Practical Malware Analysis — Chapter 1 — Labs 1–1 — Solution
Now that we are done with Chapter 1, it’s time to work on the labs to get the most out of what we learned. So let’s begin.
Note: I have copied the Labs Details (text) from the book as it is.
Lab 1–1
This lab uses the files Lab01–01.exe and Lab01–01.dll. Use the tools and techniques described in the chapter to gain information about the files and answer the questions below.
Questions
1. Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?
Let’s upload both files to VirusTotal and compare the results.
Both files match previously known antivirus signatures and are flagged as malicious.
2. When were these files compiled?
The compile time of each file, according to the VirusTotal report, is:
Lab01–01.exe → 2010–12–19 16:16:19
Lab01–01.dll → 2010–12–19 16:16:38
We can also find the compilation time using PEview and checking the IMAGE_FILE_HEADER details.
3. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?
PEiD can be used to detect packers and obfuscators. In addition, we were able to read all the necessary details and the strings without trouble, so we conclude that neither file is packed or obfuscated.
4. Do any imports hint at what this malware does? If so, which imports are they?
Both the executable and the DLL have imports. Lab01–01.exe imports the following:
a. KERNEL32.dll → The following functions from this library are imported.
CreateFileA → Creates or opens a file or I/O device.
CopyFileA → Copies an existing file to a new file.
CreateFileMappingA → Creates or opens a named or unnamed file mapping object for a specified file.
FindFirstFileA → Searches a directory for a file or subdirectory with a name that matches a specific name (or partial name if wildcards are used).
FindNextFileA → Continues a file search from a previous call.
MapViewOfFile → Maps a view of a file mapping into the address space of a calling process. Malware can make changes to the actual file once it is mapped.
b. MSVCRT.dll → A module containing standard C library functions such as printf, memcpy, and cos. It is part of the Microsoft C Runtime Library. Non-system copies of msvcrt.dll originate from software you installed on your system.
c. kerne132.dll → A disguised version of the original KERNEL32.DLL (the digit 1 stands in for the letter l).
d. Lab01–01.dll → The companion DLL that Lab01–01.exe needs in order to work.
The second file, Lab01–01.dll, has the following imports.
KERNEL32.dll → Kernel32.dll is the 32-bit dynamic link library found in the Windows operating system kernel. It handles memory management, input/output operations, and interrupts. When Windows boots up, kernel32.dll is loaded into a protected memory space so other applications do not take that space over.
MSVCRT → A module containing standard C library functions such as printf, memcpy, and cos. It is part of the Microsoft C Runtime Library. Non-system copies of msvcrt.dll originate from software you installed on your system.
WS2_32.dll → The Windows Sockets library ws2_32.dll is used by Windows and by applications to handle network connections.
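The compile time (question 2) and the import list (question 4) both come straight out of the PE headers, and it helps to see where PEview and VirusTotal read them from. The following stdlib-only Python is an added example, not code from the book or from the lab files: parse_headers() pulls TimeDateStamp and the DLL flag out of IMAGE_FILE_HEADER, and parse_imports() walks the import directory of a PE32 image. Because the lab binaries are not embedded here, build_sample_pe() constructs a tiny synthetic PE for the code to run on; the KERNEL32 names in SAMPLE_EXE are the ones listed above, while the MSVCRT names and the WS2_32 ordinal are chosen for the sample and say nothing about the real Lab01-01 files.

```python
# Added example: minimal PE32 header and import-table reader, with a constructed sample.
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000      # Characteristics bit set on DLLs
ORDINAL_FLAG = 0x80000000    # thunk imports by ordinal instead of by name


def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_headers(data):
    """Compile time, DLL flag and section table from the COFF file header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    sections = []                                              # (VirtualAddress, size, raw offset)
    for i in range(nsec):
        _, vsize, va, rawsize, raw = struct.unpack_from("<8sIIII", data, pe_off + 24 + opt_size + 40 * i)
        sections.append((va, max(vsize, rawsize), raw))
    return {"pe_offset": pe_off, "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc),
            "is_dll": bool(chars & IMAGE_FILE_DLL), "sections": sections}


def _rva_to_off(rva, sections):
    for va, size, raw in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError("RVA 0x%x is outside every section" % rva)


def parse_imports(data):
    """{dll: [function or 'ordinal#N', ...]} from the import directory of a PE32 image."""
    hdr = parse_headers(data)
    opt_off = hdr["pe_offset"] + 24
    if struct.unpack_from("<H", data, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 is handled here; PE32+ thunks are 8 bytes wide")
    imp_rva = struct.unpack_from("<I", data, opt_off + 0x68)[0]   # DataDirectory[1].VirtualAddress
    imports = {}
    if imp_rva == 0:
        return imports
    off = _rva_to_off(imp_rva, hdr["sections"])
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)   # IMAGE_IMPORT_DESCRIPTOR
        if name_rva == 0:
            break                                                  # all-zero terminator
        funcs, thunk = [], _rva_to_off(oft or ft, hdr["sections"])
        while True:
            entry = struct.unpack_from("<I", data, thunk)[0]
            if entry == 0:
                break
            if entry & ORDINAL_FLAG:
                funcs.append("ordinal#%d" % (entry & 0xFFFF))
            else:                                                  # skip the 2-byte hint
                funcs.append(_cstr(data, _rva_to_off(entry, hdr["sections"]) + 2))
            thunk += 4
        imports[_cstr(data, _rva_to_off(name_rva, hdr["sections"]))] = funcs
        off += 20
    return imports


def build_sample_pe(stamp, imports, is_dll=False):
    """Constructed minimal PE32 with one .rdata section that holds only an import table."""
    sec_rva, sec_raw = 0x1000, 0x200
    desc_size = 20 * (len(imports) + 1)
    blob, descs = bytearray(), b""
    for dll, funcs in imports.items():
        thunks = []
        for fn in funcs:
            if isinstance(fn, int):                                # import by ordinal
                thunks.append(ORDINAL_FLAG | fn)
                continue
            thunks.append(sec_rva + desc_size + len(blob))
            blob += struct.pack("<H", 0) + fn.encode() + b"\0"     # IMAGE_IMPORT_BY_NAME
            blob += b"\0" * (len(blob) % 2)
        name_rva = sec_rva + desc_size + len(blob)
        blob += dll.encode() + b"\0" + b"\0" * (-(len(dll) + 1) % 4)
        int_rva = sec_rva + desc_size + len(blob)
        blob += struct.pack("<%dI" % (len(thunks) + 1), *thunks, 0)    # INT
        iat_rva = sec_rva + desc_size + len(blob)
        blob += struct.pack("<%dI" % (len(thunks) + 1), *thunks, 0)    # IAT
        descs += struct.pack("<IIIII", int_rva, 0, 0, name_rva, iat_rva)
    section = descs + b"\0" * 20 + bytes(blob)
    chars = 0x0102 | (IMAGE_FILE_DLL if is_dll else 0)             # EXECUTABLE_IMAGE | 32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, chars)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<II", opt, 0x68, sec_rva, desc_size)         # import directory RVA / size
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".rdata", len(section), sec_rva,
                          len(section), sec_raw, 0, 0, 0, 0, 0x40000040)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec_hdr
    return headers.ljust(sec_raw, b"\0") + section


LAB_STAMP = int(datetime(2010, 12, 19, 16, 16, 19, tzinfo=timezone.utc).timestamp())
SAMPLE_EXE = build_sample_pe(LAB_STAMP, {          # constructed; KERNEL32 names are from the answer above
    "KERNEL32.dll": ["CreateFileA", "CopyFileA", "CreateFileMappingA",
                     "FindFirstFileA", "FindNextFileA", "MapViewOfFile"],
    "MSVCRT.dll": ["printf", "memcpy"]})
SAMPLE_DLL = build_sample_pe(LAB_STAMP + 19, {"WS2_32.dll": [1]}, is_dll=True)   # ordinal is arbitrary

if __name__ == "__main__":
    for label, blob in (("exe", SAMPLE_EXE), ("dll", SAMPLE_DLL)):
        h = parse_headers(blob)
        print(label, h["compiled"].isoformat(), "DLL" if h["is_dll"] else "EXE", parse_imports(blob))
```

Note that the timestamp alone is not proof of when a file was built: the field is written by the linker and can be edited afterwards, so treat an implausible or future date as one more indicator rather than as a fact.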
5. Are there any other files or host-based indicators that you could look for on infected systems?
While examining the strings we found another file name, “kerne132.dll”, which is meant to pass for “kernel32.dll” (the digit 1 in place of the letter l). There is also “Lab01–01.dll”, which is not a common OS DLL. We can look for both of these files on infected systems.
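A look-alike DLL name is easy to miss by eye, so it is worth automating the check when sweeping a set of hosts. The following Python is an added example, not part of the original write-up: it normalizes confusable characters (1 for l, 0 for o, 5 for s) before comparing a file name against a short list of system DLLs, and separately flags names the analysis above identified as indicators. The protected-name list and the directory listing are constructed for the example; the real file name uses an ordinary hyphen (Lab01-01.dll) even though this page renders it with a dash.

```python
# Added example: flag host-based indicators by file name (look-alike system DLLs and
# the lab's companion DLL). The listing below is constructed, not taken from a real host.
import ntpath

# Assumption: a representative set of system DLLs that malware likes to imitate.
PROTECTED = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "msvcrt.dll", "ws2_32.dll"}
KNOWN_INDICATORS = {"lab01-01.dll"}                 # file name from the analysis above
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s"})


def normalize(name):
    """Lower-case and replace confusable characters so 'kerne132' compares as 'kernel32'."""
    return name.lower().translate(CONFUSABLES)


def classify(path):
    """Return a reason string if the file name is a host-based indicator, else None."""
    base = ntpath.basename(path).lower()             # handles Windows-style paths on any OS
    if base in KNOWN_INDICATORS:
        return "known indicator file name"
    if base in PROTECTED:
        return None                                  # spelled exactly like the genuine DLL
    imitated = {normalize(p): p for p in PROTECTED}.get(normalize(base))
    return "imitates %s" % imitated if imitated else None


def scan_listing(paths):
    """{path: reason} for every path in the listing that looks like an indicator."""
    hits = {}
    for p in paths:
        reason = classify(p)
        if reason:
            hits[p] = reason
    return hits


SAMPLE_LISTING = [                                   # constructed directory listing
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\kerne132.dll",
    r"C:\Windows\System32\ws2_32.dll",
    r"C:\Users\victim\AppData\Local\Temp\Lab01-01.dll",
    r"C:\Program Files\Vendor\msvcrt.dll",
    r"C:\Windows\System32\KERNE132.DLL",
]

if __name__ == "__main__":
    for path, reason in scan_listing(SAMPLE_LISTING).items():
        print(path, "->", reason)
```

A name match is only a lead: confirm a hit by hashing the file and comparing against the sample, since a genuine DLL can be renamed and a malicious one can be given a clean name.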
6. What network-based indicators could be used to find this malware on infected machines?
We found an IP address in the strings. We can capture the network traffic from all systems and look for communication with that IP address.
7. What would you guess is the purpose of these files?
Putting all the pieces together, we can assume that Lab01–01.exe, together with its companion Lab01–01.dll, is malware that creates a backdoor, connects to a C&C server and transfers critical information. Neither file is packed. Lab01–01.exe searches through directories looking for particular files and replaces them with disguised copies. It imports functions from the core KERNEL32.DLL, and the network-based imports are used to establish connections. It also uses the exec function, which means it executes other programs or files, along with a sleep function that waits until a particular statement or piece of code gets executed; this pattern is common in backdoors.