Practical Malware Analysis — Chapter 3 — Lab03-2 — Solution

Kamran Saifullah
Aug 29, 2019

Let’s move on to solving the 2nd lab of Chapter 3. This time we are provided with a DLL file and we have to analyze it.

We start with basic static analysis using strings.

!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
.reloc
GetModuleFileNameA
Sleep
TerminateThread
WaitForSingleObject
GetSystemTime
CreateThread
GetProcAddress
LoadLibraryA
GetLongPathNameA
GetTempPathA
ReadFile
CloseHandle
CreateProcessA
GetStartupInfoA
CreatePipe
GetCurrentDirectoryA
GetLastError
lstrlenA
SetLastError
OutputDebugStringA
KERNEL32.dll
RegisterServiceCtrlHandlerA
RegSetValueExA
RegCreateKeyA
CloseServiceHandle
CreateServiceA
OpenSCManagerA
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
DeleteService
OpenServiceA
SetServiceStatus
ADVAPI32.dll
WSASocketA
WS2_32.dll
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetConnectA
InternetOpenA
InternetCloseHandle
WININET.dll
memset
wcstombs
strncpy
strcat
strcpy
atoi
fclose
fflush
??3@YAXPAX@Z
fwrite
fopen
strrchr
??2@YAPAXI@Z
atol
sscanf
strlen
strncat
strstr
_itoa
strchr
__CxxFrameHandler
_EH_prolog
_CxxThrowException
_except_handler3
MSVCRT.dll
??1type_info@@UAE@XZ
free
_initterm
malloc
_adjust_fdiv
_strnicmp
_chdir
_stricmp
Lab03-02.dll
Install
ServiceMain
UninstallService
installA
uninstallA
Y29ubmVjdA==
practicalmalwareanalysis.com
serve.html
dW5zdXBwb3J0
c2xlZXA=
Y21k
cXVpdA==
*/*
Windows XP 6.11
CreateProcessA
kernel32.dll
.exe
GET
HTTP/1.1
%s %s
1234567890123456
quit
exit
getfile
cmd.exe /c
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/
— !>
<! —
.PAX
.PAD
DependOnService
RpcSs
ServiceDll
GetModuleFileName() get dll path
Parameters
Type
Start
ObjectName
LocalSystem
ErrorControl
DisplayName
Description
Depends INA+, Collects and stores network configuration and location information, and notifies applications when this information changes.
ImagePath
%SystemRoot%\System32\svchost.exe -k
SYSTEM\CurrentControlSet\Services\
CreateService(%s) error %d
Intranet Network Awareness (INA+)
%SystemRoot%\System32\svchost.exe -k netsvcs
OpenSCManager()
You specify service name not in Svchost//netsvcs, must be one of following:
RegQueryValueEx(Svchost\netsvcs)
netsvcs
RegOpenKeyEx(%s) KEY_QUERY_VALUE success.
RegOpenKeyEx(%s) KEY_QUERY_VALUE error .
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
IPRIP
uninstall success
OpenService(%s) error 2
OpenService(%s) error 1
uninstall is starting
.?AVtype_info@@

There are lots of strings, but the ones we need to focus on are:

practicalmalwareanalysis.com
RegSetValueExA
RegCreateKeyA
CloseServiceHandle
CreateServiceA
RegCloseKey
RegQueryValueExA
RegOpenKeyExA
DeleteService
OpenServiceA
SetServiceStatus
InternetReadFile
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
InternetConnectA
InternetOpenA
InternetCloseHandle
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
IPRIP

installA
uninstallA
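Several of the strings in the dump (Y29ubmVjdA==, dW5zdXBwb3J0, c2xlZXA=, Y21k, cXVpdA==) use only the characters of the base64 alphabet that itself appears as a string in the DLL, and some end in the typical = padding, which is worth checking before the dynamic run. The helper below is an added example of mine, not from the book or the lab; it scans a (constructed) subset of the strings output for base64-looking lines and decodes the ones that yield printable ASCII.

```python
import base64
import re
import string
from typing import Dict, Optional

# Subset of the strings output above, embedded so the script runs offline.
STRINGS_DUMP = """
Y29ubmVjdA==
practicalmalwareanalysis.com
dW5zdXBwb3J0
c2xlZXA=
Y21k
cXVpdA==
Windows XP 6.11
1234567890123456
quit
exit
"""

# Standard base64 alphabet (the same one that appears as a string in the DLL)
# with up to two '=' padding characters.
_B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def looks_like_base64(token: str) -> bool:
    """Structural check only: right alphabet and a length that is a multiple of 4."""
    return len(token) >= 4 and len(token) % 4 == 0 and bool(_B64_TOKEN.match(token))


def decode_if_printable(token: str) -> Optional[str]:
    """Decode a candidate and keep it only if every byte is printable ASCII.
    Short tokens can still decode to printable junk, so treat hits as leads."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if raw and all(chr(b) in _PRINTABLE for b in raw):
        return raw.decode("ascii")
    return None


def decode_candidates(dump: str) -> Dict[str, str]:
    """Map every base64-looking line of a strings dump to its decoded text."""
    found = {}
    for line in dump.splitlines():
        token = line.strip()
        if looks_like_base64(token):
            decoded = decode_if_printable(token)
            if decoded is not None:
                found[token] = decoded
    return found
```

Lines such as 1234567890123456, quit and exit pass the structural check but decode to non-printable bytes, so they are dropped; the five tokens that survive give a readable command vocabulary to look for once the service is running.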

Now we move on to dynamic analysis. Fire up Regshot and take the first shot, then start ApateDNS, Procmon and Process Explorer.

To run this DLL we need rundll32.exe from C:\Windows\System32. We noticed in the strings that the DLL exports an installA function, so that is the export we call.

We can clearly see that the DLL runs. Now take the second shot and compare.

Here we can see that a service named IPRIP has been created and its registry entries have been added. Now that we know the name of the service, we can start it.

Once the service is running, we can clearly see that practicalmalwareanalysis.com is being requested.

That was all for the analysis. It’s time to answer the questions.

Lab 3-2

Analyze the malware found in the file Lab03-02.dll using basic dynamic analysis tools.

Questions

1. How can you get this malware to install itself?

We can install this malware with rundll32.exe, passing the name of the export to call as the argument, which in this case is installA.

2. How would you get this malware to run after installation?

Once the malware is installed, we can see a new service named IPRIP registered. We can start it with the net command in Windows:

net start IPRIP

3. How can you find the process under which this malware is running?

In Process Explorer we can use the Find option, provide the name of the DLL, and see the process under which the malware is running.

4. Which filters could you set in order to use Procmon to glean information?

We can filter on the PID, which in this case is “1016”, to see everything the process does.

5. What are the malware’s host-based indicators?

The malware installs a service called IPRIP with the display name Intranet Network Awareness (INA+) and the description “Depends INA+, Collects and stores network configuration and location information, and notifies applications when this information changes.”

It writes to HKLM\SYSTEM\ControlSet001\Services\IPRIP\Parameters\ServiceDll: %CurrentDirectory%\Lab03-02.dll in the registry for persistence.

6. Are there any useful network-based signatures for this malware?

It tries to connect to “practicalmalwareanalysis.com”.
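Questions 4 to 6 come down to filtering the Procmon capture by the malware’s PID and pulling the host-based and network-based indicators out of what remains. As an added example of mine (not from the book), here is that triage done in code over a constructed CSV in the shape of a Procmon “Save as CSV” export: the column names follow Procmon’s export, the PID is the 1016 from above, and the file paths and local hostname are made up.

```python
import csv
import io

# Constructed rows in the shape of a Procmon CSV export; not a real capture from
# the lab, and the local hostname and DLL path are invented for the example.
PROCMON_CSV = r"""
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","svchost.exe","1016","RegCreateKey","HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters","SUCCESS","Desired Access: All Access"
"10:01:02.2","svchost.exe","1016","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\ImagePath","SUCCESS","Type: REG_EXPAND_SZ, Length: 88, Data: %SystemRoot%\System32\svchost.exe -k netsvcs"
"10:01:02.3","svchost.exe","1016","RegSetValue","HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\ServiceDll","SUCCESS","Type: REG_EXPAND_SZ, Length: 58, Data: C:\Lab\Lab03-02.dll"
"10:01:02.4","svchost.exe","1016","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs","SUCCESS","Type: REG_MULTI_SZ"
"10:01:02.5","explorer.exe","1488","RegSetValue","HKCU\Software\Classes\Local Settings\MuiCache","SUCCESS","Type: REG_SZ, Length: 4, Data: x"
"10:01:03.0","svchost.exe","1016","TCP Connect","analysis-vm:1052 -> practicalmalwareanalysis.com:http","SUCCESS","Length: 0"
"""

SERVICES_KEY = r"HKLM\SYSTEM\CurrentControlSet\Services"


def filter_by_pid(csv_text, pid):
    """Keep only the events of one process, which is what the Procmon PID filter does."""
    rows = csv.DictReader(io.StringIO(csv_text.strip()))
    return [r for r in rows if r["PID"] == str(pid)]


def service_indicators(csv_text, pid):
    """Collect RegSetValue writes under the Services key as {service: {value: data}}."""
    found = {}
    prefix = SERVICES_KEY.lower() + "\\"
    for row in filter_by_pid(csv_text, pid):
        if row["Operation"] != "RegSetValue" or not row["Path"].lower().startswith(prefix):
            continue
        parts = row["Path"][len(prefix):].split("\\")
        service, value_name = parts[0], parts[-1]
        detail = row["Detail"]
        # Procmon puts the written value after "Data: " in the Detail column.
        data = detail.split("Data: ", 1)[1] if "Data: " in detail else ""
        found.setdefault(service, {})[value_name] = data
    return found


def network_endpoints(csv_text, pid):
    """Remote endpoints from TCP/UDP events, e.g. 'practicalmalwareanalysis.com:http'."""
    remote = []
    for row in filter_by_pid(csv_text, pid):
        if row["Operation"].startswith(("TCP ", "UDP ")) and " -> " in row["Path"]:
            remote.append(row["Path"].split(" -> ", 1)[1])
    return remote
```

The explorer.exe row is dropped by the PID filter, the RegQueryValue of the netsvcs list is read-only and so is not reported as an indicator, and the two RegSetValue writes under Services\IPRIP plus the outbound connection are exactly the answers to questions 5 and 6.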
