Practical Malware Analysis - Lab Write-up

47 minute read

PMALab

Introduction

This details reverse engineering activities and answers for labs contained in the book ‘Practical Malware Analysis’ by Michael Sikorski and Andrew Honig, which is published by No Starch Press. This is a very informative book to learn about malware analysis and comes with a number of binaries to test your reverse engineering skills. I would thoroughly recommend purchasing this book.

Chapter 1. Basic Static Techniques

This details analysis undertaken and answers to the lab questions in Chapter 1.

Lab 1-1

This lab uses the files Lab01-01.exe and Lab01-01.dll. Use the tools and techniques described in the chapter to gain information about the files and answer the questions below.

Question 1

Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?

Answer 1

Using the Malcode Analyst Pack we are able to perform this by simply right clicking the files and selecting VirusTotal. At the time of writing both matched existing antivirus signatures:

lab01-01.exe

  • 35/65 detection rate

lab01-01.dll

  • 28/64 detection rate

Question 2

When were these files compiled?

Answer 2

Using PEview we are able to view this information. The information is found under: IMAGE_NT_HEADERS > IMAGE_FILE_HEADER > Time Date Stamp

Lab01-01.exe

lab01-01.exe compile time - 2010-12-19 Sunday 16:16:19 UTC

Lab01-01.dll

lab01-01.dll compile time - 2010-12-19 Sunday 16:16:38 UTC

Question 3

Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

Answer 3

No, there’s no indicators these files are packed or obfuscated due to the following:

Using PEiD we can identify them as being compiled with Microsoft Visual C++ 6.0.

lab01-01.dll

DLL Compiled

lab01-01.exe

EXE Compiled

Using PEview we can see the virtual size is close to the raw size of the files.

lab01-01.exe

EXE Size

Using the Malcode Analyst Pack we can view “strings” and see there’s plenty of them.

lab01-01.dll and lab01-01.exe File Strings

Question 4

Do any imports hint at what this malware does? If so, which imports are they?

Answer 4

Analysing Lab01-01.exe through Dependency Walker highlighted a number of interesting functions imported from KERNEL32.DLL, these were:

  • CopyFile
  • FindFirstFile
  • FindNextFile

Based on this we can infer that files would likely be searched for on the file system and files would be copied.

Lab01-01.exe Imports

Analysing Lab01-01.dll through Dependency Walker highlighted functions imported from KERNEL32.DLL, these were:

  • CreateProcess
  • Sleep

Lab01-01.dll Imports

Based on this we can infer that the dll would likely spawn a new process and sleep (pause execution) at some stage.

The DLL also had some interesting imports from WS2_32.DLL through the use of the ‘Ordinal Number’.

Lab01-01.dll Network Imports

Matching the Ordinal Number to the associated name, these functions were:

  • closesocket
  • connect
  • htons
  • inet_addr
  • recv
  • send
  • shutdown
  • socket
  • WSAStartup
  • WSACleanup

Based on this we can infer that the program has connects to a network or IP of some kind and opens up a socket to send and receive packets.

Question 5

Are there any other files or host-based indicators that you could look for on infected systems?

Answer 5

Examining the strings contained within Lab01-01.exe more closely reveals that it is referencing a file called C:\windows\system32\kerne132.dll. This is a very subtle misspelling of the legitimate Kernal32.dll file (notice the use of 1 instead of l) because of this it is likely malicious and we am able to use this to search for infected systems.

Lab01-01.exe Strings

Question 6

What network-based indicators could be used to find this malware on infected machines?

Answer 6

Examining the strings contained within Lab01-01.dll more closely reveals that there is what appears to be an IP address. Because of this and the network imports, it is highly likely that this DLL contacts this IP address, and as such we are able to use this to find infected systems which have contacted 127.26.152.13.

Lab01-01.dll Strings

Question 7

What would you guess is the purpose of these files?

Answer 7

Based on everything we’ve enumerated above, we would guess that the executable is used to run the DLL which acts as a backdoor or remote access trojan (RAT). Based on the imports it’s possible the executable searches to see if C:\windows\system32\kerne132.dll exists, and if it doesn’t it may attempt to copy the malicious DLL to C:\windows\system32\kerne132.dll which is used for persistence. Upon executing the DLL, it likely contacts a C2 server at 127.26.152.13.

Lab 1-2

This lab uses the file Lab01-02.exe. Analyze the file Lab01-02.exe.

Question 1

Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

Answer 1

Using the Malcode Analyst Pack we are able to perform this by simply right clicking the files and selecting VirusTotal. At the time of writing the file matched existing antivirus signatures:

Lab01-02.exe

lab01-02.exe

  • 45/70 detection rate

Question 2

Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

Answer 2

Diving in with a different tool called Exeinfo PE, we are able to determine that this file is packed using the Ultimate Packer for eXecutables (UPX). This also gives me some information on how to unpack the executable using UPX.

Lab01-02.exe Exeinfo PE

In addition, we can use VirusTotal to view Section names, properties, a small number of imports, and a section with a raw size significantly smaller than the virtual size which all indicate that this file is packed with UPX.

Lab01-02.exe VirusTotal

Following the unpacking guidance, we can unpack this executable giving to a new file.

Lab01-02.exe Unpacking

upx -d Lab01-02.exe -o Lab01-02-Unpacked.exe

Question 3

Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

Answer 3

Analysing Lab01-02.exe through Dependency Walker highlighted the below interesting functions:

WININET.DLL

  • InternetOpenUrl
  • InternetOpen

Lab01-02.exe ININET.DLL

ADVAPI32.DLL

  • CreateService
  • StartServiceCtrlDispatcher
  • OpenSCManager

Lab01-02.exe ADVAPI32.DLL

Based on this we can infer that the executable creates and triggers a service, and that it connects to the internet.

Question 4

What host- or network-based indicators could be used to identify this malware on infected machines?

Answer 4

Looking at the strings of this file shows 2 interesting elements, ‘malservice’ and ‘http://www.malwareanalysisbook.com’.

Lab01-02.exe Strings

Based on this we can assume that searching hosts for the scheduled service called ‘malservice’ and looking at any hosts connectiong to ‘http://www.malwareanalysisbook.com’ would serve as reliable host and network indicators.

Lab 1-3

This lab uses the file Lab01-03.exe. Analyze the file Lab01-03.exe.

Question 1

Upload the Lab01-03.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

Answer 1

At the time of writing this had an overwhelming number of AV detections.

Lab01-03.exe

55/65 detection

Question 2

Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

Answer 2

Once again, trying a different tool to keep things fresh, PE Detective revealed that this file was packed this time using FSG.

Lab01-03.exe PE Detective

Using PEiD reveals that there are no import tables for the section like previously seen, which seems extremely strange. The raw hex almost looks like it is supposed to be importing something similar to loadlibrary and getprocaddress.

Lab01-03.exe Packed Library Imports

Looking at this through dependency walker revealed that these were indeed being imported. With only these libraries it is a very good indication that this binary is packed.

Lab01-03.exe Packed Library Imports

Question 3

Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

Answer 3

At present the file is packed with FSG, and we are unable to unpack this with the techniques learnt so far.

Question 4

What host- or network-based indicators could be used to identify this malware on infected machines?

Answer 4

At present the file is packed with FSG, and we are unable to unpack this with the techniques learnt so far.

Lab 1-4

This lab uses the file Lab01-04.exe. Analyze the file Lab01-04.exe.

Question 1

Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

Answer 1

Getting creative with our VirusTotal submissions, we can check the file hash by using the VirusTotal API and some basic PowerShell. At the time of writing this had 53 detections.

Lab01-04.exe VirusTotal

Question 2

Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

Answer 2

There are no indications this file is packed or obfuscated, PEiD identifies it was created with Microsoft Visual C++ 6.0, PEview shows similar virtual and raw data size, and dependency walker shows a number of imports.

Question 3

When was this program compiled?

Answer 3

Using PEview we can see this program says it was compiled on the 30th of August 2019, and even as I type this years after the book was published that date is still a week away so this has obviously been faked or ‘timestomped’.

Lab01-04.exe

Question 4

Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

Answer 4

Based on the imports from Kernel32 we can see that this will load resources from the file’s resource section and write files to disk. Based on the GetWindowsDirectory function we can assume this will write files to the system directory, and will then execute them due to the WinExec function.

Lab01-04.exe

The imports from Advapi32 indicate that this is attempting to modify or change the token assigned to the execution of this process, presumably to elevate privileges or give extended access rights.

Lab01-04.exe

Question 5

What host-based or network-based indicators could be used to identify this malware on infected machines?

Answer 5

Looking into the strings of this file, we can see an entry for the following host indicators:

  • winup.exe
  • system32\wupdmgrd.exe

The strings also indicate the below network-based url which may be where a malware updater or second stage payload is pulled from.

  • http://practicalmalwareanalysis.com/updater.exe

Lab01-04.exe

Question 6

This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?

Answer 6

Looking at this resource through Resource Hacker, we can see that it has a header which indicates it is an embedded executable.

Lab01-04.exe

By saving this as a binary (executable) file, we can then open it in dependency walker and see this is the file which not only contains the winexec imported function of kernel32, but also the URLDownloadToFile function of URLMON.DLL which indicates it will likely download and execute a file.

Lab01-04.exe

Chapter 2. Malware Analysis in Virtual Machines

This chapter had no questions, but rather documented setting up a VM for malware analysis. Broadly speaking the process to follow is below:

  • Create a clean snapshot without any malware.
  • Transfer malware to the VM.
  • Perform analysis from within the VM.
  • Take notes, screenshots, and data from the VM, and move these back to your Host OS.
  • Revert the VM back to the clean snapshot.

Chapter 3. Basic Dynamic Analysis

This details analysis undertaken and answers to the lab questions in Chapter 3.

Lab 3-1

This lab uses the file Lab03-01.exe. Analyse this using basic dynamic analysis tools.

Question 1

What are this malware’s imports and strings?

Answer 1

Looking at a new tool, we’re able to open this up in PE Studio to gain a lot of insight into the file, and determine both its imports and strings.

Based on the low number of imports we can assume this file is packed.

Lab03-01.exe

If we take a look at the strings though we see a number of interesting entries which we typically wouldn’t expect to see on a packed file.

Lab03-01.exe

Question 2

What are the malware’s host-based indicators?

Answer 2

Attempting to run this file within a Windows 7 and Windows 10 VM causes it to crash and fail.

In todays day and age this piece of malware is detected by almost every AV available but also fails to run properly. This is because like a lot of malware it was created with a certain OS in mind (in this case Windows XP).

By running the malware in a Windows XP environment we are able to see what the original functionality of this file was:

Lab03-01.exe

The host based indicators are as follows:

  • A Mutex - AKA Mutual Exclusion (this is essentially a lock on a resource), is created for “WinVMX32”.
  • The malware is copied to a file called “vmx32to64.exe” which is dropped within C:\Windows\System32.
  • A registry key is created at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDriver for persistence indicating whenever the system starts it should run the copied malware.

Question 3

Are there any useful network-based signatures for this malware? If so, what are they?

Answer 3

By directing our Windows XP traffic through another host we can use a utility such as Fakenet or ApateDNS to intercept the requests.

Lab03-01.exe

Through doing this we can see the below:

  • www[.]practicalmalwareanalysis[.]com is resolved

Had we allowed the malware to establish a connection we would see it sending random beakons of 256 bytes out of random data over port 443.

Lab 3-2

This lab uses the file Lab03-02.dll. Analyse this using basic dynamic analysis tools.

Question 1

How can you get this malware to install itself?

Answer 1

Using PE-bear we are able to easily see the exports of this DLL file. When comparing this with the imports shown in PEview it becomes quite clear that this DLL needs to be installed as a service.

Lab03-02.dll

To further validate our assumptions we can run strings over the DLL. Some key elements of interest are shown below:

Lab03-02.dll

Something to note is the reference to Windows XP 6.11, which means it’s once again likely this was created for, and will only work on, Windows XP.

Back in our Windows XP VM, we’re able to use rundll32.exe and the install exported function to execute this DLL and install it as a service.

rundll32.exe Lab03-02.dll,install

By using regshot we’re easily able to see the registry keys which have been modified by running the DLL.

Lab03-02.dll

Question 2

How would you get this malware to run after installation?

Answer 2

Given this has installed as a service and we know the name is IPRIP we can run it through either the net utility, or SC Tool.

sc start IPRIP
net start IPRIP

Question 3

How can you find the process under which this malware is running?

Answer 3

By searching for the specified DLL, or looking at the DLLs loaded by a process in Process Explorer, we’re able to get the process ID of the svchost process which is running this malware.

Lab03-02.dll

  • 1068

Question 4

Which filters could you set in order to use procmon to glean information?

Answer 4

Because there’s likely to be multiple svchost processes, we can filter by the Process ID to glean information only on the svchost process responsible for running this malware.

Question 5

What are the malware’s host-based indicators?

Answer 5

By examining the service which is created we can get a number of host-based indicators.

Lab03-02.dll

  • IPRIP
  • Intranet Network Awareness (INA+)
  • Depends INA+, Collects and stores network configuration and location information, and notifies applications when this information changes.
  • HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\ /v servicedll

Question 6

Are there any useful network-based signatures for this malware?

Answer 6

By running Fakenet on the host we’re able to intercept the malware’s request and determine what it is sending to a remote server. In this case it uses a specified domain name, uses port 80, always fetches a specific file, and uses a custom but unique User-Agent.

Lab03-02.dll

  • practicalmalwareanalysis[.]com
  • port 80
  • serve.html
  • User-Agent %ComputerName% Windows XP 6.11

It’s at this point that the string previously discovered as ‘Windows XP’ has context.

Lab 3-3

Question 1

What do you notice when monitoring this malware with Process Explorer?

Answer 1

If we monitor this malware with Process Explorer we can see it briefly spawns svchost before both processes vanish.

At this point if we look closer into the memory strings of running svchost processes, we can see that this malware has used process replacement (more commonly known as process hollowing nowadays) to execute under the guise of a svchost process.

Question 2

Can you identify any live memory modifications?

Answer 2

As mentioned by looking into the live memory of svchost we can see the strings differ significantly on disk to what is in memory.

Lab03-03.exe

Question 3

What are the malware’s host-based indicators?

Answer 3

We can see both in memory, and on disk that the malware creates a file called practicalmalwareanalysis.log

Lab03-03.exe

  • practicalmalwareanalysis.log

Question 4

What is the purpose of this program?

Answer 4

By opening wordpad and typing out some content, we can then open up practicalmalwareanalysis.log and see that it has logged all of our keystrokes.

Lab03-03.exe

From this we can conclude that this uses process hollowing to run a keylogger on the infected machine through svchost.exe

Lab 3-4

Question 1

What happens when you run this file?

Answer 1

When we run this file it immediately deletes itself. We can see this event coming from the program spawning a del (delete) command from a command prompt.

Lab03-04.exe

Question 2

What is causing the roadblock in dynamic analysis?

Answer 2

This could be caused by command line parameters needing to be passed to the program, it needing to fetch a particular file from a remote location, it detecting it is in a sandbox, it only targeting a particular timezone, or it only running on a specific domain. Some clues can be found by looking at the program strings.

Lab03-04.exe

Question 3

Are there other ways to run this program?

Answer 3

Attempting to run with the below enumerated through strings still results in the file being deleted, so at this stage we cannot do much more; however, this will be revisited in lab 9.

  • cc
  • re
  • in

Chapter 4. A Crash Course in x86 Disassembly

There are no questions in this chapter, but instead covers the following:

Levels of abstraction

  • Hardware
  • Microcode (firmware)
  • Machine Code
  • Low-level languages
  • High-level languages
  • Interpreted languages

Main Memory

  • Data
  • Code
  • Heap (dynamic memory)
  • Stack

Instructions

  • made of a mneumonic and 0 or more operands
Mnemonic Destination Operand Source Operand
mov ecx 0x42

Opcodes and Endianness

  • x86 uses little-endian format
  • network data uses big-endian format

Operands

  • Immediate operands (fixed values e.g. 0x42)
  • Register operands (e.g. ecx)
  • Memory address operands (e.g. eax)

Registers

x86 processors:

  • General registers used by the CPU at execution
  • Segment registers used to track sections of memory
  • Status flags used to make decisions
  • Instruction pointers used for process flow

x86 EAX Register Breakdown:

  • EAX contains the value 0xA9DC81F5 (32bits)
  • AX contains 81F5 (16bits)
  • AH contains 81 (8 bits)
  • AL contains F5 (8 bits)

EFLAGS Register:

  • ZF: Zero flag, set to 1 when the output of an operation is equal to zero.
  • CF: Carry flag, set to 1 when the output of an operation is too large or too small for the destination operand.
  • SF: Sign flag, set to 1 when the output of an operation is negative, or when the most significant bit is set after an arithmetic operation.
  • TF: Trap flag, when set to one the x86 processor will only execute 1 instruction at a time.

EIP Instruction Pointer:

  • Contains memory address of next instruction to be executed

Simple Instructions

  • Mov (move data around, e.g. into registers or RAM)
    • mov destination, source
    • Operands surrounded by [] are memory references to data
    • mov eax, ebx (copies ebx into eax)
    • mov eax, [0x4037C4] (copies 4 bytes at memory location 0x4037C4 into eax)
    • mov eax, [ebx+esi4] (copies 4 bytes at memory location of the result from the equation ebx+esi4 into the EAX register) -lea (load effective address, similar to mov)
    • put memory address into a location
    • lea eax, [ebx+8]
    • lea eax, [ebx+8] = mov eax, ebx+8 (except the mov command is invalid)
    • useful when calculating values

Arithmetic:

  • sub (subtract value from destination)
    • sub destination, value
  • add (add value to destination)
    • add destination, value
  • inc (increase register by 1)
    • inc register
  • dec (decrease register by 1)
    • dec register
  • mul (multiply EAX by a value and store result in EDX:EAX) - imul is signed version
    • mul value
  • div (divides EDX:EAX by a value and store result in EAX with remainder in EDX) - idiv is signed version
    • div value

x86 Logical Operators:

  • OR
  • AND
  • XOR
  • shr (shift bits right)
    • shr destination count
  • shl (shift bits left)
    • shl destination count
  • ror
    • Similar to sh except bits are rotated to the other end instead of falling off
  • rol
  • nop
    • 0x90, does nothing and goes to next instruction.

Shifting often used instead of multiplication as its faster and doesn’t require registers.

Generally functions containing only xor, or, shl, shr, ror, or rol randomly is a compression or encryption function.

The Stack

  • Memory for functions, local variables and flow control is stored in stack.
  • Last in First Out (LIFO) Structure.
  • ESP = Stack Pointer (Changes as items are pushed on and off)
  • EBP = Base Pointer (Stays constant within function)
  • Stack Instructions.
    • Push
    • Pop
    • Call
    • Leave
    • Enter
    • Ret

Function Calls:

  • Code to perform a specific task.
  • Stack is used the same throughout any given binary.
  • Most common convention is cdecl.
    • Arguments pushed to stack.
    • Call memory_location used to store current instruction onto stack and run function.
    • Function prologue creates space on stack for local variables, and EBP.
    • Function executes.
    • Function epilogue restores stack and EBP, ESP frees local variables. Leave instruction can be used for this.
    • Function calls the ret instruction which pops return address off stack and onto EIP.
    • Stack is adjusted to remove arguments.

Stack Layout:

  • Stack grows upward.
  • Higher memory addresses used first.
  • A new call = A new stack frame.
  • x86 provides instructions for popping and pushing.
    • pusha (Pushes 16-bit registers on stack in this order: AX, CX, DX, BX, SP, BP, SI, DI)
    • pushad (Pushes 32-bit registers on the stack in this order: EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI)
    • popa
    • popad
  • pusha/pushad are typically seen in shellcode and often indicate hand coded shellcode/assembly.

Conditionals

  • test (identical to AND, except operands are not modified)
  • cmp (identical to SUB, except operands are not modified)
    • ZF and CF may be modified as a result of cmp.

Branching

  • Code executed depending on flow of the program.
  • Most popular way is with jump instructions.
  • jmp
    • unconditional jump
  • More than 30 types of conditional jumps exist, but only subset commonly seen.
    • jz loc (Jump if ZF. Jump to location if ZF = 1)
    • jnz loc (Jump if Not ZF. Jump to location if ZF = 0)
    • je loc (Jump if Equal. Generally after cmp, jumps if destination operand = source operand)
    • jne loc (Jump if Not Equal. Generally after cmp, jumps if destination operand != source operand)
    • jg loc (Jump if Greater. Signed jump after cmp, jumps if destination operation > source operand)
    • jge loc (Jump if Greater or Equal. Signed jump after cmp, jumps if destination operand >= source operand)
    • ja loc (Jump if A. Unsigned jump, same as jg)
    • jae loc (Jump if A or Equal. Unsigned jump, same as jge)
    • jl loc (Jump if Less. Signed jump after cmp, jumps if destination operand is < source operand)
    • jle loc (Jump if Less or Equal. Signed jump after a cmp, jumps if destination operand is <= source operand)
    • jb loc (Jump if B. Unsigned jump, same as jl)
    • jbe loc (Jump if B or Equal. Unsigned jump, same as jle)
    • jo loc (Jump if OF. Jumps if previous instruction set the Overflow Flag)
    • js loc (Jump if SF. Jumps if the Sign Flag is set)
    • jecxz loc (Jump if not ECX. Jumps if ECX = 0)

Rep Instructions

  • Used for manipulating data buffers.
  • Usually array of bytes (b) or single (w) or double (d) words.
  • Most common instructions:
    • movs[b-w-d]
    • cmps[b-w-d]
    • stos[b-w-d]
    • scas[b-w-d]
  • ESI/EDI used in these operations.
  • ESI = Source, EDI = Destination, ECX = Counting variable.
  • rep will continue until ECX = 0.
  • repe/repz/repne/repnz will continue until ECX = 0 or ZF = 1 or 0.
Instruction Description
rep Repeat until ECX = 0
repe, repz Repeat until ECX = 0 or ZF = 0
repne, repnz Repeat until ECX = 0 or ZF = 1

movsb is used to move bytes from 1 location to the next. Rep movsb is equivalent of memcopy in C. Movsb takes byte at ESI and stores it at EDI and increments/decrements ESI and EDI registers based on DF (Direction Flag). DF @ 0 = incremented, else decremented.

cmpsb is used to compare 2 sequences of bytes. It subtracts value at EDI from ESI and updates the flags. Cmpsb takes byte at ESI, compares to value at EDI and increments ESI/EDI registers by 1. Bundling this with rep is equivalent to memcmp in C.

scasb is used to search for 1 value in a sequence of bytes as defined within AL register. Compares ESI to AL. If found ESI stores location of those bytes.

stosb is used to store values in EDI specified location. Same as scasb, but byte not searched instead it is placed into EDI location. When bundled with rep, this is equivalent to memset in C.

Instruction Description
repe cmpsb Compare 2 buffers. EDI and ESI must contain buffer locations, and ECX = buffer length. Will continue until ECX = 0 or buffers aren’t equal.
rep stosb Initialize all bytes of a buffer to a value. EDI = buffer location, and AL = Initialization Value. Often seen with xor eax, eax.
rep movsb Copy a buffer of bytes. ESI = Source, EDI = Destination, ECX = Length to copy. Byte copy with continue until ECX = 0.
repne scasb Search a data buffer for a byte. EDI = Address of buffer. AL = byte looking for. ECX = Buffer length. Comparison will continue until ECX = 0 or byte is found.

C Main Methods and Offsets

Malware is often written in C. A C program often has 2 arguments for the main method with argc and argv.

argc is an integer which contains number of arguments on command line. argv is a pointer to an array that contains command line arguments.

There’s also a couple of useful images at this point which show a simple program in C and what the main method looks like in Assembly, in addition to useful further reading.

Chapter 5. IDA Pro

Interactive Disassembler Professional:

Tips:

  • Options > General > Line Prefixes > (Opcode Bytes as 6) = helps show memory locations and opcode values in Graph Mode.
  • Options > General > Auto Comments = Comments about instructions, useful learning Assembly.
  • L Function flag = Library and can be skipped.

Useful Windows:

  • Functions: Associates flags with each function.
  • Names: Every address and name including functions, data, strings, named code.
  • Strings: Default, shows ASCII longer than 5 characters.
  • Imports: Lists all imports.
  • Exports: Lists all exported functions.
  • Structures: Create own data structures or list layout of all data structures.

Types of links:

  • Sub Links: Links to start of functions
  • Loc links: Jumps to destinations
  • Offset Links: Links to an offset in memory

Lab 5-1

Question 1

What is the address of DllMain?

Answer 1

Upon loading the DLL into IDA we arrive at the DllMain function, and can see the address in the functions window, or by turning on Line Prefixes under Options > General > Line Prefixes.

0x1000D02E

Lab05-01.DLL

Question 2

Use the Imports window to browse to gethostbyname. Where is the import located?

Answer 2

By viewing the imports, searching for gethostbyname, and then looking for the address location, we find where this import is located.

0x100163CC within idata

Lab05-01.DLL

Question 3

How many functions call gethostbyname?

Answer 3

By using the jump to xrefs function while highlighting gethostbyname

Lab05-01.DLL

We are able to find that this is run 9 times, by 5 different subroutines/functions.

Lab05-01.DLL

Question 4

Focusing on the call to gethostbyname located at 0x10001757, can you figure out which DNS request will be made?

Answer 4

By using the jump to address function, we’re able to specify the address to jump to and in this case can specify 0x10001757.

Lab05-01.DLL

Looking at the operand before this function call, we can see that an address offset is being moved into EAX before 0Dh is added to it

Lab05-01.DLL

By following this we can see that EAX now points to address 0x10019194 within data which contains: [This is RDO]pics.praticalmalwareanalysis.com

If we look at the value 0Dh which will be added to EAX, if we convert this hex to decimal it gives us the value 13, and the first 13 characters are [This is RDO].

Lab05-01.DLL

Because the pointer (EAX) is moved along 13 bytes, we now know that the DNS request will be made for:

pics.praticalmalwareanalysis.com

Question 5

How many local variables has IDA Pro recognized for the subroutine at 0x10001656?

Answer 5

Jumping to the address at 0x10001656 we can find 20 different variables which IDA Pro Free has identified; however, it is important to note that a paid version of this product may identify more variables.

Lab05-01.DLL

Question 6

How many parameters has IDA Pro recognized for the subroutine at 0x10001656?

Answer 6

Looking at the previous screenshot we can find that arg_0 has been identified which indicates one argument would be expected from this subroutine, and as a result 1 parameter.

Question 7

Use the Strings window to locate the string \cmd.exe /c in the disassembly. Where is it located?

Answer 7

Using ALT + T we can search through the strings window for cmd.exe, and we can find where it is located.

Lab05-01.DLL

0x10095B34

Question 8

What is happening in the area of code that references \cmd.exe /c?

Answer 8

By following the xref to the subroutine which references \cmd.exe /c

Lab05-01.DLL

We’re able scroll through the function to see a number of interesting values being pushed to the stack, in this case the values: quit, exit, and cd catch our eyes.

Lab05-01.DLL

Continuing on we can see entries such as: idle, uptime, mmodule, minstall, and inject all catch out eyes.

Lab05-01.DLL

Lab05-01.DLL

Finally if we look around this function we can find that the char array aHiMasterDDDDDD mentioning a ‘Remote Shell Session’, and ass such we can infer we’re looking at a remote shell session function.

Lab05-01.DLL

Question 9

In the same area, at 0x100101C8, it looks like dword_1008E5C4 is a global variable that helps decide which path to take. How does the malware set dword_1008E5C4? (Hint: Use dword_1008E5C4’s cross-references.)

Answer

Starting at address 0x100101C8 we can see a comparison statement comparing ebx to dword_1008E5C4, and viewing the cross-references to this we can find one of them which actually contain the mov statement to set the value.

Lab05-01.DLL

Following this we can see that the output of sub_10003695 will be moved directly into dword_1008E5C4.

Lab05-01.DLL

So by looking into this routine we can find that it is comparing the dw platform ID to the value ‘2’:

Lab05-01.DLL

By running some searches based on this we find the following documentation on PlatformID

This tells us that the field 2 indicates the operating system is Windows NT or later.

Lab05-01.DLL

As such we now know the malware will take a different path depending on whether the operating system is Windows NT or later.

Question 10

A few hundred lines into the subroutine at 0x1000FF58, a series of comparisons use memcmp to compare strings. What happens if the string comparison to robotwork is successful (when memcmp returns 0)?

Answer 10

Looking into this routine we can find the entry comparing “robotwork” which uses a JNZ branch.

Lab05-01.DLL

The JNZ branch will jump if the Zero Flag is NOT SET (in this case that means the comparison is successful). This is because when we’re talking about Zero Flags, we’re essentially asking “Is this false?”, and if it is true (1=True), the Zero Flag IS NOT set, if it is false (0=False) then the Zero Flag IS set.

Because of this, if memcmp returns 0, the answer to the question “Is this false?” will be no, thus indicating a successful comparison. Because of this the jump is NOT taken, and we end up running a call to the subroutine sub_100052A2, so let’s take a look into it.

Lab05-01.DLL

From this we can see that it is opening a registry key at: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion. The JZ statement is once again asking “Is this false?” which in this case would check if the registry was successfully opened or not. So long as the registry is successfully opened, the answer would be “False”, “No”, or in terms of the Zero-Flag “0”. The difference here is that it is jumping if the zero flag IS set, so let’s follow loc_10005309.

Lab05-01.DLL

Here we can see it is querying WorkTime, and WorkTime registry keys. If we look back at where this opened the registry key we can see that it is passing an argument type of “Socket” with the value ‘s’. Looking back at the start of this question we can see that this pushes ebp+s which indicates this information is sent back over the passed network socket.

Question 11

What does the export PSLIST do?

Answer 11

By looking into the exports within this DLL we can find PSLIST. Following this and pressing SPACE leads us to the IDA Graph view.

Lab05-01.DLL

From here we can see that one of 2 paths will be taken depending on the result of sub_100036C3, so let’s dive a bit deeper there.

Lab05-01.DLL

Once again we can see this is checking whether the operating system is Windows NT or later; however, even if it is, it is then checking if it’s major version is 5. So let’s look at what this represents by looking at the documentation on OSVERSIONINFOEXW structure

Lab05-01.DLL

So we now know it is checking whether the OS is any of these versions. Depending on the output it will either run sub_10006518 or sub_1000664C.

Lab05-01.DLL

Taking a closer look at sub_10006518 we can see based on the API call to CreateToolhelp32Snapshot, strings, and the function name that this will allow them to grab a process listing.

Lab05-01.DLL

Looking further at sub_1000664C, we can see that this performs the same type of calls as sub_10006518; however, this also sends through reference to the socket to send the output back to.

Lab05-01.DLL

Question 12

Use the graph mode to graph the cross-references from sub_10004E79. Which API functions could be called by entering this function? Based on the API functions alone, what could you rename this function?

Answer 12

By using G to go to the address of interest (in this case sub_10004E79), we can then click View > Graphs > XRefs From to see a number of API functions within this function.

Lab05-01.DLL

Based on this we can infer that it is more than likely the System Default Language Identifier would be sent over a network socket, and as such could name this function as LanguageIdentifier_Send.

Question 13

How many Windows API functions does DllMain call directly? How many at a depth of 2?

Answer 13

By clicking View > Graphs > User xrefs chart, and then adjusting the settings to start and end at the function DLLMain with a depth of 1, we’re able to see 4 Windows API Functions.

Lab05-01.DLL

If we expand this to a depth of 2, the chart blows out in size and we’re looking at 33 including duplicates.

Lab05-01.DLL

Lab05-01.DLL

Lab05-01.DLL

Question 14

At 0x10001358, there is a call to Sleep (an API function that takes one parameter containing the number of milliseconds to sleep). Looking backward through the code, how long will the program sleep if this code executes?

Answer 14

Moving back from the call to sleep, we can see that EAX is multiplied by 1000 before being pushed to the stack and called. This matches the reference to milliseconds, in that there are 1000 milliseconds in a second.

Lab05-01.DLL

If we follow the previous routine at offset 10019020 (off_10019020), we see it points to the data reference unk_100192AC.

Lab05-01.DLL

At present this is a bit confusing as it is made up of individual parts to a much larger string, but if we go ahead and convert this to the string it is supposed to be.

Lab05-01.DLL

We can now see that it has the value [This is CTI]30 which is much clearer.

Lab05-01.DLL

Looking back at the commands it is then adding 0Dh (13) to EAX which moves the pointer past the text ‘[This is CTI]’ leaving only ‘30’.

Based on the call to atoi this is then converted to a number before being multiplied by 1000 and as such the program will sleep for 30 seconds if this executes.

Question 15

At 0x10001701 is a call to socket. What are the three parameters?

Answer 15

Looking at this address we can see a call to socket which takes 3 parameters (protocol, type, and af) all of which are pushed to the stack prior to the call.

Lab05-01.DLL

Question 16

Using the MSDN page for socket and the named symbolic constants functionality in IDA Pro, can you make the parameters more meaningful? What are the parameters after you apply changes?

Answer 16

By looking into the MSDN Socket Function we can find what these numbers correlate to.

Lab05-01.DLL Lab05-01.DLL Lab05-01.DLL

By right clicking and selecting Use Standard Symbolic Constant, we’re able to quickly change these to accurately reflect their assigned values.

Lab05-01.DLL

Question 17

Search for usage of the in instruction (opcode 0xED). This instruction is used with a magic string VMXh to perform VMware detection. Is that in use in this malware? Using the cross-references to the function that executes the in instruction, is there further evidence of VMware detection?

Answer 17

By searching for ‘ED’ as a sequence of bytes (ALT+B) we can find only one occurrence of the instruction ‘in’.

Lab05-01.DLL

Diving into this function we can see it is checking for the value VMXh which indicates this malware is implementing a known anti VM technique.

Lab05-01.DLL

Looking at the Xrefs to this function we can see a reference to locating a VM in use and cancelling installation.

Lab05-01.DLL

Question 18

Jump your cursor to 0x1001D988. What do you find?

Answer 18

If we jump here using ‘G’ we find a bunch of seemingly random data.

Lab05-01.DLL

Question 19

If you have the IDA Python plug-in installed (included with the commercial version of IDA Pro), run Lab05-01.py, an IDA Pro Python script provided with the malware for this book. (Make sure the cursor is at 0x1001D988.) What happens after you run the script?

Answer 19

At present we’re running this through the free version of IDA Pro, so we’ll be unable to do this; however let’s open up the script and see if we can see what it is doing.

Lab05-01.DLL

From this we can see it will loop through from our current position (0x1001D988) up to 50 bytes and run an XOR command over all of them by 0x55. From this we can infer that the script will de-obfuscate the seemingly random data.

Question 20

With the cursor in the same location, how do you turn this data into a single ASCII string?

Answer 20

This can be done by pressing A on the string or doing so like we did earlier with CTI30. By converting all strings to ascii we wind up with gibberish still because each element still requires the XOR function.

Lab05-01.DLL

We can also see there’s been some overlap of hex indicated by the ,27h,’ elements. By removing these and running the XOR command over all of the strings concatenated using CyberChef(https://gchq.github.io/CyberChef/) we get a hidden message.

Lab05-01.DLL

Question 21

Open the script with a text editor. How does it work?

Answer 21

In this instance we can see that there’s been some issues bringing back any capitalisation somewhere along the line and this should read “xdoor is this backdoor, string decoded for Practical Malware Analysis Lab :)1234”. This is yet another benefit of us running this through the python script; however, the purpose still stands based on how the python script works. It will loop through from our position (0x1001D988) up to 50 bytes and run an XOR command over all of the values individually by 0x55

Chapter 6. Recognizing C Code Constructs in Assembly

Global vs. Local Variables

  • Global Variables referenced by memory addresses (e.g. dword_40CF60)
  • Local Variables referenced by stack addresses (e.g. ebp-4)

Disassembling Arithmetic Operations

The below outline basic arithmetic operations and ways of remembering them within assembly.

Assigning variables (int a = 0; int b = 1;):

  • mov [ebp+var_4], 0 (int a = 0)
  • mov [ebp+var_8], 1 (int b = 1)

Addition of variables (a = a + 11;):

  • mov eax, [ebp+var_4] (a =)
  • add eax, 0Bh (a + 11)

Subtraction of variables (a = a - b;):

  • mov ecx, [ebp+var_4] (a =)
  • sub ecx, [ebp+var_8] (a - b)

Decrementing variables (a–;):

  • mov [ebp+var_4], ecx (null)
  • mov edx, [ebp+var_4] (a =)
  • sub edx, 1 (a - 1)

Incrementing variables (B++;):

  • mov [ebp+var_4], edx (null)
  • mov eax, [ebp+var_8] (b =)
  • add eax, 1 (b + 1)

Modulo variables (b = a % 3):

  • mov [ebp+var_8], eax (null)
  • mov eax, [ebp+var_4] (a =)
  • cdq (convert value)
  • mov ecx, 3 (3)
  • idiv ecx (a / 3)
  • mov [ebp+var_8], edx (b = remainder)

Recognizing if statements

Must be a conditional jump (e.g. jnz) for an if statement, but not all conditional jumps are if statements.

Recognizing nested if statements

Every if statement corresponds to a jump of some kind, so in this case there’s 3 close compare (cmp) and then jump (jnz) statements.

Finding for loops

Must have 4 components; initialise, compare, execute, and increment/decrement.

Finding while loops

This looks similar to a for loop, except without incrementation.

Function call conventions

Calling convention differs based on compiler and other factors.

3 most common calling conventions are:

  • cdecl
  • stdcall
  • fastcall

cdecl convention

One of the most popular. Params pushed onto stack from right to left, and caller cleans up the stack at end.

stdcall convention

Similar to cdecl, except callee needs to clean up stack. This is the standard convention for the Windows API, and as such when calling them you don’t need to clean up the stack as the DLLs which implement the API will clean up the stack.

fastcall convention

Varies most across compilers. First couple of arguments are passed in registers (e.g. EDX or ECX). Any other arguments are loaded right to left. Calling function responsible for cleaning up stack. Generally faster.

Push vs Move

The differences are generally based on the compiler or compiler settings, sometimes parameters are pushed onto the stack, other times they are moved onto the stack. In cases of push, there’ll be an additional instruction to restore the stack pointer which won’t be present in the move.

Switch statements

Compiled either using an ‘if’ or using ‘jump tables’. Will have multiple compare and jump statements close to one another, and any ‘false’ result leads the next compare to happen.

Jump Table

Has a large amount of switch statements and avoids the need for so many compares. In this case a ‘false’ result leads to the jump statement which dynamically points to a location.

Disassembling Arrays

Globally and locally defined arrays appear different. Globally defined may have a base address within ‘dword_XXXXXX’, and locally may have a base address within var_XX. In both cases accessing these arrays has ecx multiplied by the element size (in the case of integers this is 4).

Identifying Structures aka Structs

Similar to arrays but can contain different element types. Generally used to group information. Nearby data types may or may not be part of the struct. ‘fld’ or ‘fstp’ are floating point instructions which indicate this type is a double. ‘T’ key in pro can be used to create a structure.

Linked List is data structure with data records which contain a reference (link) to the next record in the sequence. Recursive object assignments help to identify this, for example a recursive loop where a variable is assigned eax, which then becomes eax+4 may be indicative of the variable having a pointer 4bytes in.

Lab 6-1

Analyse Lab06-01.exe

Question 1

What is the major code construct found in the only subroutine called by main?

Answer 1

By starting at the main function we can see that a subroutine 401000 is called.

Lab06-01.exe

Moving into this routine we see that there is a compare statement before a JZ jump statement, and by using the graph view we can verify that this is indicative of an ‘if’ code construct.

Lab06-01.exe

Question 2

What is the subroutine located at 0x40105F?

Answer 2

By looking at the values being pushed to the stack prior to calling this function we can begin to make some assumptions that this subroutine relates to printing some sort of message which is delimited by a line feed (\n).

Lab06-01.exe

If we dig slightly into this function we can see reference to ‘__stbuf’ and ‘__ftbuf’ which in the context of things leads us to believe this is ‘string buffer’ and ‘format buffer’. A quick search leads us to these being declared inside of the resource internal.h within the .NET Core.

.NET Core Runtime - internal.h

From this we can see it provides support for input/output of files, and if we compare this to the function references in this context we can make an informed decision that this is in fact the ‘printf’ (print formatted) subroutine, which writes the string to stdout.

Lab06-01.exe

Question 3

What is the purpose of this program?

Answer 3

Based on what we can see in the success or error messages that were pushed to the stack, this program checks if you are connected to the internet, and responds with a corresponding message in addition to returning the number ‘1’, if you are connected.

Lab 6-2

Analyse Lab06-02.exe

Question 1

What operation does the first subroutine called by main perform?

Answer 1

Taking a look at the main function, we can see that it calls ‘sub_401000’.

Lab06-02.exe

This subroutine calls ‘InternetGetConnectedState’, and then compares if the output of it is equal to 0. Then it will jump if the internet connection is present to one of 2 messages. As such this operation is an ‘if’ statement.

Lab06-02.exe

Question 2

What is the subroutine located at 0x40117F?

Answer 2

If we look at this subroutine we notice that it is almost identical to that which we saw in Lab06-01.exe, and once again comparing a string pushed to the stack just before calling this subroutine within main leads us to believe this is once again ‘printf’. In this instance there’s also the usage of ‘%c’ to help backup this inference.

Lab06-02.exe

Question 3

What does the second subroutine called by main do?

Answer 3

We can see that the second subroutine is ‘sub401040’. By looking at this we can see that this attempts to open the URL http://www.practicalmalwareanalysis.com/cc.htm and if it is successful, it will read in the first 0x200 (512) bytes into a buffer.

Lab06-02.exe

Question 4

What type of code construct is used in this subroutine?

Answer 4

If we look under the call to ‘InternetReadFile’ we can see 2 different pathways, one where it was able to read the HTML ‘file’, and one where it failed.

Lab06-02.exe

If we look at the code construct under where it successfully read the HTML file, we can see that there are multiple compare statements based on 4 characters from the buffer. This indicates an array of characters is being parsed, and if we view the compare characters by using ‘R’ to convert the hex to ascii, we see some interesting characters.

Lab06-02.exe

We know that within HTML ‘<!–’ signals the start of a comment.

Question 5

Are there any network-based indicators for this program?

Answer 5

As shown in question 3, there’s 2 obvious network indicators we can use within this program, which is the URL to be opened, and the User-Agent.

  • http://www.practicalmalwareanalysis.com/cc.htm
  • Internet Explorer 7.5/pma

Question 6

What is the purpose of this malware?

Answer 6

The purpose of this malware is to check if there is an active internet connection, if there is it will proceed to try and open the URL http://www.practicalmalwareanalysis.com/cc.htm using the User-Agent ‘Internet Explorer 7.5/pma’ and if it is successful, it will read in the first 0x200 (512) bytes into a buffer, if not it will terminate. From this buffer the characters ‘<!–’ are read, and if they don’t exists the error message “Error 2.3: Fail to get command\n” is printed.

Lab06-02.exe

If these do exist, it will print the message “Success: Parsed command is %c\n”, where %c is the character read from the HTML comment buffer. We can also see this will wait 60000 milliseconds (1 minute) before terminating.

Lab 6-3

Analyse Lab06-03.exe

Question 1

Compare the calls in main to lab 6-2’s main method. What is the new function called from main?

Answer 1

Examining the calls in Lab6-2 and Lab6-3 show a number of similarities; however, 1 subroutine exists in Lab6-3 which is new and is called “sub_40113”.

Lab06-03.exe

Question 2

What parameters does this new function take?

Answer 2

Looking at the function, we can see that it takes 2 parameters, a ‘char’ value, and a ‘lpcstr’ value (long pointer constant string).

Lab06-03.exe

If we examine how this is being invoked, we can see 2 items are pushed to the stack before calling this subroutine; argv, and var_8.

Lab06-03.exe

In this instance argv represents argv[0] which points to the name of the program. We can also see that var_8 is set to AL in 0x401228. This means that the lower 8 bits (byte, or character in this case) from sub_401040 becomes var_8, and given we know sub_401040 allocates bytes to a buffer, and then checks for ‘<!–’, we can then see that the next byte after ‘<!–’ is the char being passed to this function.

Lab06-03.exe

Question 3

What major code construct does this function contain?

Answer 3

Looking at this function we can see that it contains a switch statement with a Jump Table, this is indicated by a lack of repeated compare and jump statements, which is evident in an ‘if-else’ scenario, and instead contains one compare and jump statement with multiple locations it could end up jumping to.

Lab06-03.exe

Question 4

What can this function do?

Answer 4

If we break down this function, we can see that it subtracts ‘a’ from whatever is passed to it, therefore if it is ‘a’, it will have a value of ‘0’ and be the first jump case, b will equal 1 and be the second case and so forth.

In the case of this function, depending on the letter you send it (after ‘<!–’ in the HTML), between ‘a’ and ‘e’, it will run a different set of commands.

Lab06-03.exe

  • a = The program create’s a directory at C:\Temp if it doesn’t exist
  • b = The program will copy a file to C:\Temp\cc.exe, the file passed is lpExistingFileName which we know would be the program name
  • c = The program will delete the file located at C:\Temp\cc.exe if it exists
  • d = The program creates persistence using the subkey Software\Microsoft\Windows\CurrentVersion\Run with the value ‘Malware’ pointing to C:\Temp\cc.exe
  • e = The program sleeps for 100,000 milliseconds (100 seconds)

If the program fails to get these instructions or it fails, it will display an error message.

  • Error 3.2: Not a valid command provided

Question 5

Are there any host-based indicators for this malware?

Answer 5

The host based indicators from this are the file the malware will copy itself to, and the registry key used for persistence.

Note: A quick search reveals that 80000002h which is pushed to the stack in the registry key is linked to HKEY_LOCAL_MACHINE, so we can assume it will be here rather than the users registry hive.

  • C:\Temp\cc.exe
  • HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v Malware

Question 6

What is the purpose of this malware?

Answer 6

The purpose of this malware is to check if there is an active internet connection, if there is it will proceed to try and open the URL http://www.practicalmalwareanalysis.com/cc.htm using the User-Agent ‘Internet Explorer 7.5/pma’ and if it is successful, it will read in the first 0x200 (512) bytes into a buffer, if not it will terminate. From this buffer the characters ‘<!–’ are read, and if they don’t exists the error message “Error 2.3: Fail to get command\n” is printed. If these do exist, it will print the message “Success: Parsed command is %c\n”, where %c is the first character read from the HTML comment buffer.

Based on the parsed command between the letters a and e, the program will either:

  • Create a directory at C:\Temp if it doesn’t exist
  • Copy a file to C:\Temp\cc.exe, the file passed is lpExistingFileName which we know would be the program name
  • Delete the file located at C:\Temp\cc.exe if it exists
  • Create persistence using the subkey HKLM\Software\Microsoft\Windows\CurrentVersion\Run with the value ‘Malware’ pointing to C:\Temp\cc.exe
  • Sleep for 100,000 milliseconds (100 seconds)
  • Display the error message “Error 3.2: Not a valid command provided”

Lab 6-4

Analyse Lab06-04.exe

Question 1

What is the difference between the calls made from the main method in Labs 6-3 and 6-4?

Answer 1

In Lab 6-3 the calls directly from the main method consist of:

  • sub_401000
  • sub_401040
  • sub_401271
  • sub_401130
  • Sleep

Lab06-04.exe

In Lab 6-4 the calls directly from the main method consist of:

  • sub_401000
  • sub_401040
  • sub_401150 (differs)
  • sub_4012B5 (differs)
  • Sleep

Lab06-04.exe

Looking into these methods we find that:

  • sub_401000 = Check for internet connection
  • sub_401040 = HTML C2 parsing function. Note: in 06-04 the User-Agent has changed.

Lab06-04.exe

  • sub_401150 (differs) = Jump Table switch statement as previously identified in Lab 06-03 sub_401130 to control actions.

Lab06-04.exe

  • sub_4012B5 (differs) = printf as previously identified in Lab 06-03 sub_401271.

Lab06-04.exe

Question 2

What new code construct has been added to main?

Answer 2

Looking into the main method we can see one clear change, and that’s the addition of a loop, which in this case is a for loop indicative by the flow returning and and incrementing variable which will be compared against the value 5A0h in hex (1440).

Lab06-04.exe

Question 3

What is the difference between this lab’s parse HTML function and those of the previous labs?

Answer 3

Looking at this lab’s parse HTML function, the first difference we can see is that it now takes in an argument as apparent with the reference to arg_0, and a new variable szAgent.

Lab06-04.exe

Looking further we can see that this is actually used now in the User-Agent which we previously identified had changed and that szAgent is being populated with the formatted user agent value.

Lab06-04.exe

This differs from the previous which didn’t take any argument and never changed.

Question 4

How long will this program run? (Assume that it is connected to the internet.)

Answer 4

The for loop in this case is comparing against the value 1440. Because computers are so fast the time it takes to run this amount of checks is negligible; however, we can also see that the program sleeps for 0EA60h (60,000) milliseconds in between each check.

Lab06-04.exe

Due to this we can assume the program will run for 1440 * 60,000 milliseconds = 86,400,000 milliseconds.

This number doesn’t make a lot of sense so let’s convert, 60,000 milliseconds is 1 minute. So for 1440 minutes, if we divide by 60 we find that this will run for 24 hours.

Question 5

Are there any new network-based indicators for this malware?

Answer 5

As mentioned in question 3, this has a new User-Agent, so the User-Agent:

Internet Explorer 7.50/pma%d

will be a new indicator, where %d is equivalent to var_C or in this case the number of minutes that have passed since the program started. This can be used to monitor how long it has been running for in each request.

Question 6

What is the purpose of this malware?

Answer 6

The purpose of this malware is to check if there is an active internet connection, if there is it will proceed to try and open the URL http://www.practicalmalwareanalysis.com/cc.htm using the User-Agent ‘Internet Explorer 7.5/pma%d’ which is passed in from a looping incremental user variable (this is used to track how long the program has been running.

If it is successful, it will read in the first 0x200 (512) bytes into a buffer, if not it will terminate. From this buffer the characters ‘<!–’ are read, and if they don’t exists the error message “Error 2.3: Fail to get command\n” is printed.

If these do exist, it will print the message “Success: Parsed command is %c\n”, where %c is the first character read from the HTML comment buffer.

Based on the parsed command between the letters a and e, the program will either:

  • Create a directory at C:\Temp if it doesn’t exist
  • Copy a file to C:\Temp\cc.exe, the file passed is lpExistingFileName which we know would be the program name
  • Delete the file located at C:\Temp\cc.exe if it exists
  • Create persistence using the subkey HKLM\Software\Microsoft\Windows\CurrentVersion\Run with the value ‘Malware’ pointing to C:\Temp\cc.exe
  • Sleep for 100,000 milliseconds (100 seconds)
  • Display the error message “Error 3.2: Not a valid command provided”

Based on the incrementing variable this program will run for 24hours before terminating. By renaming these functions and viewing the main method flow chart, we can easily see the flow of this malware.

Lab06-04.exe

Chapter 7. Analyzing Malicious Windows Programs

TBA

Chapter 8. Debugging

TBA

Chapter 9. OllyDbg

TBA

Chapter 10. Kernel Debugging with WinDbg

TBA

Chapter 11. Malware Behavior

TBA

Chapter 12. Covert Malware Launching

TBA

Chapter 13. Data Encoding

TBA

Chapter 14. Malware-Focussed Network Signatures

TBA

Chapter 15. Anti-Disassembly

TBA

Chapter 16. Anti-Debugging

TBA

Chapter 17. Anti-Virtual Machine Techniques

TBA

Chapter 18. Packers and Unpacking

TBA

Chapter 19. Shellcode Analysis

TBA

Chapter 20. C++ Analysis

TBA

Chapter 21. 64-Bit Malware

TBA