darsh12 / malware

malware demonstration

malware

Behaviour expectations

The malware dumps the three registry hives SAM, SECURITY and SYSTEM to the %temp% folder as .save files (sam.save, security.save, system.save). It then executes dump.exe, which it extracts from its own resource section and writes to the same temp folder, against those three hive files. On execution a new file hash.txt is created in the %temp% folder containing the password hashes of the local user accounts.

How to open

  1. Clone the repository to local host
  2. Open Visual Studio 2019
  3. Navigate on File -> Open -> Project/Solution
  4. Choose the CSS579.sln file

How to build

  1. Set the project to Debug x86 mode
  2. Navigate to Build -> Build Solution
  3. Open the root folder of the project
  4. Under the Debug folder, you will find the exe

How to run

  1. Download the binary from the GitHub release or build your own from the source code
  2. Open a command prompt (cmd) with administrator privileges
  3. Navigate to exe directory or drag the exe to the cmd window
  4. Execute the exe
> malware.exe

How to run secretsdump

  • Open a command prompt with administrator privileges and run secretsdump.exe with the three hive files and the LOCAL keyword:
    • secretsdump.exe -sam sam.save -security security.save -system system.save LOCAL
  • This prints the hashes to the console
  • To obtain the three files sam.save, security.save and system.save, run the exe that you built (they are written to the %temp% folder)


Languages

C++ 98.4%, C 1.6%