Typical malware behavior

Malware is simply defined as malicious software. You'd expect bad things to happen to your system environment once malware has entered. Once typical malware enters the system, it does two basic things: it installs itself and it does its evil work. Because it intends to force its own installation, malware does not need to notify the user at all. Instead, it directly makes changes to the system.


Persistence

One of the changes malware makes in the system is to make itself resident. Malware persistence means that the malware will still be running in the background and, as much as possible, all the time. For example, malware gets executed after every boot-up of the system, or malware gets executed at a certain time of the day. The most common way for malware to achieve persistence is to drop a copy of itself in some folder in the system and make an entry in the registry.

The following view of the registry editor shows a registry entry by the GlobeImposter ransomware:


Any entries made under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run are expected to run every time Windows starts. In this case, the GlobeImposter ransomware's executable file, stored in C:\Users\JuanIsip\AppData\Roaming\huVyja.exe, becomes persistent. BrowserUpdateCheck is the registry value name, while the path is the registry data. What matters under this registry key is the path in the data, regardless of the value name.

There are several areas in the registry that can trigger the execution of a malware executable file.


Run keys

Entering a file path in the registry data under these registry keys will trigger execution when Windows starts, as can be seen in the following registry paths for the Windows 64-bit versions:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run




Programs that are listed under these registry keys will trigger execution when the current user logs in, as can be seen in the following registry paths:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run



Keys whose names contain Once hold programs that run only once; the entry is removed after it has been executed. The malware may still persist, however, if it keeps placing its own file path back under the RunOnce, RunOnceEx or RunServicesOnce keys each time it runs.
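As an added example (not code from the original text), the following PowerShell script walks the Run-family keys listed above on a live Windows system and reports every value found, flagging entries whose data points into a user-writable profile or temp directory, which is where the GlobeImposter sample above was dropped. The key list follows the text; the function name Get-AutorunEntries and the set of "suspicious" directory patterns are this example's own assumptions, not a Microsoft or vendor convention.

```powershell
# Added example: enumerate the autorun registry keys discussed above and flag
# entries whose executable path lives in a user-writable location.
# The key list mirrors the text; $suspiciousDirs is an assumed heuristic.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServices',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run'
)

# Regex fragments for directories where a legitimate autostart binary is unusual
# (assumption for this example; tune to the environment).
$suspiciousDirs = @(
    '\\AppData\\Roaming\\',
    '\\AppData\\Local\\Temp\\',
    '\\Windows\\Temp\\',
    '\\Users\\Public\\'
)

# PowerShell adds these note properties to every Get-ItemProperty result;
# they are not registry values and must be skipped.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        # Many of the legacy keys (RunServices, RunOnceEx) do not exist on modern hosts.
        if (-not (Test-Path -Path $key)) { continue }

        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -in $providerProps) { continue }

            # As the text notes, the path in the data is what matters, not the value name.
            $data = [string]$prop.Value
            $flagged = $false
            foreach ($pattern in $suspiciousDirs) {
                if ($data -match $pattern) { $flagged = $true; break }
            }

            [pscustomobject]@{
                Key        = $key
                ValueName  = $prop.Name
                Data       = $data
                Suspicious = $flagged
            }
        }
    }
}

# Show flagged entries first so a path like
# C:\Users\<user>\AppData\Roaming\huVyja.exe stands out at the top of the list.
Get-AutorunEntries | Sort-Object -Property Suspicious -Descending | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so that the HKLM keys are readable; the HKCU keys reflect only the account running the script, so on a multi-user host the check needs to be repeated per user hive. A `Suspicious` flag is a triage hint, not a verdict: installers do occasionally place updaters under AppData, so compare the flagged path against the file's signature and creation time before acting on it.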