Support & Downloads

Quisque actraqum nunc no dolor sit ametaugue dolor. Lorem ipsum dolor sit amet, consyect etur adipiscing elit.

s f

Contact Info
198 West 21th Street, Suite 721
New York, NY 10010
youremail@yourdomain.com
+88 (0) 101 0000 000
Follow Us

Hunting Malware and Viruses by Detecting Random Strings Using SureLog SIEM

There are malware tools available that can create Windows services with random service names and descriptions. Emotet infection is an example of malicious services created on the machine. This is due to how Emotet installs itself on a machine, creating randomly named numeric services, which in turn try to run another randomly named executable in C:\Windows [1].  The example below shows four Emotet services (other may have more) that have been created on an infected machine.

Figure 1. Malicious Service

 

Numerous malware families also create registry keys for persistence with randomized key names and values [2]. Filenames are also may be an indicator of malware [3,4]. Also Emotet s utilize random file names. Emotet is an advanced, modular banking Trojan that primarily functions as a downloader or dropper of other banking Trojans. Emotet continues to be among the costliest and destructive malware affecting state, local, tribal, and territorial (SLTT) governments, and the private and public sectors.

One last example is process names; often malware will put itself, randomly named, into a randomly named folder in AppData. There are actually two potential applications here: one for the name of the binary itself, and one for the randomly named folder in which it resides [5].

 

Monitoring for infected files

  • C:Windows
  • C:Program Files
  • C:\Windows\ProgramData
  • C:Users/[current user]/AppData
  • C:Users/[current user]/AppData/Roaming
  • C:Users/[current user]/AppData/Roaming/Microsoft
  • C:/Windows/SysWOW64
  • …..

 

SureLog detects randomly-named files, registry keys, services and processes (Both created and spawned by) in real time.

SureLog utilizes:

Event ID 7045 – A service was installed in the system

Event ID 4688 – A new process has been created

Event ID 4656 – A handle to an object was requested. File and Registery

Event ID 4697 – A service was installed in the system

Sysmon [7]

And in Linux, just monitor /var/log/audit/audit.log file.

Figure 2. Malicious Registry Key

Figure 3. SureLog Suspicious File Detection Reports

Figure 4. SureLog Suspicious Services Detection Reports

Suspicious processes, files and services are detected in real time and depicted to the InstallOperation field on the SureLog schema. SureLog utilizes ML to detect suspicious processes, files and services.

Figure 5. SureLog Related Rules

 

 

References