Practical Malware Analysis Lab1

Home

March 19, 2020

Lab 1-1

1. Upload to virus total and view the reports.

I will skip this step because my VM setting currently is fixed to internet connection and I seem to be not able to drag and drop to my macintosh host. I will just see from others’ result.

2. When were these files compiled?

Using CFF explorer, we can navigate to File Header and look for TimeDateStamp. For Lab01-01.exe, we will get the value of 0x4D0E2FD3. Converting it to decimal, we will get 1292775379, equivalent to 12/19/2010 @ 4:16pm (UTC).

Using the same steps, we will get that the Lab01-01.dll is compiled at roughly the same time.

3. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

Looking at the built-in UPX utility from the CFF explorer, seems like it’s not UPX packed.

The textbook suggest to use the program “PEiD”, which fortunately is already installed in my FlareVM. The result shows that it is probably not packed also.

I also want to try to use the analysis of the number of imports.

Though it is not really many imports, I think it makes sense cause this is most likely is dummy file.

So I think we can say that it’s not packed.


Looking at the result from the Medium post, it also says not packed. The medium post says something about Strings which I forgot to do.

And from the strings seems like it’s not packed also.


I want to highlight the reason why I do so many ways to check whether it’s packed or not. Some might say that one method of checking should be enough. But considering that there is a lot of ways in which packing can be done, I think applying different heuristics will help to make sure we don’t leave out some possibilities.

4. Do any imports hint at what this malware does? If so, which imports are they?

Let’s check the Import Directory first.

For me, KERNEL32.dll seems common enough that it’s required by most application. Let’s look at what each of those imports refer to.

From the textbook, Kernel32.dll: “This is a very common DLL that contains core functionality, such as access and manipulation of memory, files, and hardware.” and WS2_32.dll: “These are networking DLLS. A program that accesses either of these most likely connects to a network or performs network-related tasks.”. The book does not have expleanation for MSVCRT.dll. Looking up online, it says that it’s just standard C++ library.

So from that, I guess what is interesting is that it will connect to the internet for some reason. But I don’t know specifically what for.

The medium post guess that it might be some [backdoor](https://en.wikipedia.org/wiki/Backdoor_(computing).

5. Are there any other files or host-based indicators that you could look for infected systems?

I don’t know how to approach this or what does it mean. The Medium post highlighted the use of kerne132.dll instead of kernel32.dll by looking from strings.exe.

6. What network-based indicators could be used to find this malware on infected machines?

Again, pointed by the Medium, the strings have a hardcoded IP address 127.26.152.13.

Since 127.0.0.1 is a loopback address, so I suspect that probably it applies for anything 127.x.x.x? And seems like the answer is yes. So since 127.26.152.13 is a loopback (local machine) address, this will not be used by the malware to connect to other machine outside. Most likely, it will be only used by several process running together. (e.g. a form of mutex)

7. What would you guess is the purpose of these files?

I’m not quite sure. Some of the file operation confuses me. The Medium post vote for backdoor due to the use of createProcess, ws2_32.dll and sleep functionallities.

Lab 2-2

1. Virus total - skip

2. Is the file packed?

UPX utility from CFF explorer says it’s pack. Done.

3. Look at imports.

ADVAPI32.dll: Provides access to advanced core Windows components such as the service manager and registry.

Most likely doing windows service (daemon) and persistance technique using registry (?)

WININET.dll: This DLL contains higher-level networking functions that implement protocols such as FTP, HTTP, and NTP.

I’m not quite sure what this will do but certainly doing some background service and sending information.

4. Look for host or network-based indicators

The strings

http://w
warean
ysisbook.co
om#Int6net Explo!r 8FEI

Seems to somehow related with malwareanalysisbook.com. Probably we can monitor for any DNS query that contains some substring of that string.

Lab 1-3

1. Virus total - skip

2. Packed?

The CFF Explorer UPX doesn’t show that it’s packed.

But the strings.exe does not show a lot of strings. It looks suspicious.

Then I go to check the PEiD and sure enough it’s packed. It says FSG 1.0 -> dulek/xt which I’m not really sure what packing method it is.

Confirming again that it’s actually packed, the import directory is almost empty.

And from section headers, I somehow got blank section name. And the raw size of 0000 and 3000 virtual size may say something about it being packed.


Then how to unpack? From the medium post:

Scanning this with PEiD demonstrates that Lab01–03.exe is packed with FSG 1.0 (figure 2.1 left). This is much more difficult to unpack than UPX and must be done manually. Currently we are unable to unpack this. Check out Lab 18–2 (Chapter 18, Packers and Unpacking) to unpack in OllyDbg.

Okay so I can move forward.

3. Imports hint functionallity?

I don’t know how to check the import. The medium post say we can check dependency walker. But I don’t know how useful it can be. The medium post also can’t get much information.

4. Host based network indicator.

Nothing cause it’s packed.

Lab 1-4

1. Virus total - skip

2. Packed?

Using the steps that I use above. This looks safe enough. It is most likely not packed.

3. When it is compiled?

From file headers, the time stamp is 0x5D69A2B3 which translates to 08/30/2019 @ 10:26pm (UTC). Though it’s past, most likely the author of the book compile it much earlier.

4. Check at imports

Kernel32.dll, Advapi32.dll, and Msvcrt.dll. So something related with registry and services. Msvcrst is just basic c++ library. I’m still not sure what it will do.

5. Host or network based indicator

Looking at strings:

!This program cannot be run in DOS mode.
CloseHandle
OpenProcess
GetCurrentProcess
CreateRemoteThread
GetProcAddress
LoadLibraryA
CreateFileA
SizeofResource
LoadResource
FindResourceA
GetModuleHandleA
GetWindowsDirectoryA
GetTempPathA
KERNEL32.dll
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
ADVAPI32.dll
MSVCRT.dll
_XcptFilter
__p___initenv
__getmainargs
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
winlogon.exe
<not real>
SeDebugPrivilege
sfc_os.dll
\system32\wupdmgr.exe
EnumProcessModules
GetModuleBaseNameA
EnumProcesses
\system32\wupdmgr.exe
\winup.exe
!This program cannot be run in DOS mode.
GetWindowsDirectoryA
GetTempPathA
KERNEL32.dll
URLDownloadToFileA
urlmon.dll
MSVCRT.dll
_XcptFilter
__p___initenv
__getmainargs
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
\winup.exe
\system32\wupdmgrd.exe
http://www.practicalmalwareanalysis.com/updater.exe
  1. Seems like it wants to do something with authentication.
  2. \system32\wupdmgrd.exe
  3. http://www.practicalmalwareanalysis.com/updater.exe

Seems like it will download an “updater”, then treat it as a legitimate windows upgrade or probably automatically install it after it get the authority escalation.

6. This file has one resource in the resource section. Use Resource Hacker to examine that resource, and hten use it ot extract the resource. What can you learn from the resource?

Gotcha! The content in the resource directly say something! It might contain a nested program because of the strings such as cannot be run in DOS mode and some section headers. So the payload should be installed by the malware after the authority escalation.


Yey done 😂! I find that though with writing it takes more time to complete the labs. It’s more enjoyable :)