./Malfav.asm

Startup Folder

The Startup folder is a Windows directory whose contents are launched automatically when a user logs on: once the shell (explorer.exe) starts, it runs every shortcut, executable, or script it finds there, so the resulting processes have explorer.exe as their parent. Malware abuses this for persistence, ensuring it runs at every logon without touching the registry. MITRE ATT&CK tracks the technique under T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder). Here's a detailed overview:

Location of Startup Folders

  1. For All Users:

    • Path: %ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp

    • Scope: Any shortcut, executable, or script placed here runs for every user who logs on. By default only administrators can write to this folder, so an entry here means the malware was already running elevated when it installed itself.

  2. For Current User:

    • Path: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup

    • Scope: Runs only when this particular user logs on. The folder is writable by the user by design, so no elevation is required; this is the location malware running at normal user privilege uses.

  Both locations are defined by registry values rather than hard-coded: "Common Startup" under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders and "Startup" under the same key in HKCU. Malware can point these values at a folder of its choosing, so an audit should read the registry to find the real folder instead of assuming the default paths.

How Malware Uses the Startup Folder

  • Placing Shortcuts: Malware most often drops a .lnk file in one of the Startup folders. The shortcut's target can be any command line, not just the malware's own binary: pointing it at a signed system interpreter (powershell.exe, wscript.exe, rundll32.exe, and so on) with the payload in the arguments keeps the actual code out of the folder and hides it from a casual look, since the target is only visible inside the shortcut's binary format. Shortcuts can also be saved with a minimized or hidden window style so nothing appears on screen.

  • Dropping Scripts: Files with an executable association (.vbs, .js, .bat, .cmd, .ps1 via a wrapper) are launched through their interpreter just like an .exe, and are simpler to write than a shortcut.

  • Creating Executables: Less common but more direct, malware might drop an executable directly into the Startup folder. While this method is less discreet, it is sometimes used to ensure execution.
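To see what the shortcut variant leaves behind, here is an added lab example (not from the original page, and not taken from any specific malware family) that plants a Startup shortcut in the current user's folder. It runs a harmless PowerShell one-liner that appends a timestamp to a log file; the decoy shortcut name, the log path and the arguments are this example's own choices. Run it only in an isolated VM and remove the shortcut afterwards.

```powershell
# Added lab example: plant a per-user Startup shortcut the way malware does,
# with a benign payload so the artefacts can be studied safely.
$startup = [Environment]::GetFolderPath('Startup')   # per-user folder; no admin needed
$lnkPath = Join-Path $startup 'OneDriveUpdate.lnk'   # hypothetical decoy name
$logPath = Join-Path $env:TEMP 'startup-demo.log'    # hypothetical path the payload writes to

$shell = New-Object -ComObject WScript.Shell
$lnk   = $shell.CreateShortcut($lnkPath)

# Target is a signed system interpreter; the real "payload" lives in the arguments,
# so nothing in the folder looks like malware code.
$lnk.TargetPath       = "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe"
$lnk.Arguments        = "-NoProfile -WindowStyle Hidden -Command `"Add-Content -Path '$logPath' -Value (Get-Date)`""
$lnk.WorkingDirectory = $env:TEMP
$lnk.WindowStyle      = 7                                 # 7 = minimized window
$lnk.IconLocation     = "$env:SystemRoot\System32\shell32.dll,1"
$lnk.Save()

# What a defender sees: a new .lnk in the Startup folder now, and after the next
# logon a powershell.exe process whose parent is explorer.exe with these arguments.
Get-Item -LiteralPath $lnkPath | Select-Object FullName, CreationTime, Length

# Cleanup once the experiment is done:
# Remove-Item -LiteralPath $lnkPath, $logPath -ErrorAction SilentlyContinue
```

Log off and on again and the timestamp appears in the log file; the process-creation event for that launch (explorer.exe starting powershell.exe with a -WindowStyle Hidden command line at logon) is exactly the pattern the detection section below is looking for.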

Detection and Mitigation

  1. Detection:

    • Manually Checking the Startup Folder:

      • Open File Explorer and navigate to the respective Startup folder paths. Enable hidden items first, since a planted file may carry the hidden attribute.

      • Look for any unfamiliar or suspicious shortcuts, scripts, or executables. For a shortcut, open its Properties and read the Target field: a target that is a script interpreter with a long or encoded argument string is the classic sign.

    • Using Tools:

      • Task Manager: Go to the Startup tab to view and manage startup applications. It lists the shortcut name, not the command it runs, so treat it as a first pass only.

      • Autoruns: Sysinternals' Autoruns tool shows every autostart location, including both Startup folders, on its Logon tab, resolves shortcut targets, checks their signatures, and can hide Microsoft-signed entries so that what remains is worth examining.

      • PowerShell: Get-CimInstance Win32_StartupCommand | Select-Object Name, Command, Location, User lists Startup folder entries alongside Run key entries on a live host or remotely.

    • Telemetry: Sysmon Event ID 11 (FileCreate) with a TargetFilename under either Startup path, and process-creation events where ParentImage is explorer.exe and the child is a script interpreter with an unusual command line shortly after logon, both catch this technique.

  2. Mitigation:

    • Regular Audits: Periodically review the contents of both Startup folders for any unauthorized or suspicious items, and compare against a known-good baseline so new entries stand out.

    • Restrict Permissions: The per-user folder has to stay writable by its owner, so permissions alone do not stop a user-level implant; the all-users folder is writable only by administrators by default and should be kept that way. Application control (AppLocker or WDAC) that denies unapproved executables and scripts launched from user-writable paths stops the target of a planted shortcut from running even when the shortcut itself cannot be prevented.

    • Use Antivirus/Antimalware: Ensure that you have up-to-date antivirus or antimalware solutions that can detect and remove malicious entries from Startup folders.
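The following script is an added example (not from the original page) that turns the location notes and the detection steps above into one audit: it reads both Startup folder locations from the User Shell Folders registry values rather than trusting the defaults, resolves every .lnk to the command it will launch, checks the target's Authenticode signature, and flags entries worth a closer look. The list of interpreters and the Suspicious heuristic are this example's own choices, not a vendor rule. Run it from an elevated prompt so the all-users folder is readable.

```powershell
# Added example: audit both Startup folders and resolve what each entry really runs.

# Folder locations come from the registry; malware can redirect them.
$locations = @(
    @{ Scope = 'AllUsers'
       Key   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
       Name  = 'Common Startup' }
    @{ Scope = 'CurrentUser'
       Key   = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
       Name  = 'Startup' }
)

# Interpreters a legitimate startup shortcut rarely points at directly (editor's list).
$lolbins = @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe',
             'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'msiexec.exe')

$shell   = New-Object -ComObject WScript.Shell
$results = foreach ($loc in $locations) {
    $prop = Get-ItemProperty -Path $loc.Key -Name $loc.Name -ErrorAction SilentlyContinue
    if (-not $prop) { Write-Warning "$($loc.Scope): '$($loc.Name)' not found in registry"; continue }
    # The value is REG_EXPAND_SZ; expanding again is harmless if the provider already did.
    $folder = [Environment]::ExpandEnvironmentVariables($prop.($loc.Name))
    Write-Host "== $($loc.Scope) Startup folder resolves to: $folder"

    Get-ChildItem -LiteralPath $folder -Force -File -ErrorAction SilentlyContinue |
      Where-Object { $_.Name -ne 'desktop.ini' } |
      ForEach-Object {
        $target    = $_.FullName
        $arguments = ''
        if ($_.Extension -ieq '.lnk') {
            # Resolve the shortcut to the command it actually launches.
            $lnk       = $shell.CreateShortcut($_.FullName)
            $target    = $lnk.TargetPath
            $arguments = $lnk.Arguments
        }
        $targetName = if ($target) { [IO.Path]::GetFileName($target).ToLowerInvariant() } else { '' }
        $sig = if ($target -and (Test-Path -LiteralPath $target -PathType Leaf)) {
                   (Get-AuthenticodeSignature -FilePath $target).Status.ToString()
               } else { 'TargetMissing' }

        [PSCustomObject]@{
            Scope      = $loc.Scope
            Entry      = $_.Name
            Target     = $target
            Arguments  = $arguments
            Signature  = $sig
            Created    = $_.CreationTime
            Hidden     = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            # Flag unsigned or missing targets, shortcuts to script interpreters,
            # and anything that is neither a shortcut nor a plain executable.
            Suspicious = ($sig -ne 'Valid') -or ($lolbins -contains $targetName) -or ($_.Extension -notin @('.lnk', '.exe'))
        }
      }
}

$results | Format-Table -AutoSize
$results | Where-Object Suspicious | Format-List
```

Review the Suspicious entries by hand: a valid signature on a target does not clear a shortcut whose arguments carry the payload, which is why interpreters are flagged regardless of signature, and a TargetMissing result for a shortcut is itself interesting, since it may point at a dropper that has since been cleaned up or renamed.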

The Startup folder is a straightforward yet effective method for malware to achieve persistence, and regular monitoring and management are crucial for maintaining system security.


Last updated 10 months ago

đŸ‘ī¸â€đŸ—¨ī¸
🛌
📂
Page cover image