Research Article
Osiris: A Malware Behavior Capturing System Implemented at Virtual Machine Monitor Layer
Table 2
Some detailed analysis results for backdoor/Win32.Hupigon.hypj.
| Behavior | Behavior parameter: description from human analyst | Behavior parameter: Osiris |
| --- | --- | --- |
| Create file | %Program Files%∖Common Files∖Microsoft Shared∖MSInfo∖Virtualnat.exe; | C:∖Program Files∖Common Files∖Microsoft Shared∖MSINFO∖Virtualnat.exe |
| Copy file | × | Source path: C:∖Program Files∖Common Files∖Microsoft Shared∖MSINFO∖Virtualnat.exe; Target path: C:∖Program Files∖_Virtualnat.exe |
| Search file | klif.sys | C:∖WINDOWS∖system32∖drivers/klif.sys |
| Set registry key | HKEY_LOCAL_MACHINE∖SYSTEM∖CurrentControlSet∖Services∖Virtualnat∖Description | HKEY_LOCAL_MACHINE∖SYSTEM∖CurrentControlSet∖Services∖Virtualnat |
| Create process | iexeplore.exe | C:∖program files∖internet explorer∖IEXPLORE.EXE |
| Create process | calc.exe | C:∖WINDOWS∖system32∖calc.exe |
| Inject process | iexeplore.exe | iexeplore.exe |
| Inject process | calc.exe | calc.exe |
| Create service | × | Image path: C:∖Program Files∖Common Files∖Microsoft Shared∖MSINFO∖Virtualnat.exe; Description: Virtual Network Control Service |
| Connect remote port | TCP; port number: 80; IP address: 60.190.92.75 | TCP; port number: 80 |
| Open URL | × | http://www.5ai8.net/ip.txt |
| Create window | × | TApplication |