Practical Malware Analysis Chapter 3

Chapter 3

Lab 3-1

Let me start  by saying this chapter is just awesome. To be good at anything you need to know how to use the tools that can make you good and that is exactly what this chapter helps you understand. Unfortunately, I read the chapter about a week before attempting the lab and being that this is my first ever time looking at dynamic analysis I really struggled with the lab tasks on my own. Therefore, don’t be surprised if my answers look very similar to those found in the book.

1)What are this malware’s imports and strings?

I first ran Dependency Walker in order to see what imports are apparent. As you can see below there is only one import which is KERNEL32.DLL being that there is only one import with the function “ExitProcess” there is a good chance this exe is packed.unnamed (1)

Using the strings command we can see some interesting strings such as registry locations, a url, and vmx32to64.exe which with a quick google search is listed as malware.

unnamed (21)unnamed (2)

2 and 3)

To discover host-based and network-based indicators we jump into some dynamic analysis. As mentioned in the book we set up ApataDNS, wireshark, process explorer, process monitor and netcat listener on port 80 and 443.

ApateDNS – used to catch DNS requests and reply with a user defined address such as localhost (127.0.0.1)

Wireshark – used to monitor network traffic

Process explorer – view processes and visualize details of the process

Process monitor – monitors actions taken by processes such as writing files

Netcat – using the -l and -p flags we can listen on a specific port. For our case we want to listen on port 443 (https) so we can see what malware may send or request via https

Once we are setup we then run the Lab03-01.exe and view it in process explorer. Using the View->Show Lower Pane option we can visualize the process in more detail. Scrolling through we can see a listing with the type “mutant” signifying a mutex is being created by this exe.

unnamed (3)

Next we check out process monitor and activate three filters, one to return only events related to the exe, and two others to only include operations related to writeFile and RegSetValue. This will return all events from the exe that either use the function writeFile or set registry values.

unnamed (4)

The results show that the exe creates a file vmx32to64.exe and places it in the directory C:\WINDOWS\system32\ and judging by the file size we can guess that this new exe is likely a replica of the original exe with an altered name. We could check this by taking a hash of each of the files and comparing the hash.

unnamed (5)

The newly created exe in the directory:

unnamed (6)

There was also an event for a RegSetValue  for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDriver and upon further analysis shown below we can see that this has the data field for the new exe. Another way we could have found this is with the tool RegShot, where we can see registry edits before and after a baseline is captured. With a quick google search you can determine that this registry location is used to store programs to run on boot. Therefore, this malware would be ran on boot because of the events that took place by the original exe. Deleting the original exe and rebooting would still not remove the malware.

unnamed (7)

Analyzing the netcat traffic we can see some interesting characters. Running the exe a second time revealed different characters and a third time again revealed different characters.

unnamed (8)

With Wireshark we can see the tcp traffic of 256 bytes with the SSL protocol. While it is listed as SSL the contents do not match other samples of SSL traffic.

unnamed (10)

2) What are the malware’s host-based indicators?

The host-based indicators would be the registry change and mutex exe file found above.

3) Are there any useful network-based signatures for this malware? If so, what are they?

256-byte packets being over port 443 (SSL) after resolving DNS for http://www.practicalmalwareanalysis.com is a good indicator of this malware on a machine.

Lab 3-2

1) How can you get this malware to install itself?

Shown below we can see the exported installA function which allows us to install the malware as a service via the command line with “rundll32.exe Lab03-02.dll,installA”.

unnamed (9)

2) How would you get this malware to run after installation?

While looking at the strings output as well as the functions it has available it was quite clear that there was likely going to be some registry modification. Therefore, I setup regshot and took a baseline shot and then installed the malware. Once this was done I took another shot and compared the two. The results are shown below; as we can see this added a service to the registry called IPRIP and set its values.

Now we know how to run this malware after installation, by starting the IPRIP service using “net start IPRIP”

unnamed (11)

unnamed (13)

3) How can you find the process under which this malware is running?

It is important to understand that a DLL relies on an executable to launch. While looking at the registry edits you may notice “svchost.exe -k netscvs” which is likely indicating this malware will be launched inside an svchost.exe process. To verify this we can run the malware and do a search for Lab03-02.dll in Process Explorer with the Find DLL feature.

4) Which filters could you set in order to use procmon to glean information?

In process explorer we are able to find the PID of the service and use that as a filter in procmon.

5) What are the malware’s host-based indicators?

The main host-based indicator is certainly the additional service found within the registry. IPRIP here under the Parameters directory shows us even more proof that this is related to the malware. As you can see it added the serviceDll as the DLL in whatever directory you have the lab file saved. 

unnamed (12)

6) Are there any useful network-based signatures for this malware?

DNS requests from practicalmalwareanalysis.com

unnamed (14)

Using fakenet we are able to view the traffic via http. Here we can see it is sending a GET request for /serve.html via port 80. The user agent consists of our pc name and then Windows XP 6.11.

unnamed (15)

Lab 3-3

Dependency Walker shows many functions that may be of interest

unnamed (16)

1) What do you notice when monitoring this malware with Process Explorer?

What I first noticed was an additional svchost.exe appear. Upon looking at it I then noticed the directory linking to the exe. After noticing this I clicked properties and went to strings to look for any interesting plain text. There was nothing much under image strings however, memory strings consisted of some interesting text. The text gives a pretty good indication that this malware is a keylogger.

unnamed (17)

unnamed (18)

2) Can you identify any live memory modifications?

As discussed in the previous question the image versus memory strings vary greatly. What is important to note with the memory strings is the “practicalmalwareanalysis.log” and the various keyboard function references.

3) What are the malware’s host-based indicators?

By using the PID number as a filter in procmon we were able to see where the practicalmalwareanalysis.log file was being saved. This happened to be the same directory as the malware.

unnamed (19)

4) What is the purpose of this program?

By opening the log file we can prove that this is indeed a keylogger.

unnamed (20)

3-4

Alright let’s end this chapter with some lameness. Being that I’m using this as a gateway into malware analysis I almost always skim through solutions prior to attempting problems. This allows me to get some initial hands-on practice before working on challenges without help; this is just what works for me and helps me learn.

Unfortunately, this lab task is not possible with the current knowledge provided in the book as mentioned in the solutions. Every which way we try to run this exe it will immediately delete itself. 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Create a website or blog at WordPress.com

Up ↑

%d bloggers like this: