Questions On The And System

As you can see from the image, uTorrent.exe 3.4.0 was installing another executable file with a double extension, .tmp.exe. This means that when the installation finishes you will notice, in one of the folders, a file named utt37C5.tmp. The user would not think anything of it because it looks like just a temporary file. This is because in the Windows operating system the option "Hide extensions for known file types" is checked (enabled) by default. The user will never notice the .exe extension; the only thing the user will notice is the .tmp, and this trick is called extension spoofing. While uTorrent was being installed I continued to monitor for more activity. The dllhost.exe is a common process in the…
2031. Though I have seen many cases before where malware uses it for malicious purposes. See the image below.

After running uTorrent.exe 3.4.0 in Sandboxie I was still not satisfied with the results. As the next step, I executed uTorrent 3.4.0 on a clean copy of Windows Vista and dumped the RAM to see whether this malware really exists. After letting uTorrent.exe run for a while on the clean Windows Vista OS, I used the tool DumpIt.exe to dump the RAM for later examination. To read the strings and data in the raw memory dump I used the tool HxD (a hex editor). After examining the raw memory dump I found numerous packers, scramblers, encrypters and junk code that came with uTorrent.exe 3.4.0. As you can see from the image, all of these reside in memory after installing uTorrent.exe. What is interesting is that they are all sitting there silently without the user's knowledge.

Next I followed up on the name AHTeam, which stands for Alien Hack Team. According to their website they are a group of professional reverse engineers who do freelance work. In my opinion someone paid for their source code protection service, or to reverse-engineer the application, in order to avoid detection. This stub is packed with JunkCode. Variations of junk code are inserted before and after the real code in the file. This ultimately gives the malware an advantage: it lasts longer without being detected and slows down the analysis during the
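The extension-spoofing trick described above (a dropped `utt37C5.tmp.exe` that Explorer shows as `utt37C5.tmp` because known extensions are hidden) can be checked for in a directory listing. The following is an added example, not code from the essay: it approximates Explorer's display name and flags files whose real extension is executable while the visible name ends in a harmless-looking one. The extension sets and the sample listing are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Assumption: a small subset of extensions Windows will execute when double-clicked.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js", ".msi"}
# Assumption: extensions a user tends to regard as inert data or temp files.
BENIGN_LOOKING_EXTS = {".tmp", ".txt", ".pdf", ".jpg", ".png", ".doc", ".docx", ".log"}

def explorer_display_name(filename: str, hide_known: bool = True) -> str:
    """Approximate how Explorer shows a name with 'Hide extensions for known
    file types' enabled: only the final extension is dropped, so
    'utt37C5.tmp.exe' is displayed as 'utt37C5.tmp'."""
    p = PureWindowsPath(filename)
    if hide_known and p.suffix:
        return p.stem
    return p.name

def is_extension_spoof(filename: str) -> bool:
    """True when the real (last) extension is executable but the name the
    user sees ends in a benign-looking extension."""
    p = PureWindowsPath(filename)
    real_ext = p.suffix.lower()
    shown_ext = PureWindowsPath(explorer_display_name(filename)).suffix.lower()
    return real_ext in EXECUTABLE_EXTS and shown_ext in BENIGN_LOOKING_EXTS

def scan(listing):
    """Return the entries of a directory listing that look like spoofed extensions."""
    return [name for name in listing if is_extension_spoof(name)]

# Constructed listing of a temp folder after an install; only the names matter.
SAMPLE_LISTING = [
    "utt37C5.tmp",          # genuine temp file, shown as 'utt37C5'
    "utt37C5.tmp.exe",      # executable shown as 'utt37C5.tmp'
    "uTorrent.exe",         # executable shown as 'uTorrent', nothing hidden behind it
    "readme.txt",
    "photo.jpg.scr",        # screensaver binary shown as 'photo.jpg'
]

if __name__ == "__main__":
    for name in SAMPLE_LISTING:
        flag = "SPOOF" if is_extension_spoof(name) else "ok"
        print(f"{flag:5} {name:20} shown as: {explorer_display_name(name)}")
```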