Tools Used

  1. UPX
  2. IDA Pro
  3. PEID


  1. Lab01-02.exe  SHA256:c876a332d7dd8da331cb8eee7ab7bf32752834d4b2b54eaa362674a2a48f64a6

Lab 1-2
Analyze the file Lab01-02.exe.
28 Chapter 1
1. Upload the Lab01-02.exe file to Does it match
any existing antivirus definitions?

As of 22nd Jan 2016 there were 33/54 anti virus detection ratio for Lab01-02.exe.

View Lab01-02.exe Report here

2. Are there any indications that this file is packed or obfuscated? If so,
what are these indicators? If the file is packed, unpack it if possible.

UPX Packer Detected
Nothing found on peid but EP Section says: UPX1

The above has already suggested to us that the executable is most likely packed with UPX. Lets take a look at how IDA Pro sees this binary.

Tail Jump in Graph
Small import table
Only 4 strings?

Ok we are pretty sure that the exe is packed using UPX. So far I have known of only 2 techniques in unpacking UPX… the easiest one is to unpack using UPX command line itself. The other one is to do it the hard core manual way using olly dbg. We shall run through the easier one here. For the manual approach it will be in my next post.


To decompile a upx packed binary is very simple. Just download the upx tool and run the following command upx.exe -d [packed binary file]

Done =)

Let’s upload the unpacked binary to virus total again.

As of 22th Jan 2016 there were 32/54 anti virus detection ratio for Lab01-02_unpacked.exe.

View Lab01-02_unpacked.exe Report here

3. Do any imports hint at this program’s functionality? If so, which imports
are they and what do they tell you?



  1. InternetOpenA; Initializes an application’s use of the WinINet functions we can see what user agent is used to initiate the connection.
  2. InternetOpenUrlA; Opens a FTP or HTTP URL
  3. CreateMutexA; create mutex lock to prevent multiple running instances of the malware
  4. OpenMutexA;open a created mutex
  5. CreateServiceA; create a service object to the victim’s machine. Often use for persistency
  6. OpenSCManagerA; called before CreateService is invoked to establish a connection to the service control manager
  7. StartServiceCtrlDispatcherA; When the service control manager starts a service process, it waits for the process to call the StartServiceCtrlDispatcher function. The main thread of a service process should make this call as soon as possible after it starts up (within 30 seconds)

I guess that this malware is trying to install a service for persistency. It probably uses http traffic to get commands from the C2 server.

4. What host- or network-based indicators could be used to identify this
malware on infected machines?

In Lab01-02.exe (unpacked) we can observe the following artifacts in the executable.

We can look out for the service name (Malservice) in the system (services.msc), network traffic with dns lookup for (, network traffic with user agent as Internet Explorer 8.0 and a mutex (HGL345) on the victim machine.

Unpacked Executable’s Strings
Service Name: Malservice

The above shows that the malware is trying to add itself as a service in the victim’s machine for persistency.

unique mutex

The above shows that the malware is using a hardcoded unique string as a mutex (HGL345) we can use this to see if a machine is infected with this malware.


Communicating with a server

The above shows that the malware is using a hard coded useragent and url. We can create rules in the firewall to catch/block such traffic.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s