Practical Malware Analysis — Chapter 1 — Lab 01–04 — Solution

This is the last executable we need to analyze provided in the Labs for Chapter 1. Let’s begin!

Let’s analyze it via VirusTotal.

Let’s tally the hashes!

The hashes are correct. Let’s move onto checking whether this executable is packed or not.

This executable does not seems to be packed. Let’s run the strings or you can use BinText (It’s good) for locating the strings :))

We have quite a lot of information regarding the DLL and the functions which are being imported.

Also we can see that three more executables are being accessed and updater.exe is being downloaded from the URL. Let’s take a closer look onto this using DependencyWalker.

NOTE: I personally like to perform a strings along with the grep command to reveal more information. Rather than directly going for the DependencyWalker. The reason? Below are the two screenshots!.

Why strings?

Why DependencyWalker?

I hope it’s clear now ;)

Let’s check the compilation time of this executable by using PEview.

We can clearly see that the compilation time is of FRI 30/08/2019.

Let’s look onto the important functionality of this executable.

LoadResource, FindResource and SizeOfResource are being used to load the data from the resource section.

GetWindowsDirectory is indicating that directories is being checked where the file maybe written to.

WinExec tells that the program is being executed.

CreateFile & WriteFile indicates that a file is being created and written.

AdjustTokenPrivileges function enables or disables privileges.

Moreover we can see that two more programs are being executed!

\winup.exe
\system32\wupdmgrd.exe

The updater is being downloaded from the website!
http://www.practicalmalwareanalysis.com/updater.exe

Let’s answer the questions now!

Lab 1–4

Analyze the file Lab01–04.exe

Questions

a. Upload the Lab01–04.exe file to http://www.VirusTotal.com/. Does it match?

We have uploaded the file and found it malicious.

b. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

The file is not packed at all.

c. When was this program compiled?

This program was compiled on 30/08/2019 but it doesn’t seems to be correct!

d. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

Files are being created and written to. Also some other executable’s are being executed and updater is being download from the URL.

e. What host- or network-based indicators could be used to identify this
malware on infected machines?

Host-Based

\winup.exe
\system32\wupdmgrd.exe

Network-Based
http://www.practicalmalwareanalysis.com/updater.exe

f. This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?

The part d and e are the answers of this part. But let’s use Resource Hacker as we haven’t tried it yet and try to extract the resource!

We can finally save the resource as .bin and load in into PE-Explorer where we can see the compilation time of this resource to be 27/02/2011 :))

That’s all! We are done with Chapter-1. I hope that you have enjoyed :))

Thank You

Cyber Security Enthusiast