Malware Analysis Series 0x2
Hello You.
In the previous article I wrote about chapter one of the great Practical Malware Analysis book, but today it's time to solve the chapter one challenges, so let's get going.
I'm certain that one of you guys is still looking for the labs (they are in front of you man, c'mon). You can find them here, they're in a git repo; use git clone to download them to your system.
Note: before you do any of that, as the author said, do not be stupid: use a virtual machine and disable Windows Defender inside it, because we are dealing with malware :3
You will notice that there is only one exe file, which is weird, but you are a malware analyst, so let's see what the heck that is by using our favourite tool, strings.exe.
We ran strings.exe on it and the output suggests it might be the lab archive (it actually is), so let's run it. Do not trust anyone, not even the author, so use a virtual machine for god's sake.
You accept the license and whatever, then you extract the labs and GG, you have done it.
Now let's get started with the actual labs. The nice thing about the labs is that the author gives us little or no information about the program, to make it as real as possible.
Lab 1–1
This lab uses the files Lab01–01.exe and Lab01–01.dll. Use the tools and techniques described in the chapter to gain information about the files and answer the questions below.
Q1
Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?
As you can see, most of the antivirus engines have signatures for those files.
Q2
When were these files compiled?
For this question I'll use PEview. In the IMAGE_FILE_HEADER you can see that the compile time is 2010/12/19. The same goes for the dll file.
Q3
Are there any indications that either of these files is packed or obfuscated?
If so, what are these indicators?
As you can see, I used Detect It Easy and PEiD, and it looks clean with no obfuscation to me.
Q4
Do any imports hint at what this malware does? If so, which imports are they?
Here I used Dependency Walker
Kernel32.dll — This is a very common DLL that contains core functionality, such as access and manipulation of memory, files, and hardware. blah blah blah
Here we have FindFirstFile & FindNextFile, which are used to search through directories, and there is also CopyFile & CreateFile & CreateFileMapping, which are all related to file creation and manipulation (copying files), from Lab01-01.exe.
Here we can see Sleep & CreateProcess, which means we need to expect this malware to create another process.
Q5
Are there any other files or host-based indicators that you could look for on infected systems?
Using strings.exe I saw a weird dll name that is not Kernel32.dll but Kerne132.dll. You can see the subtle misspelling there, a 1 instead of an l (it might be used to hide rogue DLLs in plain sight).
Q6
What network-based indicators could be used to find this malware on infected machines?
Using strings.exe on the dll file you will see an IP address. This is the only network-based indicator I was able to find, but it's enough for me; maybe not for you, we'll figure that out in the future.
Q7
What would you guess is the purpose of these files?
Based on the knowledge I got from the static analysis I can't really determine what type of malware this is, but since it's copying files and there is an IP address, it might be sending data to the attacker, which would indicate that this is information-stealing malware.
But my answer was totally wrong, and that is totally ok, we are learning. This is the correct answer: The .dll file is probably a backdoor. The .exe file is used to install or run the DLL.
And he's explaining that CreateProcess and Sleep are common in backdoors, so yup, take notes so you don't guess wrong the next time.
Lab 1–2
Analyze the file Lab01–02.exe.
Q1
Upload the Lab01–02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
Yes it does, and not only that: we now know that 55 antivirus engines have a signature for this file, and we also know that it is packed and that it's using UPX.
Q2
Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
Let's say that we didn't know from VirusTotal that it's packed; let's check DIE.
DIE is telling us that it is packed, so let's unpack it.
I created a backup file before unpacking it, but next time I'll probably use -k to keep a backup file.
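Since I used PEview for the compile time in Lab 1-1 Q2 and DIE for the packing check here, here's an extra Python snippet (an added example of mine, not from the book or the lab files) that reads the same things straight from the headers: the TimeDateStamp in IMAGE_FILE_HEADER, and the section table, where UPX-style section names and empty-on-disk sections are cheap packing hints. It parses a constructed PE skeleton with a made-up timestamp, not the real Lab01-02.exe.

```python
import struct
from datetime import datetime, timezone

def parse_pe_header(data):
    """Read IMAGE_FILE_HEADER and the section table the way PEview displays them."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    fh = e_lfanew + 4                                            # IMAGE_FILE_HEADER starts here
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    sections, off = [], fh + 20 + opt_size                      # section table follows the optional header
    for _ in range(nsections):
        name, vsize, _, raw_size, _ = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size})
        off += 40                                                # IMAGE_SECTION_HEADER is 40 bytes
    return {"machine": machine,
            "compile_time": datetime.fromtimestamp(timestamp, tz=timezone.utc),
            "sections": sections}

def packing_indicators(info):
    """Cheap static packing hints; DIE/PEiD add signature databases on top of checks like these."""
    hints = []
    for s in info["sections"]:
        if s["name"].upper().startswith("UPX"):
            hints.append(f"section {s['name']} is named after the UPX packer")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"section {s['name']} has no data on disk but {s['virtual_size']:#x} bytes in memory")
    return hints

def build_sample_pe():
    """Constructed, non-runnable PE skeleton (NOT the lab file) with UPX-style sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C -> PE header at 0x40
    # Machine=i386, 2 sections, TimeDateStamp = constructed 2010-12-19 00:00 UTC, no optional header
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 2, 1292716800, 0, 0, 0, 0x0102)
    def sec(name, vsize, raw_size):
        return struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, raw_size, 0x400, 0, 0, 0, 0, 0xE0000080)
    return dos + b"PE\0\0" + file_hdr + sec(b"UPX0", 0x16000, 0) + sec(b"UPX1", 0x6000, 0x5A00)

if __name__ == "__main__":
    info = parse_pe_header(build_sample_pe())
    print("compiled:", info["compile_time"].strftime("%Y/%m/%d"))
    for hint in packing_indicators(info):
        print("packing hint:", hint)
```

Point it at a real file with open(path, "rb").read() and compare the date with what PEview shows; a timestamp in the future or at the epoch is itself a hint that it was tampered with.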
Q3
Do any imports hint at this program's functionality? If so, which imports are they and what do they tell you?
Advapi32.dll — This DLL provides access to advanced core Windows components such as the Service Manager and Registry. Wininet.dll — This DLL contains higher-level networking functions that implement protocols such as FTP, HTTP, and NTP.
No indicators of a GUI, so it is a CLI program, and it is probably creating a service using CreateService, which adds a new service to the service control manager and allows the caller to specify whether the service will start automatically at boot time or must be started manually (maybe for persistence). And InternetOpen, which is a function that initializes an application's use of the WinINet functions; it enables the application to perform various operations like connecting to URLs, sending HTTP requests, and managing internet connections.
It's not a backdoor for sure, and it's accessing a website, so it might be downloading something. It might be a Downloader, but still, it is creating a service and it's using CreateThread.
I'm staying with Downloader. Let me see the answer and come right back.
We can’t be sure what this program is doing, but we’ve found some indicators to help search for this malware across a network.
:3
Q4
What host- or network-based indicators could be used to identify this malware on infected machines?
The URL we found in the strings is the network-based indicator, and the host-based one would be the service, since it is using CreateService and there is a MalService in the strings.
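Here's an added Python example (mine, not from the book or the lab files) that does what we did by eye with strings.exe in Lab 1-1 Q5/Q6 and Lab 1-2 Q4: pull printable strings out of a buffer and flag IP addresses, URLs, service-like names, and lookalike DLL names such as Kerne132.dll. The buffer and its IP/URL values are constructed placeholders, not taken from the lab files.

```python
import re

KNOWN_DLLS = {"kernel32.dll", "advapi32.dll", "wininet.dll", "user32.dll", "ntdll.dll", "msvcrt.dll"}
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s"})   # digits that impersonate letters
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
URL = re.compile(r"^(?:https?|ftp)://\S+$", re.IGNORECASE)

# Constructed sample of a binary's data (NOT the real lab file); the IP and URL are placeholders.
SAMPLE = (b"MZ\x90\x00" + b"\xff" * 7
          + b"kernel32.dll\x00\x02\x00"
          + b"C:\\Windows\\System32\\Kerne132.dll\x00"
          + b"FindFirstFileA\x00FindNextFileA\x00"
          + b"192.0.2.10\x00"                                  # documentation-range address
          + b"http://www.example.com/update.bin\x00"
          + b"MalService\x00")

def extract_strings(data, min_len=4):
    """Mimic strings.exe's default: runs of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def lookalike_dll(s):
    """Return the legitimate DLL a name impersonates (Kerne132.dll -> kernel32.dll), else None."""
    base = s.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if not base.endswith(".dll") or base in KNOWN_DLLS:
        return None
    real = base.translate(CONFUSABLES)
    return real if real in KNOWN_DLLS else None

def find_indicators(data):
    """Classify extracted strings into the host- and network-based indicators from the labs."""
    found = {"ip": [], "url": [], "lookalike_dll": [], "service_name": []}
    for s in extract_strings(data):
        if IPV4.match(s) and all(int(octet) < 256 for octet in s.split(".")):
            found["ip"].append(s)
        elif URL.match(s):
            found["url"].append(s)
        elif (real := lookalike_dll(s)) is not None:
            found["lookalike_dll"].append((s, real))
        elif "service" in s.lower():                           # crude hint, e.g. MalService
            found["service_name"].append(s)
    return found

if __name__ == "__main__":
    for kind, hits in find_indicators(SAMPLE).items():
        print(f"{kind:14} {hits}")
```

Feed it the bytes of a real file to get a first pass at indicators; the regexes are deliberately loose, so treat hits as leads to confirm, not as final IoCs.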
Sheesh, that was a lot of work. Btw, I'm sorry about the delay, I was supposed to publish this yesterday but I had to go to work, so yeah, you know, life.
I'll solve the other labs by myself; the only purpose of this article is to show how I used the tools that I talked about in the previous article.
That's it, thanks for reading :3