Practical Malware Analysis - Lab Write-Up

Practical Malware Analysis - Lab Write-Up

This details reverse engineering activities and answers for labs contained in the book ‘Practical Malware Analysis’ by Michael Sikorski and Andrew Honig, which is published by No Starch Press.

Practical Malware Analysis - Chapter 3 Lab Write-up

5 minute read

PMALab

Chapter 3. Basic Dynamic Analysis

This details analysis undertaken and answers to the lab questions in Chapter 3.

Lab 3-1

This lab uses the file Lab03-01.exe. Analyse this using basic dynamic analysis tools.

Question 1

What are this malware’s imports and strings?

Answer 1

Looking at a new tool, we’re able to open this up in PE Studio to gain a lot of insight into the file, and determine both its imports and strings.

Based on the low number of imports we can assume this file is packed.

Lab03-01.exe

If we take a look at the strings though we see a number of interesting entries which we typically wouldn’t expect to see on a packed file.

Lab03-01.exe

Question 2

What are the malware’s host-based indicators?

Answer 2

Attempting to run this file within a Windows 7 and Windows 10 VM causes it to crash and fail.

In todays day and age this piece of malware is detected by almost every AV available but also fails to run properly. This is because like a lot of malware it was created with a certain OS in mind (in this case Windows XP).

By running the malware in a Windows XP environment we are able to see what the original functionality of this file was:

Lab03-01.exe

The host based indicators are as follows:

  • A Mutex - AKA Mutual Exclusion (this is essentially a lock on a resource), is created for “WinVMX32”.
  • The malware is copied to a file called “vmx32to64.exe” which is dropped within C:\Windows\System32.
  • A registry key is created at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDriver for persistence indicating whenever the system starts it should run the copied malware.

Question 3

Are there any useful network-based signatures for this malware? If so, what are they?

Answer 3

By directing our Windows XP traffic through another host we can use a utility such as Fakenet-NG or ApateDNS to intercept the requests.

Lab03-01.exe

Through doing this we can see the below:

  • www[.]practicalmalwareanalysis[.]com is resolved

Had we allowed the malware to establish a connection we would see it sending random beacons of 256 bytes out of random data over port 443.

Lab 3-2

This lab uses the file Lab03-02.dll. Analyse this using basic dynamic analysis tools.

Question 1

How can you get this malware to install itself?

Answer 1

Using PE-bear we are able to easily see the exports of this DLL file. When comparing this with the imports shown in PEview it becomes quite clear that this DLL needs to be installed as a service.

Lab03-02.dll

To further validate our assumptions we can run strings over the DLL. Some key elements of interest are shown below:

Lab03-02.dll

Something to note is the reference to Windows XP 6.11, which means it’s once again likely this was created for, and will only work on, Windows XP.

Back in our Windows XP VM, we’re able to use rundll32.exe and the install exported function to execute this DLL and install it as a service.

rundll32.exe Lab03-02.dll,install

By using regshot we’re easily able to see the registry keys which have been modified by running the DLL.

Lab03-02.dll

Question 2

How would you get this malware to run after installation?

Answer 2

Given this has installed as a service and we know the name is IPRIP we can run it through either the net utility, or SC Tool.

sc start IPRIP
net start IPRIP

Question 3

How can you find the process under which this malware is running?

Answer 3

By searching for the specified DLL, or looking at the DLLs loaded by a process in Process Explorer, we’re able to get the process ID of the svchost process which is running this malware.

Lab03-02.dll

  • 1068

Question 4

Which filters could you set in order to use procmon to glean information?

Answer 4

Because there’s likely to be multiple svchost processes, we can filter by the Process ID to glean information only on the svchost process responsible for running this malware.

Question 5

What are the malware’s host-based indicators?

Answer 5

By examining the service which is created we can get a number of host-based indicators.

Lab03-02.dll

  • IPRIP
  • Intranet Network Awareness (INA+)
  • Depends INA+, Collects and stores network configuration and location information, and notifies applications when this information changes.
  • HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\ /v servicedll

Question 6

Are there any useful network-based signatures for this malware?

Answer 6

By running Fakenet on the host we’re able to intercept the malware’s request and determine what it is sending to a remote server. In this case it uses a specified domain name, uses port 80, always fetches a specific file, and uses a custom but unique User-Agent.

Lab03-02.dll

  • practicalmalwareanalysis[.]com
  • port 80
  • serve.html
  • User-Agent %ComputerName% Windows XP 6.11

It’s at this point that the string previously discovered as ‘Windows XP’ has context.

Lab 3-3

This lab uses the file Lab03-03.exe. Analyse this using basic dynamic analysis tools.

Question 1

What do you notice when monitoring this malware with Process Explorer?

Answer 1

If we monitor this malware with Process Explorer we can see it briefly spawns svchost before both processes vanish.

At this point if we look closer into the memory strings of running svchost processes, we can see that this malware has used process replacement (more commonly known as process hollowing nowadays) to execute under the guise of a svchost process.

Question 2

Can you identify any live memory modifications?

Answer 2

As mentioned by looking into the live memory of svchost we can see the strings differ significantly on disk to what is in memory.

Lab03-03.exe

Question 3

What are the malware’s host-based indicators?

Answer 3

We can see both in memory, and on disk that the malware creates a file called practicalmalwareanalysis.log

Lab03-03.exe

  • practicalmalwareanalysis.log

Question 4

What is the purpose of this program?

Answer 4

By opening wordpad and typing out some content, we can then open up practicalmalwareanalysis.log and see that it has logged all of our keystrokes.

Lab03-03.exe

From this we can conclude that this uses process hollowing to run a keylogger on the infected machine through svchost.exe

Lab 3-4

This lab uses the file Lab03-04.exe. Analyse this using basic dynamic analysis tools.

Question 1

What happens when you run this file?

Answer 1

When we run this file it immediately deletes itself. We can see this event coming from the program spawning a del (delete) command from a command prompt.

Lab03-04.exe

Question 2

What is causing the roadblock in dynamic analysis?

Answer 2

This could be caused by command line parameters needing to be passed to the program, it needing to fetch a particular file from a remote location, it detecting it is in a sandbox, it only targeting a particular timezone, or it only running on a specific domain. Some clues can be found by looking at the program strings.

Lab03-04.exe

Question 3

Are there other ways to run this program?

Answer 3

Attempting to run with the below enumerated through strings still results in the file being deleted, so at this stage we cannot do much more; however, this will be revisited in lab 9.

  • cc
  • re
  • in

This concludes chapter 3, proceed to the next chapter.

You may also enjoy