Tools Used:

  1. IDA Pro
  2. Regshot
  3. Proc Mon
  4. Inetsim
  5. Wireshark
  6. Process Explorer


  1. Lab03-02.dll SHA256: 5eced7367ed63354b4ed5c556e2363514293f614c2c2eb187273381b2ef5f0f9


  • Detection Rate: 40/49
  • Analyzed on 30 Jan 2016
  • Compilation Date: 2010:09:28 02:00:25+01:00

Lab 3-2

Analyze the malware found in the file Lab03-02.dll using basic dynamic analysis tools.

Questions

1. How can you get this malware to install itself?

IDA Pro (exports)

We can see in IDA Pro that the DLL exports several functions that we can call. It even includes an uninstall export for us to call!

One way to execute a DLL export manually is via rundll32.exe. The syntax is as follows:

RUNDLL32.EXE <dllname>,<entrypoint> <optional arguments>

So let's try RUNDLL32.exe Lab03-02.dll,install

So what happens when the DLL is installed?

Procmon RegSetValue
Regshot Registry added
new Services.msc

The malware installs itself as a service that runs under svchost.exe. The DLL is added as a parameter of that service, so the malicious code executes whenever the service starts.

If we look at the install function in IDA Pro, you will easily see that it tries to install a service via the Service Control Manager (SCManager). It then adds a description and similar details via registry changes to hide itself in plain sight. A call is also made to get the current DLL's path, and that path is written into the service's registry key as well.

2. How would you get this malware to run after installation?

I know of 2 manual ways to run this malware.

  1. We can use the command prompt: “net start IPRIP”
  2. Start the service via Services.msc, as shown in the image above

3. How can you find the process under which this malware is running?

Finding malicious svchost via Process Explorer

By going through the svchost.exe instances, we will come across the process in which Lab03-02.dll is loaded. That is the malicious process. For this case the PID is 1032. This can be easily achieved by using the Find Handle or DLL option (Ctrl-F) in Process Explorer, as shown below.

Find Handle

4. Which filters could you set in order to use procmon to glean information?

We can either set a filter on PID 1032 or set a filter on the command line containing netsvcs.

5. What are the malware’s host-based indicators?

  1. Service – IPRIP with a name of Intranet Network Awareness
  2. Registry – HKLM/services/CurrentControlSet/Services/IPRIP

6. Are there any useful network-based signatures for this malware?

A DNS resolution attempt for the malware's domain can be used to detect whether a machine has been infected. We can also look out for an HTTP GET request for serve.html.

wireshark traffic

Other stuff


There are some strings that are encoded using base64. Let's decode them; hopefully this will help when analyzing the program in IDA Pro.

.data:10006010 0000000D C Y29ubmVjdA== //connect
.data:100060B8 0000000D C dW5zdXBwb3J0 //unsupport
.data:100060C8 00000009 C c2xlZXA= //sleep
.data:100060D4 00000005 C Y21k //cmd
.data:100060DC 00000009 C cXVpdA== //quit

Since this lab is on dynamic analysis, I shall cover static analysis in more detail next time.


