COVID-19 Malware Analysis

nanda kumaran
3 min read, Dec 29, 2020

Stats about Corona-related infections, deaths and transmissions are in high demand and everyone is searching for them. Malicious actors take advantage of this situation by spreading malware disguised as a “Coronavirus map”.

Sample Analyzed:-

General Info:-

I am using a REMnux Linux machine and a Windows 10 machine for the analysis, so our first step is to find out which type of malware it is using the Peframe tool.

Then find the entropy value and characteristics using peframe.exe in the Windows analysis. An entropy value between 7 and 8 suggests that compressed or encrypted data or code is hidden inside the malware.
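As an added example (not code from the post or from Peframe), here is the same entropy check done by hand in Python: it computes Shannon entropy per 4 KiB block and reports contiguous regions in the 7 to 8 range, which is where packed or encrypted payloads show up. It runs over a constructed buffer that imitates a binary with a packed blob inside, not over the real sample.

```python
import math
import os
from collections import Counter

# Threshold used in the post: entropy in the 7..8 range suggests packed/encrypted data.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty/single-valued data, 8.0 max)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def scan_blocks(data: bytes, block_size: int = 4096):
    """Yield (offset, entropy) for each fixed-size block of the buffer."""
    for off in range(0, len(data), block_size):
        yield off, shannon_entropy(data[off:off + block_size])


def high_entropy_regions(data: bytes, block_size: int = 4096,
                         threshold: float = PACKED_THRESHOLD):
    """Merge adjacent blocks at/above threshold into (start, end, mean_entropy) tuples."""
    regions = []
    for off, ent in scan_blocks(data, block_size):
        if ent < threshold:
            continue
        end = min(off + block_size, len(data))
        if regions and regions[-1][1] == off:          # extends the previous region
            start, _, ents = regions[-1]
            regions[-1] = (start, end, ents + [ent])
        else:
            regions.append((off, end, [ent]))
    return [(s, e, round(sum(es) / len(es), 2)) for s, e, es in regions]


# Constructed sample (not a real malware file): a low-entropy "header/code" prefix,
# 16 KiB of random bytes standing in for a packed payload, then zero padding.
CONSTRUCTED_SAMPLE = (
    b"MZ" + b"\x90\x00" * 2047      # 4 KiB, entropy ~1 bit/byte
    + os.urandom(16 * 1024)         # 16 KiB, entropy close to 8 bits/byte
    + b"\x00" * 4096                # 4 KiB of zeros, entropy 0
)

if __name__ == "__main__":
    print(f"whole-file entropy: {shannon_entropy(CONSTRUCTED_SAMPLE):.2f}")
    for start, end, ent in high_entropy_regions(CONSTRUCTED_SAMPLE):
        print(f"packed-looking region 0x{start:06x}-0x{end:06x}, entropy {ent}")
```

Whole-file entropy alone can hide a small packed blob inside a large plain binary, which is why the scan is done per block.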

Trigger Corona-virus-Map.com.exe in a sandboxed Windows machine, with Wireshark and Procmon already running in the background to capture the activity. Analyze the process ID, the process tree, modified file paths and the files dropped.

Here you can see some suspicious executions; you can also find some of the dropped files, such as windows.Globalization.Fontgroup.exe.

We can also see a compressed file; once you extract it, you can see the following information.

YARA rules are used to look for that code, along with some of the malware’s functions and features.

In the Peframe tool, we are able to see what is present in the DLL file.

Using the TrID tool, we can identify the file types of the collected data.

I am using Regshot to find out which files were affected, added or modified, and to obtain the registry modification information.

And finally, this is the DNS data captured at the breakpoints:

gisanddata.maps.arcgis.com
coronavirusstatus.space
api.telegram.org
ipapi.co
js.arcgis.com

Note:- This lab is set up on a host-only adapter, with the two OS flavours (Linux, Windows) reaching each other only internally.

Just checking coronavirusstatus.space in VirusTotal shows it is the most suspicious of these websites.
