Practical Malware Analysis - Lab Write-up

20 minute read

PMALab

Introduction

This details reverse engineering activities and answers for labs contained in the book ‘Practical Malware Analysis’ by Michael Sikorski and Andrew Honig, which is published by No Starch Press. This is a very informative book to learn about malware analysis and comes with a number of binaries to test your reverse engineering skills. I would thoroughly recommend purchasing this book.

Chapter 1. Basic Static Techniques

This details analysis undertaken and answers to the lab questions in Chapter 1.

Lab 1-1

This lab uses the files Lab01-01.exe and Lab01-01.dll. Use the tools and techniques described in the chapter to gain information about the files and answer the questions below.

Question 1

Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?

Answer 1

Using the Malcode Analyst Pack we are able to perform this by simply right clicking the files and selecting VirusTotal. At the time of writing both matched existing antivirus signatures:

lab01-01.exe

  • 35/65 detection rate

lab01-01.dll

  • 28/64 detection rate

Question 2

When were these files compiled?

Answer 2

Using PEview we are able to view this information. The information is found under: IMAGE_NT_HEADERS > IMAGE_FILE_HEADER > Time Date Stamp

Lab01-01.exe

lab01-01.exe compile time - 2010-12-19 Sunday 16:16:19 UTC

Lab01-01.dll

lab01-01.dll compile time - 2010-12-19 Sunday 16:16:38 UTC

Question 3

Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

Answer 3

No, there’s no indicators these files are packed or obfuscated due to the following:

Using PEiD we can identify them as being compiled with Microsoft Visual C++ 6.0.

lab01-01.dll

DLL Compiled

lab01-01.exe

EXE Compiled

Using PEview we can see the virtual size is close to the raw size of the files.

lab01-01.exe

EXE Size

Using the Malcode Analyst Pack we can view “strings” and see there’s plenty of them.

lab01-01.dll and lab01-01.exe File Strings

Question 4

Do any imports hint at what this malware does? If so, which imports are they?

Answer 4

Analysing Lab01-01.exe through Dependency Walker highlighted a number of interesting functions imported from KERNEL32.DLL, these were:

  • CopyFile
  • FindFirstFile
  • FindNextFile

Based on this we can infer that files would likely be searched for on the file system and files would be copied.

Lab01-01.exe Imports

Analysing Lab01-01.dll through Dependency Walker highlighted functions imported from KERNEL32.DLL, these were:

  • CreateProcess
  • Sleep

Lab01-01.dll Imports

Based on this we can infer that the dll would likely spawn a new process and sleep (pause execution) at some stage.

The DLL also had some interesting imports from WS2_32.DLL through the use of the ‘Ordinal Number’.

Lab01-01.dll Network Imports

Matching the Ordinal Number to the associated name, these functions were:

  • closesocket
  • connect
  • htons
  • inet_addr
  • recv
  • send
  • shutdown
  • socket
  • WSAStartup
  • WSACleanup

Based on this we can infer that the program has connects to a network or IP of some kind and opens up a socket to send and receive packets.

Question 5

Are there any other files or host-based indicators that you could look for on infected systems?

Answer 5

Examining the strings contained within Lab01-01.exe more closely reveals that it is referencing a file called C:\windows\system32\kerne132.dll. This is a very subtle misspelling of the legitimate Kernal32.dll file (notice the use of 1 instead of l) because of this it is likely malicious and we am able to use this to search for infected systems.

Lab01-01.exe Strings

Question 6

What network-based indicators could be used to find this malware on infected machines?

Answer 6

Examining the strings contained within Lab01-01.dll more closely reveals that there is what appears to be an IP address. Because of this and the network imports, it is highly likely that this DLL contacts this IP address, and as such we are able to use this to find infected systems which have contacted 127.26.152.13.

Lab01-01.dll Strings

Question 7

What would you guess is the purpose of these files?

Answer 7

Based on everything we’ve enumerated above, we would guess that the executable is used to run the DLL which acts as a backdoor or remote access trojan (RAT). Based on the imports it’s possible the executable searches to see if C:\windows\system32\kerne132.dll exists, and if it doesn’t it may attempt to copy the malicious DLL to C:\windows\system32\kerne132.dll which is used for persistence. Upon executing the DLL, it likely contacts a C2 server at 127.26.152.13.

Lab 1-2

This lab uses the file Lab01-02.exe. Analyze the file Lab01-02.exe.

Question 1

Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

Answer 1

Using the Malcode Analyst Pack we are able to perform this by simply right clicking the files and selecting VirusTotal. At the time of writing the file matched existing antivirus signatures:

Lab01-02.exe

lab01-02.exe

  • 45/70 detection rate

Question 2

Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

Answer 2

Diving in with a different tool called Exeinfo PE, we are able to determine that this file is packed using the Ultimate Packer for eXecutables (UPX). This also gives me some information on how to unpack the executable using UPX.

Lab01-02.exe Exeinfo PE

In addition, we can use VirusTotal to view Section names, properties, a small number of imports, and a section with a raw size significantly smaller than the virtual size which all indicate that this file is packed with UPX.

Lab01-02.exe VirusTotal

Following the unpacking guidance, we can unpack this executable giving to a new file.

Lab01-02.exe Unpacking

upx -d Lab01-02.exe -o Lab01-02-Unpacked.exe

Question 3

Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

Answer 3

Analysing Lab01-02.exe through Dependency Walker highlighted the below interesting functions:

WININET.DLL

  • InternetOpenUrl
  • InternetOpen

Lab01-02.exe ININET.DLL

ADVAPI32.DLL

  • CreateService
  • StartServiceCtrlDispatcher
  • OpenSCManager

Lab01-02.exe ADVAPI32.DLL

Based on this we can infer that the executable creates and triggers a service, and that it connects to the internet.

Question 4

What host- or network-based indicators could be used to identify this malware on infected machines?

Answer 4

Looking at the strings of this file shows 2 interesting elements, ‘malservice’ and ‘http://www.malwareanalysisbook.com’.

Lab01-02.exe Strings

Based on this we can assume that searching hosts for the scheduled service called ‘malservice’ and looking at any hosts connectiong to ‘http://www.malwareanalysisbook.com’ would serve as reliable host and network indicators.

Lab 1-3

This lab uses the file Lab01-03.exe. Analyze the file Lab01-03.exe.

Question 1

Upload the Lab01-03.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

Answer 1

At the time of writing this had an overwhelming number of AV detections.

Lab01-03.exe

55/65 detection

Question 2

Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

Answer 2

Once again, trying a different tool to keep things fresh, PE Detective revealed that this file was packed this time using FSG.

Lab01-03.exe PE Detective

Using PEiD reveals that there are no import tables for the section like previously seen, which seems extremely strange. The raw hex almost looks like it is supposed to be importing something similar to loadlibrary and getprocaddress.

Lab01-03.exe Packed Library Imports

Looking at this through dependency walker revealed that these were indeed being imported. With only these libraries it is a very good indication that this binary is packed.

Lab01-03.exe Packed Library Imports

Question 3

Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

Answer 3

At present the file is packed with FSG, and we are unable to unpack this with the techniques learnt so far.

Question 4

What host- or network-based indicators could be used to identify this malware on infected machines?

Answer 4

At present the file is packed with FSG, and we are unable to unpack this with the techniques learnt so far.

Lab 1-4

This lab uses the file Lab01-04.exe. Analyze the file Lab01-04.exe.

Question 1

Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

Answer 1

Getting creative with our VirusTotal submissions, we can check the file hash by using the VirusTotal API and some basic PowerShell. At the time of writing this had 53 detections.

Lab01-04.exe VirusTotal

Question 2

Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

Answer 2

There are no indications this file is packed or obfuscated, PEiD identifies it was created with Microsoft Visual C++ 6.0, PEview shows similar virtual and raw data size, and dependency walker shows a number of imports.

Question 3

When was this program compiled?

Answer 3

Using PEview we can see this program says it was compiled on the 30th of August 2019, and even as I type this years after the book was published that date is still a week away so this has obviously been faked or ‘timestomped’.

Lab01-04.exe

Question 4

Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

Answer 4

Based on the imports from Kernel32 we can see that this will load resources from the file’s resource section and write files to disk. Based on the GetWindowsDirectory function we can assume this will write files to the system directory, and will then execute them due to the WinExec function.

Lab01-04.exe

The imports from Advapi32 indicate that this is attempting to modify or change the token assigned to the execution of this process, presumably to elevate privileges or give extended access rights.

Lab01-04.exe

Question 5

What host-based or network-based indicators could be used to identify this malware on infected machines?

Answer 5

Looking into the strings of this file, we can see an entry for the following host indicators:

  • winup.exe
  • system32\wupdmgrd.exe

The strings also indicate the below network-based url which may be where a malware updater or second stage payload is pulled from.

  • http://practicalmalwareanalysis.com/updater.exe

Lab01-04.exe

Question 6

This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?

Answer 6

Looking at this resource through Resource Hacker, we can see that it has a header which indicates it is an embedded executable.

Lab01-04.exe

By saving this as a binary (executable) file, we can then open it in dependency walker and see this is the file which not only contains the winexec imported function of kernel32, but also the URLDownloadToFile function of URLMON.DLL which indicates it will likely download and execute a file.

Lab01-04.exe

Chapter 2. Malware Analysis in Virtual Machines

This chapter had no questions, but rather documented setting up a VM for malware analysis. Broadly speaking the process to follow is below:

  • Create a clean snapshot without any malware.
  • Transfer malware to the VM.
  • Perform analysis from within the VM.
  • Take notes, screenshots, and data from the VM, and move these back to your Host OS.
  • Revert the VM back to the clean snapshot.

Chapter 3. Basic Dynamic Analysis

This details analysis undertaken and answers to the lab questions in Chapter 3.

Lab 3-1

This lab uses the file Lab03-01.exe. Analyse this using basic dynamic analysis tools.

Question 1

What are this malware’s imports and strings?

Answer 1

Looking at a new tool, we’re able to open this up in PE Studio to gain a lot of insight into the file, and determine both its imports and strings.

Based on the low number of imports we can assume this file is packed.

Lab03-01.exe

If we take a look at the strings though we see a number of interesting entries which we typically wouldn’t expect to see on a packed file.

Lab03-01.exe

Question 2

What are the malware’s host-based indicators?

Answer 2

Attempting to run this file within a Windows 7 and Windows 10 VM causes it to crash and fail.

In todays day and age this piece of malware is detected by almost every AV available but also fails to run properly. This is because like a lot of malware it was created with a certain OS in mind (in this case Windows XP).

By running the malware in a Windows XP environment we are able to see what the original functionality of this file was:

Lab03-01.exe

The host based indicators are as follows:

  • A Mutex - AKA Mutual Exclusion (this is essentially a lock on a resource), is created for “WinVMX32”.
  • The malware is copied to a file called “vmx32to64.exe” which is dropped within C:\Windows\System32.
  • A registry key is created at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDriver for persistence indicating whenever the system starts it should run the copied malware.

Question 3

Are there any useful network-based signatures for this malware? If so, what are they?

Answer 3

By directing our Windows XP traffic through another host we can use a utility such as Fakenet or ApateDNS to intercept the requests.

Lab03-01.exe

Through doing this we can see the below:

  • www[.]practicalmalwareanalysis[.]com is resolved

Had we allowed the malware to establish a connection we would see it sending random beakons of 256 bytes out of random data over port 443.

Lab 3-2

This lab uses the file Lab03-02.dll. Analyse this using basic dynamic analysis tools.

Question 1

How can you get this malware to install itself?

Answer 1

Using PE-bear we are able to easily see the exports of this DLL file. When comparing this with the imports shown in PEview it becomes quite clear that this DLL needs to be installed as a service.

Lab03-02.dll

To further validate our assumptions we can run strings over the DLL. Some key elements of interest are shown below:

Lab03-02.dll

Something to note is the reference to Windows XP 6.11, which means it’s once again likely this was created for, and will only work on, Windows XP.

Back in our Windows XP VM, we’re able to use rundll32.exe and the install exported function to execute this DLL and install it as a service.

rundll32.exe Lab03-02.dll,install

By using regshot we’re easily able to see the registry keys which have been modified by running the DLL.

Lab03-02.dll

Question 2

How would you get this malware to run after installation?

Answer 2

Given this has installed as a service and we know the name is IPRIP we can run it through either the net utility, or SC Tool.

sc start IPRIP
net start IPRIP

Question 3

How can you find the process under which this malware is running?

Answer 3

By searching for the specified DLL, or looking at the DLLs loaded by a process in Process Explorer, we’re able to get the process ID of the svchost process which is running this malware.

Lab03-02.dll

  • 1068

Question 4

Which filters could you set in order to use procmon to glean information?

Answer 4

Because there’s likely to be multiple svchost processes, we can filter by the Process ID to glean information only on the svchost process responsible for running this malware.

Question 5

What are the malware’s host-based indicators?

Answer 5

By examining the service which is created we can get a number of host-based indicators.

Lab03-02.dll

  • IPRIP
  • Intranet Network Awareness (INA+)
  • Depends INA+, Collects and stores network configuration and location information, and notifies applications when this information changes.
  • HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\ /v servicedll

Question 6

Are there any useful network-based signatures for this malware?

Answer 6

By running Fakenet on the host we’re able to intercept the malware’s request and determine what it is sending to a remote server. In this case it uses a specified domain name, uses port 80, always fetches a specific file, and uses a custom but unique user agent.

Lab03-02.dll

  • practicalmalwareanalysis[.]com
  • port 80
  • serve.html
  • User-Agent %ComputerName% Windows XP 6.11

It’s at this point that the string previously discovered as ‘Windows XP’ has context.

Lab 3-3

Question 1

What do you notice when monitoring this malware with Process Explorer?

Answer 1

If we monitor this malware with Process Explorer we can see it briefly spawns svchost before both processes vanish.

At this point if we look closer into the memory strings of running svchost processes, we can see that this malware has used process replacement (more commonly known as process hollowing nowadays) to execute under the guise of a svchost process.

Question 2

Can you identify any live memory modifications?

Answer 2

As mentioned by looking into the live memory of svchost we can see the strings differ significantly on disk to what is in memory.

Lab03-03.exe

Question 3

What are the malware’s host-based indicators?

Answer 3

We can see both in memory, and on disk that the malware creates a file called practicalmalwareanalysis.log

Lab03-03.exe

  • practicalmalwareanalysis.log

Question 4

What is the purpose of this program?

Answer 4

By opening wordpad and typing out some content, we can then open up practicalmalwareanalysis.log and see that it has logged all of our keystrokes.

Lab03-03.exe

From this we can conclude that this uses process hollowing to run a keylogger on the infected machine through svchost.exe

Lab 3-4

Question 1

What happens when you run this file?

When we run this file it immediately deletes itself. We can see this event coming from the program spawning a del (delete) command from a command prompt.

Lab03-04.exe

Question 2

What is causing the roadblock in dynamic analysis?

This could be caused by command line parameters needing to be passed to the program, it needing to fetch a particular file from a remote location, it detecting it is in a sandbox, it only targeting a particular timezone, or it only running on a specific domain. Some clues can be found by looking at the program strings.

Lab03-04.exe

Question 3

Are there other ways to run this program?

Attempting to run with the below enumerated through strings still results in the file being deleted, so at this stage we cannot do much more; however, this will be revisited in lab 9.

  • cc
  • re
  • in

Chapter 4. A Crash Course in x86 Disassembly

There are no questions in this chapter, but instead covers the following:

Levels of abstraction

  • Hardware
  • Microcode (firmware)
  • Machine Code
  • Low-level languages
  • High-level languages
  • Interpreted languages

Main Memory

  • Data
  • Code
  • Heap (dynamic memory)
  • Stack

Instructions

  • made of a mneumonic and 0 or more operands
Mnemonic Destination Operand Source Operand
mov ecx 0x42

Opcodes and Endianness

  • x86 uses little-endian format
  • network data uses big-endian format

Operands

  • Immediate operands (fixed values e.g. 0x42)
  • Register operands (e.g. ecx)
  • Memory address operands (e.g. eax)

Registers

x86 processors:

  • General registers used by the CPU at execution
  • Segment registers used to track sections of memory
  • Status flags used to make decisions
  • Instruction pointers used for process flow

x86 EAX Register Breakdown:

  • EAX contains the value 0xA9DC81F5 (32bits)
  • AX contains 81F5 (16bits)
  • AH contains 81 (8 bits)
  • AL contains F5 (8 bits)

EFLAGS Register:

  • ZF: Zero flag, set to 1 when the output of an operation is equal to zero.
  • CF: Carry flag, set to 1 when the output of an operation is too large or too small for the destination operand.
  • SF: Sign flag, set to 1 when the output of an operation is negative, or when the most significant bit is set after an arithmetic operation.
  • TF: Trap flag, when set to one the x86 processor will only execute 1 instruction at a time.

EIP Instruction Pointer:

  • Contains memory address of next instruction to be executed

Simple Instructions

  • Mov (move data around, e.g. into registers or RAM)
    • mov destination, source
    • Operands surrounded by [] are memory references to data
    • mov eax, ebx (copies ebx into eax)
    • mov eax, [0x4037C4] (copies 4 bytes at memory location 0x4037C4 into eax)
    • mov eax, [ebx+esi4] (copies 4 bytes at memory location of the result from the equation ebx+esi4 into the EAX register) -lea (load effective address, similar to mov)
    • put memory address into a location
    • lea eax, [ebx+8]
    • lea eax, [ebx+8] = mov eax, ebx+8 (except the mov command is invalid)
    • useful when calculating values

Arithmetic:

  • sub (subtract value from destination)
    • sub destination, value
  • add (add value to destination)
    • add destination, value
  • inc (increase register by 1)
    • inc register
  • dec (decrease register by 1)
    • dec register
  • mul (multiply EAX by a value and store result in EDX:EAX) - imul is signed version
    • mul value
  • div (divides EDX:EAX by a value and store result in EAX with remainder in EDX) - idiv is signed version
    • div value

x86 Logical Operators:

  • OR
  • AND
  • XOR
  • shr (shift bits right)
    • shr destination count
  • shl (shift bits left)
    • shl destination count
  • ror
    • Similar to sh except bits are rotated to the other end instead of falling off
  • rol
  • nop
    • 0x90, does nothing and goes to next instruction.

Shifting often used instead of multiplication as its faster and doesn’t require registers.

Generally functions containing only xor, or, shl, shr, ror, or rol randomly is a compression or encryption function.

The Stack

  • Memory for functions, local variables and flow control is stored in stack.
  • Last in First Out (LIFO) Structure.
  • ESP = Stack Pointer (Changes as items are pushed on and off)
  • EBP = Base Pointer (Stays constant within function)
  • Stack Instructions.
    • Push
    • Pop
    • Call
    • Leave
    • Enter
    • Ret

Function Calls:

  • Code to perform a specific task.
  • Stack is used the same throughout any given binary.
  • Most common convention is cdecl.
    • Arguments pushed to stack.
    • Call memory_location used to store current instruction onto stack and run function.
    • Function prologue creates space on stack for local variables, and EBP.
    • Function executes.
    • Function epilogue restores stack and EBP, ESP frees local variables. Leave instruction can be used for this.
    • Function calls the ret instruction which pops return address off stack and onto EIP.
    • Stack is adjusted to remove arguments.

Stack Layout:

  • Stack grows upward.
  • Higher memory addresses used first.
  • A new call = A new stack frame.
  • x86 provides instructions for popping and pushing.
    • pusha (Pushes 16-bit registers on stack in this order: AX, CX, DX, BX, SP, BP, SI, DI)
    • pushad (Pushes 32-bit registers on the stack in this order: EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI)
    • popa
    • popad
  • pusha/pushad are typically seen in shellcode and often indicate hand coded shellcode/assembly.

Conditionals

  • test (identical to AND, except operands are not modified)
  • cmp (identical to SUB, except operands are not modified)
    • ZF and CF may be modified as a result of cmp.

Branching

  • Code executed depending on flow of the program.
  • Most popular way is with jump instructions.
  • jmp
    • unconditional jump
  • More than 30 types of conditional jumps exist, but only subset commonly seen.
    • jz loc (Jump if ZF. Jump to location if ZF = 1)
    • jnz loc (Jump if Not ZF. Jump to location if ZF = 0)
    • je loc (Jump if Equal. Generally after cmp, jumps if destination operand = source operand)
    • jne loc (Jump if Not Equal. Generally after cmp, jumps if destination operand != source operand)
    • jg loc (Jump if Greater. Signed jump after cmp, jumps if destination operation > source operand)
    • jge loc (Jump if Greater or Equal. Signed jump after cmp, jumps if destination operand >= source operand)
    • ja loc (Jump if A. Unsigned jump, same as jg)
    • jae loc (Jump if A or Equal. Unsigned jump, same as jge)
    • jl loc (Jump if Less. Signed jump after cmp, jumps if destination operand is < source operand)
    • jle loc (Jump if Less or Equal. Signed jump after a cmp, jumps if destination operand is <= source operand)
    • jb loc (Jump if B. Unsigned jump, same as jl)
    • jbe loc (Jump if B or Equal. Unsigned jump, same as jle)
    • jo loc (Jump if OF. Jumps if previous instruction set the Overflow Flag)
    • js loc (Jump if SF. Jumps if the Sign Flag is set)
    • jecxz loc (Jump if not ECX. Jumps if ECX = 0)

Rep Instructions

  • Used for manipulating data buffers.
  • Usually array of bytes (b) or single (w) or double (d) words.
  • Most common instructions:
    • movs[b-w-d]
    • cmps[b-w-d]
    • stos[b-w-d]
    • scas[b-w-d]
  • ESI/EDI used in these operations.
  • ESI = Source, EDI = Destination, ECX = Counting variable.
  • rep will continue until ECX = 0.
  • repe/repz/repne/repnz will continue until ECX = 0 or ZF = 1 or 0.
Instruction Description
rep Repeat until ECX = 0
rep Repeat until ECX = 0
repe, repz Repeat until ECX = 0 or ZF = 0
repne, repnz Repeat until ECX = 0 or ZF = 1

More TBA.

C Main Methods and Offsets

More TBA.

Chapter 5. IDA Pro

TBA

Chapter 6. Recognizing C Code Constructs in Assembly

TBA

Chapter 7. Analyzing Malicious Windows Programs

TBA

Chapter 8. Debugging

TBA

Chapter 9. OllyDbg

TBA

Chapter 10. Kernel Debugging with WinDbg

TBA

Chapter 11. Malware Behavior

TBA

Chapter 12. Covert Malware Launching

TBA

Chapter 13. Data Encoding

TBA

Chapter 14. Malware-Focussed Network Signatures

TBA

Chapter 15. Anti-Disassembly

TBA

Chapter 16. Anti-Debugging

TBA

Chapter 17. Anti-Virtual Machine Techniques

TBA

Chapter 18. Packers and Unpacking

TBA

Chapter 19. Shellcode Analysis

TBA

Chapter 20. C++ Analysis

TBA

Chapter 21. 64-Bit Malware

TBA