Malware developers commonly program the code behind malware to perform malicious actions on targeted systems for nefarious purposes. One particular activity used by malware developers and their malware programs is to modify the contents of the targets host such as the registry in a Windows system architecture. The reason behind this is to protect the malware’s execution during the system reboot process to ensure persistence access on the host.
The registry on Windows systems is used as a hierarchical database that stores low-level settings for the Microsoft Windows operating system and for applications that opt to use the registry. The kernel, device drivers, services, Security Accounts Manager (SAM), and user interface can all use the registry.
Some common registry keys used my malware can be found below:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
Startup=”C:\windows\start menu\programs\startup”
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
Startup=”C:\windows\start menu\programs\startup”
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\User Shell Folders]
“Common Startup”=”C:\windows\start menu\programs\startup”
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\Shell Folders]
“Common Startup”=”C:\windows\start menu\programs\startup”
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
“Service”=”c:\runfolder\program.exe”
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce]
“Whatever”=”c:\runfolder\program.exe”
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
“Service”=”c:\runfolder\program.exe”
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
“Service”=”c:\runfolder\program.exe”
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
“Service”=”c:\runfolder\program.exe”
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce]
“Service”=”c:\runfolder\program.exe”
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices]
“Service”=”c:\runfolder\program.exe”