Basic Static Analysis
Lab 1-1
This lab uses the files Lab01-01.exe and Lab01-01.dll.
Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signature?
a) Lab01-01.exe
VirusTotal flagged the file as a potential Trojan. The MD5 hash of the malware is bb7425b82141a1c0f7d60e5106676bb1.
50/70 antivirus engines flagged it.
b) Lab01-01.dll
The MD5 hash of the malware is 290934c61de9176ad682ffdd65f0a669.
42/67 antivirus engines flagged it.
The hash of a sample can be computed locally with WinMD5.
When were these files compiled?
Both binaries were compiled on 19/12/2010 at 16:16.
Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?
a) PEiD
We run PEiD to check whether the files are packed or obfuscated. It reports that both the executable and the DLL were compiled with Microsoft Visual C++ 6.0, and there is no obvious footprint of a packer.
b) Dependency Walker
Three DLLs are imported by the malware, and the imported functions aren't obfuscated:
- KERNEL32.DLL
- MSVCRT.DLL
- WS2_32.DLL
c) PEView
PEView lets us inspect each section of a PE. If a section's virtual size is close to its size on disk, the binary is unlikely to be packed. If the virtual size is much greater than the size on disk, the section is filled in at runtime, which is a sign of packing. Values below are in hex, as PEView displays them.
Section | Virtual Size | Size of Raw Data
---|---|---
.text | 1000 | 970
.rdata | 2B2 | 1000
.data | FC | 1000
The virtual sizes are not meaningfully larger than the sizes on disk, so we conclude the malware isn't packed.
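To make the two header checks above (compile timestamp and virtual-size vs raw-size) reproducible without a GUI tool, here is an added example that is not part of the original write-up. It parses the DOS header, COFF file header and section table with the Python standard library only, then applies the packing heuristic the text describes. The sample images are constructed inline: one copies the section sizes from the PEView table and carries a timestamp set to the 19 Dec 2010 compile date, the other mimics a UPX layout; the list of packer section names and the 2.0 size ratio are assumptions chosen for illustration.

```python
"""PE header triage: compile timestamp and section-size packing heuristic.

Added example, not code from the original write-up. Standard library only,
no pefile; the offsets follow the PE/COFF format.
"""
import struct
from datetime import datetime, timezone

# Section names commonly left behind by packers (illustrative set, assumption).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata"}


def parse_pe_headers(data: bytes) -> dict:
    """Return the COFF TimeDateStamp and one dict per section header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    (_machine, n_sections, timestamp, _sym_ptr, _n_sym,
     opt_header_size, _chars) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sections = []
    off = e_lfanew + 4 + 20 + opt_header_size   # section table follows the optional header
    for _ in range(n_sections):
        # IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, reloc/linenumber fields, Characteristics
        (name, virtual_size, _va, raw_size, _raw_ptr,
         _r1, _r2, _r3, _r4, _sc) = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": virtual_size, "raw_size": raw_size})
        off += 40
    return {"timestamp": timestamp, "sections": sections}


def compile_time_utc(timestamp: int) -> str:
    """TimeDateStamp is seconds since the Unix epoch; report it in UTC."""
    return datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def packing_indicators(sections: list, ratio: float = 2.0) -> list:
    """Flag known packer names, sections with no bytes on disk (filled at runtime),
    and sections whose in-memory size exceeds the on-disk size by `ratio` or more."""
    findings = []
    for s in sections:
        name, vs, rs = s["name"], s["virtual_size"], s["raw_size"]
        if name in PACKER_SECTION_NAMES:
            findings.append(f"{name}: known packer section name")
        if rs == 0 and vs > 0:
            findings.append(f"{name}: {vs:#x} bytes in memory but nothing on disk")
        elif rs and vs / rs > ratio:
            findings.append(f"{name}: virtual {vs:#x} vs raw {rs:#x}")
    return findings


def build_sample_pe(timestamp: int, sections: list) -> bytes:
    """Constructed header-only image: DOS header with e_lfanew = 0x40, PE signature,
    COFF header with an empty optional header, then (name, virtual, raw) rows."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, 0x1000 * (i + 1),
                    rs, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i, (n, vs, rs) in enumerate(sections))
    return dos + b"PE\0\0" + coff + table


# Constructed samples: sizes copied from the PEView table above, timestamp set to
# 2010-12-19 16:16:19 UTC; and a UPX-style layout for contrast.
LAB_LIKE = build_sample_pe(1292775379, [(".text", 0x1000, 0x970),
                                        (".rdata", 0x2B2, 0x1000),
                                        (".data", 0xFC, 0x1000)])
UPX_LIKE = build_sample_pe(1292775379, [("UPX0", 0x10000, 0),
                                        ("UPX1", 0x5000, 0x4800),
                                        (".rsrc", 0x1000, 0x1000)])


def triage(data: bytes) -> dict:
    """One-call summary of the two questions: when compiled, and is it packed."""
    hdr = parse_pe_headers(data)
    return {"compiled": compile_time_utc(hdr["timestamp"]),
            "packing": packing_indicators(hdr["sections"])}


if __name__ == "__main__":
    print(triage(LAB_LIKE))
    print(triage(UPX_LIKE))
```

On a real file, replace the constructed sample with `open(path, "rb").read()`. Note that a `.data` section legitimately carries uninitialised data and can exceed its raw size; the heuristic is a prompt to look closer, not a verdict.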
Do any imports hint at what this malware does? If so, which imports are they?
We use Dependency Walker to list all the imported functions. Some of them are useful to a malware author:
- CreateFileA (creates a file)
- CopyFileA (copies a file)
- FindFirstFileA (directory listing)
- FindNextFileA (directory listing)
Inside the DLL there are also interesting functions:
- connect
- closesocket
- recv
- send
Are there any other files or host-based indicators that you could look for on infected systems?
With the strings command we can print every printable string inside a binary. We see that the DLL referenced isn't Kernel32 but Kerne132: the letter "l" was replaced by the digit "1".
What network-based indicators could be used to find this malware on infected machines?
We run the same command on the DLL this time. In part 4 we showed that the DLL is used for network communication. We find an IP address that can be considered the attacker's; it is used to communicate with the malware.
What would you guess is the purpose of these files?
The malware installs a backdoor DLL called Kerne132.dll that communicates with its C2. The address of the C2 is 127.26.152.13.
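The two indicators found above (a look-alike module name and an IPv4 address in the strings output) can be pulled out automatically. The following is an added example, not code from the original write-up; it goes beyond the Lab 1-1 case by also extracting URLs, .exe/.dll file names and UTF-16 strings in the same pass. The input is a constructed byte string standing in for a strings dump, not a real sample, and the digit-to-letter map and the list of well-known module names are assumptions.

```python
"""Host and network indicators from the printable strings of a binary.

Added example, not from the original write-up. Standard library only.
"""
import re

# ASCII runs and UTF-16LE runs of at least four printable characters
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")       # also matches version strings; review hits
URL = re.compile(r"\bhttps?://[^\s\"'<>]+")
PE_FILE = re.compile(r"\b[\w.-]+\.(?:exe|dll)\b", re.IGNORECASE)

# Well-known Windows modules an author might imitate (assumption: small set).
KNOWN_MODULES = {"kernel32", "ntdll", "user32", "advapi32", "ws2_32",
                 "wininet", "msvcrt", "urlmon"}
# Digits that pass for letters at a glance (assumption: the Kerne132 trick uses '1').
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})


def extract_strings(data: bytes) -> list:
    """Rough equivalent of `strings` for ASCII, plus UTF-16LE strings."""
    out = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    out += [m.group().decode("utf-16le") for m in WIDE_RUN.finditer(data)]
    return out


def lookalike_module(s: str):
    """Return the well-known module `s` imitates (e.g. 'kernel32' for
    'Kerne132.dll'), or None when it is not a look-alike."""
    base = s.rsplit("\\", 1)[-1].rsplit("/", 1)[-1].lower()
    stem = base[:-4] if base.endswith(".dll") else base
    normalised = stem.translate(HOMOGLYPHS)
    if normalised in KNOWN_MODULES and stem != normalised:
        return normalised
    return None


def extract_indicators(data: bytes) -> dict:
    """Group strings into the indicator classes a triage note would list."""
    strings = extract_strings(data)
    text = "\n".join(strings)
    lookalikes = []
    for s in strings:
        target = lookalike_module(s)
        if target:
            lookalikes.append((s, target))
    return {
        "strings": strings,
        "ips": sorted(set(IPV4.findall(text))),
        "urls": sorted(set(URL.findall(text))),
        "files": sorted(set(PE_FILE.findall(text))),
        "lookalike_modules": lookalikes,
    }


# Constructed sample bytes: a few fake header bytes, import-style names, an IP,
# a URL, a wide string, and some short noise that must not be reported.
SAMPLE = (b"\x00\x10MZ\x90\x00\x00"
          + b"Kerne132.dll\x00" + b"Kernel32.dll\x00" + b"WS2_32.dll\x00"
          + b"127.26.152.13\x00" + b"http://malwareanalysisbook.com\x00\x00"
          + "MalService".encode("utf-16le") + b"\x00\x00" + b"ab\x01\x02")

if __name__ == "__main__":
    for key, value in extract_indicators(SAMPLE).items():
        print(f"{key}: {value}")
```

The look-alike check normalises only the digits, so a genuine `Kernel32.dll` is left alone while `Kerne132.dll` is reported together with the name it imitates; the same idea catches names such as `svch0st.exe` if you extend the module list with process names.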
Lab 1-2
This lab uses the file Lab01-02.exe.
Upload the file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
VirusTotal flagged the file as a potential Trojan. The hash of the malware is 8363436878404da0ae3e46991e355b83.
55/71 antivirus engines flagged it.
Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
To see if the malware is packed we use PEiD. The binary was packed with UPX version 0.89.6.
To unpack the binary, we use UPX with the -d parameter.
The malware is no longer packed. We can confirm this by listing the strings in the binary again or by re-running PEiD.
Do any imports hint at this program's functionality? If so, which imports are they and what do they tell you?
The imports made by the malware can be viewed with Dependency Walker.
ADVAPI32.DLL
- CreateServiceA
- StartServiceCtrlDispatcherA
- OpenSCManagerA
WININET.DLL
- InternetOpenUrlA
- InternetOpenA
From these functions we can say that the malware installs a service and connects to the Internet.
What host- or network-based indicators could be used to identify this malware on infected machines?
We list the strings of the binary to look for a URL the malware connects to. We find that the service is called MalService and that the malware connects to http://malwareanalysisbook.com
All of this information can also be recovered with IDA.
Lab 1-3
This lab uses the file Lab01-03.exe.
Upload the Lab01-03.exe file to http://virustotal.com/. Does it match any existing antivirus definitions?
VirusTotal flagged the file as a potential Trojan. The hash of the malware is 7983a582939924c70e3da2da80fd3352ebc90de7b8c4c427d484ff4ff050f0aec
53/70 antivirus engines flagged it.
Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
To see if the malware is packed, we use PEiD.
It shows that the malware is packed with FSG version 1.0.
We can't unpack this malware with the tools and techniques learnt so far.
We therefore skip the next two questions.
Lab 1-4
This lab uses the file Lab01-04.exe.
Upload the Lab01-04.exe file to http://virustotal.com/. Does it match any existing antivirus definitions?
VirusTotal flagged the file as a potential Trojan/Dropper. The hash of the malware is 0fa1498340fca6c562cfa389ad3e93395f44c72fd128d7ba08579a69aaf3b126
57/71 antivirus engines flagged it.
Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
As in the other exercises in this lab, we use PEiD.
The malware isn't packed, so the analysis will be easier.
When was this program compiled?
VirusTotal gives this information in the Details section once the analysis is done.
Do any imports hint at this program's functionality? If so, which imports are they and what do they tell you?
Dependency Walker is a great tool to see the DLLs and functions used.
Three DLLs are used:
- Kernel32
- Advapi32
- Msvcrt
KERNEL32
Interesting functions for a malware author among those imported:
- LoadLibrary
- OpenProcess
- WinExec
- WriteFile
- CreateFile
- GetWindowsDirectory
ADVAPI32
- AdjustTokenPrivileges
After some research I found that this function can be used to elevate your privileges.
What host- or network-based indicators could be used to identify this malware on infected machines?
We use the strings command to list the printable strings inside the binary.
There are two host indicators:
- winup.exe
- system32\wupdmgrd.exe
There is also one network indicator, the URL http://practicalmalwareanalysis.com/updater.exe
This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?
Inside the resource section we can see the sentence "This program cannot be run in DOS mode". This is typically what we find when one binary is embedded inside another.
We extract it by copying the raw data into a new file.
Then we load this binary into Dependency Walker to see what it does.
There is a new DLL:
- URLMON.DLL
This DLL imports the URLDownloadToFile function.
The malware can drop a binary that downloads a file from http://practicalmalwareanalysis.com/updater.exe and executes it.
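The resource extraction above is done by hand in Resource Hacker. As an added example that is not part of the original write-up, the following locates an embedded PE inside a container by the same signs the text relies on (an "MZ" header whose e_lfanew points at a "PE\0\0" signature, and the DOS stub sentence) and carves it out. Both the host image and the embedded payload are constructed, header-only images built inline, not real samples; the 0x1000 cap on e_lfanew is an assumption to discard stray "MZ" bytes in random data.

```python
"""Carve an embedded PE out of a container such as a resource section.

Added example, not code from the original write-up. Standard library only.
"""
import struct
from typing import Optional

PE_SIGNATURE = b"PE\0\0"
DOS_STUB_TEXT = b"This program cannot be run in DOS mode"


def looks_like_pe(data: bytes, off: int) -> bool:
    """True if a plausible PE image starts at `off`: MZ magic, an e_lfanew in a
    sane range (assumption: 0x40..0x1000), and the PE signature it points to."""
    if data[off:off + 2] != b"MZ" or off + 0x40 > len(data):
        return False
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    if not 0x40 <= e_lfanew <= 0x1000:
        return False
    sig_off = off + e_lfanew
    return data[sig_off:sig_off + 4] == PE_SIGNATURE


def find_embedded_pe(data: bytes) -> list:
    """Offsets of every PE header found after offset 0 (offset 0 is the host)."""
    found = []
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if looks_like_pe(data, pos):
            found.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return found


def carve(data: bytes, off: int, end: Optional[int] = None) -> bytes:
    """Cut the embedded image out. Without reading its section table we do not
    know the exact length, so the default is 'up to the next candidate, else end
    of container'; summing the sections' raw sizes gives the precise size."""
    return data[off:len(data) if end is None else end]


def build_stub_pe(with_dos_text: bool) -> bytes:
    """Constructed minimal PE: DOS header (e_lfanew = 0x80), optional stub text,
    PE signature and an all-zero COFF header. Enough for the checks above,
    not a loadable program."""
    dos_header = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80)
    stub = (DOS_STUB_TEXT + b".\r\n$" if with_dos_text else b"").ljust(0x40, b"\0")
    coff = b"\0" * 20
    return dos_header + stub + PE_SIGNATURE + coff


# Constructed container: a host image, some resource-directory noise that holds
# a stray 'MZ' not pointing at a PE signature, then the dropped payload.
HOST = build_stub_pe(with_dos_text=False)
NOISE = b"\0" * 0x20 + b"MZ" + b"\0" * 0x60
PAYLOAD = build_stub_pe(with_dos_text=True)
CONTAINER = HOST + NOISE + PAYLOAD + b"\0" * 8


def extract_all(data: bytes) -> list:
    """Return (offset, carved_bytes, has_dos_stub_text) for each embedded PE."""
    offsets = find_embedded_pe(data)
    results = []
    for i, off in enumerate(offsets):
        end = offsets[i + 1] if i + 1 < len(offsets) else None
        blob = carve(data, off, end)
        results.append((off, blob, DOS_STUB_TEXT in blob))
    return results


if __name__ == "__main__":
    for off, blob, has_text in extract_all(CONTAINER):
        print(f"embedded PE at {off:#x}, {len(blob)} bytes, DOS stub text: {has_text}")
```

Run it on a real dropper with `extract_all(open(path, "rb").read())` and write each carved blob to its own file for the next round of static analysis; a candidate that passes `looks_like_pe` but whose carved bytes lack the DOS stub text is still worth a look, since the stub is not mandatory.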