Lab 3-3 Solutions

Short Answers

  1. The malware performs process replacement on svchost.exe.

  2. Comparing the disk image of svchost.exe with its memory image shows that they are not the same. The memory image has strings such as practicalmalwareanalysis.log and [ENTER], but the disk image has neither.

  3. The malware creates the log file practicalmalwareanalysis.log.

  4. The program performs process replacement on svchost.exe to launch a keylogger.

Detailed Analysis

For this lab, we begin by launching Process Explorer and procmon. When procmon starts, the events stream by quickly, so we use File ▸ Capture Events to toggle event capture on and off. (It’s best to keep event capture off until all dynamic analysis programs are started and you’re ready to execute the program.) We use Filter ▸ Filter to open the Filter dialog, and then ensure that only the default filters are enabled by clicking the Reset button.

Lab03-03.exe can be run from the command prompt or by double-clicking its icon. Once run, Lab03-03.exe should be visible inside Process Explorer. Notice how it creates the subprocess svchost.exe, and then exits, but leaves the svchost.exe process running as an orphaned process, as shown in Figure C-8. (An orphaned process has no parent process listed in the process tree structure.) The fact that svchost.exe is orphaned is highly unusual and highly suspicious.

Figure C-8. Process Explorer view of orphaned svchost.exe

We investigate further by right-clicking the orphaned svchost.exe process and selecting Properties. As shown in Figure C-8, it appears to be a valid svchost.exe process with PID 388: the image path points at the genuine binary, which is exactly what process replacement produces, since the real svchost.exe is launched and only its in-memory image is overwritten. What gives it away is its lineage: svchost.exe is normally a child of services.exe, and this one has no parent at all.
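The lineage check we just did by eye in Process Explorer can be written down so it runs over a whole process snapshot. The following is an added example, not code from the book or from the lab binary; it models a snapshot as a list of dicts carrying the columns Process Explorer shows, and the PIDs, names and paths in SAMPLE_SNAPSHOT are constructed sample data modelled on the lab (PID 388 with a vanished parent) plus one extra made-up case, a renamed copy launched from Explorer, to show the other two rules firing.

```python
"""Flag svchost.exe instances whose lineage looks wrong.

Added example, not code from the book or the lab binary. The snapshot
format and all PIDs/paths below are constructed sample data.
"""
from typing import Dict, List, Tuple

# Where the genuine Service Host binary lives (compared case-insensitively).
LEGIT_SVCHOST_PATH = r"c:\windows\system32\svchost.exe"


def find_suspicious_svchost(snapshot: List[Dict]) -> List[Tuple[int, str]]:
    """Return (pid, reason) for each svchost.exe that breaks the expected lineage.

    Expected lineage: svchost.exe is started by services.exe (the Service
    Control Manager) from %SystemRoot%\\System32. Three deviations are flagged:
      - orphan: the parent PID is absent from the snapshot, which is what
        Lab03-03.exe leaves behind when it exits after spawning the child
      - wrong parent: the parent exists but is not services.exe
      - wrong path: the image is not the System32 binary
    Process replacement keeps the genuine path (the real binary is started
    and only its in-memory image is overwritten), so the path rule alone
    would miss the lab sample; that is why the string comparison follows.
    A dangling PPID can also be reused by an unrelated later process, so
    treat the "wrong parent" rule as weaker evidence than "orphan".
    """
    by_pid = {p["pid"]: p for p in snapshot}
    findings: List[Tuple[int, str]] = []
    for p in snapshot:
        if p["name"].lower() != "svchost.exe":
            continue
        parent = by_pid.get(p["ppid"])
        if parent is None:
            findings.append((p["pid"], f"orphaned: parent PID {p['ppid']} has exited"))
        elif parent["name"].lower() != "services.exe":
            findings.append((p["pid"], f"parent is {parent['name']} (PID {parent['pid']}), not services.exe"))
        if p["image_path"].lower() != LEGIT_SVCHOST_PATH:
            findings.append((p["pid"], f"image path {p['image_path']} is not the System32 binary"))
    return findings


# Constructed snapshot: Lab03-03.exe (PID 1712) has already exited, leaving
# svchost.exe PID 388 with a dangling parent PID, as in Figure C-8.
# PID 2200 is an extra made-up case (a renamed copy launched from Explorer)
# so that the other two rules fire as well.
SAMPLE_SNAPSHOT = [
    {"pid": 4,    "ppid": 0,    "name": "System",       "image_path": ""},
    {"pid": 672,  "ppid": 616,  "name": "services.exe", "image_path": r"C:\Windows\System32\services.exe"},
    {"pid": 1024, "ppid": 672,  "name": "svchost.exe",  "image_path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 1536, "ppid": 1500, "name": "explorer.exe", "image_path": r"C:\Windows\explorer.exe"},
    {"pid": 388,  "ppid": 1712, "name": "svchost.exe",  "image_path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 2200, "ppid": 1536, "name": "svchost.exe",  "image_path": r"C:\Users\analyst\Desktop\svchost.exe"},
]

if __name__ == "__main__":
    for pid, reason in find_suspicious_svchost(SAMPLE_SNAPSHOT):
        print(f"PID {pid}: {reason}")
```

On a live box the snapshot would come from Process Explorer's export, tasklist, or WMI; the rules do not change. Note that PID 388 is caught only by the orphan rule, which is the point the lab makes: a replaced process looks entirely legitimate by path.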

From this same properties page, we select Strings to show the strings in both the executable image on disk and in memory. Toggling between the Image and Memory radio buttons shows significant discrepancies between the two. As shown in Figure C-9, the strings in memory (right) include practicalmalwareanalysis.log and [ENTER], the two entries marked with callouts in the figure, neither of which is found in a typical Windows svchost.exe file on disk (left).

Figure C-9. Process Explorer shows strings that are not normally contained in svchost.exe.

The presence of the string practicalmalwareanalysis.log, coupled with strings like [ENTER] and [CAPS LOCK], suggests that this program is a keylogger. To test that assumption, we first use the PID of the orphaned svchost.exe (388, taken from Process Explorer) to create a procmon filter that shows only events from that process, and then open Notepad and type a short message. As you can see in Figure C-10, svchost.exe issues CreateFile and WriteFile events against the file named practicalmalwareanalysis.log, the same filename visible in the memory view of the orphaned process.

Figure C-10. Procmon output of svchost.exe with PID 388

Opening practicalmalwareanalysis.log with a simple text editor reveals the keystrokes you entered in Notepad. We conclude that this malware is a keylogger that uses process replacement on svchost.exe.
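The Image/Memory comparison above is the decisive triage step, and it is worth being able to do it outside Process Explorer, for instance on a dumped region. What follows is an added example, not code from the book: a small strings extractor in the Sysinternals style (ASCII and UTF-16LE runs of four or more printable characters), a disk-versus-memory difference, and a filter for the key-name markers that a text-logging keylogger must contain. DISK_IMAGE and MEMORY_IMAGE are constructed byte blobs standing in for the real svchost.exe file and for the replaced image in PID 388, trimmed to a handful of strings; a real PE has thousands, and the extra key names ([SHIFT], [BACKSPACE]) are made-up sample data beyond the two the analysis spotted.

```python
"""Compare the strings of an on-disk image with those of the same process's
memory image, as Process Explorer's Image/Memory toggle does.

Added example, not code from the book. DISK_IMAGE and MEMORY_IMAGE are
constructed stand-ins, not bytes taken from svchost.exe or the lab sample.
"""
import re
from typing import List, Set


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Pull printable runs of at least min_len chars, ASCII and UTF-16LE,
    the same convention the Sysinternals strings tool uses."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def memory_only_strings(disk_image: bytes, memory_image: bytes, min_len: int = 4) -> Set[str]:
    """Strings present in memory but absent from the file on disk.

    A legitimately loaded image also differs from its file (relocations
    applied, imports resolved, nearby heap data), so the size of this set
    proves nothing by itself; what matters is which strings show up only
    in memory. Here the keylogger's own strings do.
    """
    return set(extract_strings(memory_image, min_len)) - set(extract_strings(disk_image, min_len))


# Key names a keystroke logger has to spell out when it writes a text log.
KEYLOG_MARKERS = {"[ENTER]", "[CAPS LOCK]", "[SHIFT]", "[BACKSPACE]", "[TAB]"}


def keylogger_indicators(strings: Set[str]) -> Set[str]:
    """Subset of a string set that points at keylogging: bracketed key names
    plus anything that looks like a log filename."""
    return {s for s in strings if s in KEYLOG_MARKERS or s.lower().endswith(".log")}


# Constructed sample data. DISK_IMAGE stands in for the genuine binary;
# MEMORY_IMAGE shares its PE boilerplate but carries the injected code's
# strings. The double NUL before the UTF-16 string keeps the preceding ']'
# from being absorbed into the wide-character match.
DISK_IMAGE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"This program cannot be run in DOS mode.\x00"
    b".text\x00.rdata\x00.data\x00"
    b"svchost.exe\x00ServiceMain\x00KERNEL32.dll\x00ADVAPI32.dll\x00"
)
MEMORY_IMAGE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"This program cannot be run in DOS mode.\x00"
    b".text\x00.rdata\x00.data\x00"
    b"svchost.exe\x00KERNEL32.dll\x00"
    b"practicalmalwareanalysis.log\x00[ENTER]\x00[CAPS LOCK]\x00[SHIFT]\x00\x00"
    + "[BACKSPACE]".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    diff = memory_only_strings(DISK_IMAGE, MEMORY_IMAGE)
    print("memory-only strings:", sorted(diff))
    print("keylogger indicators:", sorted(keylogger_indicators(diff)))
```

To apply this to a real case, feed extract_strings the bytes of the file on disk and a dump of the process's image region (Process Explorer, procdump or a debugger can produce one); the memory-only set is the list of things to explain, and the keylogging markers are the ones that sent us to Notepad and procmon in the first place.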
