Practical Malware Analysis Chapter 1

LAB 1-1

1. Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?

Yes. The VirusTotal reports for each of these files show matches against existing antivirus signatures, which should be a clear indicator that these files are not safe.


2. When were these files compiled?

In PEview we found the DLL to have a compile date of:
and the exe file to have a compile date of:


3. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

No, there are no indications of these files being packed or obfuscated. We know this because viewing the files in Dependency Walker shows common DLL names and a large number of imports.


4. Do any imports hint at what this malware does? If so, which imports are they?

The DLL file shown below reveals the imported functions CreateProcess and Sleep. “Creates a new process and its primary thread. The new process runs in the security context of the calling process.” –https://docs.microsoft.com/en-us/windows/desktop/api/processthreadsapi/nf-processthreadsapi-createprocessa

The sleep function “Suspends the execution of the current thread until the time-out interval elapses.” –https://docs.microsoft.com/en-us/windows/desktop/api/synchapi/nf-synchapi-sleep

These two functions can be used maliciously to start additional processes and to delay that until a specified time has elapsed. A user may therefore run an application and have no idea that something starts happening 15 minutes later.


Shown below we can see the exe importing functions from KERNEL32.DLL; as mentioned in the book, the functions FindFirstFile, FindNextFile and CopyFile are used to search for and copy files on the system. There are likely more functions here that could be used maliciously, but based on the text in the chapter these seem to be of major concern.

Lastly, the exe also imports WS2_32.DLL, which contains functions related to networking. Therefore this could be utilizing network capabilities for malicious acts.


5. Are there any other files or host-based indicators that you could look for on infected systems?

Since we suspect this file to be malicious and have identified the capabilities it has, such as searching for, copying and creating files as well as network capabilities, we can look deeper into it using PEview. If we open up the exe and look through the SECTION .data we find some interesting plain text. We see a reference to C:\windows\system32\kerne132.dll, which, as you can see, is meant to trick users into thinking it is “kernel32.dll”. Looking for this new file would be a host-based indicator.


6. What network-based indicators could be used to find this malware on infected machines?

In the DLL's .data section we again find plain text, this time an IP address, 127.26.152.13. What is important to note is that this DLL imports functions related to networking, so we can suspect it creates a socket connection to an external server at that IP address in order to exchange data. Any traffic to or from this IP address could be a network-based indicator.


7. What would you guess is the purpose of these files?

Based on what we know about the files it is likely that the EXE runs or installs a backdoor on the system and the DLL consists of the backdoor functionality. Since the DLL file has network capabilities as well as the ability to create processes and sleep it is likely this is a backdoor. It can be controlled over the network to create a process allowing an attacker to gain access to the device.

 

LAB 1-2

 

1. Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

 

On VirusTotal there were plenty of matches indicating this is a malicious file.


 

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

 

When checking the strings of the exe we see UPX0, UPX1 and UPX2, which are indications of UPX packing.


Using the upx tool we can unpack this exe:

upx -d lab01-02.exe -o lab01-02_2.exe


 

3. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

 

KERNEL32.DLL contains ExitProcess, which may be of interest, but I’m not really sure of its abilities. ADVAPI32.DLL can be used for CreateServiceA to obviously create services; this seems like the biggest issue with this exe to me. Lastly we have WININET.DLL, which contains the functions InternetOpenUrlA and InternetOpenA, which are used to initialize the WININET functions and open URLs. I’m sure you can think of ways this could be used maliciously.

 

4. What host- or network-based indicators could be used to identify this malware on infected machines?

 

Taking another look at the strings of this exe we can see the string “MalService”, which is likely a service being created through ADVAPI32.DLL and its CreateServiceA function. Right below this we can see http://malwareanalysisbook.com, which we can assume is a web page the exe is going to access using the InternetOpenUrlA function. Therefore, any network traffic to this URL would indicate an infected machine.

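The indicators above (the look-alike kerne132.dll path and the IP address in Lab 1-1, questions 5 and 6, and the MalService string and URL in Lab 1-2, question 4) were all pulled out of the binaries' plain-text strings. The script below is an added example, not code from the book or from this write-up: it reimplements the strings(1) pass in pure Python over a constructed byte blob (not bytes from the lab files) and then sorts what it finds into indicator types, including a homoglyph check that flags a file name imitating a well-known DLL. The KNOWN_DLLS list and the digit-for-letter substitution table are assumptions chosen for the example.

```python
import re

# Constructed sample standing in for the .data section of a PE file: binary noise
# mixed with the kinds of strings the write-ups found. Not bytes from the lab binaries.
SAMPLE_DATA = (
    b"\x00\x01\x02MZ\x90\x00\x03\x00"
    b"C:\\windows\\system32\\kerne132.dll\x00"
    b"\xff\xfe\x01"
    b"127.26.152.13\x00"
    b"\x00\x00ab\x00"                      # too short to count as a string
    b"hello\x00"
    b"http://malwareanalysisbook.com\x00"
    b"\x10\x11"
    b"MalService\x00"
)

# Legitimate DLL names that look-alike file names imitate (short, assumed list).
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "ws2_32.dll"}

# Digit-for-letter substitutions seen in look-alike names: "kerne132" for "kernel32".
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s"})

URL_RE = re.compile(r"^https?://[\w.-]+(?:/\S*)?$", re.IGNORECASE)
WINPATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)


def extract_strings(data, min_len=4):
    """Return runs of printable ASCII (0x20-0x7e) of at least min_len bytes, like strings(1)."""
    found, run = [], bytearray()
    for b in data + b"\x00":            # sentinel flushes a trailing run
        if 0x20 <= b <= 0x7E:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    return found


def is_ipv4(s):
    """True for a dotted quad whose four octets are all in 0..255."""
    parts = s.split(".")
    return len(parts) == 4 and all(p.isdigit() and int(p) <= 255 for p in parts)


def lookalike_of(filename):
    """Return the legitimate DLL a file name imitates after homoglyph normalisation, else None."""
    name = filename.lower()
    if name in KNOWN_DLLS:
        return None
    normalised = name.translate(HOMOGLYPHS)
    for known in KNOWN_DLLS:
        if normalised == known.translate(HOMOGLYPHS):
            return known
    return None


def classify(strings_):
    """Bucket extracted strings into indicator types a defender can hunt for."""
    ind = {"ipv4": [], "url": [], "path": [], "lookalike": [], "other": []}
    for s in strings_:
        if is_ipv4(s):
            ind["ipv4"].append(s)
        elif URL_RE.match(s):
            ind["url"].append(s)
        elif WINPATH_RE.match(s):
            ind["path"].append(s)
            target = lookalike_of(s.rsplit("\\", 1)[-1])
            if target:
                ind["lookalike"].append((s, target))
        else:
            ind["other"].append(s)
    return ind


if __name__ == "__main__":
    for kind, items in classify(extract_strings(SAMPLE_DATA)).items():
        print(kind, items)
```

Run against a real section dump, the "lookalike" bucket is the host-based indicator from question 5 (a file whose name normalises to kernel32.dll but is not kernel32.dll), while "ipv4" and "url" give the values to search for in proxy or firewall logs. Note that "MalService" lands in "other": a service name is only recognisable as an indicator once you know CreateServiceA is imported, which the strings pass alone cannot tell you.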

LAB 1-3

1. Upload the Lab01-03.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

 


 

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

This file is very likely packed, as the strings output showed only two functions and not much else. Unfortunately, at this stage we are only capable of unpacking UPX-packed files. Dependency Walker also revealed the same result.


 

Also, comparing each section's virtual size with its raw size, we can see that across the board the virtual size is much larger than the raw size, and in the case shown below there is virtual size but zero raw size.


 

3. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

 

4. What host- or network-based indicators could be used to identify this malware on infected machines?

 

 

Unable to do these two parts as we are unable to unpack the file.

 

LAB 1-4

1. Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

 


 

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

 

No clear indications of this file being packed. I determined this by looking for results similar to those found previously in the packed files and in the examples from the book.

 

3. When was this program compiled?

 

August 30th, 2019. Since this time is in the future, it is assumed to be fake.

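The compile dates read out of PEview (Lab 1-1 question 2 and the forged-looking date here), the UPX section names (Lab 1-2 question 2) and the virtual-versus-raw size gap (Lab 1-3 question 2) all come from the same few header fields. The script below is an added example, not code from the book or this write-up: it parses those fields with struct alone (no pefile dependency) and runs the three checks over two constructed, header-only PE images built inline for the demonstration. The ANALYSIS_DATE used for the "is the timestamp in the future" check and the 4:1 virtual/raw ratio threshold are assumptions, and the constructed images contain no code and are not the lab binaries.

```python
import struct
from datetime import datetime, timezone


def build_minimal_pe(timestamp, sections):
    """Construct a header-only PE image: DOS header, NT headers and a section table.
    Constructed for this example; it has no code and is not a real executable.
    sections: list of (name, virtual_size, raw_size)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0                      # a real PE32 carries a 224-byte optional header here
    file_header = struct.pack(
        "<HHIIIHH",
        0x014C,                       # Machine: IMAGE_FILE_MACHINE_I386
        len(sections),                # NumberOfSections
        timestamp,                    # TimeDateStamp: seconds since the Unix epoch
        0, 0,                         # PointerToSymbolTable, NumberOfSymbols
        opt_size,                     # SizeOfOptionalHeader
        0x0102)                       # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    table, rva, raw_ptr = b"", 0x1000, 0x400
    for name, vsize, rsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\x00"),
                             vsize, rva, rsize, raw_ptr if rsize else 0,
                             0, 0, 0, 0, 0x60000020)
        rva += (vsize + 0xFFF) & ~0xFFF
        raw_ptr += rsize
    return dos + b"PE\x00\x00" + file_header + table


def parse_pe(data):
    """Pull the header fields used for triage out of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    sect_off = fh + 20 + opt_size     # section table follows the optional header
    sections = []
    for i in range(nsections):
        f = struct.unpack_from("<8sIIIIIIHHI", data, sect_off + 40 * i)
        sections.append({"name": f[0].rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_size": f[1], "raw_size": f[3]})
    return {"timestamp": timestamp, "sections": sections}


def triage(data, reference_time, ratio_limit=4.0):
    """Return the packing and timestamp indicators the PEview checks in the labs look for."""
    info = parse_pe(data)
    findings = []
    compiled = datetime.fromtimestamp(info["timestamp"], tz=timezone.utc)
    if compiled > reference_time:
        findings.append(f"compile time {compiled:%Y-%m-%d} is in the future: likely forged")
    for s in info["sections"]:
        name, vsize, rsize = s["name"], s["virtual_size"], s["raw_size"]
        if name.upper().startswith("UPX"):
            findings.append(f"section {name}: UPX section name")
        if rsize == 0 and vsize > 0:
            findings.append(f"section {name}: virtual size {vsize:#x} but no raw data")
        elif rsize and vsize / rsize > ratio_limit:
            findings.append(f"section {name}: virtual/raw ratio {vsize / rsize:.1f}")
    return findings


# Constructed samples, not the lab binaries. The first mimics a UPX-packed file
# with a compile date after the analysis; the second a plain, unpacked build.
PACKED = build_minimal_pe(
    int(datetime(2019, 8, 30, tzinfo=timezone.utc).timestamp()),
    [("UPX0", 0x8000, 0), ("UPX1", 0x3000, 0x2E00), (".rsrc", 0x1000, 0x200)])
NORMAL = build_minimal_pe(
    int(datetime(2011, 6, 1, tzinfo=timezone.utc).timestamp()),
    [(".text", 0x1200, 0x1200), (".data", 0x400, 0x400)])

ANALYSIS_DATE = datetime(2018, 1, 1, tzinfo=timezone.utc)   # assumed date of the analysis

if __name__ == "__main__":
    for label, image in (("packed", PACKED), ("normal", NORMAL)):
        print(label, triage(image, ANALYSIS_DATE) or ["no indicators"])
```

To use it on a real sample, read the file into bytes and pass it to triage(); parse_pe() already skips whatever SizeOfOptionalHeader says, so real PE32 and PE32+ headers parse the same way. The ratio check is a heuristic: a legitimate .bss or .rsrc section can also have a large virtual size, so treat a single hit as a reason to look closer in PEview rather than as proof of packing.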

 

4. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

 

ADVAPI32.dll certainly seems suspicious, with functions related to privileges and adjusting privileges. KERNEL32.dll contains WinExec, which can execute a file, and other functions such as WriteFile, CreateFileA and related file functions, which means this malicious file is likely creating a file and running it. The functions relating to directories, such as GetWindowsDirectoryA, are another indication that this exe writes files, as this function retrieves the path of the Windows directory, which is the legacy directory for storing program files.


 

5. What host- or network-based indicators could be used to identify this malware on infected machines?

 

Using the info from the solutions page this was actually quite interesting. The first thing most people will probably notice is from the strings. There you can find the following:


This shows us that it will be running an executable, and also shows a URL that, judging by the name, is how the malicious file will download new malicious files over the network. What is interesting is that there are no networking-related functions being imported. Please look at question 6 to see why this is so.

 

6. This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?

 

What I failed to notice is the initial text in the BIN file shown in PEview, BIN 0065 0409. Using Resource Hacker we can analyze this BIN file more closely. What is important here is the “This program cannot be run in DOS mode.” text, as this is the initial text for a PE header. This reveals that this BIN is actually a separate executable. To analyze this exe we must use Resource Hacker to save the resource to a BIN file, and then we can view it in PEview.


Analyzing the BIN file in PEview reveals the functions related to networking and the one in particular being related to the URL in question.

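The tell in question 6 was an MZ header and the DOS-stub message sitting inside a resource. The script below is an added example, not code from the book or this write-up: it does the same thing Resource Hacker plus a careful eye did, scanning a blob for an MZ header whose e_lfanew field really points at a PE signature (a bare "MZ" pair of bytes is common noise) and carving from that offset so the result can be opened in PEview. The resource contents are constructed inline for the demonstration, including a decoy "MZ" with no valid e_lfanew, and the header-only stub is not the real embedded executable from Lab01-04.exe.

```python
import struct

DOS_STUB_MESSAGE = b"This program cannot be run in DOS mode."


def find_embedded_pe(blob):
    """Offsets in blob where a plausible PE image starts: an 'MZ' header whose
    e_lfanew (offset 0x3C) points at a 'PE\\0\\0' signature inside the blob."""
    hits, start = [], 0
    while True:
        i = blob.find(b"MZ", start)
        if i < 0 or i + 0x40 > len(blob):      # need the whole 64-byte DOS header
            break
        e_lfanew = struct.unpack_from("<I", blob, i + 0x3C)[0]
        sig = i + e_lfanew
        # e_lfanew must clear the DOS header and stay small; a huge value is noise
        if 0x40 <= e_lfanew < 0x1000 and blob[sig:sig + 4] == b"PE\x00\x00":
            hits.append(i)
        start = i + 1
    return hits


def carve(blob, offset):
    """Slice from the PE start to the end of the blob, which is enough for PEview."""
    return blob[offset:]


def has_dos_stub_message(pe_bytes):
    """The text the write-up spotted in Resource Hacker lives in the DOS stub,
    between the DOS header and the PE signature."""
    return DOS_STUB_MESSAGE in pe_bytes[:0x100]


def stub_pe():
    """Constructed header-only PE with a DOS stub; not a real executable."""
    e_lfanew = 0x80
    hdr = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    hdr += DOS_STUB_MESSAGE + b"\r\n$"
    hdr = hdr.ljust(e_lfanew, b"\x00")
    file_header = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0, 0x0102)
    return hdr + b"PE\x00\x00" + file_header


# Constructed resource contents: padding, a decoy "MZ" whose e_lfanew field reads as
# zero, then the embedded stub at offset 38, then trailing padding.
RESOURCE = b"\x00" * 16 + b"MZ" + b"\x00" * 20 + stub_pe() + b"\x00" * 8

if __name__ == "__main__":
    for off in find_embedded_pe(RESOURCE):
        image = carve(RESOURCE, off)
        print(f"PE image at offset {off}: {len(image)} bytes, "
              f"DOS stub message present: {has_dos_stub_message(image)}")
```

Given a resource saved from Resource Hacker, read it into bytes and pass it to find_embedded_pe(); each offset it returns is a candidate to carve and load into PEview, where the import table of the inner executable (the networking functions the outer file lacks) becomes visible.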
