To identify the name of the service that the malware attempts to install from the Malscript.viruz.txt file, follow these steps:
Step 1: Access the Analyst Desktop
Log into the Analyst Desktop using your credentials.
Navigate to the Malware Samples folder located on the desktop.
Locate the file:
Malscript.viruz.txt
Step 2: Examine the File Contents
Display the file contents in the terminal (or open the file in a text editor):
cat ~/Desktop/Malware\ Samples/malscript.viruz.txt
Common Keywords to Look For:
New-Service
sc create
Install-Service
Set-Service
net start
Step 3: Identify the Service Creation Command
PowerShell:
New-Service -Name "MalService" -BinaryPathName "C:\Windows\malicious.exe"
or cmd:
sc create MalService binPath= "C:\Windows\System32\malicious.exe"
Step 4: Example Content from Malscript.viruz.txt
powershell.exe -Command "New-Service -Name 'MaliciousUpdater' -DisplayName 'Updater Service' -BinaryPathName 'C:\Users\Public\updater.exe' -StartupType Automatic"
In this example, the name of the service is:
MaliciousUpdater
Step 5: Cross-Verification
Check for multiple occurrences of service creation in the script to ensure accuracy.
Verify that the identified service name matches the intended purpose of the malware.
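To make the search in Steps 2 to 5 repeatable, the following added example (not part of the original walkthrough) scans a script's text for the two creation mechanisms shown above, New-Service and sc create, and returns every service name and binary path it finds, so multiple occurrences are caught in one pass. The sample input is constructed here from the one-liner quoted on the page plus a second cmd-style command.

```python
import re

# Constructed sample: the New-Service one-liner quoted on the page plus a second,
# cmd-style creation so that the "multiple occurrences" check from Step 5 is exercised.
SAMPLE_SCRIPT = r"""
powershell.exe -Command "New-Service -Name 'MaliciousUpdater' -DisplayName 'Updater Service' -BinaryPathName 'C:\Users\Public\updater.exe' -StartupType Automatic"
sc create MalService binPath= "C:\Windows\System32\malicious.exe"
"""

# A parameter value may be single-quoted, double-quoted, or a bare token.
VALUE = r"(?:'(?P<sq>[^']*)'|\"(?P<dq>[^\"]*)\"|(?P<bare>[^\s'\"]+))"


def _arg(param, text):
    """Return the value following `param` in `text`, with quotes stripped, or None."""
    m = re.search(param + r"\s*" + VALUE, text, re.IGNORECASE)
    return (m.group("sq") or m.group("dq") or m.group("bare")) if m else None


def extract_services(script_text):
    """Return one (name, binary_path, mechanism) tuple per service-creation
    command in the script, covering New-Service and sc create."""
    found = []
    # New-Service: scan the rest of the line for -Name / -BinaryPathName.
    for m in re.finditer(r"New-Service\b([^\n]*)", script_text, re.IGNORECASE):
        args = m.group(1)
        name = _arg(r"-Name\b", args)
        if name:
            found.append((name, _arg(r"-BinaryPathName\b", args), "New-Service"))
    # sc create <name> ... binPath= <path>: the name is the first token after create.
    for m in re.finditer(r"\bsc(?:\.exe)?\s+create\s+(\S+)([^\n]*)", script_text, re.IGNORECASE):
        found.append((m.group(1), _arg(r"binPath=", m.group(2)), "sc create"))
    return found


def service_names(script_text):
    """Just the service names, in order of appearance, without duplicates."""
    return list(dict.fromkeys(name for name, _, _ in extract_services(script_text)))


if __name__ == "__main__":
    for name, path, how in extract_services(SAMPLE_SCRIPT):
        print(f"{how:12} name={name!r} binary={path!r}")
```

Feed it the contents of Malscript.viruz.txt instead of SAMPLE_SCRIPT and the first tuple's name is the answer for Step 5, while the binary path feeds the documentation in Step 7.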
Answer:
The name of the service that the malware attempts to install is: MaliciousUpdater
Step 6: Immediate Action
PowerShell (run from an elevated prompt):
# Confirm the service exists and note its current state before acting
Get-Service -Name "MaliciousUpdater"
# Stop the service, then remove its registration. Use sc.exe explicitly:
# in PowerShell the bare name sc is an alias for Set-Content, not the service tool
Stop-Service -Name "MaliciousUpdater" -Force
sc.exe delete "MaliciousUpdater"
# Remove the dropped binary the service pointed to
Remove-Item "C:\Users\Public\updater.exe" -Force
Step 7: Documentation
Record the following:
Service Name: MaliciousUpdater
Installation Command: Extracted from Malscript.viruz.txt
File Path: C:\Users\Public\updater.exe
Actions Taken: Stopped and deleted the service.