- IDA Pro
- Proc Mon
- Process Explorer
- Lab03-02.dll SHA256: 5eced7367ed63354b4ed5c556e2363514293f614c2c2eb187273381b2ef5f0f9
- Detection Rate: 40/49
- Analyzed on 30 Jan 2016
- Compilation Date: 2010:09:28 02:00:25+01:00
- View report here
Analyze the malware found in the file Lab03-02.dll using basic dynamic analysis tools.
Questions
1. How can you get this malware to install itself?
Looking at the exports in IDA Pro, we can see several functions that are available for us to call. It even includes an uninstall export!
One way to execute a DLL manually is via rundll32.exe. The syntax is as follows:
RUNDLL32.EXE <dllname>,<entrypoint> <optional arguments>
So let's try: RUNDLL32.exe Lab03-02.dll,install
So what happens when the DLL is installed?
The malware installs itself as a service hosted by svchost.exe. The DLL's path is written under the service's Parameters key as its ServiceDll, so when the service starts, svchost.exe loads the DLL and the malicious code runs inside that host process.
If we look at the install function in IDA Pro, you will easily see that it creates a service through the Service Control Manager. It then adds a description and other details via registry changes so that the service looks legitimate, hiding in plain sight. A call is made to get the current DLL's path, and that path is written into the service's registry entries as well.
2. How would you get this malware to run after installation?
I know of two manual ways to run this malware:
- we can use command prompt “net start IPRIP“
- start the service via Services.msc as shown in the image above
3. How can you find the process under which this malware is running?
By going through the svchost.exe processes, we will come across one in which Lab03-02.dll is loaded. That is the malicious process; in this case the PID is 1032. This can be easily achieved with the Find Handle or DLL option (Ctrl-F) in Process Explorer, as shown below.
4. Which filters could you set in order to use procmon to glean information?
We can either set the filter to PID is 1032, or to Command Line contains netsvcs, since the svchost.exe instance that hosts the malware is started with -k netsvcs.
5. What are the malware’s host-based indicators?
- Service – IPRIP, with the display name Intranet Network Awareness
- Registry – HKLM\SYSTEM\CurrentControlSet\Services\IPRIP
6. Are there any useful network-based signatures for this malware?
An attempt to resolve practicalmalwareanalysis.com over DNS can be used to detect whether a machine has been infected. We can also look out for an HTTP GET request for serve.html.
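The two network indicators above can be turned into a simple detector. The script below is an added example, not code from the original write-up; it matches a DNS query for practicalmalwareanalysis.com (or any of its subdomains) and an HTTP GET whose path is /serve.html. The tab-separated log format it parses is a simplified one constructed for this example, so adapt the field handling to whatever your DNS server, proxy or Zeek sensor actually emits.

```python
"""
Network indicator check for Lab03-02 (added example, not from the original
write-up). Matches the two signatures the text gives:
  - a DNS query for practicalmalwareanalysis.com (or a subdomain of it)
  - an HTTP GET for /serve.html
The tab-separated log format below is constructed for this example.
"""
from dataclasses import dataclass

C2_DOMAIN = "practicalmalwareanalysis.com"
C2_URI = "/serve.html"


@dataclass(frozen=True)
class Hit:
    ts: str
    src: str
    indicator: str  # "dns" or "http"
    detail: str


def dns_query_matches(qname: str) -> bool:
    """True for the C2 domain itself or any subdomain (case-insensitive, trailing dot ignored)."""
    q = qname.lower().rstrip(".")
    return q == C2_DOMAIN or q.endswith("." + C2_DOMAIN)


def http_request_matches(method: str, uri: str) -> bool:
    """True for a GET whose path component is /serve.html (query string ignored)."""
    path = uri.split("?", 1)[0].lower()
    return method.upper() == "GET" and path == C2_URI


def scan(lines):
    """Walk log lines of the constructed format and return every indicator hit in order."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or header comment
        kind, ts, src, *rest = line.split("\t")
        if kind == "dns" and len(rest) == 1 and dns_query_matches(rest[0]):
            hits.append(Hit(ts, src, "dns", rest[0]))
        elif kind == "http" and len(rest) == 3:
            method, host, uri = rest
            if http_request_matches(method, uri):
                hits.append(Hit(ts, src, "http", f"{method} {host}{uri}"))
    return hits


# Constructed sample log: two benign records, one DNS hit, one HTTP hit.
# Columns: kind, timestamp, source IP, then kind-specific fields.
SAMPLE_LOG = """\
# kind\tts\tsrc\tfields...
dns\t2016-01-30T10:00:01\t192.168.1.20\twww.microsoft.com
dns\t2016-01-30T10:00:05\t192.168.1.20\tPracticalMalwareAnalysis.com.
http\t2016-01-30T10:00:06\t192.168.1.20\tGET\tpracticalmalwareanalysis.com\t/serve.html
http\t2016-01-30T10:00:09\t192.168.1.20\tGET\twww.example.com\t/index.html
"""

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG.splitlines()):
        print(f"{h.ts} {h.src} [{h.indicator}] {h.detail}")
```

The domain check deliberately accepts subdomains and ignores case and the trailing dot that some resolvers log, and the HTTP check compares only the path so a query string appended to serve.html does not evade it; neither check keys on the host header, since the sample resolves the domain separately and the GET alone is the signature the text names.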
There are some strings that are encoded in base64. Let's decode them; hopefully this will help when analyzing the program in IDA Pro.
.data:10006010 0000000D C Y29ubmVjdA== //connect
.data:100060B8 0000000D C dW5zdXBwb3J0 //unsupport
.data:100060C8 00000009 C c2xlZXA= //sleep
.data:100060D4 00000005 C Y21k //cmd
.data:100060DC 00000009 C cXVpdA== //quit
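Decoding the five strings by hand is fine for a lab, but the general version of this step is scanning a data blob for base64-looking runs and keeping only those that decode to printable text. The script below is an added example, not code from the original write-up; the byte blob it scans is a constructed stand-in for the .data section that embeds the five encoded strings from the listing above, NUL-separated as they are in the binary, plus plain text and junk that must be filtered out.

```python
"""
Base64 string hunter (added example, not from the original write-up).
Finds runs of base64 alphabet characters in a byte blob and reports those
that decode cleanly to printable ASCII, which is how the five command
strings above would be recovered from the .data section without knowing
their offsets in advance.
"""
import base64
import re
import string

# Runs of base64 alphabet characters, at least 4 long, with optional '=' padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{4,}={0,2}")
# Printable ASCII, minus vertical tab and form feed which never occur in real strings.
PRINTABLE = set(string.printable.encode()) - set(b"\x0b\x0c")


def decode_if_text(candidate: bytes):
    """Decode one base64 run; return the text, or None if it is not valid printable ASCII."""
    if len(candidate) % 4:
        return None  # real base64 is always a multiple of 4 characters
    try:
        raw = base64.b64decode(candidate, validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None
    if not raw or any(b not in PRINTABLE for b in raw):
        return None  # plain words like "Intranet" decode to binary junk and are dropped here
    return raw.decode("ascii")


def find_base64_strings(blob: bytes, min_decoded_len: int = 3):
    """Return (offset, encoded, decoded) for every run that decodes to printable text."""
    found = []
    for m in B64_RUN.finditer(blob):
        decoded = decode_if_text(m.group(0))
        if decoded is not None and len(decoded) >= min_decoded_len:
            found.append((m.start(), m.group(0).decode("ascii"), decoded))
    return found


# Constructed stand-in for the .data section: the five encoded strings from the
# IDA listing, NUL-separated, plus a legitimate string and some non-text bytes.
SAMPLE_DATA = (
    b"Y29ubmVjdA==\x00" + b"\x00" * 7
    + b"Intranet Network Awareness\x00"
    + b"dW5zdXBwb3J0\x00"
    + b"c2xlZXA=\x00"
    + b"Y21k\x00"
    + b"cXVpdA==\x00"
    + b"\xde\xad\xbe\xef"
)

if __name__ == "__main__":
    for offset, encoded, decoded in find_base64_strings(SAMPLE_DATA):
        print(f"{offset:#06x}  {encoded:<16} -> {decoded}")
```

Short English words are valid base64 too, so the printable-ASCII filter and the minimum decoded length are what keep the noise down; in a real .data section you will still see a few false positives, and the right response is to check the cross-references in IDA rather than to tighten the regex until it misses a four-character token like Y21k.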
Since this lab is on dynamic analysis, I shall cover the static analysis in more detail next time.