Practical Malware Analysis — Chapter 3— Lab03–01 — Solution

Kamran Saifullah
Aug 29, 2019

Having studied "Basic Dynamic Analysis" in theory, it's time to spend some time with the labs. This article provides solutions for the labs. Let's analyze Lab03-01 statically first and then dynamically!

Previously, during Basic Static Analysis, we did the following:

  1. Uploaded the file to VirusTotal
  2. Created a fingerprint (hashes) of the file
  3. Analyzed the file with PEiD, PEview, PE Explorer and strings

This time let's also look at another tool, new to me, called PE-Studio (pestudio), and use an alternative to PEiD called Detect It Easy (DIE) ;)

PE-Studio

Let’s try to examine the file using PE-Studio

We now have a lot of information in one place: the file's hashes (fingerprint), pestudio's indicators, the VirusTotal result, the sections of the executable, the libraries and imports, and the strings.

The strings reveal quite a bit. The executable references a web site it presumably connects to, and it also carries the name of a second executable, which suggests that this sample writes another binary to the system. Dynamic analysis will confirm this.

As always, I don't rely on a single tool, so I run strings again to confirm. We can see that ntdll is also listed, along with other library names, which means the executable does far more than its single static import suggests; a packer typically resolves the real imports at run time.

If we look at the executable in PEview, only one import is present (ExitProcess from kernel32.dll), which does not give us enough to work with.

Dependency Walker shows the same single import.

This really means that we need to run the executable. Before that, let's identify the packer with PEiD.

PEiD reports that the executable is packed. Let's cross-check with another tool, Detect It Easy (DIE).

DIE is the more commonly used packer detector these days. Now let's move on to analyzing the file dynamically.

Tools of the trade (for this lab)

  1. Process Explorer

All running processes are listed here, colour coded: services in pink, processes owned by the current user in blue, newly started processes in green and terminated processes in red (briefly, before they disappear from the list).

Double-clicking a process or service opens its properties, with more detail.

The "Verify" button on the Image tab checks that the image on disk carries a valid digital signature (for example from Microsoft). Malware often replaces or tampers with system binaries, so a system process that is unsigned or fails verification is a red flag. Keep the caveat in mind: Verify looks at the file on disk, so a legitimately signed process that has had code injected into it will still verify. That is where the Strings tab helps: it can show the strings of the image on disk and of the process in memory, and a large difference between the two is a clue that the process has been unpacked or altered in memory.

  2. Regshot

Regshot takes a first snapshot of the registry before we launch the malware and a second one after, then compares the two and lists the keys and values that were added, deleted or modified. It can also be told to scan one or more directories so that file system changes are listed alongside the registry changes.

  3. Netcat

Known as the "TCP/IP Swiss Army knife", Netcat can be used for both inbound and outbound connections: port scanning, tunnelling, proxying, port forwarding and much more. In listen mode it acts as a server; in connect mode it acts as a client. It takes data from standard input for transmission over the network, and everything it receives is written to standard output. In a malware lab it is handy as a listener on the port a sample connects to, so we can see what the sample sends.

  4. Wireshark

Well, this tool doesn't need any introduction ;))

The setup steps below are taken from the "Practical Malware Analysis" book.

  1. Running procmon and setting a filter on the malware executable name
     and clearing out all events just before running.
  2. Starting Process Explorer.
  3. Gathering a first snapshot of the registry using Regshot.
  4. Setting up your virtual network to your liking using INetSim and
     ApateDNS or FakeNET.
  5. Setting up network traffic logging using Wireshark.

NOTE: I am using WinXP SP3 as the Lab 3 samples were not working on Win7 :))

Analyzing the Lab03–01.exe

Let's fire up Regshot and take the first shot before we run the executable.

Shot 1 is done. Now let's start ProcMon (filtered on the process name), Process Explorer and ApateDNS, and see what this executable does.

Here we have all the details. Process Explorer shows the executable running. Process Monitor shows the operations the executable performed, with SUCCESS results, and ApateDNS shows the DNS request it made for a domain name. Now it's time to take the second shot with Regshot.

Now let's look at what Regshot has to say about the changes made by the executable.

That is a lot of changes.

Malware often creates a named mutex so that it does not infect the same machine twice: a second instance finds that the mutex already exists (it cannot create it fresh, or can open the existing one) and exits. The mutex name shows up in Process Explorer's lower pane (Handles view), and because it is fixed in the binary it can be used to detect infected hosts :))

Looking at the DLLs loaded by the process, we can see quite a few of them, and some provide core network functionality (ws2_32, which we already saw in the strings). These are the libraries it uses to resolve and connect to the domain.

A closer look at the registry additions shows that another executable is being set to run at startup.

Conclusion

We have found that the malware resolves and connects to www.practicalmalwareanalysis.com. SOFTWARE\Microsoft\Windows\CurrentVersion\Run is the registry key used to start the malware at boot, and VideoDriver is the value name it creates there. WinVMX32 is the name of the mutex it creates to prevent more than one instance from running on the same system. vmx32to64.exe is the executable that gets written to disk and that the Run entry points to, so it starts at every boot.

Lab 3–1

Analyze the malware found in the file Lab03–01.exe using basic dynamic analysis tools.

Questions

  1. What are this malware’s imports and strings?

In the import table we can see only one DLL (kernel32.dll) and one imported function (ExitProcess).

The executable is surely packed, and from the basic dynamic analysis we know that it does much more than this single import suggests.

Strings v2.53 — Search for ANSI and Unicode strings in binary images.
Copyright © 1999–2016 Mark Russinovich
Sysinternals — www.sysinternals.com

!This program cannot be run in DOS mode.
Rich
.text
`.data
ExitProcess
kernel32.dll
ws2_32
A)|
-~_
“p7
cks=u
ttp=
cks=
CONNECT %s:%i HTTP/1.0
QSRW
?503
200
PWW
thj@h
PWW
VSWRQ
YZ_[^
f5
YZ_[^
D$0
D$0
D$0
D$0
D$0
D$0
|$,
D$0
t$,
D$0
t$,
|$,
D$4
D$4
D$4
D$4
D$4
D$4
D$4
D$4
D$4
D$4
G]=
QVlM
4~v
X:a
3sg
6I*h<8
^-m-m<|<|<|M
o/o/
00U
advapi32
ntdll
user32
Jbh
ww!
1+KY
x{w
#%li
}>*K
40j
QQVP
ucj
jjjjjj
advpack
hk7
~Pj
<2f
StubPath
SOFTWARE\Classes\http\shell\open\commandV
Software\Microsoft\Active Setup\Installed Components\

test
www.practicalmalwareanalysis.com
admin
VideoDriver
WinVMX32-
vmx32to64.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Ph?
V5h
V)V
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
PWj
AppData
j@h
VQj
ViW
V%X_

The strings reveal additional library names (ws2_32, advapi32, ntdll, user32, advpack), a domain name, registry paths and the indicators below:

www.practicalmalwareanalysis.com

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

WinVMX32

VideoDriver

vmx32to64.exe
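As an added example (not code from the article), the following Python script does what the strings run above does and then sorts the output into indicator types. It scans a buffer for printable ASCII and UTF-16LE runs, the two encodings strings.exe looks for by default, and then applies a few heuristics (mine, not any standard) to separate library names, registry paths, file names, HTTP request templates and domain names from code-byte junk like D$0 and PWW. The SAMPLE buffer is constructed inline from values in the listing above and is not the real Lab03-01.exe:

```python
"""Added example: a strings.exe-style extractor with an indicator triage step.
It is not code from the article and does not read Lab03-01.exe; the input
below is a constructed byte blob that reuses strings from the listing above."""
import re
from collections import defaultdict

# Constructed sample (not the real file): MZ header and DOS stub, a one-entry
# import directory, opcode-like noise, ANSI strings and one UTF-16LE string.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    b"!This program cannot be run in DOS mode.\r\n$\x00\x00\x00"
    b"ExitProcess\x00kernel32.dll\x00ws2_32\x00"
    b"\x8b\x45\xfc\x33\xc0\xe8\x01\x00"
    b"CONNECT %s:%i HTTP/1.0\x00"
    b"www.practicalmalwareanalysis.com\x00"
    b"VideoDriver\x00WinVMX32-\x00vmx32to64.exe\x00"
    b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00\x00\x00"
    + "Software\\Microsoft\\Active Setup\\Installed Components\\".encode("utf-16-le")
    + b"\x00\x00\x5d\xc3"
)


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII runs and UTF-16LE runs of >= min_len characters,
    the same two encodings strings.exe scans for by default."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


# Ordered heuristics; the first pattern that matches wins. Library names go
# before file names and domains so that kernel32.dll is not mislabelled.
CLASSIFIERS = [
    ("http_request", re.compile(r"^(?:CONNECT|GET|POST|HEAD) .*HTTP/1\.[01]$")),
    ("library", re.compile(r"^(?:kernel32|ntdll|user32|advapi32|ws2_32|wininet|advpack)(?:\.dll)?$", re.I)),
    ("registry_path", re.compile(r"^(?:HK[A-Z_]+\\)?(?:SOFTWARE|SYSTEM)\\", re.I)),
    ("file_name", re.compile(r"^[\w.-]+\.(?:exe|dll|sys|bat|scr|vbs)$", re.I)),
    ("domain", re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)),
]


def triage(strings: list[str]) -> dict[str, list[str]]:
    """Bucket extracted strings by indicator type. Anything unclassified is kept
    under 'other' only if it is reasonably long and mostly alphanumeric, which
    drops fragments such as 'D$0' or 'PWW' that come from code bytes."""
    buckets: dict[str, list[str]] = defaultdict(list)
    for s in strings:
        for label, pattern in CLASSIFIERS:
            if pattern.match(s):
                buckets[label].append(s)
                break
        else:
            if len(s) >= 8 and sum(c.isalnum() for c in s) / len(s) >= 0.7:
                buckets["other"].append(s)
    return {label: sorted(set(items)) for label, items in buckets.items()}


def find_indicators(data: bytes) -> dict[str, list[str]]:
    """Extract and triage in one step."""
    return triage(extract_strings(data))


if __name__ == "__main__":
    # Against the real sample: find_indicators(open("Lab03-01.exe", "rb").read())
    for label, items in find_indicators(SAMPLE).items():
        print(f"{label}:")
        for item in items:
            print(f"  {item}")
```

The same function works on a memory dump of the running process, which is the disk-versus-memory comparison mentioned under Process Explorer above; on a packed sample the in-memory copy will usually yield far more readable strings than the file on disk.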

  2. What are the malware's host-based indicators?

The presence of the WinVMX32 mutex.

The VideoDriver value under the SOFTWARE\Microsoft\Windows\CurrentVersion\Run key.

The presence of vmx32to64.exe in the system32 folder.
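The Regshot comparison from the dynamic analysis above and the host-based indicators listed here can be pulled out mechanically rather than by eyeballing a long diff. The Python below is an added example, not the author's code: it parses a Regshot text report into its sections, flags values written under common persistence keys, lists executables in "Files added", and ties the two together. REPORT is constructed in Regshot's report layout with the Lab 3-1 findings mixed in with typical benign noise (RNG seed, MUICache, DHCP lease time); the persistence key list is an illustrative subset I chose, not something Regshot provides.

```python
"""Added example (not from the article): extract host-based indicators from a
Regshot comparison report. REPORT is constructed in Regshot's
"Keys added / Values added / Files added" layout; it is not real output."""
import re

REPORT = r"""Regshot 1.9.0 x86 ANSI
Comments:
Datetime:2019/8/29 10:00:00  ,  2019/8/29 10:04:11
Computer:WINXP , WINXP
Username:analyst , analyst

----------------------------------
Keys added: 2
----------------------------------
HKLM\SOFTWARE\Microsoft\Cryptography\RNG
HKU\S-1-5-21-1004336348-1177238915-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache

----------------------------------
Values added: 3
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDriver: "C:\WINDOWS\system32\vmx32to64.exe"
HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed: 4C 9A 01 7F 22 B3 E0 15
HKU\S-1-5-21-1004336348-1177238915-682003330-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Lab03-01.exe: "Lab03-01"

----------------------------------
Values modified: 1
----------------------------------
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4D36E972-E325-11CE-BFC1-08002BE10318}\LeaseObtainedTime: 0x5D672A10
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4D36E972-E325-11CE-BFC1-08002BE10318}\LeaseObtainedTime: 0x5D672A55

----------------------------------
Files added: 1
----------------------------------
C:\WINDOWS\system32\vmx32to64.exe

----------------------------------
Total changes: 7
----------------------------------
"""

SECTION_RE = re.compile(
    r"^(Keys (?:added|deleted)|Values (?:added|deleted|modified)|"
    r"Folders (?:added|deleted)|Files (?:added|deleted)|Total changes): (\d+)$"
)
# A value line is "<key path>\<value name>: <data>"; the first ": " splits them.
VALUE_RE = re.compile(r"^(?P<path>.+?): (?P<data>.*)$")

# Registry locations commonly abused for persistence (illustrative subset).
PERSISTENCE_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\|"
    r"\\Software\\Microsoft\\Active Setup\\Installed Components\\|"
    r"\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\",
    re.I,
)
EXECUTABLE_EXT = (".exe", ".dll", ".sys", ".scr", ".bat")


def parse_regshot(report: str) -> dict[str, list[str]]:
    """Split a Regshot text report into sections, e.g. {'Files added': [...]}.
    Header lines before the first section and the dashed rules are skipped."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.rstrip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif line and not line.startswith("----") and current is not None:
            sections[current].append(line)
    return sections


def host_indicators(sections: dict[str, list[str]]) -> dict[str, list]:
    """Pick out persistence entries and dropped executables. The WinVMX32 mutex
    never appears in a registry diff; Process Explorer's Handles view is where
    that indicator shows up."""
    persistence = []
    for line in sections.get("Values added", []) + sections.get("Values modified", []):
        m = VALUE_RE.match(line)
        if m and PERSISTENCE_RE.search(m.group("path")):
            persistence.append((m.group("path"), m.group("data").strip('"')))
    dropped = [p for p in sections.get("Files added", [])
               if p.lower().endswith(EXECUTABLE_EXT)]
    return {"persistence": persistence, "dropped_files": dropped}


def correlate(indicators: dict[str, list]) -> list[tuple[str, str]]:
    """Pair each persistence entry with the dropped file it launches; that link
    between the Run value and the payload is the strongest single indicator."""
    dropped = {d.lower() for d in indicators["dropped_files"]}
    return [(path, target) for path, target in indicators["persistence"]
            if target.lower() in dropped]


if __name__ == "__main__":
    # Real run: REPORT = open("regshot-compare.txt", encoding="latin-1").read()
    found = host_indicators(parse_regshot(REPORT))
    for path, target in found["persistence"]:
        print(f"persistence: {path} -> {target}")
    for path in found["dropped_files"]:
        print(f"dropped file: {path}")
    for _, target in correlate(found):
        print(f"Run entry launches dropped file: {target}")
```

The benign noise is deliberately left in the report: a real Regshot diff on XP is dominated by RNG seeds, MUICache entries and DHCP timestamps, and the point of the filter is to make the VideoDriver value and the file it points at stand out from those.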

  3. Are there any useful network-based signatures for this malware? If so,
     what are they?

The malware resolves and connects to www.practicalmalwareanalysis.com; the DNS request for that name is what ApateDNS showed us.

A filter or IDS rule on that domain name, in DNS queries and on any traffic to the address it resolves to, is the network signature for this sample.
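To turn that signature into something a sensor can evaluate, here is an added example (not part of the article) that decodes the question section of a raw DNS query, the same request ApateDNS answered with the analysis VM's address, and matches the queried name against a watchlist. The packet bytes are constructed with build_query() rather than captured from the lab, and WATCHLIST holding the article's domain is my assumption about what the rule should contain:

```python
"""Added example (not part of the article): decode the question section of a
raw DNS query and match it against a watchlist. Packet bytes are constructed
here, not captured from the lab."""
import struct

# Domains to alert on: the C2 name identified in the article.
WATCHLIST = {"www.practicalmalwareanalysis.com"}


def build_query(name: str, txid: int = 0x1A2B, qtype: int = 1) -> bytes:
    """Encode a standard recursive query (flags 0x0100) for one name, QCLASS IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", qtype, 1)


def parse_qname(payload: bytes, offset: int) -> tuple[str, int]:
    """Decode a label sequence starting at offset, following RFC 1035 4.1.4
    compression pointers. Returns (name, offset just past the name)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = payload[offset]
        if length & 0xC0 == 0xC0:                     # two-byte compression pointer
            pointer = struct.unpack(">H", payload[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        if length == 0:                               # root label ends the name
            if not jumped:
                end = offset + 1
            return ".".join(labels), end
        if length > 63:
            raise ValueError("label too long")
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii"))
        offset += length


def parse_query(payload: bytes) -> dict:
    """Return the transaction id and (name, qtype, qclass) for every question."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if flags & 0x8000:
        raise ValueError("QR bit set: this is a response, not a query")
    questions, offset = [], 12
    for _ in range(qdcount):
        name, offset = parse_qname(payload, offset)
        qtype, qclass = struct.unpack(">HH", payload[offset:offset + 4])
        offset += 4
        questions.append((name.lower(), qtype, qclass))
    return {"txid": txid, "questions": questions}


def matches_watchlist(payload: bytes, watchlist=WATCHLIST) -> list[str]:
    """Queried names that equal a watchlist entry or sit under it, so listing
    'practicalmalwareanalysis.com' also catches any subdomain."""
    hits = []
    for name, _, _ in parse_query(payload)["questions"]:
        if any(name == w or name.endswith("." + w) for w in watchlist):
            hits.append(name)
    return hits


if __name__ == "__main__":
    pkt = build_query("www.practicalmalwareanalysis.com")
    print(parse_query(pkt))
    print("ALERT" if matches_watchlist(pkt) else "clean")
```

When feeding this from a capture, pass only the UDP payload (the bytes after the 8-byte UDP header). For a quick look in Wireshark without code, the display filter dns.qry.name contains "practicalmalwareanalysis" isolates the same requests.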
