PRACTICAL MALWARE ANALYSIS: BASIC STATIC TECHNIQUES (LAB 1-02)

Tools Used

  1. UPX
  2. IDA Pro
  3. PEiD

Samples:

  1. Lab01-02.exe SHA256: c876a332d7dd8da331cb8eee7ab7bf32752834d4b2b54eaa362674a2a48f64a6

Lab 1-2
Analyze the file Lab01-02.exe.
Questions
1. Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match
any existing antivirus definitions?

As of 22nd Jan 2016 the antivirus detection ratio for Lab01-02.exe was 33/54.

View Lab01-02.exe Report here

2. Are there any indications that this file is packed or obfuscated? If so,
what are these indicators? If the file is packed, unpack it if possible.

[Figure lab02_vt: UPX packer detected]
[Figure lab01_02peid: Nothing found on PEiD, but EP Section says: UPX1]

The above already suggests that the executable is most likely packed with UPX. Let's take a look at how IDA Pro sees this binary.

[Figure lab01_02tailjmp: Tail jump in graph view]
[Figure lab01_02imports: Small import table]
[Figure lab01_02strings: Only 4 strings?]

OK, we are pretty sure that the exe is packed using UPX. So far I have known of only two techniques for unpacking UPX: the easiest one is to unpack using the UPX command line tool itself; the other is the hardcore manual way using OllyDbg. We shall run through the easier one here. The manual approach will be in my next post.

[Figure lab01-02upx]

Unpacking a UPX-packed binary is very simple. Just download the UPX tool and run the following command: upx.exe -d [packed binary file]

Done =)

Let’s upload the unpacked binary to virus total again.

As of 22nd Jan 2016 the antivirus detection ratio for Lab01-02_unpacked.exe was 32/54.

View Lab01-02_unpacked.exe Report here
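The packing indicators above (UPX0/UPX1 section names, an entry point that lies in UPX1 rather than .text, and a first section with no raw data that the stub unpacks into) can all be read straight from the PE headers. The script below is an added example, not code from the book or from this post: it parses the section table with nothing but the standard library, reports the same indicators PEiD and IDA surfaced, and runs against two constructed header layouts (a UPX-style one and a normal compiler-produced one, neither being the lab sample's real bytes). Run it on a real file by passing the file's bytes to packing_indicators().

```python
import struct

SECTION_HEADER_SIZE = 40
OPTIONAL_HEADER_SIZE = 224  # PE32 optional header


def build_sample_pe(sections, entry_rva):
    """Build a minimal PE32 header plus section table (constructed test input).

    `sections` is a list of (name, virtual_size, virtual_address, raw_size).
    """
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))            # e_lfanew -> PE signature
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                       OPTIONAL_HEADER_SIZE, 0x102)        # i386, executable, 32-bit
    opt = bytearray(OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)            # AddressOfEntryPoint
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, rawsize, 0, 0, 0, 0, 0, 0)
        for name, vsize, vaddr, rawsize in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_sections(data):
    """Return (entry_rva, [section dicts]) read from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(num_sections):
        off = opt + size_of_opt + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "virtual_address": vaddr,
            "raw_size": rawsize,
        })
    return entry_rva, sections


def entry_point_section(entry_rva, sections):
    """Name of the section holding the entry point (PEiD's 'EP Section')."""
    for s in sections:
        start = s["virtual_address"]
        end = start + max(s["virtual_size"], s["raw_size"])
        if start <= entry_rva < end:
            return s["name"]
    return None


def packing_indicators(data):
    """Return (tag, detail) pairs for the static packing indicators found."""
    entry_rva, sections = parse_sections(data)
    findings = []
    upx_names = [s["name"] for s in sections if s["name"].startswith("UPX")]
    if upx_names:
        findings.append(("upx-section-names", ", ".join(upx_names)))
    ep = entry_point_section(entry_rva, sections)
    if ep is not None and ep not in (".text", "CODE"):
        findings.append(("entry-point-section", ep))
    for s in sections:
        # Zero bytes on disk but a large virtual size: the stub unpacks into it.
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(("empty-raw-section", s["name"]))
    return findings


# Constructed layouts, not the lab sample: a UPX-style table and a normal one.
UPX_SAMPLE = build_sample_pe(
    [(b"UPX0", 0x7000, 0x1000, 0), (b"UPX1", 0x1000, 0x8000, 0xA00),
     (b".rsrc", 0x1000, 0x9000, 0x200)], entry_rva=0x8A00)
CLEAN_SAMPLE = build_sample_pe(
    [(b".text", 0x1000, 0x1000, 0x1000), (b".data", 0x200, 0x2000, 0x200)],
    entry_rva=0x1100)

if __name__ == "__main__":
    for label, image in (("packed", UPX_SAMPLE), ("unpacked", CLEAN_SAMPLE)):
        print(label, packing_indicators(image) or "no packing indicators")
```

Only section-level indicators are checked here; the small import table IDA showed is a further hint, but a packer can also be renamed to hide the UPX section names, so treat an entry point outside the code section and an empty-on-disk first section as the more durable signals.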

3. Do any imports hint at this program’s functionality? If so, which imports
are they and what do they tell you?

[Figure lab01-02imports: Imports]

Lab01-02.exe

  1. InternetOpenA: initializes an application's use of the WinINet functions; we can see what user agent is used to initiate the connection.
  2. InternetOpenUrlA: opens an FTP or HTTP URL.
  3. CreateMutexA: creates a mutex to prevent multiple running instances of the malware.
  4. OpenMutexA: opens an existing mutex.
  5. CreateServiceA: creates a service object on the victim's machine. Often used for persistence.
  6. OpenSCManagerA: called before CreateServiceA is invoked, to establish a connection to the service control manager.
  7. StartServiceCtrlDispatcherA: when the service control manager starts a service process, it waits for the process to call StartServiceCtrlDispatcher. The main thread of a service process should make this call as soon as possible after it starts up (within 30 seconds).

My guess is that this malware is trying to install a service for persistence. It probably uses HTTP traffic to get commands from the C2 server.

4. What host- or network-based indicators could be used to identify this
malware on infected machines?

In Lab01-02.exe (unpacked) we can observe the following artifacts in the executable.

We can look out for the service name (Malservice) in the system (services.msc), network traffic with a DNS lookup for www.malwareanalysisbook.com (184.168.221.22) and HTTP requests to http://www.malwareanalysisbook.com, network traffic with the user agent Internet Explorer 8.0, and a mutex (HGL345) on the victim machine.

[Figure lab01_02strings1: Unpacked executable's strings]
[Figure lab01_02services: Service Name: Malservice]

The above shows that the malware is trying to add itself as a service on the victim's machine for persistence.

[Figure lab01_02mutex: Unique mutex]

The above shows that the malware is using a hardcoded unique string as a mutex (HGL345); we can use this to check whether a machine is infected with this malware.

 

[Figure lab01_02internet: Communicating with a server]

The above shows that the malware is using a hardcoded user agent and URL. We can create firewall rules to catch/block such traffic.
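The four indicators collected in this answer all came out of the unpacked binary's strings, and the packed binary showed almost none of them. The script below is an added example, not code from the book or from this post: it implements a small `strings`-style extractor (ASCII plus UTF-16LE, which goes a little beyond the ASCII-only view shown above) and checks the result against the indicator list from this lab. The two byte blobs are constructed stand-ins for file contents, not the real lab binaries; on a real file, pass its bytes to extract_strings().

```python
import re

# Host- and network-based indicators from the unpacked sample, as listed above.
INDICATORS = {
    "service name": "Malservice",
    "mutex": "HGL345",
    "user agent": "Internet Explorer 8.0",
    "C2 URL": "http://www.malwareanalysisbook.com",
}

# Constructed stand-ins (not the lab binaries' bytes): the "unpacked" blob
# carries the indicators, the "packed" blob only the UPX section names.
UNPACKED_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"Malservice\x00" + b"HGL345\x00" + b"Internet Explorer 8.0\x00"
    + b"http://www.malwareanalysisbook.com\x00"
    + b"CreateServiceA\x00InternetOpenA\x00\x00"
    + "Malservice".encode("utf-16-le") + b"\x00\x00"   # a wide-string copy
)
PACKED_BLOB = (
    b"MZ\x90\x00" + b"\x01\x02\x7f\x80\xff" * 20
    + b"UPX0\x00\x00\x00\x00" + b"\x10\x90\xfe\x01" * 10
    + b"UPX1\x00\x00\x00\x00" + b"\x10\x90\xfe\x01" * 10
)


def extract_strings(data, min_len=4):
    """Printable ASCII and UTF-16LE runs of at least min_len characters."""
    n = str(min_len).encode()
    ascii_re = re.compile(rb"[\x20-\x7e]{" + n + b",}")
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){" + n + b",}")
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return sorted(set(found))


def match_indicators(strings, indicators=INDICATORS):
    """Map each indicator label to the extracted string that contains it."""
    hits = {}
    for label, needle in indicators.items():
        for s in strings:
            if needle in s:
                hits[label] = s
                break
    return hits


if __name__ == "__main__":
    for label, blob in (("packed", PACKED_BLOB), ("unpacked", UNPACKED_BLOB)):
        strings = extract_strings(blob)
        print(f"{label}: {len(strings)} strings, indicators: {match_indicators(strings)}")
```

The packed blob yields only the UPX section names and no indicator hits, which mirrors the "Only 4 strings?" observation on the packed sample; the same indicator list is what you would turn into a service-name check, a mutex check and a proxy or firewall rule on the monitored hosts.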
