
Persistence Analysis Remediation Python PopUp Malware


  • LAB TIME: Le Persistence

  • Download my Python-coded annoying pop-up-ware and remediate yourself from the ever-running hell. RUN ON A VM. LINK:

  • The link will be sent on the WhatsApp group.

  • Group up and write a report documenting your work: explain how this malware-ish program persists, and document the remediation actions.

  • This is a 40-ish minute lab.

  • HINT: go to REGSEEK (not the academic search engine).


🔹 Scenario

  • You have a Python script that displays annoying pop-up advertisements and remains active in the system (i.e., it continues running automatically even after a system restart).

  • Objective:

  • Identify the mechanism by which the program persists in the system.

  • Explain the steps involved in analyzing and documenting the issue, as well as the steps for removing the program.


🔹 Initial Setup

  1. Opened the Virtual Machine prepared for the lab ("Malware LAB").

  2. Downloaded the program from the link, then isolated the machine's network (adapter set to Host-Only), because the sample must be tested in a contained environment.

  3. Before isolating the machine, installed 7-Zip so that compressed files can be extracted easily, then isolated the machine again.

  4. Disabled Windows Defender and anything else that could prevent the malware from running (inside the isolated VM only).

  5. Extracted the folder using 7-Zip (password: infected).


🔹 Initial File Analysis

  • File Name: what_have_i_become.exe

  • File Type: Application (.exe)

  • Size: 7.72 MB (8,103,596 bytes)

Running the Malware:

  • Extremely annoying pop-ups appeared.

  • Performed End Task from Task Manager to make the pop-ups disappear.

🔹 Startup / Persistence Check

  • Opened Task Manager → Startup:

  • Found a new entry with the same icon, named runme.exe.

  • Used Open File Location:

  • File location:
C:\Users\as\AppData\Roaming

Analysis:

  • After running what_have_i_become.exe:

  • The pop-ups run in a continuous loop, even after End Task is used.

  • The program added itself automatically to Startup under a different name (runme.exe) so that it runs again after every reboot.


🔹 Auto-Start Keys

Auto-Start Methods Checked

  1. Startup Folder (per user / system-wide)
     • C:\Users\as\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup → per user.
     • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup → system-wide.
     • Note: Some programs require administrative privileges or Compatibility Mode to start correctly from here.

  2. Task Manager → Startup Tab
     • Does not add entries itself: it shows (and can enable/disable) what is already registered in the Run keys and the Startup folders, so it is a quick first place to look.
     • Problem: it only covers those locations. Other autostart mechanisms (services, scheduled tasks, and so on) do not appear there, so the registry must still be checked directly.

  3. Registry → HKCU\…\Run
     • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
     • Runs at every logon of the current user; a standard user can write here. The file was indeed found here.

  4. Registry → HKLM\…\Run
     • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
     • Runs at logon for all users; writing here requires administrative privileges. Nothing was present: the sample ran as a standard user, so it could not write to this key.


🔹 Windows Malware Persistence Run Key

  • Opened Registry Editor:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

![[Pasted image 20250921203508.png]]

Persistence Mechanism:

  • The file runme.exe is present here as a string (REG_SZ) value → every value under this key is executed at each logon of the current user.

🔹 Using RegSeek

  • After identifying the malware location, used RegSeek mentioned in the hint:
## Registry Run Keys Persistence

persistence-methods high priority

HKLM\Software\Microsoft\Windows\CurrentVersion\Run 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 
HKCU\Software\Microsoft\Windows\CurrentVersion\Run 
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices 
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

### Artifact Overview

### What It Stores

Registry locations where Windows automatically executes programs during user logon or system startup. HKLM keys run for all users with SYSTEM privileges, HKCU keys run for specific users with user privileges. RunOnce keys execute once then delete themselves. RunServices keys exist on older Windows versions for service startup.

### Forensic Value

Primary persistence mechanism used by malware, backdoors, and legitimate software. Shows what programs automatically start with Windows. Critical for identifying unauthorized persistence and malware installation. Can reveal privilege escalation attempts and system compromise indicators. Essential for incident response triage.

Simplified Explanation:

  1. RegSeek's Purpose:
     • Find the registry locations where any program, malware or legitimate, can add itself to run automatically at Windows startup or logon.

  2. Keys of Focus:
     • HKLM\Software\Microsoft\Windows\CurrentVersion\Run → runs at logon for all users; writing here requires administrative privileges (the entry itself runs in the context of whichever user logs on, not as SYSTEM).
     • HKLM\...\RunOnce → same idea, but the value is deleted before the command runs, so it executes only once.
     • HKCU\...\Run → runs at logon for the current user only (normal user privileges are enough to write it).
     • HKCU\...\RunOnce → runs once for that user.
     • HKLM\...\RunServices and RunServicesOnce → only on older (Windows 9x-era) versions, for service startup; not used on modern Windows.

  3. What These Keys Store:
     • Paths or command lines that execute automatically at logon.

  4. Forensic Value:
     • Primary persistence mechanism for malware.
     • Helps detect suspicious programs, privilege escalation attempts, and system tampering.
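The locations in the Auto-Start Keys list and in the RegSeek excerpt above can be swept in one pass instead of opening each by hand. The following PowerShell is an added example written for this write-up (not part of the lab material or of RegSeek). The list of "user-writable roots" used to flag entries and the inclusion of the WOW6432Node keys are my own choices; extend them for your environment.

```powershell
# Added example (not from the lab): sweep the Run/RunOnce keys and Startup folders
# discussed above and flag entries that launch from user-writable directories,
# which is where runme.exe was found (%APPDATA%).

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    # 32-bit view of the HKLM keys on 64-bit Windows; easy to miss in regedit
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
)

$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per user
    [Environment]::GetFolderPath('CommonStartup')   # all users (C:\ProgramData\...)
)

# Directories a standard user can write to. Legitimate autostart entries almost always
# live under Program Files or Windows; anything launching from here deserves a look.
# (assumption: this heuristic list is my own, not something the lab defines)
$userWritableRoots = @(
    $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:PUBLIC,
    (Join-Path $env:USERPROFILE 'Downloads')
) | Where-Object { $_ }

function Test-UserWritableLaunch {
    param([string]$Command)
    foreach ($root in $userWritableRoots) {
        if ($Command -like "*$root*") { return $true }
    }
    return $false
}

$findings = New-Object System.Collections.Generic.List[object]

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $entries = Get-ItemProperty -Path $key
    foreach ($p in $entries.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }    # PSPath, PSParentPath, ... are provider metadata
        $findings.Add([pscustomobject]@{
            Source  = $key
            Name    = $p.Name
            Command = [string]$p.Value
            Flag    = $(if (Test-UserWritableLaunch ([string]$p.Value)) { 'USER-WRITABLE PATH' } else { '' })
        })
    }
}

foreach ($folder in $startupFolders) {
    if (-not (Test-Path $folder)) { continue }
    Get-ChildItem -Path $folder -File -Force |
        Where-Object { $_.Name -ne 'desktop.ini' } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Source  = $folder
                Name    = $_.Name
                Command = $_.FullName
                Flag    = 'STARTUP FOLDER'   # empty on a fresh lab VM, so anything here is notable
            })
        }
}

# Flagged entries first; compare the names against what Task Manager -> Startup shows.
$findings | Sort-Object { $_.Flag -eq '' } | Format-Table -AutoSize -Wrap
```

Run it as the same user account the sample was executed under, since the HKCU hive is per user; reading the HKLM keys does not need an elevated prompt. In this lab the flagged row is the HKCU Run value whose command points at C:\Users\as\AppData\Roaming\runme.exe.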


🔹 Persistence Removal / Remediation

  1. Open Registry Editor (regedit.exe).

  2. Navigate to:
     HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  3. Locate the value whose data points to runme.exe.

  4. Delete it (Right-click → Delete).

  5. Navigate to the original file location:
     C:\Users\as\AppData\Roaming\runme.exe
     and delete it (end the running process first if Windows refuses to delete the file).

  6. Reboot the system to ensure the pop-ups are gone.

🔹 Verification After Removal

  • After reboot:

  • Pop-ups no longer appear.

  • Registry → HKCU\…\Run no longer contains the value.

  • System is clean and free of persistence.
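The removal steps and the post-removal checks above, as one script. This is an added example written for this write-up, not part of the lab. It assumes exactly what was found here (a value under HKCU\…\Run whose data points at runme.exe in %APPDATA%) and adds two things a report should have: the process is stopped before the file is deleted, and a hash plus a renamed copy of the binary are kept as evidence. The evidence folder path and the process names are assumptions taken from this write-up.

```powershell
# Added example (not from the lab): scripted removal of the HKCU Run persistence found
# above, plus the checks done by hand in the verification section.
# Run inside the isolated lab VM, as the user account the sample was executed under.

$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$malName  = 'runme.exe'
$malPath  = Join-Path $env:APPDATA $malName                 # C:\Users\<user>\AppData\Roaming\runme.exe
$evidence = Join-Path $env:USERPROFILE 'Desktop\evidence'   # assumption: where to keep a copy for the report

# 1. Stop both the dropper and the persisted copy: a running exe cannot be deleted,
#    and a live process could simply re-create the Run value after we remove it.
Get-Process -Name 'runme', 'what_have_i_become' -ErrorAction SilentlyContinue |
    Stop-Process -Force

# 2. Remove the Run value(s). Match on the value DATA, not the value name: the name is
#    chosen by the malware and does not have to look like the file name.
$hits = (Get-ItemProperty -Path $runKey).PSObject.Properties |
    Where-Object { $_.Name -notlike 'PS*' -and ([string]$_.Value) -like "*$malName*" }
foreach ($h in $hits) {
    Write-Host "Removing $runKey\$($h.Name) = $($h.Value)"
    Remove-ItemProperty -Path $runKey -Name $h.Name
}

# 3. Keep a hash and a renamed copy of the binary for the report, then delete it.
if (Test-Path $malPath) {
    New-Item -ItemType Directory -Path $evidence -Force | Out-Null
    Get-FileHash -Path $malPath -Algorithm SHA256 | Format-List |
        Out-File -FilePath (Join-Path $evidence 'runme.sha256.txt')
    Copy-Item -Path $malPath -Destination (Join-Path $evidence 'runme.exe.bin')   # .bin so nobody double-clicks it
    Remove-Item -Path $malPath -Force
}

# 4. Verify: no Run/RunOnce value in either hive references the file, the file is gone,
#    and nothing with that name sits in a Startup folder.
$checkKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$leftover = foreach ($k in $checkKeys) {
    if (Test-Path $k) {
        (Get-ItemProperty -Path $k).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and ([string]$_.Value) -like "*$malName*" } |
            ForEach-Object { "$k\$($_.Name)" }
    }
}
$startupHits = foreach ($f in [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')) {
    Get-ChildItem -Path $f -Filter $malName -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
}

$remaining = @($leftover) + @($startupHits)
if ($remaining.Count -eq 0 -and -not (Test-Path $malPath)) {
    Write-Host 'Clean: no autostart reference left and file removed. Reboot and confirm no pop-ups.'
} else {
    Write-Warning ('Persistence still present: ' + ($remaining -join '; '))
}
```

The reboot in the write-up is still the final test: the script only proves that the registry and file system no longer reference the sample, not that nothing else re-launches it, which is why the check reads the RunOnce keys and the Startup folders as well as the key the malware actually used.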


✅ Summary

  • Malware relies on:

  • Registry value under HKCU\…\Run pointing to a copy of itself (runme.exe) in C:\Users\as\AppData\Roaming

  • That value is what appears as the "Startup" entry in Task Manager and launches the program at every logon

  • Persistence was successfully identified and removed:

  • Deleted the registry value

  • Deleted the original file

  • Verified after reboot

  • Important Security Lesson:

  • Always test malware in an isolated VM (Host-Only network, no shared folders); disable protections only inside that VM and only for as long as the test needs.

  • Monitoring Startup entries and the Run keys helps detect suspicious programs.


  • 21-09-2025

  • Abdelwahab Ahmed Abdelwahab Mohamed