PRACTICAL MALWARE ANALYSIS: BASIC DYNAMIC TECHNIQUES (LAB 3-02)

Tools Used:

  1. IDA Pro
  2. Regshot
  3. Procmon
  4. INetSim
  5. Wireshark
  6. Process Explorer

Sample:

  1. Lab03-02.dll SHA256: 5eced7367ed63354b4ed5c556e2363514293f614c2c2eb187273381b2ef5f0f9

VirusTotal:

  • Detection Rate: 40/49
  • Analyzed on 30 Jan 2016
  • Compilation Date: 2010:09:28 02:00:25+01:00
  • View report here

Lab 3-2

Analyze the malware found in the file Lab03-02.dll using basic dynamic analysis tools.

Questions

1. How can you get this malware to install itself?

(Figure: IDA Pro exports view of Lab03-02.dll)

We can see in IDA Pro that several exported functions are available for us to call. It even includes an uninstall export for us to call!

One way to execute a DLL export manually is via rundll32.exe. The syntax is as follows:

RUNDLL32.EXE <dllname>,<entrypoint> <optional arguments>

So let's try: RUNDLL32.EXE Lab03-02.dll,install

So what happens when the DLL is installed?

(Figure: Procmon showing the RegSetValue operations)
(Figure: Regshot showing the registry keys added)
(Figure: the new service in Services.msc)

The malware installs itself as a service hosted by svchost.exe. The DLL is registered as a parameter of that service, so starting the service executes the malicious code.

If we look at the install function in IDA Pro, you will easily see that it is trying to install a service via the Service Control Manager (SCManager). It then adds a description and similar details via registry changes to hide itself in plain sight. A call is made to get the current DLL's path, and that path is written into the service's registry key as well.

2. How would you get this malware to run after installation?

I know of two manual ways to run this malware.

  1. From a command prompt: net start IPRIP
  2. Start the service via Services.msc, as shown in the image above

3. How can you find the process under which this malware is running?

(Figure: finding the malicious svchost.exe via Process Explorer)

By going through the svchost.exe processes, we will come across one in which Lab03-02.dll is loaded. That is the malicious process. In this case the PID is 1032. This can be easily achieved by using the Find Handle or DLL option (Ctrl-F) in Process Explorer, as shown below.

(Figure: Process Explorer Find Handle or DLL search for Lab03-02.dll)

4. Which filters could you set in order to use procmon to glean information?

We can either filter on PID 1032 or on a command line containing netsvcs.

5. What are the malware’s host-based indicators?

  1. Service – IPRIP, with the display name Intranet Network Awareness
  2. Registry – HKLM/services/CurrentControlSet/Services/IPRIP

6. Are there any useful network-based signatures for this malware?

An attempt to resolve practicalmalwareanalysis.com via DNS can be used to detect whether a machine has been infected. We can also look out for an HTTP GET request for serve.html.

(Figure: Wireshark capture of the malware's DNS and HTTP traffic)

Other stuff

Strings

There are some strings that are encoded using base64. Let's decode them; hopefully this will help when analyzing the program in IDA Pro.

.data:10006010 0000000D C Y29ubmVjdA== //connect
.data:100060B8 0000000D C dW5zdXBwb3J0 //unsupport
.data:100060C8 00000009 C c2xlZXA= //sleep
.data:100060D4 00000005 C Y21k //cmd
.data:100060DC 00000009 C cXVpdA== //quit
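As an added example (not from the original post or the lab), a small Python scanner that pulls printable runs out of a constructed stand-in for the .data section and keeps only those that are well-formed base64 decoding to printable ASCII; the blob, its offsets and the decoy string are assumptions built here from the five strings above, and the printable-decode check is the heuristic that separates such command strings from ordinary ASCII words.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Constructed stand-in for the DLL's .data section: the five base64 strings
# listed above, NUL-terminated, with filler bytes and one printable decoy.
# Offsets are relative to this blob, not the real 0x10006010 addresses.
DATA_SECTION = (
    b"\x00" * 16
    + b"Y29ubmVjdA==\x00"
    + b"\x00" * 8
    + b"dW5zdXBwb3J0\x00"
    + b"c2xlZXA=\x00"
    + b"Y21k\x00"
    + b"cXVpdA==\x00"
    + b"not_base64!\x00"   # printable but not base64; must be skipped
    + b"\x00" * 8
)

# Printable ASCII runs of 4+ bytes, matching IDA's default minimum length.
_ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
_B64_SHAPE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def decode_candidate(s: bytes) -> Optional[str]:
    """Return the decoded text if s is well-formed base64 that decodes to printable ASCII."""
    if len(s) % 4 or not _B64_SHAPE.match(s):
        return None
    try:
        raw = base64.b64decode(s, validate=True)
    except binascii.Error:
        return None
    # Reject non-printable results: short words like "Code" are valid base64 shapes.
    if not raw or any(b < 0x20 or b > 0x7E for b in raw):
        return None
    return raw.decode("ascii")


def find_base64_strings(blob: bytes) -> List[Tuple[int, str, str]]:
    """Scan a blob and return (offset, encoded, decoded) for each base64 string found."""
    hits = []
    for m in _ASCII_RUN.finditer(blob):
        decoded = decode_candidate(m.group())
        if decoded is not None:
            hits.append((m.start(), m.group().decode("ascii"), decoded))
    return hits


if __name__ == "__main__":
    for off, enc, dec in find_base64_strings(DATA_SECTION):
        print(f"+0x{off:04x}  {enc:<14} // {dec}")
```

On a real sample, run it over the bytes of the .data section (or the whole file) and expect a few false positives from 4- and 8-letter words that happen to decode to printable text.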

Since this lab is on dynamic analysis, I shall cover static analysis in more detail the next time.

 
