Here is my humble little solution to the lab exercises for the book Practical Malware Analysis. The book provides solutions of its own, but I am writing up my own approach to the exercises in the hope that it adds some insight. Take my solution with a pinch of salt… I am not a professional malware analyst.
- Cerbero Profiler 2.5
- IDA Pro
- Lab01-01.dll SHA256:f50e42c8dfaab649bde0398867e930b86c2a599e8db83b8260393082268f2dba
- Lab01-01.exe SHA256:58898bd42c5bd3bf9b1389f0eee5b39cd59180e8370eb9ea838a0b327bd6fe47
This lab uses the files Lab01-01.exe and Lab01-01.dll. Use the tools and techniques described in the chapter to gain information about the files and answer the questions below.
1. Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?
As of 20 Jan 2016, VirusTotal showed a detection ratio of 20/55 for Lab01-01.exe and 15/54 for Lab01-01.dll, so both files match existing antivirus signatures.
View Lab01-01.dll Report here
View Lab01-01.exe Report here
2. When were these files compiled?
The compile time of each file can be read from the VirusTotal reports above. Here I used Cerbero Profiler to extract it instead.
Cerbero Profiler shows Lab01-01.exe's FileHeader->TimeDateStamp as 0x4D0E2FD3 (Mon Dec 20 00:16:19 2010) and Lab01-01.dll's FileHeader->TimeDateStamp as 0x4D0E2FE6 (Mon Dec 20 00:16:38 2010). The tool has conveniently converted the 32-bit Unix timestamp to my local timezone (UTC+8); in UTC the two values are Sun Dec 19 2010 16:16:19 and 16:16:38, nineteen seconds apart, which fits two files built in the same session. Online tools such as EpochConverter.com can also turn the hex timestamp into a date. Keep in mind that this field is written by the linker and is trivial to forge or zero out, so treat it as a hint rather than proof.
3. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?
A quick scan with PEiD did not identify any packer for Lab01-01.dll or Lab01-01.exe.
Manually, this is how I would do it: in IDA Pro I look for a tail jump in the graph (a jmp to an address at the end of the program, where an unpacking stub would hand control to the real code), for strings such as "UPX" that indicate a known packer, and for an import table that seems far too small for the program. Unusual section names and sections whose contents look like random data (high entropy) are further tells.
Based on IDA Pro's imports table, strings and graph, Lab01-01.dll does not look packed or obfuscated.
Based on IDA Pro's imports table, strings and graph, Lab01-01.exe does not look packed or obfuscated either.
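To make the checks for questions 2 and 3 repeatable, here is a small Python script (an added example, not code from the book or from this post). It reads FileHeader->TimeDateStamp straight out of the COFF header and renders it in UTC, and it walks the section table looking for the static packer tells discussed above: known packer section names, near 8 bits per byte of entropy, and a section that reserves a large virtual size but carries no raw bytes. Instead of shipping the lab samples it constructs two minimal PE images inline, one carrying the exe's real timestamp 0x4D0E2FD3 with a repetitive code-like .text section, and one shaped like a UPX-packed file. The packer name list and the 7.0 bits/byte threshold are my own choices; the import-count check is left to IDA Pro and PEiD, as the script does not parse the import directory.

```python
"""PE triage for Lab01-01: compile timestamp and packer indicators (added example)."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Section names written by common packers (UPX, ASPack, Petite, MPRESS, NsPack, VMProtect).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                        "MPRESS1", "MPRESS2", ".nsp0", ".nsp1", ".vmp0", ".vmp1"}


def _pe_header_offset(data):
    """Return the file offset of the PE signature, validating the MZ and PE magic."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew


def compile_timestamp(data):
    """IMAGE_FILE_HEADER.TimeDateStamp: seconds since the Unix epoch, as the linker wrote it."""
    pe = _pe_header_offset(data)
    # FileHeader follows the 4-byte signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, pe + 8)[0]


def compile_time_utc(data):
    """Render the timestamp in UTC so the result does not depend on the analyst's timezone."""
    ts = compile_timestamp(data)
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Y UTC")


def shannon_entropy(buf):
    """Bits per byte: close to 8.0 for compressed/encrypted data, well below that for plain code."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def sections(data):
    """Parse the section table into name, sizes and entropy of the raw bytes on disk."""
    pe = _pe_header_offset(data)
    count = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size
    result = []
    for i in range(count):
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        result.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                       "virtual_size": vsize, "raw_size": raw_size,
                       "entropy": shannon_entropy(raw)})
    return result


def packer_indicators(data, entropy_threshold=7.0):
    """Static hints that a file is packed; an empty list means 'nothing obvious', not 'clean'."""
    hits = []
    for s in sections(data):
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append(f"section {s['name']} is a known packer section name")
        if s["entropy"] >= entropy_threshold:
            hits.append(f"section {s['name']} has high entropy ({s['entropy']:.2f} bits/byte)")
        # An unpacking stub reserves room for the decompressed image: big virtual size, no raw bytes.
        if s["raw_size"] == 0 and s["virtual_size"] > 0 and s["name"] != ".bss":
            hits.append(f"section {s['name']} has virtual size {s['virtual_size']:#x} but no raw data")
    return hits


def build_sample_pe(timestamp, section_specs):
    """Constructed, non-runnable PE image with just the headers the parsers above read.
    section_specs: list of (name, raw_bytes, virtual_size)."""
    e_lfanew, opt_size, nsec = 0x40, 0xE0, len(section_specs)
    raw_base = e_lfanew + 4 + 20 + opt_size + 40 * nsec
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_header = struct.pack("<HHIIIHH", 0x14C, nsec, timestamp, 0, 0, opt_size, 0x102)
    table, body = b"", b""
    for name, raw, vsize in section_specs:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, 0x1000, len(raw),
                             raw_base + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
    return dos + b"PE\0\0" + file_header + b"\0" * opt_size + table + body


# Constructed samples: the clean one carries the exe's real TimeDateStamp from the page and a
# repetitive code-like .text; the packed one mimics UPX (empty UPX0, high-entropy UPX1).
CLEAN_SAMPLE = build_sample_pe(0x4D0E2FD3, [(".text", b"\x55\x8b\xec\x5d\xc3" * 64, 0x140)])
_flat_bytes = bytes((i * 7919) % 256 for i in range(4096))   # every byte value 16 times: 8.0 bits/byte
PACKED_SAMPLE = build_sample_pe(0x4D0E2FE6, [("UPX0", b"", 0x10000), ("UPX1", _flat_bytes, 0x1000)])


def triage(data):
    return {"timestamp": f"{compile_timestamp(data):#010x}", "compiled_utc": compile_time_utc(data),
            "sections": sections(data), "packer_indicators": packer_indicators(data)}


if __name__ == "__main__":
    import sys
    for label, blob in (("clean sample", CLEAN_SAMPLE), ("packed sample", PACKED_SAMPLE)):
        print(label, triage(blob))
    for path in sys.argv[1:]:           # e.g. python pe_triage.py Lab01-01.exe Lab01-01.dll
        with open(path, "rb") as fh:
            print(path, triage(fh.read()))
```

Run it against the real lab files with `python pe_triage.py Lab01-01.exe Lab01-01.dll`; for the clean constructed sample it reports 0x4d0e2fd3 as Sun Dec 19 16:16:19 2010 UTC and no indicators, while the UPX-shaped sample trips the section-name, entropy and empty-section checks.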
4. Do any imports hint at what this malware does? If so, which imports are they?
- Sleep; malware often uses this to delay dynamic analysis or simply to wait between beacons to the next command
- CreateProcessA; executes commands or programs
- CreateMutexA; creates a mutex, commonly used to prevent multiple instances of the malware from running
- OpenMutexA; opens an existing mutex
- socket; suggests that the program communicates over a socket
- WSAStartup; initialises use of the Winsock DLL by the process
- connect; establishes a connection
- send; sends data
- recv; receives data
- inet_addr; converts a dotted IP string, so the C&C IP address is often found as its argument
- htons; converts a port number to network byte order, so the C&C port is often found as its argument
From the above, I can deduce that the malware (this set of imports belongs to Lab01-01.dll) tries to establish a connection to a server to send and receive commands and data. Since it uses CreateProcessA it is capable of remote command execution, and it probably runs in an infinite loop, sleeping between iterations via Sleep.
- MapViewOfFile; maps a view of a file mapping into memory. Once mapped, the malware can read and modify the file's contents through the mapping
- CreateFileMappingA; creates or opens a file mapping object for a file
- FindFirstFileA; searches a directory for a file
- FindNextFileA; continues the enumeration started by FindFirstFileA
- CopyFileA; makes a copy of a file
From the above, I can deduce that the malware (this set of imports belongs to Lab01-01.exe) searches for particular files and reads or writes existing files on the system through MapViewOfFile. It also copies or drops a file to another location.
5. Are there any other files or host-based indicators that you could look for on infected systems?
6. What network-based indicators could be used to find this malware on
Let's answer these two questions in one go… On the host we can look for two files (C:\windows\system32\kerne132.dll and Lab01-01.dll) and a mutex named SADFHUHF. On the network side the indicator is the IP address 127.26.152.13 (probably the C&C server). Note that 127.26.152.13 lies in the 127.0.0.0/8 loopback range, so a connection attempt to it never leaves the infected machine; it would show up in host-side telemetry (a netstat snapshot, Sysmon network events, firewall logs) rather than on a network sensor.
In Lab01-01.exe we can observe the following artifacts.
Lab01-01.exe uses hardcoded strings for its filenames. There is a call to CopyFileA in the exe that copies Lab01-01.dll to C:\windows\system32\kerne132.dll. Note that it is kerne132.dll (with the digit 1 in place of the letter l) and not kernel32.dll, a lookalike name chosen to blend in with the real system DLL. As I did not see any file delete operations in the executable, I suppose that both DLLs should still be residing on the victim's machine.
In Lab01-01.dll we can observe the following artifacts.
There is an IP address and an odd-looking string "SADFHUHF" in the executable.
On analysis, "SADFHUHF" turns out to be the hardcoded name passed to CreateMutexA/OpenMutexA. We can search for this unique mutex name on the victim's machine.
On further analysis, we can confirm that the IP address seen earlier in the strings is indeed the one passed to the connect call.
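To turn the indicators from questions 5 and 6 into something you can actually run on a suspect host, here is a small Python sweep (an added example, not code from the book or from this post). It checks a System32 directory for the dropped kerne132.dll and Lab01-01.dll, walks a directory tree for executables whose bytes name kerne132.dll (my assumption, following question 7, that an infected file references the lookalike DLL by name), parses `netstat -ano` output for connections to 127.26.152.13, and on Windows tries to open the SADFHUHF mutex with the same OpenMutex API the DLL imports. The netstat text embedded below is constructed, including its port number, which the page does not give; the check of both the bare and the Global\ mutex names is also an assumption. Because 127.26.152.13 is a loopback address, the netstat parser is the right place to look for it, not a network tap.

```python
"""Host and network indicator sweep for Lab01-01 (added example, not from the book or the post)."""
import os
import re
import sys

# Indicators taken from the analysis above.
DROPPED_DLL_NAMES = ("kerne132.dll", "Lab01-01.dll")
LOOKALIKE_DLL = b"kerne132.dll"      # digit 1 where kernel32.dll has the letter l
C2_IP = "127.26.152.13"
MUTEX_NAME = "SADFHUHF"


def find_dropped_files(system32_dir):
    """Return the dropped DLLs that exist under the given System32 directory."""
    return [os.path.join(system32_dir, n) for n in DROPPED_DLL_NAMES
            if os.path.isfile(os.path.join(system32_dir, n))]


def scan_for_lookalike_import(root):
    """Walk root and return PE files whose bytes reference kerne132.dll.
    Assumption (not stated on the page): an infected executable names the lookalike DLL
    in its import table, so a case-insensitive byte search is enough to flag it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith((".exe", ".dll")):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    blob = fh.read()
            except OSError:
                continue
            if blob[:2] == b"MZ" and LOOKALIKE_DLL in blob.lower():
                hits.append(path)
    return sorted(hits)


# One `netstat -ano` row: Proto, Local Address, Foreign Address, [State], PID (UDP rows have no State).
_NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def connections_to_c2(netstat_output, c2_ip=C2_IP):
    """Parse `netstat -ano` text and return the rows whose remote address is the C&C IP."""
    rows = []
    for line in netstat_output.splitlines():
        m = _NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        host, _sep, port = remote.rpartition(":")   # also copes with [::1]:port
        if host == c2_ip:
            rows.append({"proto": proto, "local": local, "remote_port": port,
                         "state": state or "", "pid": int(pid)})
    return rows


def mutex_exists(name=MUTEX_NAME):
    """Windows only: True/False if the named mutex can be opened, None on other platforms.
    Uses the same OpenMutex call the DLL imports. Assumption: the page gives the bare name,
    so both the session-local name and the Global\\ namespace are tried."""
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.OpenMutexW.argtypes = (wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR)
    k32.OpenMutexW.restype = wintypes.HANDLE
    SYNCHRONIZE = 0x00100000
    for candidate in (name, "Global\\" + name):
        handle = k32.OpenMutexW(SYNCHRONIZE, False, candidate)
        if handle:
            k32.CloseHandle(handle)
            return True
    return False


# Constructed netstat -ano output; the port 80 on the C&C row is invented for the example.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    10.0.0.5:49716         127.26.152.13:80       SYN_SENT        1234
  UDP    0.0.0.0:5353           *:*                                    5678
"""


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("SystemRoot", r"C:\Windows")
    print("dropped files:", find_dropped_files(os.path.join(root, "System32")))
    print("files naming kerne132.dll:", scan_for_lookalike_import(root))
    print("C&C rows in sample netstat:", connections_to_c2(SAMPLE_NETSTAT))
    print("mutex present:", mutex_exists())
```

On a live Windows host, feed the real `netstat -ano` output to connections_to_c2 and point the script at %SystemRoot%; the file scan only proves that a binary names kerne132.dll, so confirm a hit by checking its import table in IDA Pro before calling it infected.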
7. What would you guess is the purpose of these files?
My guess is that this malware drops a copy of its DLL disguised as kerne132.dll. The exe then searches for certain files and infects them so that they load this DLL. The DLL uses a mutex to ensure that only one instance of the malicious code is running. It then contacts the C&C at 127.26.152.13 on a timer (via Sleep) to receive commands to execute on the victim's machine.