Tools Used:

  1. Cerbero Profiler 2.5
  2. IDA Pro
  3. PEID


  1. Lab01-04.exe SHA256: 0fa1498340fca6c562cfa389ad3e93395f44c72fd128d7ba08579a69aaf3b126
  2. resource.exe SHA256: 819b2db1876d85846811799664d512b2f1af13e329f5debe60926c3b03424745

Lab 1-4
Analyze the file Lab01-04.exe.
1. Upload the Lab01-04.exe file to Does it match
any existing antivirus definitions?

As of 25 Jan 2016 the anti-virus detection ratio for Lab01-04.exe was 44/54.

View Lab01-04.exe Report here

2. Are there any indications that this file is packed or obfuscated? If so,
what are these indicators? If the file is packed, unpack it if possible.

3. When was this program compiled?

PEID did not suggest that the file is packed. IDA Pro’s imports table looks legitimate as well.

PEID (no packer detected)

However, opening the file in Cerbero Profiler highlights that the file contains a binary resource which has an MZ header, i.e. an embedded executable. Let’s extract the resource and re-analyze it with VirusTotal and PEID.

payload found in resources

As of 25 Jan 2016 the anti-virus detection ratio for resource.exe was 45/53.

View resource.exe Report here

PEID (no packer detected)

PEID did not suggest that the extracted binary is packed. IDA Pro’s imports table looks legitimate as well.

To find out when each binary was compiled we can use Cerbero Profiler again to read the PE header timestamp.

Lab01-04.exe – Aug 31 2019
resource.exe – Feb 27 2011 08:16:59 (GMT+8)

From the above we can see that the compile timestamp of Lab01-04.exe is forged: it is dated Aug 2019, more than three years after this analysis (Jan 2016). The resource binary’s timestamp, however, might be the real one.

Lab01-04.exe: Aug 31 2019 06:26:59 (GMT+8)

resource.exe: Feb 27 2011 08:16:59 (GMT+8)
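The two Cerbero Profiler observations above (an MZ header hidden inside the file, and a compile timestamp that cannot be genuine) can be reproduced without the tool. The following script is an added example, not part of the original write-up and not code from Cerbero or IDA: it scans a buffer for every "MZ" header, confirms each candidate is a real PE by following e_lfanew to the "PE\0\0" signature, reads the COFF TimeDateStamp, and flags any build time that lies after the analysis date. The sample carrier is constructed inline; the timestamps mirror the dates on this page.

```python
"""Locate embedded PE images in a carrier file and flag forged compile times.

Added example; not part of the original post or of any analysis tool.
"""
import struct
from datetime import datetime, timezone

PE_SIGNATURE = b"PE\0\0"
# COFF header after 'PE\0\0': Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
COFF_TIMESTAMP_OFFSET = 8


def pe_header_offset(buf, mz_off):
    """Return the offset of 'PE\\0\\0' for the MZ header at mz_off, or None.

    A bare 'MZ' byte pair is common in random data; only accept it when the
    e_lfanew field (DOS header offset 0x3C) points at a real PE signature.
    """
    if buf[mz_off:mz_off + 2] != b"MZ" or mz_off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, mz_off + 0x3C)[0]
    pe_off = mz_off + e_lfanew
    if e_lfanew < 0x40 or pe_off + 24 > len(buf):
        return None
    if buf[pe_off:pe_off + 4] != PE_SIGNATURE:
        return None
    return pe_off


def compile_timestamp(buf, pe_off):
    """Decode the COFF TimeDateStamp as a UTC datetime."""
    ts = struct.unpack_from("<I", buf, pe_off + COFF_TIMESTAMP_OFFSET)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def find_embedded_pes(buf):
    """Return (offset, compile_time) for every valid PE in buf, carrier included."""
    results = []
    start = 0
    while True:
        mz = buf.find(b"MZ", start)
        if mz == -1:
            break
        pe_off = pe_header_offset(buf, mz)
        if pe_off is not None:
            results.append((mz, compile_timestamp(buf, pe_off)))
        start = mz + 1
    return results


def timestamp_is_suspicious(compile_time, analysis_time):
    """A build time after the analysis date (or the epoch) cannot be genuine."""
    return compile_time > analysis_time or compile_time.timestamp() == 0


def make_fake_pe(timestamp, padding):
    """Constructed minimal PE-shaped blob: DOS header, e_lfanew, PE sig, COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40 + padding)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"\0" * padding + PE_SIGNATURE + coff


# Constructed sample: a carrier with a future compile time and a second PE
# embedded mid-file (standing in for resource #101), plus a decoy 'MZ' at the end.
ANALYSIS_DATE = datetime(2016, 1, 25, tzinfo=timezone.utc)
CARRIER_TS = int(datetime(2019, 8, 31, tzinfo=timezone.utc).timestamp())
EMBEDDED_TS = int(datetime(2011, 2, 27, tzinfo=timezone.utc).timestamp())
SAMPLE = (make_fake_pe(CARRIER_TS, 16) + b"\xCC" * 100
          + make_fake_pe(EMBEDDED_TS, 0) + b"MZ" + b"junk")


if __name__ == "__main__":
    for off, when in find_embedded_pes(SAMPLE):
        flag = "FORGED?" if timestamp_is_suspicious(when, ANALYSIS_DATE) else "plausible"
        print(f"PE at offset {off:#x}: compiled {when:%Y-%m-%d %H:%M:%S} UTC [{flag}]")
```

The decoy "MZ" near the end of the sample is rejected because nothing valid follows it, which is the same reason an analyst should not trust a strings hit on "MZ" alone. Carving the embedded image out to disk additionally needs its size from the section table (PointerToRawData + SizeOfRawData of the last section), which Cerbero Profiler computes for you when you extract the resource.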

4. Do any imports hint at this program’s functionality? If so, which imports
are they and what do they tell you?


Lab01-04.exe’s imports

There are several interesting imports here.

  1. OpenProcessToken
  2. LookupPrivilegeValueA
  3. AdjustTokenPrivileges
  4. WinExec
  5. WriteFile
  6. CreateFileA
  7. CreateRemoteThread
  8. FindResourceA
  9. MoveFileA
  10. LoadResource

The ADVAPI32 imports (OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges) let the malware raise its own privileges so that the calls that follow will succeed. The KERNEL32 imports in this case let it load a library, execute an application, write a file to disk and read its own resources.

disable windows file protection

The above screenshot shows the malware adjusting its token to enable SeDebugPrivilege. Once the privilege is enabled, it calls ordinal 2 of sfc_os.dll, which is the CloseFileMapEnumeration function.

sfc_os.dll’s export

We can find out more details on what this function does here… In a nutshell, it disables the write protection that winlogon provides for system files. Once the protection is disabled, the malware moves the file “windows directory\system32\wupdmgr.exe” to “temp\winup.exe”. It then reads its own resource #101 and writes it out as a new file at “windows directory\system32\wupdmgr.exe”. Finally, the malware executes this freshly written binary using WinExec.

Disabling Windows File Protection: 


resource.exe’s imports

There are only 4 imports of interest here.

  1. URLDownloadToFileA: downloads a file from a given URL to the victim’s machine
  2. GetWindowsDirectoryA: gets the Windows directory of the victim’s machine
  3. GetTempPathA: gets the path of the directory designated for temporary files
  4. WinExec: runs a command/application

From the above import functions, we can make an educated guess that the malware is attempting to download another binary from a URL into either the victim’s temp directory or windows directory and execute it.

disassembled resource.exe

The disassembled code first executes the exe located at “temppath\winup.exe”, where temppath is the temporary folder named by the environment variables (the copy of the original wupdmgr.exe that the dropper moved aside). It then attempts to download another exe from and save it as “windows directory\system32\wupdmgrd.exe”. It then executes this exe via WinExec.

5. What host- or network-based indicators could be used to identify this
malware on infected machines?


Host-based indicators: temppath\winup.exe and windows directory\system32\wupdmgrd.exe


Network-based indicator:

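The behaviour worked out in questions 4 and 5 (a process enabling SeDebugPrivilege, loading sfc_os.dll and touching winlogon, moving the real wupdmgr.exe to temp\winup.exe, writing a new wupdmgr.exe into System32, then dropping wupdmgrd.exe) is a chain of host events that a defender can correlate per process. The script below is an added example and not part of the original write-up or of any product’s rule set: it runs a few simple indicator rules over constructed, Sysmon-like key=value event lines and raises an alert for any process that matches two or more distinct indicators. The log format, the process IDs and the small allow-list of legitimate System32 writers are assumptions for the demo; the file names and the sfc_os.dll/winlogon behaviour are the ones described above.

```python
"""Correlate per-process host events into the dropper chain from this lab.

Added example; not from the original post and not a product detection rule.
"""
import re
from collections import defaultdict

# Constructed, Sysmon-like log lines (not a real Sysmon export). PIDs, user name
# and the TiWorker.exe line are invented to exercise the rules.
SAMPLE_LOG = r"""
ts=2016-01-25T10:00:01 pid=1337 image=C:\Users\victim\Lab01-04.exe event=ImageLoad module=C:\Windows\System32\sfc_os.dll
ts=2016-01-25T10:00:01 pid=1337 image=C:\Users\victim\Lab01-04.exe event=CreateRemoteThread target=C:\Windows\System32\winlogon.exe
ts=2016-01-25T10:00:02 pid=1337 image=C:\Users\victim\Lab01-04.exe event=FileRename src=C:\Windows\System32\wupdmgr.exe dst=C:\Users\victim\AppData\Local\Temp\winup.exe
ts=2016-01-25T10:00:02 pid=1337 image=C:\Users\victim\Lab01-04.exe event=FileCreate path=C:\Windows\System32\wupdmgr.exe
ts=2016-01-25T10:00:03 pid=1337 image=C:\Users\victim\Lab01-04.exe event=ProcessCreate child=C:\Windows\System32\wupdmgr.exe
ts=2016-01-25T10:00:03 pid=2048 image=C:\Windows\System32\wupdmgr.exe event=ProcessCreate child=C:\Users\victim\AppData\Local\Temp\winup.exe
ts=2016-01-25T10:00:04 pid=2048 image=C:\Windows\System32\wupdmgr.exe event=FileCreate path=C:\Windows\System32\wupdmgrd.exe
ts=2016-01-25T10:00:05 pid=4242 image=C:\Windows\System32\TiWorker.exe event=FileCreate path=C:\Windows\System32\wupdmgr.exe
"""

# Assumption for the demo: processes that legitimately write into System32.
TRUSTED_SYSTEM32_WRITERS = {"tiworker.exe", "trustedinstaller.exe"}

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value line into a dict (values contain no spaces here)."""
    return dict(KV.findall(line))


def indicators_for(ev):
    """Map one event to the indicator names it satisfies."""
    kind = ev.get("event")
    exe = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    found = []
    if (kind == "ImageLoad" and ev.get("module", "").lower().endswith("\\sfc_os.dll")
            and exe != "winlogon.exe"):
        found.append("loads_sfc_os")          # only winlogon has business with sfc_os.dll
    if kind == "CreateRemoteThread" and ev.get("target", "").lower().endswith("\\winlogon.exe"):
        found.append("remote_thread_into_winlogon")
    if kind == "FileRename" and ev.get("dst", "").lower().endswith("\\winup.exe"):
        found.append("stages_winup_in_temp")  # original wupdmgr.exe moved aside
    if kind == "FileCreate":
        path = ev.get("path", "").lower()
        if "\\system32\\" in path and exe not in TRUSTED_SYSTEM32_WRITERS:
            found.append("writes_system32_untrusted")
        if path.endswith("\\wupdmgrd.exe"):
            found.append("drops_wupdmgrd")    # the downloader's second-stage file
    if kind == "ProcessCreate" and ev.get("child", "").lower().endswith(
            ("\\winup.exe", "\\wupdmgr.exe", "\\wupdmgrd.exe")):
        found.append("executes_dropped_binary")
    return found


def correlate(lines, threshold=2):
    """Return {(pid, image): [indicators]} for processes with >= threshold distinct hits."""
    hits = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if not ev:
            continue
        for name in indicators_for(ev):
            hits[(ev["pid"], ev["image"])].append(name)
    return {key: names for key, names in hits.items() if len(set(names)) >= threshold}


if __name__ == "__main__":
    for (pid, image), names in correlate(SAMPLE_LOG.strip().splitlines()).items():
        print(f"ALERT pid={pid} {image}: {sorted(set(names))}")
```

Requiring two distinct indicators per process is what keeps the TiWorker.exe line (a servicing process writing to System32) from alerting on its own, while the dropper and the binary it writes each trip several rules within seconds of one another.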

6. This file has one resource in the resource section. Use Resource Hacker
to examine that resource, and then use it to extract the resource. What
can you learn from the resource?

The solutions to questions 4 and 5 have already answered this question. Many malware families use this technique to drop malicious executables on the victim’s machine, and the payload is hidden in the dropper in various forms: some are embedded in images (hidden via steganography), while others are simply stored as raw bytes at an offset in the file. Encryption or encoding such as RC4, XOR or Base64 is commonly used in droppers as well. What is interesting in this exercise is the technique of disabling Windows File Protection from user-mode code.
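When the payload is stored encoded rather than as a plain resource, the "MZ" search that worked in this lab finds nothing. The script below is an added example, not part of the original write-up: it handles the single-byte XOR case mentioned above by trying all 256 keys, searching for the encoded "MZ" marker, and accepting a hit only if the decoded e_lfanew field leads to an encoded "PE\0\0" signature, so stray byte pairs that happen to XOR to "MZ" are rejected. The carrier, the hidden payload and the key 0x5A are all constructed inline for the demo.

```python
"""Find a single-byte-XOR-encoded PE hidden inside a dropper.

Added example; not from the original post. Key 0 in the results means the
image is stored in the clear, so the same scan also finds plain embedded PEs.
"""
import struct


def xor_bytes(data, key):
    """XOR every byte of data with the single-byte key."""
    return bytes(b ^ key for b in data)


def find_xor_encoded_pes(buf):
    """Return (key, offset) for every PE reachable with a single-byte XOR key."""
    hits = []
    for key in range(256):
        marker = xor_bytes(b"MZ", key)  # what 'MZ' looks like under this key
        start = 0
        while True:
            off = buf.find(marker, start)
            if off == -1:
                break
            # Decode only the DOS header window, not the whole buffer per key.
            window = xor_bytes(buf[off:off + 0x40], key)
            if len(window) == 0x40:
                e_lfanew = struct.unpack_from("<I", window, 0x3C)[0]
                sig = xor_bytes(buf[off + e_lfanew:off + e_lfanew + 4], key)
                if e_lfanew >= 0x40 and sig == b"PE\0\0":
                    hits.append((key, off))
            start = off + 1
    return hits


def recover_payload(buf, key, off, length):
    """Decode length bytes of the carrier starting at off with the found key."""
    return xor_bytes(buf[off:off + length], key)


def make_min_pe():
    """Constructed minimal PE-shaped blob: DOS header, e_lfanew=0x40, PE sig, machine."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\0\0" + b"\x4c\x01"  # IMAGE_FILE_MACHINE_I386


# Constructed sample: a plain carrier PE, a decoy 'MZ' followed by garbage,
# then the payload XOR-encoded with key 0x5A.
KEY = 0x5A
SAMPLE = (make_min_pe() + b"\x00" * 50 + b"MZ" + b"\xff" * 80
          + xor_bytes(make_min_pe(), KEY) + b"\x11" * 10)


if __name__ == "__main__":
    for key, off in find_xor_encoded_pes(SAMPLE):
        print(f"PE candidate at offset {off:#x} with XOR key {key:#04x}")
```

The decoy "MZ" is dropped because its decoded e_lfanew points nowhere useful. Multi-byte XOR keys and RC4 need a different approach (key recovery from the known DOS-stub plaintext, or locating the decryption routine in the disassembly), and a Base64-stored PE is usually spotted by its characteristic "TVqQ" prefix rather than by this scan.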

