Typical malware behavior
Malware is simply defined as malicious software. You'd expect bad things to happen to your system environment once malware has entered. Once typical malware enters the system, it does two basic things: it installs itself and it does its evil work. Because it intends to force its own installation, malware does not need to notify the user at all. Instead, it directly makes changes to the system.
Persistence
One of the changes malware makes in the system is to make itself resident. Malware persistence means that the malware will still be running in the background and, as much as possible, all the time. For example, the malware gets executed after every boot-up of the system, or it gets executed at a certain time of the day. The most common way for malware to achieve persistence is to drop a copy of itself in some folder in the system and make an entry in the registry.
The following view of the registry editor shows a registry entry by the GlobeImposter
ransomware:
Any entries made under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run are expected to run every time Windows starts. In this case, the GlobeImposter ransomware's executable file stored in C:\Users\JuanIsip\AppData\Roaming\huVyja.exe becomes persistent. BrowserUpdateCheck is the registry value name, while the path is the registry data. What matters under this registry key are the paths, regardless of the registry value name.
There are several areas in the registry that can trigger the execution of a malware executable file.
Run keys
Entering a file path in the registry data under these registry keys will trigger execution when Windows starts, as can be seen in the following registry paths for the Windows 64-bit versions:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run
Programs that are listed under these registry keys will trigger execution when the current user logs in, as can be seen in the following registry paths:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
The key names containing Once hold programs that run only once; Windows deletes the value after running it. The malware may still persist, however, if it keeps placing its own file path back under the RunOnce, RunOnceEx or RunServicesOnce keys each time it runs.
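The point made above for both the machine-wide and the per-user Run keys is that the registry data (the path), not the value name, decides what gets executed. The following script, an added example that is not from the book, applies that lesson from the analyst's side: it parses a text export of the Run and RunOnce keys in the format produced by reg export, pulls the executable path out of each value's data, and flags entries whose executable lives in a user-writable location such as AppData or Temp, which is where the GlobeImposter sample above was dropped. The .reg content embedded below is constructed for the demonstration (the BrowserUpdateCheck entry is the one from the text; SecurityHealth and Cleanup are made-up entries), and the %VAR% expansion map is likewise a stand-in for the real environment.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in "reg export" (.reg) format.  The BrowserUpdateCheck
# entry mirrors the GlobeImposter example from the text; SecurityHealth and
# Cleanup are made-up entries showing a benign system autorun and a quoted
# path with arguments under a RunOnce key.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"BrowserUpdateCheck"="C:\\Users\\JuanIsip\\AppData\\Roaming\\huVyja.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"Cleanup"="\"C:\\Users\\JuanIsip\\AppData\\Local\\Temp\\setup.exe\" /silent"
'''

# Autorun targets living in user-writable locations deserve a closer look:
# properly installed software normally lives under Program Files or Windows.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\",
                         "\\users\\public\\")

# Constructed environment map for expanding %VAR% references in the data
# (on a live system you would consult os.environ instead).
ENV_VARS = {"windir": r"C:\Windows", "systemroot": r"C:\Windows",
            "programdata": r"C:\ProgramData"}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
VALUE_RE = re.compile(
    r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|bat|cmd|vbs|js|ps1|scr))", re.IGNORECASE)


def _unescape(text: str) -> str:
    # In .reg files a backslash escapes the next character (\\ and \").
    return re.sub(r"\\(.)", r"\1", text)


def parse_reg_export(text: str) -> List[Dict[str, str]]:
    """Return the REG_SZ values of a .reg export as key/name/data records.

    Only quoted (REG_SZ) data is kept: dword:/hex: data never carries a
    path under the Run keys, so it is skipped here.
    """
    records: List[Dict[str, str]] = []
    current_key: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        value_match = VALUE_RE.match(line)
        if not value_match or current_key is None:
            continue
        data = value_match.group("data")
        if len(data) < 2 or not (data.startswith('"') and data.endswith('"')):
            continue  # not a REG_SZ value
        name = value_match.group("name")
        records.append({
            "key": current_key,
            "name": "(Default)" if name is None else _unescape(name),
            "data": _unescape(data[1:-1]),
        })
    return records


def extract_image_path(data: str) -> str:
    """Pull the executable path out of a command line stored as registry data."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        path = data[1:end] if end != -1 else data[1:]
    else:
        exe_match = EXE_RE.match(data)
        path = exe_match.group(1) if exe_match else data.split(" ", 1)[0]
    # Expand %VAR% references using the constructed environment map.
    return re.sub(r"%([^%]+)%",
                  lambda m: ENV_VARS.get(m.group(1).lower(), m.group(0)), path)


def is_user_writable_path(path: str) -> bool:
    """True when the path sits under a directory a standard user can write to."""
    lowered = path.lower()
    return any(marker in lowered for marker in USER_WRITABLE_MARKERS)


def audit_run_keys(reg_text: str) -> List[Dict[str, object]]:
    """Parse a .reg export of Run/RunOnce keys and flag suspicious autoruns."""
    results: List[Dict[str, object]] = []
    for rec in parse_reg_export(reg_text):
        image = extract_image_path(rec["data"])
        results.append({**rec, "image_path": image,
                        "suspicious": is_user_writable_path(image)})
    return results


if __name__ == "__main__":
    for entry in audit_run_keys(SAMPLE_REG_EXPORT):
        flag = "SUSPICIOUS" if entry["suspicious"] else "ok"
        print(f"[{flag:10}] {entry['key']}")
        print(f"             {entry['name']} -> {entry['image_path']}")
```

On a real machine you would feed audit_run_keys the text of a file written by reg export for each of the keys listed above (and the Wow6432Node variant on 64-bit systems); note that reg export writes UTF-16, so open the file with encoding="utf-16". The value name is deliberately ignored when deciding what is suspicious, since, as the text notes, a benign-looking name such as BrowserUpdateCheck tells you nothing about the path it launches.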