Practical Malware Analysis – LAB 01-02 – All things in moderation

# Practical Malware Analysis – LAB 01-02

Analyze the file Lab01-02.exe.

Questions
1. Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
3. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
4. What host- or network-based indicators could be used to identify this malware on infected machines?

Tools
– IDA-Pro
– PEiD
– UPX

1. Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?


We upload Lab01-02.exe to http://www.VirusTotal.com/ and view the report.
You can view the report here.

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.


UPX Packer Detected:

Using PEiD we can see:

PEiD's signature scan finds nothing, but the EP Section field reads UPX1, i.e. the entry point lies in a section named UPX1.

Using IDA, the following indicators are visible:

– Tail jump in the graph view
– Imports
– Strings
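The PEiD and IDA observations above (UPX section names, an entry point inside UPX1, a first section that is empty on disk) can be checked programmatically. The script below is an added example, not part of the original write-up or of any tool it uses: it parses the PE section table by hand and, because the lab binary is not included here, runs the checks against a constructed minimal PE32 header that mimics a UPX layout; it also goes one step beyond the write-up by flagging sections that are both writable and executable, another common packer trait.

```python
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def parse_pe(pe: bytes):
    """Return (AddressOfEntryPoint, [section dicts]) from a PE32/PE32+ image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]         # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]    # COFF SizeOfOptionalHeader
    entry = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]  # Optional.AddressOfEntryPoint
    table = e_lfanew + 24 + opt_size                             # section table follows the optional header
    secs = []
    for i in range(nsec):
        name, vsize, va, rsize, _rptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        secs.append({"name": name.rstrip(b"\x00").decode("latin-1"), "va": va,
                     "vsize": vsize, "raw": rsize, "chars": chars})
    return entry, secs

def packing_indicators(pe: bytes) -> dict:
    """Heuristics mirroring what PEiD and IDA showed for the UPX-packed lab file."""
    entry, secs = parse_pe(pe)
    ep_sec = next((s for s in secs if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw"])), None)
    return {
        "entry_section": ep_sec["name"] if ep_sec else None,
        "upx_section_names": [s["name"] for s in secs if s["name"].startswith("UPX")],
        "ep_outside_first_section": ep_sec is not None and ep_sec is not secs[0],
        "empty_on_disk": [s["name"] for s in secs if s["raw"] == 0 and s["vsize"] > 0],
        "writable_and_executable": [s["name"] for s in secs
                                    if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE],
    }

def build_sample() -> bytes:
    """Constructed minimal PE32 header with a UPX-style section layout (headers only, no real code)."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)                        # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\x00" * 14 + struct.pack("<I", 0x7ED0)  # Magic ... AddressOfEntryPoint
    opt = opt.ljust(0xE0, b"\x00")                                              # PE32 optional header size
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, len(opt), 0x102)
    #        name      VirtSize VirtAddr SizeOfRaw PtrToRaw Characteristics
    secs = [(b"UPX0",  0x6000,  0x1000,  0,       0,       0xE0000080),  # empty on disk, filled at run time
            (b"UPX1",  0x2000,  0x7000,  0x1800,  0x400,   0xE0000040),  # packed data + stub, EP lives here
            (b".rsrc", 0x1000,  0x9000,  0x400,   0x1C00,  0xC0000040)]
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in secs)
    return dos + coff + opt + table

if __name__ == "__main__":
    for key, value in packing_indicators(build_sample()).items():
        print(f"{key}: {value}")
```

To run it on a real sample, pass `open(path, "rb").read()` to `packing_indicators` instead of `build_sample()`.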

We are now fairly sure that the executable is packed with UPX, so we unpack it with the UPX command-line tool itself.

Let's upload the unpacked binary to VirusTotal again.
Report:

3. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?


– InternetOpenA: initializes an application's use of the WinINet functions; from its arguments we can see which User-Agent string is used to initiate the connection.
– InternetOpenUrlA: opens an FTP or HTTP URL.
– CreateMutexA: creates a mutex, used to prevent multiple instances of the malware from running.
– OpenMutexA: opens an existing mutex.
– CreateServiceA: creates a service object on the victim's machine; often used for persistence.
– OpenSCManagerA: called before CreateService to establish a connection to the service control manager.
– StartServiceCtrlDispatcherA: when the service control manager starts a service process, it waits for the process to call StartServiceCtrlDispatcher; the main thread of a service process should make this call as soon as possible after it starts.

I think that this malware is trying to install a service for persistence. It probably uses HTTP traffic to get commands from the C&C server.

4. What host- or network-based indicators could be used to identify this malware on infected machines?


In the unpacked Lab01-02 we see the following.

Viewing the strings, we find:

– URL: http://www.malwareanalysisbook.com with IP 184.168.221.22
– A mutex named HGL345 on the victim machine
– Service name: Malservice