 machine, navigate to D:\CEH-Tools\CEHv11 Module 07 Malware Threats\Malware Analysis Tools\Dynamic Malware Analysis Tools\DNS Monitoring Tools\DNSQuerySniffer, and then double-click exe.
  2. The main window of DNSQuerySniffer appears, along with the Capture Options window.

If the Capture Options window does not appear, then navigate to the Options menu and select Capture Options.

  1. In the Capture Options window, ensure that the WinPcap Packet Capture Driver option is selected under the Capture Method section.
  2. In the Select network adapter section, select the Windows 10 network adapter (here, Ethernet2).
  3. Click OK to start sniffing.
  4. The DNSQuerySniffer starts monitoring the network traffic and takes some time to capture the traffic. Leave the window intact. It shows the DNS queries sent on your system along with its complete information such as host name, port number, request time, response time, duration, source address, and destination address, as shown in the screenshot.

To view the Source Address and Destination Address columns, scroll to the right side of the window.

  1. As you can see in the above screenshot, the DNS address is 8.8.8.
  2. In real attacks, attackers use malicious applications such as DNSChanger to change the DNS settings of the target machine. For demonstration purposes, we are changing the DNS server of the Windows 10 machine in the Network & Internet settings.
  3. Right-click the Network icon in the lower-right corner of the Desktop and click Open Network & Internet settings.
  4. The Network Status window appears. Click Change adapter options under Change your network settings.
  5. Right-click the network adapter (here, Ethernet2) and click Properties.
  6. The Adapter Properties window appears. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties.
  7. The Internet Protocol Version 4 (TCP/IPv4) Properties window appears. Change the Preferred DNS server to the Windows Server 2016 IP address and click OK. In this task, the Windows Server 2016 IP address is 10.10.16. This may vary in your lab environment.
  8. Click OK, and then Close the Adapter Properties window.
  9. Switch to the DNSQuerySniffer window and observe the newly recorded logs. Right-click the log entry for which the DNS server has changed and select Properties from the context menu.
  10. In the Properties window, observe that there is a change in the DNS server.
  11. After completing the task, go to the network settings, change the DNS server back to 8.8.8 on the Windows 10 machine, and close all applications.
  12. Close all open windows.
  13. You can also use other DNS monitoring/resolution tools such as DNSstuff (https://www.dnsstuff.com), DNS Lookup Tool (https://www.ultratools.com), or Sonar Lite (https://constellix.com) to perform DNS monitoring.
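The change the task makes by hand (pointing the adapter's preferred DNS server somewhere else) is the DNSChanger-style tampering a defender wants to detect without a packet sniffer, and Windows also keeps its own record of resolved queries once the DNS Client operational log is enabled. The PowerShell below is an added example, not code from the lab or from NirSoft; the expected-resolver list is an assumption to be replaced with the resolvers your environment should be using.

```powershell
# Added example (not the lab's or NirSoft's code): detect the adapter-level DNS change the lab performs by
# hand, and read the DNS Client's own query log, which records what DNSQuerySniffer shows on the wire.
# The expected-resolver list is an assumption: put your environment's real resolvers there.
$expectedDns = @('8.8.8.8')

function Get-DnsServerDrift {
    # Compare each adapter's configured IPv4 resolvers with the expected list
    Get-DnsClientServerAddress -AddressFamily IPv4 | Where-Object { $_.ServerAddresses.Count -gt 0 } | ForEach-Object {
        $iface = $_
        $unexpected = @($iface.ServerAddresses | Where-Object { $_ -notin $expectedDns })
        [pscustomobject]@{
            Interface  = $iface.InterfaceAlias
            Servers    = $iface.ServerAddresses -join ', '
            Unexpected = $unexpected -join ', '
            Tampered   = $unexpected.Count -gt 0
        }
    }
}

function Enable-DnsClientQueryLog {
    # The DNS Client operational channel is off by default; enabling it needs an elevated prompt
    wevtutil set-log 'Microsoft-Windows-DNS-Client/Operational' /enabled:true
}

function Get-RecentDnsQueries([int]$Last = 50) {
    # Event 3008: "DNS query is completed for the name <name>, type <n>, ... with status <code>, Results ..."
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-DNS-Client/Operational'; Id = 3008 } `
                 -MaxEvents $Last -ErrorAction SilentlyContinue |
        ForEach-Object {
            $name = if ($_.Message -match 'for the name (\S+?),') { $Matches[1] } else { $_.Properties[0].Value }
            [pscustomobject]@{ Time = $_.TimeCreated; Query = $name; Message = $_.Message }
        }
}

Get-DnsServerDrift | Format-Table -AutoSize
Get-RecentDnsQueries -Last 20 | Format-Table Time, Query -AutoSize
```

Run Get-DnsServerDrift before and after step 7 of the task: the Ethernet2 row flips to Tampered with the Windows Server 2016 address listed under Unexpected. Get-RecentDnsQueries returns nothing until Enable-DnsClientQueryLog has been run once, and it shows what the local resolver asked for, not which server answered; for the server side of the picture, the Get-DnsClientCache cmdlet or the sniffer's Source/Destination Address columns remain the place to look.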

Question 4.9.1:

What is the Capture Method that is selected in the Capture Options window?
