Practical Malware Analysis - Lab 1

Basic Static Analysis

Lab 1-1

This lab uses the files Lab01-01.exe and Lab01-01.dll.

Upload the files to http://wwww.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signature?

a) Lab01-01.exe
VirusTotal flags it as a Trojan. The MD5 hash of the file is bb7425b82141a1c0f7d60e5106676bb1

50/70 antivirus engines detect it

b) Lab01-01.dll
The MD5 hash of the file is 290934c61de9176ad682ffdd65f0a669

42/67 antivirus engines detect it

The hash can be computed locally with WinMD5 (or any hashing tool, e.g. certutil -hashfile <file> MD5 on Windows, md5sum elsewhere) and searched on VirusTotal before uploading anything. Uploading a sample makes it available to other VirusTotal users, which is fine for a lab file but matters when the sample comes from a real incident.

When were these files compiled ?

Both binaries were compiled on 19/12/2010 at 16:16. This is the TimeDateStamp field of the IMAGE_FILE_HEADER, visible in PEView (or in the VirusTotal Details tab); the executable and the DLL sharing the same minute suggests they were built together.

Are there any indications that either of these files is packed or obfuscated if so, what are these indicators ?

a) PEiD
We run PEiD on both files to see whether they are packed or obfuscated. The tool reports that the executable and the DLL were compiled with Microsoft Visual C++ 6.0, a compiler signature rather than a packer signature. There are no obvious footprints of a packer.

image_peid

b) Dependency Walker
The import tables are not obfuscated: the DLLs and the functions imported from them are listed in clear text, which is itself a sign that the files are not packed. Lab01-01.exe imports from:

  • KERNEL32.DLL
  • MSVCRT.DLL

image_exe

Lab01-01.dll imports from the same two libraries plus the Winsock library:

  • WS2_32.DLL

image_dll

c) PEView

PEView lets us inspect each section header of the PE file. Comparing a section's Virtual Size (its size once mapped in memory) with its Size of Raw Data (its size on disk) is a quick packing check: in a packed binary the section that will hold the real code has a large virtual size but a very small or zero raw size, because its contents only exist after the unpacking stub has run. A small difference is normal, and a .data section with a virtual size larger than its raw size is expected (uninitialised data occupies memory but not disk).

Section   Virtual Size   Size of Raw Data
.text     0x970          0x1000
.rdata    0x2B2          0x1000
.data     0xFC           0x1000

No section has a virtual size larger than its size on disk (the .text row in the PEView screenshot reads 970 / 1000, i.e. the code section is fully present on disk). The malware is therefore not packed.
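The two checks above (compile timestamp and the virtual size / raw size comparison) only need the DOS header, the file header and the section table, so they are easy to automate without a GUI. The following Python script is an added example, not part of the original write-up or of the book's tooling: it parses those headers with the standard struct module, reports the compile time, and flags sections whose raw size is suspiciously small or whose name belongs to a known packer (UPX0/UPX1 and a few others, a deliberately short list). The PE images it runs on are constructed in the script itself; the first mirrors the PEView table above, the second imitates a UPX layout, and neither is the real lab file.

```python
import struct
from datetime import datetime, timezone

# Section names that well-known packers leave behind (non-exhaustive list).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite"}


def parse_pe(data: bytes) -> dict:
    """Read the compile timestamp and the section table from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, tstamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 4 + 20 + opt_size          # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsections):
        # Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        name, vsize, _vaddr, rsize, _rptr = struct.unpack_from(
            "<8sIIII", data, sec_off + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rsize})
    return {"timestamp": datetime.fromtimestamp(tstamp, tz=timezone.utc),
            "sections": sections}


def packing_indicators(info: dict, ratio_threshold: float = 2.0) -> list:
    """Human-readable reasons to suspect a packer, or [] if there are none."""
    reasons = []
    for s in info["sections"]:
        name, vs, rs = s["name"], s["virtual_size"], s["raw_size"]
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"{name}: section name used by a known packer")
        if name in (".data", ".bss"):
            continue  # uninitialised data legitimately has no bytes on disk
        if rs == 0 and vs > 0:
            reasons.append(f"{name}: 0x{vs:X} bytes in memory but none on disk")
        elif rs and vs / rs > ratio_threshold:
            reasons.append(f"{name}: virtual size 0x{vs:X} >> raw size 0x{rs:X}")
    return reasons


def build_fake_pe(sections, timestamp: int) -> bytes:
    """Constructed test image: only the fields parse_pe() reads are meaningful."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 0xE0  # size of a PE32 optional header
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, opt_size, 0x102)
    opt_hdr = struct.pack("<H", 0x10B).ljust(opt_size, b"\0")
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n.encode().ljust(8, b"\0"), vs, 0, rs, 0, 0, 0, 0, 0, 0)
        for n, vs, rs in sections)
    return dos + b"PE\0\0" + file_hdr + opt_hdr + table


# Constructed inputs (not the real lab binaries): the first mirrors the PEView
# table above, the second imitates a UPX-packed layout where UPX0 has no raw data.
LAB_TS = int(datetime(2010, 12, 19, 16, 16, tzinfo=timezone.utc).timestamp())
UNPACKED = build_fake_pe(
    [(".text", 0x970, 0x1000), (".rdata", 0x2B2, 0x1000), (".data", 0xFC, 0x1000)], LAB_TS)
PACKED = build_fake_pe(
    [("UPX0", 0x1C000, 0), ("UPX1", 0x6000, 0x5200), (".rsrc", 0x800, 0x1000)], LAB_TS)

if __name__ == "__main__":
    for label, image in (("unpacked", UNPACKED), ("packed", PACKED)):
        info = parse_pe(image)
        print(label, info["timestamp"].isoformat(),
              packing_indicators(info) or "no packing indicators")
```

Replacing the constructed images with the bytes of a real file (open(path, "rb").read()) gives the same two checks PEiD and PEView provide here; a large virtual size on a section with zero raw data is the strongest single hint, while the section-name list only catches packers that do not rename their sections.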

Do any imports hint at what this malware does? If so, which imports are they?

We use Dependency Walker to list the imported functions. Several of them are typical of malware that searches the file system and manipulates files:

  • CreateFileA (create or open a file)
  • CopyFileA (copy a file)
  • FindFirstFileA (enumerate a directory)
  • FindNextFileA (enumerate a directory)

image_import_exe

The DLL imports the Winsock functions needed to hold a network conversation:

  • connect
  • closesocket
  • recv
  • send

image_import_dll

Are there any other files or host-based indicators that you could look for on infected systems?

Running the strings command on the executable shows the printable character sequences inside the binary. Among them is a DLL name that at first glance reads kernel32.dll but is actually kerne132.dll: the letter l has been replaced by the digit 1. A file with that name is a host-based indicator of infection.

strings_kerne123

What network-based indicators could be used to find this malware on infected machines?

We run the same command on the DLL this time, since the previous question showed that the DLL holds the networking functions. The strings reveal an IP address, which can be taken as the attacker's server: it is the address the malware communicates with, and it is the network-based indicator.

strings_dll
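The two string-based questions above come down to the same two things: pulling printable strings out of a binary, then spotting the ones that look like a system DLL name or like a network address. The script below is an added example, not code from the write-up or the book; it reimplements the strings command in Python (ASCII and UTF-16LE runs, the latter being something plain strings misses on Windows binaries), flags DLL names that turn into a real system DLL once lookalike digits are swapped (1 for l, 0 for o), and extracts IPv4 and URL candidates. The input bytes are constructed inside the script to imitate the Lab01-01 strings output and are not the real files; the system-DLL list is a deliberately short assumption.

```python
import re

# Legitimate Windows DLL names that malware likes to imitate (non-exhaustive).
SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
               "ws2_32.dll", "msvcrt.dll", "wininet.dll", "urlmon.dll"}
# Digits that pass for letters in a monospace font: 1 for l, 0 for o.
LOOKALIKES = str.maketrans({"1": "l", "0": "o"})

IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
URL = re.compile(r"https?://[^\s\"'<>]+")


def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs of at least min_len bytes, like the strings command."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pat, data)]


def wide_strings(data: bytes, min_len: int = 4) -> list:
    """UTF-16LE runs (each printable byte followed by a NUL), common in PE files."""
    pat = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16le") for m in re.finditer(pat, data)]


def lookalike_dlls(strings: list) -> list:
    """Strings naming a DLL that becomes a real system DLL once lookalike digits are swapped."""
    hits = []
    for s in strings:
        base = s.lower().replace("/", "\\").rsplit("\\", 1)[-1]
        if not base.endswith(".dll") or base in SYSTEM_DLLS:
            continue
        if base.translate(LOOKALIKES) in SYSTEM_DLLS:
            hits.append(s)
    return hits


def network_indicators(strings: list) -> tuple:
    """(sorted IPv4 candidates, sorted URLs). Version numbers such as 1.0.0.1
    also match the IPv4 pattern, so every candidate still needs a human look."""
    ips, urls = set(), set()
    for s in strings:
        ips.update(IPV4.findall(s))
        urls.update(URL.findall(s))
    return sorted(ips), sorted(urls)


# Constructed sample bytes (not the real lab files): a lookalike DLL path, a
# C2 address, plus a version string, a UTF-16 string and a URL as extra cases.
SAMPLE = (b"MZ\x90\x00\x03\x00\x00\x00"
          b"kernel32.dll\x00"
          b"C:\\windows\\system32\\kerne132.dll\x00"
          b"ws2_32.dll\x00"
          b"127.26.152.13\x00"
          b"FileVersion 1.0.0.1\x00\xff"
          b"h\x00e\x00l\x00l\x00o\x00 \x00w\x00i\x00d\x00e\x00\x00\x00"
          b"http://example.invalid/updater.exe\x00")

if __name__ == "__main__":
    found = ascii_strings(SAMPLE) + wide_strings(SAMPLE)
    print("lookalike DLLs:", lookalike_dlls(found))
    print("IPs, URLs:", network_indicators(found))
```

On the constructed input the lookalike check returns only the kerne132.dll path (the genuine kernel32.dll and ws2_32.dll are skipped), while the IPv4 pattern returns both 127.26.152.13 and the version string 1.0.0.1, which is exactly why address candidates are reviewed by hand before they become indicators.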

What would you guess is the purpose of these files?

The executable installs a backdoor DLL named kerne132.dll (masquerading as kernel32.dll), which communicates with its C2 server. The address of the C2 is 127.26.152.13.

Lab 1-2

This lab uses the file Lab01-02.exe.

Upload the file to http://wwww.VirusTotal.com/. Does it match any existing antivirus definitions?

VirusTotal flags it as a Trojan. The MD5 hash of the file is 8363436878404da0ae3e46991e355b83

55/71 antivirus engines detect it

Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

To check whether the binary is packed we run PEiD. It identifies the packer as UPX, version 0.89.6. Other giveaways of UPX are the section names UPX0 and UPX1 and an import table reduced to a handful of functions such as LoadLibraryA and GetProcAddress, which the unpacking stub uses to rebuild the real imports at run time.

packed_binary

To unpack this binary we use the UPX tool itself with the -d (decompress) option: upx -d Lab01-02.exe

Download UPX

unpack_binary

The malware is no longer packed. We can confirm it by listing the strings of the binary again (the packed version had almost none) or by re-running PEiD, which now reports the compiler instead of UPX. Keep in mind that the unpacked file has a different hash from the one uploaded to VirusTotal; indicators should use the hash of the sample as it was found.

Do any imports hint at this program's functionality? If so, which imports are they and what do they tell you?

The imports of the unpacked binary can be viewed with Dependency Walker.

import_dll

ADVAPI32.DLL

  • CreateServiceA
  • StartServiceCtrlDispatcherA
  • OpenSCManagerA

imports_functions_advapi32

WININET.DLL

  • InternetOpenUrlA
  • InternetOpenA

imports_functions_wininet

These imports describe a program that installs itself as a Windows service (OpenSCManagerA to reach the Service Control Manager, CreateServiceA to register the service, StartServiceCtrlDispatcherA to run as one) and then reaches out to the Internet (InternetOpenA to initialise WinINet, InternetOpenUrlA to fetch a URL).

What host or network-based indicators could be used to identify this malware on infected machines?

We list the strings of the unpacked binary to look for the URL the malware connects to. We find the service name MalService and the URL http://malwareanalysisbook.com. The service name is the host-based indicator (it can be checked with sc query MalService or under the HKLM\SYSTEM\CurrentControlSet\Services registry key); the URL is the network-based indicator.

strings

The same strings can be located with IDA, which also shows where each one is used.

ida_service ida_url

Lab 1-3

This lab uses the file Lab01-03.exe.

Upload the Lab01-03.exe file to http://virustotal.com/. Does it match any existing antivirus definitions?

VirusTotal flags it as a Trojan. The hash reported for the file is 7983a582939924c70e3da2da80fd3352ebc90de7b8c4c427d484ff4ff050f0aec

53/70 antivirus engines detect it

Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

To check whether the malware is packed, we use PEiD.

1_3_peid

This shows that the malware is packed with FSG, version 1.0.

Unlike UPX, FSG has no decompression switch, so this sample cannot be unpacked with the tools and techniques covered so far; it has to be unpacked manually, which the book does in a later chapter.

We therefore skip the next two questions for now.

Lab 1-4

This lab uses the file Lab01-04.exe.

Upload the Lab01-04.exe file to http://virustotal.com/. Does it match any existing antivirus definitions?

VirusTotal flags it as a Trojan/Dropper. The SHA-256 hash of the file is 0fa1498340fca6c562cfa389ad3e93395f44c72fd128d7ba08579a69aaf3b126

57/71 antivirus engines detect it

Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

As in the other exercises of this lab, we use PEiD.

1_4_peid

PEiD reports no packer, so the malware is not packed and the analysis will be easier.

When was this program compiled?

VirusTotal shows the compile time in the Details section once the analysis is done. This value is the TimeDateStamp of the PE header, which the author of the binary controls, so it can be forged: for this sample it lies years after the book was written, which is itself a sign that the header was tampered with.

1_4_compiled_time

Do any imports hint at this program's functionality? If so, which imports are they and what do they tell you?

Dependency Walker is a good tool to list the DLLs used and the functions imported from each one.

1_4_imports_1

Three DLLs are used:

  • Kernel32
  • Advapi32
  • Msvcrt

KERNEL32

1_4_imports_2_kernel

Functions of interest among those imported:

  • LoadLibrary (load a DLL at run time)
  • OpenProcess (open a handle to another process)
  • WinExec (run a program)
  • WriteFile (write to a file)
  • CreateFile (create or open a file)
  • GetWindowsDirectory (locate the Windows folder, typically to drop a file into system32)

ADVAPI32

1_4_imports_2_advapi

  • AdjustTokenPrivileges

This function does not grant new privileges: it enables (or disables) privileges that the process token already holds. Malware typically uses it to enable SeDebugPrivilege, so that OpenProcess succeeds on processes it would otherwise not be allowed to touch; together with the OpenProcess import above, that is what it suggests here.

What host or network-based indicators could be used to identify this malware on infected machines?

We use the strings command to list the printable strings inside the binary.

1_5_strings_indicators

There are two host-based indicators:

  • winup.exe
  • system32\wupdmgrd.exe

The second name imitates the legitimate Windows Update manager, wupdmgr.exe, so a file named wupdmgrd.exe in system32 is a strong sign of infection. There is also one network-based indicator, the URL http://practicalmalwareanalysis.com/updater.exe

This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?

In the resource section we can see the sentence “This program cannot be run in DOS mode”. This is the message of the DOS stub found at the start of every PE file, so it is the typical sign of an executable embedded inside another one.

1_6_resources

We extract it by saving the raw bytes of the resource into a new file with Resource Hacker.

1_6_resources_2
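Resource Hacker does the extraction here because the payload is a proper resource, but the same "This program cannot be run in DOS mode" clue often turns up in overlays or opaque blobs where no resource directory points at it. The script below is an added example, not code from the write-up or the book: it scans a buffer for every "MZ" that is backed by a genuine "PE\0\0" signature, works out how many bytes the embedded image occupies on disk from its section table (the furthest PointerToRawData + SizeOfRawData), and carves it out. The carrier and the inner executable are constructed inside the script and are not the real Lab01-04.exe or its resource.

```python
import struct


def _pe_size_on_disk(data: bytes, base: int) -> int:
    """Bytes the PE image starting at `base` occupies on disk: its headers plus
    the furthest section raw data (PointerToRawData + SizeOfRawData)."""
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    fh = base + e_lfanew + 4                        # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", data, fh + 2)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", data, fh + 16)[0]    # SizeOfOptionalHeader
    table = fh + 20 + opt_size                      # first IMAGE_SECTION_HEADER
    end = table + nsec * 40 - base                  # at least the headers
    for i in range(nsec):
        rsize, rptr = struct.unpack_from("<II", data, table + i * 40 + 16)
        end = max(end, rptr + rsize)
    return end


def find_pe_headers(data: bytes) -> list:
    """Offsets of every 'MZ' that is backed by a real 'PE\\0\\0' signature."""
    hits, pos = [], data.find(b"MZ")
    while pos >= 0:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # "MZ" alone is common in random data: insist on a sane e_lfanew
            # (at least the 0x40-byte DOS header) and on the PE signature.
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\0\0":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def carve_embedded_pes(data: bytes) -> list:
    """(offset, bytes) for every PE found past offset 0, i.e. the embedded ones."""
    out = []
    for off in find_pe_headers(data):
        if off == 0:
            continue                                # the carrier file itself
        size = _pe_size_on_disk(data, off)
        out.append((off, data[off:off + size]))
    return out


# Constructed inner PE (not the real resource): e_lfanew = 0x40, no optional
# header, one section whose raw data occupies 0x80..0x90 of the inner image.
INNER = ((b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
          + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
          + struct.pack("<8sIIII", b".text", 0x10, 0x1000, 0x10, 0x80).ljust(40, b"\0")
          ).ljust(0x80, b"\0") + b"\xcc" * 0x10)

# Constructed carrier: a fake outer header (no PE signature behind its "MZ"),
# some resource bytes, the inner PE, and a stray "MZ" that must not be reported.
CARRIER = (b"MZ".ljust(0x100, b"\0") + b"RESOURCE_DATA\0"
           + INNER + b"\0" * 0x20 + b"MZ" + b"\0" * 8)

if __name__ == "__main__":
    for off, blob in carve_embedded_pes(CARRIER):
        print(f"embedded PE at 0x{off:X}, {len(blob)} bytes")
        with open(f"carved_{off:X}.bin", "wb") as f:
            f.write(blob)
```

Carving by the section table rather than "up to the next MZ" matters when the embedded file is followed by padding or further resources; when the computed size runs past the end of the buffer, the payload is truncated and the carve should be treated as partial.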

We then load the extracted binary into Dependency Walker to see what it does.

1_6_resources_3

It imports one DLL that the outer executable does not:

  • URLMON.DLL

From this DLL it imports the URLDownloadToFile function.

So the malware drops an embedded executable that downloads a file from http://practicalmalwareanalysis.com/updater.exe and executes it.