PRACTICAL MALWARE ANALYSIS: BASIC STATIC TECHNIQUES (LAB 1-04)

Tools Used:

  1. Cerbero Profiler 2.5
  2. IDA Pro
  3. PEID

Samples:

  1. Lab01-04.exe SHA256: 0fa1498340fca6c562cfa389ad3e93395f44c72fd128d7ba08579a69aaf3b126
  2. resource.exe SHA256: 819b2db1876d85846811799664d512b2f1af13e329f5debe60926c3b03424745

Lab 1-4
Analyze the file Lab01-04.exe.
Questions
1. Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match
any existing antivirus definitions?

As of 25th Jan 2016, the antivirus detection ratio for Lab01-04.exe was 44/54.

View Lab01-04.exe Report here

2. Are there any indications that this file is packed or obfuscated? If so,
what are these indicators? If the file is packed, unpack it if possible.

3. When was this program compiled?

PEID does not flag the file as packed, and IDA Pro’s import table looks legitimate as well.

lab01-04_peid1
PEID (no packer detected)

However, opening the file in Cerbero Profiler shows that it contains a binary resource with an MZ header, i.e. an embedded executable. Let’s extract the resource and re-analyze it with VirusTotal and PEID.

lab01-04_resource
payload found in resources

As of 25th Jan 2016, the antivirus detection ratio for resource.exe was 45/53.

View resource.exe Report here

lab01-04_peid2
PEID (no packer detected)

PEID does not flag the extracted binary as packed either, and IDA Pro’s import table looks legitimate as well.

To find out when each binary was compiled, we can use Cerbero Profiler again to read the PE header timestamp.

lab01-04_time
Lab01-04.exe – Aug 31 2019
lab01-04_resourcetime
resource.exe – Feb 27 2011 08:16:59 (GMT+8)

From the above we can see that Lab01-04.exe’s compile timestamp is fake: Aug 31 2019 is more than three years after the analysis date (25 Jan 2016), so it cannot be genuine. The embedded resource binary’s timestamp, however, may well be the real one.

Lab01-04.exe: Aug 31 2019 06:26:59 (GMT+8)

resource.exe: Feb 27 2011 08:16:59 (GMT+8)
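As an added example (not code from the post or from Cerbero Profiler), the following Python carver does by script what the two steps above do by hand: it scans a buffer for embedded MZ/PE headers, validates e_lfanew and the section table, reads each PE’s TimeDateStamp and flags any that postdate the analysis date. The sample PEs and their timestamps are constructed in build_fake_pe()/demo() and are not the lab’s binaries.

```python
import struct
from datetime import datetime, timezone

ANALYSIS_DATE = datetime(2016, 1, 25, tzinfo=timezone.utc)  # constructed: the post's analysis date

def parse_pe_header(buf, off):
    """If buf[off:] starts a plausible PE, return (TimeDateStamp, on-disk size), else None."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    # IMAGE_FILE_HEADER: NumberOfSections at +6, TimeDateStamp at +8, SizeOfOptionalHeader at +20
    nsec, stamp = struct.unpack_from("<HI", buf, pe + 6)
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
    sec = pe + 24 + opt_size
    if nsec == 0 or sec + nsec * 40 > len(buf):
        return None
    end = 0
    for i in range(nsec):  # on-disk size = furthest PointerToRawData + SizeOfRawData
        raw_size, raw_ptr = struct.unpack_from("<II", buf, sec + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return (stamp, end) if 0 < end <= len(buf) - off else None

def carve_embedded_pes(buf):
    """Return (offset, build time, size, is_future) for every PE in buf, outer and embedded."""
    found, pos = [], buf.find(b"MZ")
    while pos != -1:
        hdr = parse_pe_header(buf, pos)
        if hdr:
            built = datetime.fromtimestamp(hdr[0], tz=timezone.utc)
            found.append((pos, built, hdr[1], built > ANALYSIS_DATE))
        pos = buf.find(b"MZ", pos + 1)
    return found

def build_fake_pe(stamp, section_data):
    """Constructed minimal PE (not a real sample): DOS header, file header, one section at 0x80."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    file_hdr = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0x102)
    sec_hdr = b".rsrc\0\0\0" + struct.pack("<IIII", len(section_data), 0x1000, len(section_data), 0x80)
    hdr = dos + file_hdr + sec_hdr.ljust(40, b"\0")
    return hdr.ljust(0x80, b"\0") + section_data

def demo():
    """Outer dropper with a faked 2019 timestamp carrying an inner PE stamped 2011 (both constructed)."""
    inner = build_fake_pe(1298765819, b"inner payload")    # 2011-02-27 00:16:59 UTC
    outer = build_fake_pe(1567204019, b"\0" * 16 + inner)  # 2019-08-30 22:26:59 UTC, after ANALYSIS_DATE
    return carve_embedded_pes(outer)
```

Running demo() on a real dropper would be a matter of replacing the constructed buffer with the file’s bytes; the inner PE’s size comes from its own section table, so the carve ends where the embedded image ends rather than at the end of the file.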

4. Do any imports hint at this program’s functionality? If so, which imports
are they and what do they tell you?

Lab01-04.exe

lab01-04_imports
Lab01-04.exe’s imports

There are several interesting imports here.

  1. OpenProcessToken
  2. LookupPrivilegeValueA
  3. AdjustTokenPrivileges
  4. WinExec
  5. WriteFile
  6. CreateFileA
  7. CreateRemoteThread
  8. FindResourceA
  9. MoveFileA
  10. LoadResource

The ADVAPI32 imports (OpenProcessToken, LookupPrivilegeValueA, AdjustTokenPrivileges) let the program raise its own privileges so that the calls that follow succeed. The KERNEL32 imports, in this case, let it load a library, execute an application, write a file to disk and access its own resources.

lab01-04_sfc.PNG
disable windows file protection

The above screenshot shows the malware raising its privileges by enabling SeDebugPrivilege. Once the token is adjusted, it calls sfc_os.dll’s ordinal #2, which is the CloseFileMapEnumeration function.

lab01-04_ordinal.PNG
sfc_os.dll’s export

More details on what this function does are in the NTCore article linked below. In a nutshell, it disables the Windows File Protection that winlogon provides. Once the protection is disabled, the malware moves the file “windows directory\system32\wupdmgr.exe” to “temp\winup.exe”. It then reads its own resource #101 and writes it out as a new file at “windows directory\system32\wupdmgr.exe”. Finally, it executes this freshly written binary using WinExec.

Disabling Windows File Protection: http://www.ntcore.com/files/wfp.htm 

resource.exe

lab01-04_resourceImport
resource.exe’s imports

There are only 4 imports of interest here.

  1. URLDownloadToFileA: downloads a file from a given URL to the victim’s machine
  2. GetWindowsDirectoryA: gets the Windows directory of the victim’s machine
  3. GetTempPathA: gets the path of the directory designated for temporary files
  4. WinExec: runs a command or application

From these imports we can make an educated guess that the binary downloads another executable from a URL into either the victim’s temp directory or Windows directory and then runs it.

lab01-04_resourceGraph
disassembled resource.exe

The disassembled code first executes the exe at “temppath\winup.exe”, where temppath is the temporary folder given by the environment variables. It then downloads another exe from http://www.practicalmalwareanalysis.com/updater.exe, saves it as “windows directory\system32\wupdmgrd.exe” and executes it via WinExec.

5. What host- or network-based indicators could be used to identify this
malware on infected machines?

Lab01-04.exe

Host-based indicators: temppath\winup.exe & windows directory\system32\wupdmgrd.exe

resource.exe

Network-based indicator: http://www.practicalmalwareanalysis.com/updater.exe

Host-based indicators: temppath\winup.exe & windows directory\system32\wupdmgrd.exe
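As an added example (not part of the original write-up), here is the detection side of these indicators: a small Python matcher that runs the host and network indicators from questions 4 and 5 over endpoint-style log lines. The log format (key="value" pairs) and the SAMPLE_LOG events are constructed to mirror the dropper chain described above and are not real telemetry.

```python
import re

# Indicators from the write-up. Paths are matched case-insensitively because Windows paths are,
# and only the file name and system32 suffix are matched because the temp/Windows prefixes vary per host.
INDICATORS = {
    "dropper_backup":    re.compile(r"\\winup\.exe$", re.I),
    "dropped_binary":    re.compile(r"\\system32\\wupdmgr\.exe$", re.I),
    "downloaded_binary": re.compile(r"\\system32\\wupdmgrd\.exe$", re.I),
    "c2_download":       re.compile(r"^https?://www\.practicalmalwareanalysis\.com/updater\.exe$", re.I),
}

def parse_event(line):
    """Parse one constructed 'key="value" key="value"' log line into a dict."""
    return dict(m.groups() for m in re.finditer(r'(\w+)="([^"]*)"', line))

def match_indicators(lines):
    """Return (line number, indicator name, event type) for each log line that hits an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        for field in ("target", "url"):
            for name, pattern in INDICATORS.items():
                if field in ev and pattern.search(ev[field]):
                    hits.append((n, name, ev.get("type", "?")))
    return hits

# Constructed sample events modelled on the behaviour described above (not real telemetry)
SAMPLE_LOG = [
    'type="FileRename" image="C:\\Users\\bob\\Lab01-04.exe" target="C:\\Users\\bob\\AppData\\Local\\Temp\\winup.exe"',
    'type="FileCreate" image="C:\\Users\\bob\\Lab01-04.exe" target="C:\\Windows\\system32\\wupdmgr.exe"',
    'type="ProcessCreate" image="C:\\Windows\\system32\\wupdmgr.exe" target="C:\\Users\\bob\\AppData\\Local\\Temp\\winup.exe"',
    'type="HttpRequest" image="C:\\Windows\\system32\\wupdmgr.exe" url="http://www.practicalmalwareanalysis.com/updater.exe"',
    'type="FileCreate" image="C:\\Windows\\system32\\wupdmgr.exe" target="C:\\Windows\\system32\\wupdmgrd.exe"',
    'type="FileCreate" image="C:\\Windows\\explorer.exe" target="C:\\Users\\bob\\Documents\\notes.txt"',
]
```

The rename of system32\wupdmgr.exe to a winup.exe in the temp directory is the strongest single signal, since no legitimate updater backs up a system file that way.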

6. This file has one resource in the resource section. Use Resource Hacker
to examine that resource, and then use it to extract the resource. What
can you learn from the resource?

The answers to questions 4 and 5 have already covered this one. A lot of malware uses this technique to drop malicious executables on the victim’s machine, and the payload hidden in a dropper takes various forms: some are hidden inside images (steganography), others are simply raw bytes at a known offset. Encryption or encoding such as RC4, XOR or Base64 is commonly used in droppers as well. What is interesting in this exercise is the technique of disabling Windows File Protection from user-mode code.
