Practical Malware Analysis - Lab 6

Recognizing C Code Constructs

Lab 6

The goal of these labs is to understand the overall functionality of a program by analyzing its code constructs.

Lab 6-1

What is the major code construct found in the only subroutine called by main?

The subroutine called by main is located at 0x401000.

call_sub_401000

In this function we can see a jz instruction. The path taken depends on the result of the comparison made with EAX. This indicates an if code construct.

if_condition

According to the MSDN page for InternetGetConnectedState, the function returns TRUE if the host has an Internet connection and FALSE if it does not.

MSDN_InternetGetConnectedState

If the API call succeeds, EAX = 1; otherwise EAX = 0. When EAX = 0, ZF = 1 and the jump to 0x40102B is taken.

What is the subroutine located at 0x40105F?

This subroutine is called whether the API call succeeds or fails. A different string is pushed on the stack depending on the result of the API call. I assume that this subroutine is used to print the string that was pushed on top of the stack. We can check this by running the malware.

malware_6-1_start

What is the purpose of this program?

This program checks whether the host is connected to the Internet and prints the corresponding message depending on the state.

Lab 6-2

What operation does the first subroutine called by main perform?

The answer is the same as for Lab 6-1, question 1. The first subroutine called is sub_401000.

call_sub_401000

The operation is an if statement.

if_condition

What is the subroutine located at 0x40117F?

Before this subroutine is called, a string is pushed on top of the stack. We assume that the function is used to print this string in the victim's terminal when the malware runs.

call_sub_40117F

What does the second subroutine called by main do?

The second subroutine is located at 0x401040.

call_sub_401040

Firstly, there is an API call to InternetOpenA, which is used to open a web browser. Next, we see the string Internet Explorer. We assume that the malware tries to open the IE browser.

internet_open

Secondly, InternetOpenUrlA is used to open a specific URL in the IE browser. The URL loaded by this function is practicalmalwareanalysis.com/cc.htm.

url_open

Thirdly, InternetReadFile is used to read the first 0x200 (512) bytes of the cc.htm file.

read_file

What type of code construct is used in this subroutine?

There are two different paths in this subroutine:

  • The program reads the file and checks that it is well formed by comparing some bytes.
  • The file can't be read.

code_construct

We can convert the compared value from hex to ASCII. It forms the HTML sequence <!--, which opens a comment.

comment

Are there any network-based indicators for this program?

There are two network-based indicators:

  • URL: "http://practicalmalwareanalysis.com/cc.htm"
  • User-Agent: "Internet Explorer 7.5 /pma"

What is the purpose of this malware?

The goal of this malware is to check whether the host is connected to the Internet. It then opens the IE browser and requests the URL http://practicalmalwareanalysis.com/cc.htm with the user-agent Internet Explorer 7.5 /pma. The content of the file is checked to see if it is well formed; if so, it prints the first 512 bytes of the file.

Lab 6-3

Compare the calls in main to Lab 6-2's main method. What is the new function called from main?

The new function called from main is located at 0x401130.

call_sub_401130

What parameters does this new function take?

It takes two parameters:

  • argv = lpExistingFileName = pointer to the name of the program
  • var_8 = char

parameters

At the top of the routine, IDA confirms this.

parameters_2

We now find the value of var_8. At 0x40122D, var_8 is set to AL. AL is the low 8 bits of the EAX register, and EAX holds the return value of the function at 0x401040, which is the <!-- symbol we saw in the previous lab. 8 bits is equivalent to 1 byte = 1 character. In our case the last character is -.
var_8 = "-"

parameters_al

What major code construct does this function contain?

This function contains a switch case. It can take 5 values, each with a different action. The program uses a jump table that references all the addresses it can jump to.

switch_construct

What can this function do?

This function handles 5 values depending on the character after the <!-- symbol that was checked in the previous routine. The result is stored in EAX, then EAX is moved to ECX, and the letter 'a' is subtracted from ECX. There are 5 possibilities:

  • ECX = 'a': the subtraction gives 'a' - 'a' = 0 (it subtracts the two hexadecimal values -> 0x61 - 0x61 = 0). The program creates a folder called C:\Temp. switch_0

  • ECX = 'b': the subtraction gives 'b' - 'a' = 1 (0x62 - 0x61). The program copies the malware to C:\Temp and names it cc.exe. switch_1

  • ECX = 'c': the subtraction gives 'c' - 'a' = 2 (0x63 - 0x61). The program deletes the copy of the malware named cc.exe in the Temp folder. switch_2

  • ECX = 'd': the subtraction gives 'd' - 'a' = 3 (0x64 - 0x61). The program creates a registry key under Software\Microsoft\Windows\CurrentVersion\Run to persist on the system. The value is called "malware" and points to C:\Temp\cc.exe. switch_3

  • ECX = 'e': the subtraction gives 'e' - 'a' = 4 (0x65 - 0x61). The program sleeps for 186A0h (= 100000) ms -> 1.40 minutes. switch_4
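To make the two constructs concrete, here is a portable C reconstruction of the logic described above: the byte check from Lab 6-2's sub_401040 (the first four bytes must be <!--, and the fifth byte is returned) and the subtract-'a'-then-jump-table switch from Lab 6-3's sub_401130. This is an added example, not code from the lab binaries or the book; the function names parse_html, dispatch, describe and handle_page, and the action_t enum, are my own labels, and the Windows side effects (directory creation, file copy, registry write, Sleep) are replaced by a returned action code and a description string so the program runs on any host without touching the filesystem or registry. The sample pages in main are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Reconstruction of the HTML check in sub_401040 (Lab 6-2): the first four
 * bytes read by InternetReadFile must be the comment opener "<!--"; on
 * success the fifth byte (the command character) is returned, otherwise 0. */
char parse_html(const char *buf, size_t len)
{
    if (len < 5)
        return 0;
    if (buf[0] != '<' || buf[1] != '!' || buf[2] != '-' || buf[3] != '-')
        return 0;
    return buf[4];
}

/* One value per jump-table slot in sub_401130 (Lab 6-3); the index is the
 * result of the `sub ecx, 'a'` that the disassembly performs before the jump.
 * Hypothetical enum, not a name from the binary. */
typedef enum {
    ACT_INVALID = -1,
    ACT_MKDIR   = 0,   /* 'a': create C:\Temp */
    ACT_COPY    = 1,   /* 'b': copy self to C:\Temp\cc.exe */
    ACT_DELETE  = 2,   /* 'c': delete C:\Temp\cc.exe */
    ACT_PERSIST = 3,   /* 'd': Run key "malware" -> C:\Temp\cc.exe */
    ACT_SLEEP   = 4    /* 'e': Sleep(0x186A0 ms) */
} action_t;

/* The switch construct as the compiler laid it out: subtract 'a', then
 * index a five-entry jump table; anything outside 0..4 falls to default. */
action_t dispatch(char cmd)
{
    int idx = (unsigned char)cmd - 'a';
    switch (idx) {
    case 0:  return ACT_MKDIR;
    case 1:  return ACT_COPY;
    case 2:  return ACT_DELETE;
    case 3:  return ACT_PERSIST;
    case 4:  return ACT_SLEEP;
    default: return ACT_INVALID;
    }
}

/* Host-based indicator each case would leave behind, for the analyst's
 * report. No filesystem or registry operation is performed here. */
const char *describe(action_t a)
{
    switch (a) {
    case ACT_MKDIR:   return "creates directory C:\\Temp";
    case ACT_COPY:    return "copies itself to C:\\Temp\\cc.exe";
    case ACT_DELETE:  return "deletes C:\\Temp\\cc.exe";
    case ACT_PERSIST: return "sets Software\\Microsoft\\Windows\\CurrentVersion\\Run\\malware = C:\\Temp\\cc.exe";
    case ACT_SLEEP:   return "sleeps 100000 ms";
    default:          return "no action: page is not a valid command";
    }
}

/* Page bytes in, action out, mirroring the call order in main. */
action_t handle_page(const char *buf, size_t len)
{
    return dispatch(parse_html(buf, len));
}

int main(void)
{
    /* Constructed sample pages standing in for the first bytes of cc.htm. */
    const char *pages[] = { "<!--a-->", "<!--d-->", "<html></html>", "<!--z-->" };
    for (size_t i = 0; i < sizeof pages / sizeof pages[0]; i++) {
        action_t a = handle_page(pages[i], strlen(pages[i]));
        printf("%-16s -> case %d: %s\n", pages[i], (int)a, describe(a));
    }
    return 0;
}
```

Note that a page starting with anything other than <!--, or carrying a command byte outside 'a'..'e', ends in the default branch: the subtraction produces an index the jump table does not cover, which is exactly the bounds check you see before the indirect jump in IDA.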

Are there any host-based indicators for this malware?

  • The malware copies itself to C:\Temp\cc.exe
  • It adds a registry value named "malware" under Software\Microsoft\Windows\CurrentVersion\Run

What is the purpose of this malware?

This malware checks whether the target has Internet access. It then uses Internet Explorer to download an HTML page (http://practicalmalwareanalysis.com/cc.html). It parses the beginning of the page (512 bytes); the first bytes must be <!-- or it fails. Finally, the character after <!-- selects the action, which can be one of 5 letters:

  • 'a' (case 0) = Create the C:\Temp folder
  • 'b' (case 1) = Copy the malware to C:\Temp and call it cc.exe
  • 'c' (case 2) = Delete cc.exe
  • 'd' (case 3) = Create the registry value "malware" under Software\Microsoft\Windows\CurrentVersion\Run
  • 'e' (case 4) = Sleep for 1.40 minutes

Lab 6-4

What is the difference between the calls made from the main method in Lab 6-3 and 6-4?

The main function of Lab6-4.exe contains two new calls:

  • sub_4012B5 = switch construct with a jump table to control the actions
  • sub_401150 = prints the string pushed on top of the stack (see 6-3 above)

difference_main

The rest of the program calls the same subroutines as 6-3.

What new code construct has been added to main?

A for loop has been added. It checks whether a counter variable is greater than or equal to 5A0h = 1440. If not, it does its work and increments the counter by 1; otherwise the program exits.

loop_construct

What is the difference between this lab's parse HTML function and those of the previous labs?

The difference is the use of a new variable (szAgent) and a new parameter (arg_0).

variable_parameter

The variable szAgent takes the value of the string "Internet Explorer 7.50/pma%d". %d is a format specifier for a decimal integer; it receives the number of loop iterations the program has done in main.

Indeed, we see in main that ECX is pushed before the call to sub_401040.

digit_push

How long will this program run? (Assume that it is connected to the Internet.)

The program sleeps 60 000 ms on every loop iteration, and it can loop 1440 times.

60 000 ms * 1440 = 86 400 000 ms
86 400 000 ms / 1000 = 86 400 s
86 400 s / 60 = 1 440 min
1 440 min / 60 = 24 h

The program can sleep for 24 hours.

sleep
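The loop, the counter-dependent User-Agent and the 24-hour runtime above can be modelled in a few lines of portable C. This is an added example, not the lab's code: build_user_agent reconstructs how the loop counter (arg_0) is formatted into szAgent, simulate_loop replays the for loop without actually sleeping, total_sleep_ms and total_sleep_hours carry the arithmetic from the answer, and is_pma_user_agent is a hypothetical matcher a defender could use to flag the indicator in proxy logs (the prefix followed by one or more digits). The sample log value in main is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAX_ITER 0x5A0     /* 1440: the value main's for loop compares against */
#define SLEEP_MS 60000     /* Sleep(60000) at the end of every iteration */

/* Reconstruction of the szAgent build in this lab's sub_401040: the loop
 * counter passed as arg_0 is formatted into "Internet Explorer 7.50/pma%d". */
int build_user_agent(char *out, size_t outlen, int iteration)
{
    return snprintf(out, outlen, "Internet Explorer 7.50/pma%d", iteration);
}

/* Hypothetical detection helper (not from the lab): true when the string is
 * exactly the indicator prefix followed by one or more decimal digits. */
int is_pma_user_agent(const char *ua)
{
    static const char prefix[] = "Internet Explorer 7.50/pma";
    size_t plen = sizeof prefix - 1;
    if (strncmp(ua, prefix, plen) != 0)
        return 0;
    const char *p = ua + plen;
    if (!isdigit((unsigned char)*p))
        return 0;
    while (isdigit((unsigned char)*p))
        p++;
    return *p == '\0';
}

/* Total time the loop spends inside Sleep, in milliseconds and in hours. */
long long total_sleep_ms(void)
{
    return (long long)MAX_ITER * SLEEP_MS;       /* 86 400 000 ms */
}

double total_sleep_hours(void)
{
    return total_sleep_ms() / 1000.0 / 3600.0;   /* 24.0 */
}

/* The for loop from main, replayed without the Sleep: records the first and
 * last User-Agent the binary would send and returns the iteration count. */
int simulate_loop(char *first_ua, char *last_ua, size_t ualen)
{
    int i;
    for (i = 0; i < MAX_ITER; i++) {             /* jge exits once i >= 0x5A0 */
        char ua[64];
        build_user_agent(ua, sizeof ua, i);
        if (i == 0)
            snprintf(first_ua, ualen, "%s", ua);
        snprintf(last_ua, ualen, "%s", ua);
        /* Sleep(SLEEP_MS) would sit here in the real binary */
    }
    return i;
}

int main(void)
{
    char first[64], last[64];
    int n = simulate_loop(first, last, sizeof first);
    printf("%d iterations, first UA \"%s\", last UA \"%s\"\n", n, first, last);
    printf("total sleep: %lld ms = %.1f h\n", total_sleep_ms(), total_sleep_hours());

    /* Constructed proxy-log value an analyst might match against. */
    const char *sample = "Internet Explorer 7.50/pma37";
    printf("\"%s\" matches indicator: %d\n", sample, is_pma_user_agent(sample));
    return 0;
}
```

Because the counter is embedded in the User-Agent, a literal string match on "Internet Explorer 7.50/pma" alone would miss nothing, but a signature written against the first observed value (for example pma0) would only fire once; matching the prefix plus digits, as above, covers all 1440 variants.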

Are there any new network-based indicators for this malware?

  • User-Agent: Internet Explorer 7.50/pma%d

What is the purpose of this malware?

The malware does the same things as 6-3, but there are 2 new components:

  • It works for 24 hours before terminating
  • The User-Agent is a variable instead of a constant