Practical Malware Analysis — Chapter 3 — Lab03–04 — Solution
This is the last lab of Chapter 3. We are provided with Lab03–04.exe and need to analyze it using basic dynamic analysis techniques.
Running strings on the file reveals the following:
!This program cannot be run in DOS mode.
6K4
6KRich
.text
`.rdata
@.data
Microsoft Visual C++ Runtime Library
Runtime Error!
Program:
…
<program name unknown>
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
.com
.bat
.cmd
GetLastActivePopup
GetActiveWindow
MessageBoxA
user32.dll
PATH
CloseHandle
SetFileTime
GetFileTime
CreateFileA
GetSystemDirectoryA
GetLastError
ReadFile
WriteFile
Sleep
GetShortPathNameA
GetModuleFileNameA
CopyFileA
ExpandEnvironmentStringsA
DeleteFileA
KERNEL32.dll
RegQueryValueExA
RegOpenKeyExA
RegSetValueExA
RegCreateKeyExA
RegDeleteValueA
CreateServiceA
CloseServiceHandle
ChangeServiceConfigA
OpenServiceA
OpenSCManagerA
DeleteService
ADVAPI32.dll
ShellExecuteA
SHELL32.dll
WS2_32.dll
ExitProcess
TerminateProcess
GetCurrentProcess
GetTimeZoneInformation
GetSystemTime
GetLocalTime
DuplicateHandle
GetCommandLineA
GetVersion
SetStdHandle
GetFileType
SetHandleCount
GetStdHandle
GetStartupInfoA
CreatePipe
GetExitCodeProcess
WaitForSingleObject
HeapReAlloc
HeapAlloc
GetCPInfo
GetACP
GetOEMCP
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
GetEnvironmentStringsW
GetModuleHandleA
GetEnvironmentVariableA
GetVersionExA
HeapDestroy
HeapCreate
VirtualFree
HeapFree
RtlUnwind
MultiByteToWideChar
GetStringTypeA
GetStringTypeW
SetFilePointer
VirtualAlloc
LCMapStringA
LCMapStringW
GetProcAddress
LoadLibraryA
FlushFileBuffers
GetFileAttributesA
CreateProcessA
CompareStringA
CompareStringW
SetEnvironmentVariableA
lZ@
Configuration
SOFTWARE\Microsoft \XPS
\kernel32.dll
HTTP/1.0
GET
‘`’`’
`’`’`
NOTHING
CMD
DOWNLOAD
UPLOAD
SLEEP
cmd.exe
>> NUL
/c del
ups
http://www.practicalmalwareanalysis.com
Manager Service
.exe
%SYSTEMROOT%\system32\
k:%s h:%s p:%s per:%s
Analyzing the strings, we can see a URL and the words DOWNLOAD, UPLOAD, SLEEP and CMD, which look like the commands of a downloader. Strings are compared in both ANSI and wide-character form (CompareStringA/W), the service manager is opened, files are created and deleted, a service is created and deleted, the system directory is fetched, the system local time is fetched, and so on. The executable does a lot more than this.
Let’s analyze it using basic dynamic analysis techniques.
On running the executable, a CMD window is opened and then closed. The CMD with PID 2804 is the one I have opened.
When I looked in the folder, the executable was gone. This suggests that the original executable copies itself somewhere else under another name and then removes itself. We can observe the processes in Process Monitor and see that a CMD process was created, did its job and then closed itself.
On closer inspection we can also see the command used to delete the executable.
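As an added example (not from the original post or the PMA book), here is a small Python triage helper that applies the same reasoning as above to a strings dump: it groups imports into capability hints, pulls out the C2 command words and URL, and flags the cmd.exe `/c del ... >> NUL` self-deletion idiom. The category tables and the sample dump (a subset of the strings listed above) are my own constructions.

```python
import re

# Imports and literals grouped by the behaviour they hint at (defender's view);
# the groupings are my own triage choice, not a standard taxonomy.
CAPABILITY_HINTS = {
    "service persistence": {"OpenSCManagerA", "CreateServiceA", "ChangeServiceConfigA", "DeleteService"},
    "registry access": {"RegOpenKeyExA", "RegSetValueExA", "RegCreateKeyExA", "RegDeleteValueA"},
    "file manipulation": {"CopyFileA", "DeleteFileA", "CreateFileA", "WriteFile", "GetSystemDirectoryA"},
    "process launch": {"CreateProcessA", "ShellExecuteA"},
    "network": {"WS2_32.dll", "HTTP/1.0", "GET"},
}
# Bare command words a backdoor might accept from its operator; together they hint at a C2 protocol.
C2_COMMANDS = {"NOTHING", "CMD", "DOWNLOAD", "UPLOAD", "SLEEP"}
URL_RE = re.compile(r"https?://[^\s\"']+")

def triage_strings(dump: str) -> dict:
    """Summarise a strings dump: capability hints, C2 command words, URLs and the self-delete idiom."""
    found = {line.strip() for line in dump.splitlines() if line.strip()}
    capabilities = {name: sorted(found & apis) for name, apis in CAPABILITY_HINTS.items() if found & apis}
    urls = sorted(url for line in found for url in URL_RE.findall(line))
    # "/c del" alongside ">> NUL" is the cmd.exe self-deletion idiom observed in this lab.
    self_delete = any("/c del" in s for s in found) and any(">> NUL" in s for s in found)
    return {
        "capabilities": capabilities,
        "c2_commands": sorted(found & C2_COMMANDS),
        "urls": urls,
        "self_delete_idiom": self_delete,
    }

# Constructed sample: a subset of the strings listed above for Lab03-04.exe.
SAMPLE_DUMP = """
DeleteFileA
CreateServiceA
OpenSCManagerA
WS2_32.dll
NOTHING
CMD
DOWNLOAD
UPLOAD
SLEEP
cmd.exe
>> NUL
/c del
http://www.practicalmalwareanalysis.com
"""

if __name__ == "__main__":
    for key, value in triage_strings(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```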
Let’s try to answer the questions for now.
Lab 3–4
Analyze the malware found in the file Lab03–04.exe using basic dynamic analysis tools. (This program is analyzed further in the Chapter 9 labs.)
Questions
1. What happens when you run this file?
When we run the file, a process is created which opens CMD and then deletes the original executable, after making a copy of itself execute and hide somewhere else.
2. What is causing the roadblock in dynamic analysis?
The executable is evasive: it tries to evade analysis by checking whether the system is a VM, whether AV is present, etc. Obviously this makes it difficult to observe the file via dynamic analysis.
3. Are there other ways to run this program?
Other ways are to open the executable in OllyDbg or IDA Pro, where we can analyze it more efficiently.