Practical Malware Analysis — Chapter 1 — Lab 1-2 — Solution
We recently completed the Lab 1-1 questions and found that the sample was a backdoor executable. Now we move on to the Lab01-02.exe executable and answer its questions.
Let's first check whether this executable is malicious.
We can see that this file is malicious. The file was created on 2011-01-19 at 16:10:41, and its hashes are:
MD5 8363436878404da0ae3e46991e355b83
SHA-1 5a016facbcb77e2009a01ea5c67b39af209c3fcb
Let's use "HashMyFiles", as it can produce a number of different hashes for a particular file.
We can see that the hashes match. Now let's check the strings.
This is the first half of the output. We can clearly see the section names UPX, UPX0, UPX1, UPX2 and UPX3 (UPX is a free and open-source packer for executables) instead of the usual .text, .rdata, .rsrc, etc., which strongly suggests that this file is packed. We can also see a URL fragment (http://ysisbook.co), the string MalService (Mail Service) and a partial Internet Explorer 8 string (Internet Explorer 8FEI), i.e. a particular browser version being impersonated.
In the second half we can see the DLLs and some of the functions imported from them, such as InternetOpenA, CreateServiceA and Virtual*. GetProcAddress and LoadLibraryA are also present; these two are the imports most commonly seen in packed executables, since the unpacking stub uses them to resolve the real imports at runtime.
Let’s try running the PEiD on this executable!
We can see that this executable has been packed with UPX: the entry point lies in the UPX1 section, as shown in the EP Section field. Now we can analyze the PE header using PEview, where we can clearly see that the sections have been packed/obfuscated.
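As an added example (not from the original post), a short Python script that reads a PE section table and flags the two UPX tells that PEiD and PEview surfaced here: UPX-named sections, and a first section that is empty on disk but large in memory. The sample headers are constructed inline and are not the lab binary.

```python
import struct

# Section names UPX writes when it packs a PE. Seeing them where .text, .rdata
# and .data would normally be is the indicator that PEiD and PEview surfaced.
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", "UPX3"}

def parse_sections(pe: bytes) -> list:
    """Return (name, VirtualSize, SizeOfRawData) for every PE section header."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size               # section table follows the optional header
    out = []
    for i in range(num_sections):              # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _va, raw = struct.unpack_from("<8sIII", pe, table + i * 40)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), vsize, raw))
    return out

def packing_indicators(pe: bytes) -> dict:
    """Two UPX tells: UPX-named sections, and a section with no bytes on disk
    but a large virtual size (the stub decompresses the real code into it)."""
    sections = parse_sections(pe)
    upx = [n for n, _, _ in sections if n in UPX_SECTION_NAMES]
    hollow = [n for n, vsize, raw in sections if raw == 0 and vsize > 0]
    return {"sections": [n for n, _, _ in sections], "upx_sections": upx,
            "hollow_sections": hollow, "likely_packed": bool(upx or hollow)}

def build_sample_pe(sections) -> bytes:
    """Constructed minimal PE header for testing: no code, not the lab binary."""
    dos = bytearray(b"MZ" + bytes(0x3E))       # 64-byte DOS header, no stub
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew: PE signature at 0x40
    opt_size = 0xE0                            # PE32 optional header size, left zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, 0x1000, raw,
                                 0x400, 0, 0, 0, 0, 0x60000020) for n, vs, raw in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + table

# Constructed layouts modelled on PEview before/after unpacking: UPX0 empty on disk.
PACKED = build_sample_pe([(b"UPX0", 0x5000, 0), (b"UPX1", 0x1000, 0x800), (b".rsrc", 0x200, 0x200)])
UNPACKED = build_sample_pe([(b".text", 0x800, 0x800), (b".rdata", 0x400, 0x400),
                            (b".data", 0x200, 0x200), (b".rsrc", 0x200, 0x200)])

if __name__ == "__main__":
    print(packing_indicators(PACKED))    # likely_packed True, upx_sections ['UPX0', 'UPX1']
    print(packing_indicators(UNPACKED))  # likely_packed False
```

Point `parse_sections` at the bytes of a real file to get the same section list PEview displays; the hollow-section check also catches packers that rename their sections.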
Now we need to unpack this executable. This can be done with the PE Explorer plugins, or you can download the UPX tool from GitHub and run it with its decompress option.
Let’s run the PEiD on this file now!
We have successfully unpacked the executable. Now we can run PEview to look at the sections.
We can now see the normal PE header sections and the data they contain. At this point we can run strings again to check the strings, and Dependency Walker to check the DLLs and the functions imported from them.
Running strings on the unpacked file shows much more data.
Now we get a clearer view of what this executable might do when executed.
On running the DependencyWalker on this executable we can see that it is importing functions from 4 DLLs.
This executable connects to http://malwareanalysisbook.com and runs under the service name MalService.
That is enough static analysis for this lab. Let's answer the questions.
Lab 1–2
Analyze the file Lab01-02.exe
Questions
1. Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
We uploaded the file and found that it matches existing antivirus definitions.
2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
We found that this executable was packed with UPX (UPX0/UPX1 section names and the entry point in UPX1), and we were able to unpack it using the UPX tool.
3. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
a. InternetOpenA → Initializes an application's use of the WinINet functions; its first argument is the user agent, so we can see what user-agent string is used to initiate the connection.
b. InternetOpenUrlA → Opens an FTP or HTTP URL.
c. CreateMutexA → Creates a mutex to prevent multiple instances of the malware from running at once.
d. OpenMutexA → Opens an existing mutex (used to check whether an instance is already running).
e. CreateServiceA → Creates a service object on the victim's machine. Often used for persistence.
f. OpenSCManagerA → Called before CreateService to establish a connection to the service control manager.
g. StartServiceCtrlDispatcherA → When the service control manager starts a service process, it waits for the process to call the StartServiceCtrlDispatcher function. The main thread of a service process should make this call as soon as possible after it starts up (within 30 seconds)
As far as I understand from these details, this executable connects to a website and installs itself as a service named MalService for persistence. It is likely part of a C&C system, receiving commands from the web and executing them on the machine.
4. What host- or network-based indicators could be used to identify this malware on infected machines?
On the host we can look for the service named MalService via services.msc. On the network we can check for DNS lookups of malwareanalysisbook.com and for HTTP requests to it carrying the specific Internet Explorer string in the User-Agent field. Moreover, we can create a firewall rule to block such traffic.