Research Article
Osiris: A Malware Behavior Capturing System Implemented at Virtual Machine Monitor Layer
Table 2
Some detailed analysis results for backdoor/Win32.Hupigon.hypj.
| | Behavior | Behavior parameter | | Description from human analyst | Osiris |
| | Create file | %Program Files%∖Common Files∖Microsoft Shared∖
MSInfo∖Virtualnat.exe; | C:∖Program Files∖Common Files∖Microsoft Shared∖
MSINFO∖Virtualnat.exe | | Copy file | × | Source path: C:∖Program Files∖Common Files∖
Microsoft Shared∖MSINFO∖Virtualnat.exe | | Target path: C:∖Program Files∖_Virtualnat.exe | | Search file | klif.sys | C:∖WINDOWS∖system32∖drivers/klif.sys | | Set registry key | HKEY_LOCAL_MACHINE∖SYSTEM∖CurrentControlSet∖
Services∖Virtualnat∖Description | HKEY_LOCAL_MACHINE∖SYSTEM∖
CurrentControlSet∖Services∖Virtualnat | | Create process | iexeplore.exe | C:∖program files∖internet explorer∖IEXPLORE.EXE | | Create process | calc.exe | C:∖WINDOWS∖system32∖calc.exe | | Inject process | iexeplore.exe | iexeplore.exe | | Inject process | calc.exe | calc.exe | | Create service | × | Image path: C:∖Program Files∖Common Files∖
Microsoft Shared∖MSINFO∖Virtualnat.exe | | Description: Virtual Network Control Service | | Connect remote port | TCP; port number: 80; IP address: 60.190.92.75 | TCP; port number: 80 | | Open URL | × | http://www.5ai8.net/ip.txt | | Create window | × | TApplication |
|
|
