Practical Malware Analysis – LAB 01-01 – All things in moderation

Practical Malware Analysis – LAB 01-01

Here is my solution to the lab exercises from the book Practical Malware Analysis. I am writing up my own approach to solving the exercises, and hopefully it will provide more insight. Now, let’s go!

This lab uses the files Lab01-01.exe and Lab01-01.dll.
Questions
1. Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?
2. When were these files compiled?
3. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?
4. Do any imports hint at what this malware does? If so, which imports are they?
5. Are there any other files or host-based indicators that you could look for on infected systems?
6. What network-based indicators could be used to find this malware on machines?
7. What would you guess is the purpose of these files?

1. Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?

Now, we will upload the two files Lab01-01.exe and Lab01-01.dll to http://www.VirusTotal.com/ and view the reports.
Lab01-01.exe
You can view the report here.

Lab01-01.dll
You can view the report here.

2. When were these files compiled?

The files’ compile times can be retrieved from the VirusTotal.com reports above.
Lab01-01.exe
In the “File detail” tab on VirusTotal, we can view the compile time.

Lab01-01.dll

3. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

A quick scan with the PEiD tool did not surface any packer in use for Lab01-01.exe or Lab01-01.dll.

Open PEiD and go to the “Multi Scan” tab.

Choose the folder containing Lab01-01.exe and Lab01-01.dll.

Result:

We can also use IDA Pro.
Based on IDA Pro’s imports table, Strings window and graph view, neither Lab01-01.dll nor Lab01-01.exe looks packed or obfuscated: the imports are intact, the strings are readable and the code is disassemblable.

Lab01-01.exe

Lab01-01.dll
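To make the checks behind questions 2 and 3 repeatable without VirusTotal or PEiD, here is an added example (my own code, not from the book or the lab files) that reads the PE headers directly: it pulls the COFF TimeDateStamp (the compile time) and computes the usual static packing indicators per section, namely Shannon entropy, non-standard section names and a virtual size far larger than the raw size. It uses only the standard library. Because the lab binaries are not included here, the sample PE it analyses is constructed inline by `build_sample_pe`, and the timestamp and section names in it are made-up values, not those of Lab01-01.exe.

```python
import math
import struct
from datetime import datetime, timezone

# Packed or encrypted sections look near-random; normal code and data rarely exceed this.
HIGH_ENTROPY = 7.0
# Section names the common Windows linkers emit; anything else deserves a look.
STANDARD_SECTION_NAMES = {".text", ".rdata", ".data", ".idata", ".edata",
                          ".rsrc", ".reloc", ".bss", ".tls", ".pdata", ".crt"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a single repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Parse the DOS header, COFF header and section table of a PE image (imports are not parsed)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
    # SizeOfOptionalHeader, Characteristics
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sect_off = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = sect_off + i * 40
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": shannon_entropy(raw),
        })
    return {
        "machine": machine,
        "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc),  # the "compiled" time
        "sections": sections,
    }


def packing_indicators(info: dict) -> list:
    """Return human-readable packing indicators found in a parse_pe() result."""
    findings = []
    for s in info["sections"]:
        if s["entropy"] > HIGH_ENTROPY:
            findings.append(f"{s['name']}: high entropy {s['entropy']:.2f}")
        if s["name"] not in STANDARD_SECTION_NAMES:
            findings.append(f"{s['name']}: non-standard section name")
        if s["raw_size"] and s["virtual_size"] > 2 * s["raw_size"]:
            findings.append(f"{s['name']}: virtual size {s['virtual_size']} far exceeds raw size "
                            f"{s['raw_size']} (space reserved for unpacking at runtime)")
    return findings


def build_sample_pe(sections, timestamp: int) -> bytes:
    """Constructed minimal PE32 image (zero-filled optional header) for testing; not a real binary."""
    opt_size = 0xE0                      # size of a PE32 optional header
    e_lfanew = 0x40
    header_len = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    data_start = (header_len + 0x1FF) & ~0x1FF   # 0x200 file alignment
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x0102)
    out = dos + b"PE\0\0" + coff + b"\0" * opt_size
    body, ptr = b"", data_start
    for name, content, vsize in sections:
        rawsize = (len(content) + 0x1FF) & ~0x1FF
        out += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, 0x1000,
                           rawsize, ptr, 0, 0, 0, 0, 0x60000020)
        body += content.ljust(rawsize, b"\0")
        ptr += rawsize
    return out.ljust(data_start, b"\0") + body


if __name__ == "__main__":
    # Constructed sample: a benign-looking zero-filled .text next to a UPX-style opaque section.
    sample = build_sample_pe([(".text", b"\x00" * 4096, 4096),
                              ("UPX1", bytes(range(256)) * 16, 0x20000)], timestamp=1262304000)
    info = parse_pe(sample)
    print("compiled:", info["compile_time"].isoformat())
    for finding in packing_indicators(info):
        print("indicator:", finding)
```

Run it against a real file with `parse_pe(open(path, "rb").read())`. A clean build such as the lab's binaries should produce an empty indicator list, which is the same conclusion PEiD and the IDA imports table gave above; a high-entropy section with a non-standard name and an oversized virtual size is what a packed file typically looks like.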

4. Do any imports hint at what this malware does? If so, which imports are they?

Lab01-01.exe

  1. MapViewOfFile: Maps a view of a file mapping into the address space of a calling process. Malware can make changes to the actual file once it is mapped.
  2. CreateFileMappingA: Creates or opens a named or unnamed file mapping object for a specified file.
  3. FindFirstFileA: Searches a directory for a file or subdirectory with a name that matches a specific name (or partial name if wildcards are used).
  4. FindNextFileA: Continues a file search from a previous call to the FindFirstFile, FindFirstFileEx, or FindFirstFileTransacted functions.
  5. CopyFileA: Copies an existing file to a new file. Malware uses this to drop a copy of itself or a component elsewhere on disk.

We can deduce that the malware searches for particular files and reads or writes an existing file on the system via MapViewOfFile. It also copies (drops) a file to another location.

Lab01-01.dll

  1. Sleep: Suspends the execution of the current thread until the time-out interval elapses. Malware commonly uses this to delay dynamic analysis or simply to wait before polling for the next command.
  2. CreateProcessA: Creates a new process and its primary thread. The new process runs in the security context of the calling process.
  3. CreateMutexA: Creates or opens a named or unnamed mutex object. Malware creates a mutex to prevent multiple instances of itself from running.
  4. OpenMutexA: Opens an existing named mutex object.
  5. socket: The socket function creates a socket that is bound to a specific transport service provider.
  6. WSAStartup: The WSAStartup function initiates use of the Winsock DLL by a process.
  7. connect: The connect function establishes a connection to a specified socket.
  8. send: The send function sends data on a connected socket.
  9. recv: The recv function receives data from a connected socket.
  10. inet_addr: Converts an IPv4 address string into its binary form; the C&C IP address can usually be found near this call.
  11. htons: Converts a port number to network byte order; the port the C&C server uses can usually be found near this call.

We can deduce that the malware tries to establish a connection with a server to send and receive commands or data. This malware is capable of remote command execution since it uses CreateProcessA, and it probably runs in an infinite loop, sleeping between iterations via the Sleep function.

5. Are there any other files or host-based indicators that you could look for on infected systems?
6. What network-based indicators could be used to find this malware on infected machines?

In Lab01-01.exe, view the Strings window:

We can look for two files on the system: c:\windows\system32\kerne132.dll and Lab01-01.dll.

There is a CopyFileA call in the exe that copies Lab01-01.dll to c:\windows\system32\kerne132.dll.

In Lab01-01.dll we can observe the following:

We can see an IP address (127.26.152.13) and a string (SADFHUHF).
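The host-based and network-based indicators above can be turned into a small sweep script. The following is an added example (my own code, not the book's or the lab's) that flags the dropped file names, catches any lookalike of a protected system DLL by folding confusable characters (so kerne132.dll is recognised as an impersonation of kernel32.dll even if the exact name changes), and searches connection log lines for the C&C address. The protected DLL list, the homoglyph map, the file paths and the firewall-style log lines are all constructed for the example; only the two file names and the IP address come from the write-up above.

```python
import re

# Characters commonly swapped to impersonate a legitimate file name; the case above is a
# digit one standing in for the letter l (kerne132.dll vs kernel32.dll). Constructed map.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s", "8": "b"})

# Windows DLLs worth protecting against lookalikes (constructed list; extend as needed).
PROTECTED_NAMES = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "ws2_32.dll"}

# Indicators from the write-up: the file names to look for and the C&C IP address.
IOC_FILE_NAMES = {"kerne132.dll", "lab01-01.dll"}
IOC_IPS = {"127.26.152.13"}


def basename(path: str) -> str:
    """Lower-cased final component of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def lookalike_of(path: str):
    """Return the protected DLL this file name impersonates, or None if it is genuine or unrelated."""
    base = basename(path)
    if base in PROTECTED_NAMES:
        return None                      # the genuine file, not a lookalike
    folded = base.translate(HOMOGLYPHS)  # undo the confusable substitutions
    return folded if folded in PROTECTED_NAMES else None


def host_indicators(paths):
    """Return (path, reason) for every path that matches a known IOC or a lookalike DLL name."""
    hits = []
    for p in paths:
        if basename(p) in IOC_FILE_NAMES:
            hits.append((p, "known dropped file"))
        else:
            target = lookalike_of(p)
            if target:
                hits.append((p, f"lookalike of {target}"))
    return hits


IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def network_indicators(log_lines):
    """Return (line, ip) for every log line that mentions a C&C address from IOC_IPS."""
    hits = []
    for line in log_lines:
        for ip in IP_RE.findall(line):
            if ip in IOC_IPS:
                hits.append((line, ip))
    return hits


# Constructed inputs: a file listing and firewall-style connection records (not real data).
SAMPLE_PATHS = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\kerne132.dll",
    r"C:\Users\lab\Desktop\Lab01-01.dll",
    r"C:\Temp\u5er32.dll",
    r"C:\Windows\System32\ws2_32.dll",
]
SAMPLE_LOG = [
    "2024-01-05 10:00:01 ALLOW TCP 10.0.0.5:49152 -> 127.26.152.13:80",
    "2024-01-05 10:00:02 ALLOW TCP 10.0.0.5:49153 -> 192.0.2.10:443",
    "2024-01-05 10:00:03 ALLOW TCP 10.0.0.7:49154 -> 127.26.152.130:80",
]

if __name__ == "__main__":
    for path, reason in host_indicators(SAMPLE_PATHS):
        print(f"host: {path} ({reason})")
    for line, ip in network_indicators(SAMPLE_LOG):
        print(f"network: {ip} in '{line}'")
```

Matching the IP with look-around guards rather than `\b` keeps 127.26.152.130 from being reported as a hit for 127.26.152.13; the host check deliberately tests the genuine names first so that the real kernel32.dll is never reported as its own lookalike.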

7. What would you guess is the purpose of these files?

My guess is that this malware makes a malicious copy of its DLL disguised as kernel32.dll (in this case kerne132.dll, with a digit one in place of the letter l). The exe then searches for certain files and infects them so that they run this DLL. The DLL ensures that only one instance of the malicious code is running, since a mutex is used. It then communicates periodically (Sleep) with the C&C server at IP 127.26.152.13 to receive commands to execute on the victim’s machine.
