
Analysis of a Simple Trojan Downloader

March 01, 2024 | Malware Analysis | Beginner
Malware Static Analysis Ghidra PE
Warning: This writeup is for educational purposes only. Always analyze malware in isolated environments.

Sample Hash (SHA-256): e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 (note: this value is the SHA-256 of a zero-byte input, so it is a placeholder rather than the digest of the analyzed executable; compute the real digest with sha256sum before pivoting on it or sharing it)

This writeup demonstrates basic malware analysis techniques using a sample trojan downloader. The sample has been analyzed in an isolated virtual environment.

Executive Summary

The analyzed sample is a simple trojan downloader that:

  • Establishes persistence through a value under the Software\Microsoft\Windows\CurrentVersion\Run registry key
  • Downloads a secondary payload (payload.exe) from its C2 server over HTTP using WinINet
  • Writes the payload to disk (C:\Users\Public\update.exe) and launches it with WinExec; the WinExec import and the update.exe path point to on-disk execution rather than in-memory loading, with VirtualAlloc most plausibly backing the download buffer

Static Analysis

File Information

Property        Value
File Type       PE32 executable
Architecture    x86 (32-bit)
Compiler        MSVC
Packed          No

Import Analysis

Key imports observed:

KERNEL32.dll
- CreateFileA
- WriteFile
- VirtualAlloc
- WinExec

WININET.dll
- InternetOpenA
- InternetOpenUrlA
- InternetReadFile

Read together, the WinINet imports (InternetOpenA, InternetOpenUrlA, InternetReadFile) give the sample a minimal HTTP fetch loop, CreateFileA and WriteFile let it write the response to disk, VirtualAlloc most likely provides the download buffer, and WinExec launches the dropped file. Note what is missing: writing a Run key requires ADVAPI32 registry functions (RegOpenKeyExA/RegSetValueExA or similar), which do not appear among the imports listed here, so check the full import table, or look for runtime resolution via GetProcAddress, before asserting persistence from the registry string alone.
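To make the import triage above repeatable, here is an added example (not tooling from the writeup) that walks a PE import table with only the Python standard library and maps the imported names onto the three downloader building blocks discussed above: fetch, write to disk, execute. The API-to-capability grouping is an assumption, not an exhaustive list, and the PE produced by build_test_pe() is a constructed stand-in that reproduces the sample's import list; it is not loadable and is not the analyzed binary.

```python
"""Walk a PE32/PE32+ import table and flag downloader-style capabilities."""
import struct

# API names grouped by the capability they imply (assumed grouping, not exhaustive).
DOWNLOADER_CAPS = {
    "fetch":   {"InternetOpenUrlA", "InternetOpenUrlW", "InternetReadFile",
                "URLDownloadToFileA", "URLDownloadToFileW", "WinHttpReadData"},
    "write":   {"CreateFileA", "CreateFileW", "WriteFile"},
    "execute": {"WinExec", "CreateProcessA", "CreateProcessW",
                "ShellExecuteA", "ShellExecuteW"},
}


def parse_imports(data: bytes) -> dict:
    """Return {dll_name: [imported names or 'ordinal#N']} for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                      # optional header
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B   # PE32+ magic
    datadir = opt + (112 if is64 else 96)                    # data directory array
    imp_rva = struct.unpack_from("<I", data, datadir + 8)[0] # entry 1 = import table
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, max(vsize, rsize), raw))

    def rva2off(rva):  # map an RVA to a file offset via the section table
        for vaddr, size, raw in sections:
            if vaddr <= rva < vaddr + size:
                return raw + (rva - vaddr)
        raise ValueError(f"RVA {rva:#x} maps to no section")

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    imports = {}
    if imp_rva == 0:
        return imports
    tsize, fmt = (8, "<Q") if is64 else (4, "<I")
    by_ordinal = 1 << (tsize * 8 - 1)
    desc = rva2off(imp_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, desc)
        if ilt == 0 and name_rva == 0 and iat == 0:          # all-zero terminator
            break
        funcs, thunk = [], rva2off(ilt or iat)               # ILT, or IAT if no ILT
        while True:
            val = struct.unpack_from(fmt, data, thunk)[0]
            if val == 0:
                break
            funcs.append(f"ordinal#{val & 0xFFFF}" if val & by_ordinal
                         else cstr(rva2off(val) + 2))        # skip the 2-byte hint
            thunk += tsize
        imports[cstr(rva2off(name_rva))] = funcs
        desc += 20
    return imports


def downloader_capabilities(imports: dict) -> set:
    """Which downloader building blocks the import table provides."""
    names = {f for funcs in imports.values() for f in funcs}
    return {cap for cap, apis in DOWNLOADER_CAPS.items() if names & apis}


def build_test_pe(imports: dict) -> bytes:
    """Constructed minimal PE32: one section holding only an import table."""
    sec_rva, sec_raw = 0x1000, 0x200
    tsizes = [4 * (len(f) + 1) for f in imports.values()]    # thunks + terminator
    desc_size = 20 * (len(imports) + 1)
    ilt_off, iat_off = desc_size, desc_size + sum(tsizes)
    names_off = iat_off + sum(tsizes)
    names, dll_rva, fn_rva = bytearray(), {}, {}
    for dll, funcs in imports.items():
        dll_rva[dll] = sec_rva + names_off + len(names)
        names += dll.encode() + b"\0"
        for fn in funcs:
            names += b"\0" * (len(names) % 2)                # even-align hint/name
            fn_rva[(dll, fn)] = sec_rva + names_off + len(names)
            names += b"\0\0" + fn.encode() + b"\0"           # hint (0) + name
    descs, thunks, cur = bytearray(), bytearray(), 0
    for (dll, funcs), tsize in zip(imports.items(), tsizes):
        descs += struct.pack("<IIIII", sec_rva + ilt_off + cur, 0, 0,
                             dll_rva[dll], sec_rva + iat_off + cur)
        thunks += b"".join(struct.pack("<I", fn_rva[(dll, f)]) for f in funcs) + b"\0" * 4
        cur += tsize
    descs += b"\0" * 20
    section = bytes(descs) + bytes(thunks) * 2 + bytes(names)  # ILT and IAT identical on disk
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, alignments
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, sec_rva, desc_size)        # import directory entry
    sec = struct.pack("<8sIIIIIIHHI", b".rdata", len(section), sec_rva, len(section),
                      sec_raw, 0, 0, 0, 0, 0x40000040)
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(sec_raw, b"\0") + section


# Import list transcribed from the Import Analysis section above.
SAMPLE_IMPORTS = {
    "KERNEL32.dll": ["CreateFileA", "WriteFile", "VirtualAlloc", "WinExec"],
    "WININET.dll": ["InternetOpenA", "InternetOpenUrlA", "InternetReadFile"],
}

if __name__ == "__main__":
    found = parse_imports(build_test_pe(SAMPLE_IMPORTS))
    for dll, funcs in found.items():
        print(dll, ", ".join(funcs))
    print("capabilities:", sorted(downloader_capabilities(found)))
```

On a real sample, pass the file's bytes to parse_imports() and compare the result with what the writeup lists: a binary whose capabilities set contains all of fetch, write and execute but whose import table has no registry functions is exactly the case where the persistence claim needs a second source of evidence.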

String Analysis

Interesting strings found:

Software\Microsoft\Windows\CurrentVersion\Run
http://malicious-c2-example[.]com/payload.exe
C:\Users\Public\update.exe
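The three strings above are the kind a strings pass should surface automatically. The following added example (not the writeup's own tooling) extracts both narrow ASCII and UTF-16LE runs, which a plain `strings` invocation without `-el` misses, and keeps only the strings that look like a registry Run key, a URL or a Windows path. SAMPLE_BLOB is a constructed byte buffer that embeds the writeup's strings, one of them as a wide string, plus some header filler; it is not data from the sample, and the classifier set is an assumption to extend as needed.

```python
"""Extract ASCII and UTF-16LE strings and surface the analyst-relevant ones."""
import re

# Indicator classes worth pulling out of a strings dump (assumed set).
CLASSIFIERS = (
    ("registry_run_key", re.compile(r"CurrentVersion\\Run(?:Once)?$", re.I)),
    ("url",              re.compile(r"^(?:https?|ftp)://", re.I)),
    ("windows_path",     re.compile(r"^[A-Za-z]:\\")),
)


def extract_strings(data: bytes, min_len: int = 6):
    """Return (offset, encoding, text) for printable runs; 'wide' means UTF-16LE."""
    narrow = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits = [(m.start(), "ascii", m.group().decode("ascii")) for m in narrow.finditer(data)]
    hits += [(m.start(), "wide", m.group().decode("utf-16le")) for m in wide.finditer(data)]
    return sorted(hits)


def classify(text: str):
    """First matching indicator class, or None for uninteresting strings."""
    for label, rx in CLASSIFIERS:
        if rx.search(text):
            return label
    return None


def triage_strings(data: bytes, min_len: int = 6):
    """Only the classified strings, as (offset, encoding, class, text)."""
    return [(off, enc, classify(s), s)
            for off, enc, s in extract_strings(data, min_len) if classify(s)]


# Constructed stand-in for the sample's data section. The URL is un-defanged here
# because that is how it sits in a binary; defang it before it goes into a report.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00This program cannot be run in DOS mode.\r\n$\x00"
    + b"\x00" * 8
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"\x90\x90\xcc"
    + b"http://malicious-c2-example.com/payload.exe\x00\xcc"
    + "C:\\Users\\Public\\update.exe".encode("utf-16le") + b"\x00\x00"
)

if __name__ == "__main__":
    for off, enc, label, text in triage_strings(SAMPLE_BLOB):
        print(f"{off:#06x} {enc:5} {label:16} {text}")
```

The DOS stub message is extracted but filtered out, which is the point of the classifier step: on a real binary the raw string list runs to thousands of entries and the registry, URL and path hits are what go into the report.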

Behavioral Summary

As inferred from the imports and strings (confirm with a sandboxed run):

  1. Creates a persistence entry under the CurrentVersion\Run key
  2. Contacts the C2 server (malicious-c2-example[.]com) over HTTP
  3. Downloads payload.exe
  4. Writes the payload to C:\Users\Public\update.exe and executes it

YARA Rule

rule TrojanDownloader_Sample {
    meta:
        description = "Detects sample trojan downloader"
        author = "Samuele"
        date = "2024-03-01"

    strings:
        // Import names and the Run key path appear in many benign binaries,
        // so on their own they are not a reliable match.
        $s1 = "InternetOpenUrlA" ascii
        $s2 = "CurrentVersion\\Run" ascii
        $s3 = "VirtualAlloc" ascii
        // Sample-specific strings taken from the string analysis above.
        $p1 = "C:\\Users\\Public\\update.exe" ascii
        $p2 = "/payload.exe" ascii

    condition:
        uint16(0) == 0x5A4D and   // MZ header
        all of ($s*) and
        any of ($p*)
}

Conclusion

This sample demonstrates common trojan downloader behavior. The lack of obfuscation makes it suitable for learning basic analysis techniques.


Indicators of Compromise (IOCs)

Type      Value
SHA256    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
Domain    malicious-c2-example[.]com
IP        192.0.2.1

Two of these values are placeholders rather than observations: the SHA-256 is the digest of an empty input, and 192.0.2.1 sits in the RFC 5737 TEST-NET-1 range reserved for documentation. Neither should be loaded into a blocklist or used to pivot; replace them with the values from a real sample before sharing the table.
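Before an IOC table leaves the analyst's notes it is worth running a mechanical sanity check. The added example below (not from the writeup) defangs the network indicators and flags the values that cannot be real observations: digests of empty input, and IP addresses in the RFC 5737 / RFC 3849 documentation ranges or other non-routable space. It works offline and makes no judgement about the domain, since nothing decidable offline distinguishes an example-looking domain from a real one.

```python
"""Sanity-check and defang an IOC table before it is shared."""
import hashlib
import ipaddress
import re

# Digests of zero-byte input: a hash line carrying one of these was never computed over a file.
EMPTY_DIGESTS = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
    "sha256": hashlib.sha256(b"").hexdigest(),
}
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
# Address blocks reserved for documentation (RFC 5737 for IPv4, RFC 3849 for IPv6).
DOC_NETS = [ipaddress.ip_network(n) for n in
            ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]


def defang(ioc: str) -> str:
    """Make a URL, domain or IP non-clickable: dots bracketed, http scheme broken."""
    return re.sub(r"^(h)ttp", r"\1xxp", ioc, flags=re.I).replace(".", "[.]")


def refang(ioc: str) -> str:
    """Inverse of defang(), for feeding the indicator back into tooling."""
    return re.sub(r"^(h)xxp", r"\1ttp", ioc, flags=re.I).replace("[.]", ".")


def placeholder_reason(ioc_type: str, value: str):
    """Why this indicator cannot be a real observation, or None if it might be."""
    kind, v = ioc_type.lower(), value.strip().lower()
    if kind in DIGEST_LEN:
        if v == EMPTY_DIGESTS[kind]:
            return "digest of empty input"
        if not re.fullmatch(r"[0-9a-f]{%d}" % DIGEST_LEN[kind], v):
            return "malformed %s digest" % kind
    elif kind == "ip":
        try:
            addr = ipaddress.ip_address(v)
        except ValueError:
            return "not an IP address"
        if any(addr in net for net in DOC_NETS):
            return "documentation address (RFC 5737/3849)"
        if not addr.is_global:
            return "non-routable address"
    return None


def vet_iocs(rows):
    """(type, value) pairs -> (type, defanged value, placeholder reason or None)."""
    return [(t, defang(v) if t.lower() in ("domain", "url", "ip") else v,
             placeholder_reason(t, v)) for t, v in rows]


# The writeup's IOC table, transcribed.
WRITEUP_IOCS = [
    ("SHA256", "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    ("Domain", "malicious-c2-example.com"),
    ("IP", "192.0.2.1"),
]

if __name__ == "__main__":
    for t, v, why in vet_iocs(WRITEUP_IOCS):
        print(f"{t:7} {v:66} {why or 'ok'}")
```

Run against the table above, the check reports the hash as a digest of empty input and the IP as a documentation address, leaving only the (defanged) domain as a candidate indicator.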