A funny suspected malicious software (notepad.exe) analysis

My colleague sent me some exe files; he wanted to check whether they are really malicious,
because on VirusTotal (VT) most of the AV engines say they are.

Let's just take one as an example.

You can find the static and dynamic scan details here:

From the antivirus section of the report, we found many alerts:

But in the dynamic result,
I found no abnormal actions in the execution flow.
So is it a false positive?
But many AV engines alert on it.
At last, I found the reason while working with nEINEI.

One section of this PE file has been changed.

The attributes of this section have been updated to RWE (read, write and execute).

And we also found that someone injected some data into this section.

But the entry point has not been changed, so execution never jumps into this section to run the injected code.

So the file is a nice file with a bad section.
That's why lots of AV engines alert on it :)
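To reproduce the check that settled this case, here is an added Python example (it is not from the original post, and the tiny PE image it builds is a constructed sample, not the real notepad.exe). It parses the section table by hand, flags any section whose characteristics are RWE, locates which section the AddressOfEntryPoint falls in, and looks for non-zero bytes in section slack, the raw bytes past VirtualSize that a linker normally leaves as zero padding. The `build_sample_pe` helper, the `.data` section name and the `INJECTED` marker are all assumptions made for the demo.

```python
import struct

# Section characteristic flags from the PE format specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWE = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE


def parse_pe(data):
    """Return (entry_point_rva, sections) parsed from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20
    entry_rva = struct.unpack_from("<I", data, opt_hdr + 16)[0]  # AddressOfEntryPoint
    sec_table = opt_hdr + opt_size
    sections = []
    for i in range(num_sections):
        off = sec_table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vsize": vsize, "vaddr": vaddr,
            "rawsize": rawsize, "rawptr": rawptr, "chars": chars,
        })
    return entry_rva, sections


def assess(data):
    """Flag RWE sections, find the entry-point section, and detect data in slack."""
    entry_rva, sections = parse_pe(data)
    report = {"rwe_sections": [], "slack_data": [],
              "entry_section": None, "entry_in_rwe": False}
    for s in sections:
        is_rwe = (s["chars"] & RWE) == RWE
        if is_rwe:
            report["rwe_sections"].append(s["name"])
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            report["entry_section"] = s["name"]
            report["entry_in_rwe"] = is_rwe
        # Bytes past VirtualSize inside the raw section should be zero padding
        slack = data[s["rawptr"] + s["vsize"]:s["rawptr"] + s["rawsize"]]
        if s["rawsize"] > s["vsize"] and any(slack):
            report["slack_data"].append(s["name"])
    return report


def build_sample_pe(tampered):
    """Build a minimal PE32 image (constructed sample, not the real notepad.exe).
    .text holds the entry point; when tampered, .data is marked RWE and has
    bytes written into its slack space, mirroring the case in the post."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224  # size of the PE32 optional header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)    # AddressOfEntryPoint inside .text

    def sec(name, vaddr, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, 0x100, vaddr, 0x200, rawptr,
                           0, 0, 0, 0, chars)

    data_chars = 0xC0000040 | (IMAGE_SCN_MEM_EXECUTE if tampered else 0)
    headers = (dos + b"PE\0\0" + file_hdr + bytes(opt)
               + sec(b".text", 0x1000, 0x200, 0x60000020)
               + sec(b".data", 0x2000, 0x400, data_chars))
    image = bytearray(0x600)
    image[:len(headers)] = headers
    image[0x200:0x204] = b"\x90\x90\x90\xC3"       # placeholder code bytes
    if tampered:
        image[0x500:0x508] = b"INJECTED"           # data dropped into .data slack
    return bytes(image)


if __name__ == "__main__":
    print(assess(build_sample_pe(tampered=True)))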

There are 2 comments

  1. pugu49 2015/03/05 pm 3:18

    Phenomenal breakdown of the topic, you should write for me too!

  2. pugu49 2015/03/05 pm 3:13

    You make things so clear. Thanks for taking the time!
