Practical Malware Analysis — Chapter 3 — Lab03 -03 — Solution

Kamran Saifullah
3 min read, Aug 29, 2019

We now analyze Lab03-03.exe, starting with its strings for basic static analysis.

!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
.rsrc

Microsoft Visual C++ Runtime Library
Runtime Error!
Program:

<program name unknown>
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
=9@
A9@
CloseHandle
VirtualFree
ReadFile
VirtualAlloc
GetFileSize
CreateFileA
ResumeThread
SetThreadContext
WriteProcessMemory
VirtualAllocEx
GetProcAddress
GetModuleHandleA
ReadProcessMemory
GetThreadContext
CreateProcessA
FreeResource
SizeofResource
LockResource
LoadResource
FindResourceA
GetSystemDirectoryA
Sleep
KERNEL32.dll
GetCommandLineA
GetVersion
ExitProcess
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
GetModuleFileNameA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
GetStartupInfoA
HeapDestroy
HeapCreate
HeapFree
RtlUnwind
WriteFile
HeapAlloc
GetCPInfo
GetACP
GetOEMCP
HeapReAlloc
LoadLibraryA
MultiByteToWideChar
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
h-@
\svchost.exe
NtUnmapViewOfSection
ntdll.dll
UNICODE
LOCALIZATION

Nothing here points to a packer: the import table is intact and the section names are the standard Visual C++ ones. What stands out is the combination of CreateProcessA, NtUnmapViewOfSection (listed next to ntdll.dll rather than in the KERNEL32.dll import block, so most likely resolved at runtime through GetModuleHandleA and GetProcAddress), VirtualAllocEx, WriteProcessMemory, GetThreadContext/SetThreadContext and ResumeThread, together with the string \svchost.exe. That is the API chain of process replacement (process hollowing): start a new svchost.exe, unmap its image, write a different image into its address space, point the main thread's context at the new entry point and resume it. The resource APIs (FindResourceA, LoadResource, LockResource, SizeofResource) and the resource names UNICODE and LOCALIZATION suggest that the replacement image is carried as a resource inside Lab03-03.exe. Basic dynamic analysis should confirm this.
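To make the reasoning above repeatable, here is an added triage script (not part of the original post) that takes a strings dump, keeps the lines that look like API names, groups them by capability and reports whether the full process-replacement chain is present. The capability groups are this example's own heuristic, and the sample input is a constructed excerpt of the strings listed above.

```python
"""Triage imports from a strings dump for the process-replacement API chain."""
import re

# Every name is a real Win32/NT API; the grouping is this example's own
# triage heuristic, not a standard taxonomy.
CAPABILITIES = {
    "spawn_process":      {"CreateProcessA", "CreateProcessW"},
    "unmap_image":        {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"},
    "remote_alloc":       {"VirtualAllocEx"},
    "remote_write":       {"WriteProcessMemory"},
    "thread_context":     {"GetThreadContext", "SetThreadContext"},
    "resume_thread":      {"ResumeThread"},
    "dynamic_resolution": {"GetProcAddress", "GetModuleHandleA", "LoadLibraryA"},
    "resource_payload":   {"FindResourceA", "FindResourceW", "LoadResource",
                           "LockResource", "SizeofResource"},
    "file_io":            {"CreateFileA", "CreateFileW", "ReadFile",
                           "WriteFile", "GetFileSize"},
}

# Process replacement needs all of these steps. Carrying the payload in a
# resource is how this sample appears to do it, but it is not required.
HOLLOWING_STEPS = ("spawn_process", "unmap_image", "remote_alloc",
                   "remote_write", "thread_context", "resume_thread")

# CamelCase identifier with no dots: filters out DLL names and junk strings.
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]{3,}$")

# Constructed sample: the import-related lines from the strings dump above.
SAMPLE_STRINGS = r"""
CloseHandle
VirtualFree
ReadFile
VirtualAlloc
GetFileSize
CreateFileA
ResumeThread
SetThreadContext
WriteProcessMemory
VirtualAllocEx
GetProcAddress
GetModuleHandleA
ReadProcessMemory
GetThreadContext
CreateProcessA
FreeResource
SizeofResource
LockResource
LoadResource
FindResourceA
GetSystemDirectoryA
Sleep
KERNEL32.dll
LoadLibraryA
\svchost.exe
NtUnmapViewOfSection
ntdll.dll
UNICODE
LOCALIZATION
"""


def extract_api_names(strings_dump):
    """Keep only the lines that look like API identifiers."""
    return {ln.strip() for ln in strings_dump.splitlines()
            if API_NAME.match(ln.strip())}


def classify(api_names):
    """Map each capability to the imported names that provide it."""
    return {cap: sorted(api_names & names)
            for cap, names in CAPABILITIES.items() if api_names & names}


def has_process_replacement_chain(found):
    """True only when every step of the hollowing chain is imported."""
    return all(step in found for step in HOLLOWING_STEPS)


def executable_names(strings_dump):
    """Strings ending in .exe are candidate targets for the spawned process."""
    return sorted({ln.strip() for ln in strings_dump.splitlines()
                   if ln.strip().lower().endswith(".exe")})


def triage(strings_dump):
    """Summarise what the strings suggest the binary can do."""
    found = classify(extract_api_names(strings_dump))
    return {
        "capabilities": found,
        "process_replacement": has_process_replacement_chain(found),
        "payload_in_resource": "resource_payload" in found,
        "exe_targets": executable_names(strings_dump),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_STRINGS), indent=2))
```

Running it on the sample flags the complete chain plus resource loading, with \svchost.exe as the only executable name. The check is deliberately strict: a dropper that only imports WriteProcessMemory and CreateRemoteThread is injecting, not replacing, and will not trip it.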

When the sample is run, Lab03-03.exe appears in Process Explorer, but within about two seconds the process exits.

It leaves behind an svchost.exe process that is now orphaned: its parent has exited, and, unlike legitimate svchost.exe instances, it is not a child of services.exe. Comparing the strings in the memory of that svchost.exe with the strings of the svchost.exe image on disk shows that the code running inside it is a keylogger.

A log file, practicalmalwareanalysis.log, is also created. Opening it shows the keystrokes typed on the machine.

Now it’s time to answer the questions.

Lab 3–3

Execute the malware found in the file Lab03–03.exe while monitoring it using basic dynamic analysis tools in a safe environment.

Questions

1. What do you notice when monitoring this malware with Process Explorer?

Lab03-03.exe starts, spawns svchost.exe as a child process and then exits. The svchost.exe keeps running as an orphan, which is abnormal: legitimate svchost.exe instances are children of services.exe.

2. Can you identify any live memory modifications?

Yes. Process Explorer can show the strings of a process's image on disk and the strings currently in its memory. For the orphaned svchost.exe the two do not match: the in-memory strings include a hooking API and the name of a log file, neither of which is present in the svchost.exe image on disk. That mismatch is what process replacement looks like from the outside, and those strings are what identified the program as a keylogger.

3. What are the malware’s host-based indicators?

The host-based indicators are the file practicalmalwareanalysis.log, and an svchost.exe process that is not a child of services.exe (here an orphan whose parent has exited) and whose memory strings do not match the svchost.exe image on disk.
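The three answers above (orphaned svchost.exe, memory strings that are absent from the disk image, and the log file) can be turned into checks. The following is an added example, not code from the original post: it runs the checks over a constructed process snapshot, constructed string sets for the on-disk and in-memory svchost.exe, and a constructed directory listing, all embedded inline so it runs offline.

```python
"""Checks for the host-based indicators of Lab03-03: a mis-parented or
orphaned svchost.exe, in-memory strings missing from the disk image, and the
keylogger's log file. All input data below is constructed for the example."""
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid name")

# Constructed snapshot resembling the Process Explorer view after the lab runs.
# PID 2244 is the spawned svchost.exe; its parent PID 3000 (Lab03-03.exe)
# has already exited, so no process with that PID exists in the snapshot.
SNAPSHOT = [
    Proc(4, 0, "System"),
    Proc(400, 4, "smss.exe"),
    Proc(560, 400, "winlogon.exe"),
    Proc(600, 560, "services.exe"),
    Proc(720, 600, "svchost.exe"),
    Proc(804, 600, "svchost.exe"),
    Proc(1504, 560, "explorer.exe"),
    Proc(2244, 3000, "svchost.exe"),
]

# Constructed string excerpts: what the svchost.exe image on disk contains
# versus what the memory strings view shows for PID 2244.
DISK_STRINGS = {"svchost.exe", "ServiceMain", "kernel32.dll",
                "advapi32.dll", "StartServiceCtrlDispatcherW"}
MEMORY_STRINGS = {"svchost.exe", "kernel32.dll", "SetWindowsHookExA",
                  "practicalmalwareanalysis.log", "[SHIFT]", "[ENTER]"}

# Constructed listing of the directory the sample was run from.
FILES_SEEN = [r"C:\lab\Lab03-03.exe", r"C:\lab\practicalmalwareanalysis.log"]

LOG_NAME = "practicalmalwareanalysis.log"
KEYLOGGER_MARKERS = {"SetWindowsHookExA", "SetWindowsHookExW", LOG_NAME}


def suspicious_svchost(snapshot):
    """svchost.exe instances that are orphaned or not children of services.exe."""
    by_pid = {p.pid: p for p in snapshot}
    flagged = []
    for p in snapshot:
        if p.name.lower() != "svchost.exe":
            continue
        parent = by_pid.get(p.ppid)
        if parent is None:
            flagged.append((p.pid, "orphaned: parent %d has exited" % p.ppid))
        elif parent.name.lower() != "services.exe":
            flagged.append((p.pid, "parent is %s, not services.exe" % parent.name))
    return flagged


def memory_only_strings(disk_strings, memory_strings):
    """Strings present in memory but not in the on-disk image. Many of these
    in a system binary mean the image in memory is not the one on disk."""
    return sorted(memory_strings - disk_strings)


def log_file_present(files_seen):
    """Whether the keylogger's output file exists in the listing."""
    return any(path.lower().endswith(LOG_NAME) for path in files_seen)


def host_indicators(snapshot, disk_strings, memory_strings, files_seen):
    """Combine the three checks into one report with an overall verdict."""
    mem_only = memory_only_strings(disk_strings, memory_strings)
    report = {
        "suspicious_svchost": suspicious_svchost(snapshot),
        "memory_only_strings": mem_only,
        "log_file_present": log_file_present(files_seen),
    }
    # Verdict: a mis-parented svchost.exe whose memory carries keylogger
    # strings that its disk image does not.
    report["keylogger_in_replaced_svchost"] = bool(
        report["suspicious_svchost"] and KEYLOGGER_MARKERS & set(mem_only))
    return report


if __name__ == "__main__":
    for key, value in host_indicators(SNAPSHOT, DISK_STRINGS,
                                      MEMORY_STRINGS, FILES_SEEN).items():
        print("%-30s %s" % (key, value))
```

On a live host the snapshot would come from Process Explorer's parent column or from a Win32_Process query that returns ProcessId and ParentProcessId. One caveat: Windows reuses PIDs, so a parent PID that no longer exists, or that now belongs to an unrelated process, is a lead to verify against process start times rather than a verdict on its own; the memory-versus-disk string comparison is the stronger of the two signals.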

4. What is the purpose of this program?

The program is a keylogger: it records keystrokes and writes them to practicalmalwareanalysis.log, and it hides by running that code inside a replaced svchost.exe process so that it looks like an ordinary Windows service host.


Kamran Saifullah

Malware/RE/Firmware Analysis, App Sec/Off Sec, VAPT, Phishing Simulations/SE | Risk Management, IS Governance, Audits, ISO 27001 LI