To use Regshot for malware analysis, simply take the first shot by clicking the 1st Shot button, and then run the malware and wait for it to finish making any system changes. Next, take the second shot by clicking the 2nd Shot button. Finally, click the Compare button to compare the two snapshots.
Example 3-1. Regshot comparison results
Regshot
Comments:
Datetime: <date>
Computer: MALWAREANALYSIS
Username: username

----------------------------------
Keys added: 0
----------------------------------

----------------------------------
Values added:3
----------------------------------
❶ HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ckr:C:\WINDOWS\system32\ckr.exe
...
...

----------------------------------
Values modified:2
----------------------------------
❷ HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 00 43 7C 25 9C 68 DE 59 C6 C8 9D C3 1D E6 DC 87 1C 3A C4 E4 D9 0A B1 BA C1 FB 80 EB 83 25 74 C4 C5 E2 2F CE 4E E8 AC C8 49 E8 E8 10 3F 13 F6 A1 72 92 28 8A 01 3A 16 52 86 36 12 3C C7 EB 5F 99 19 1D 80 8C 8E BD 58 3A DB 18 06 3D 14 8F 22 A4
...

----------------------------------
Total changes:5
----------------------------------
As you can see, ckr.exe creates a value at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run as a persistence mechanism ❶. A certain amount of noise ❷ is typical in these results, because the random-number generator seed is constantly updated in the registry.
As with procmon, your analysis of these results requires patient scanning to find nuggets of interest.
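The patient scanning described above can be partly automated. The following is an added example, not code from the book or from Regshot: it parses the text layout of a Regshot comparison (as in Example 3-1) and sorts each change into Run-key persistence, known RNG-seed noise, or everything else. The sample report, the section regex and the two prefix lists are my own assumptions; the HKCU Run prefix is included beyond the page's HKLM example.

```python
import re

SAMPLE_REPORT = r"""Regshot
----------------------------------
Values added:2
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ckr:C:\WINDOWS\system32\ckr.exe
HKLM\SOFTWARE\Example\Setting:1

----------------------------------
Values modified:1
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 00 43 7C 25 9C 68 DE 59
"""  # constructed sample in the layout of Example 3-1, not a real Regshot report

SECTION_RE = re.compile(r"^(Keys added|Keys deleted|Values added|Values deleted|Values modified):\s*(\d+)\s*$")
NOISE_PREFIXES = (r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed",)  # reseeded constantly
PERSISTENCE_PREFIXES = (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
                        r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")

def parse_regshot(report):
    """Map each Regshot section ('Values added', ...) to the entry lines beneath it."""
    sections, current = {}, None
    for line in report.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif not line:
            current = None  # a blank line closes the current section
        elif current and not line.startswith("---"):
            sections[current].append(line)
    return sections

def classify(entry):
    """Label one change line 'persistence', 'noise' or 'other' by key-path prefix."""
    path = entry.upper()
    if path.startswith(tuple(p.upper() for p in NOISE_PREFIXES)):
        return "noise"
    if path.startswith(tuple(p.upper() for p in PERSISTENCE_PREFIXES)):
        return "persistence"
    return "other"

def triage(report):
    """Group every change by label so Run-key entries surface and RNG noise can be skipped."""
    buckets = {"persistence": [], "noise": [], "other": []}
    for section, entries in parse_regshot(report).items():
        for entry in entries:
            buckets[classify(entry)].append((section, entry))
    return buckets
```

Extend NOISE_PREFIXES with whatever your own clean-baseline comparison shows changing on every run, so that repeated analyses only surface the entries worth reading.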