PRACTICAL MALWARE ANALYSIS: BASIC DYNAMIC TECHNIQUES (LAB 3-04)

Tools Used:

  1. IDA Pro
  2. Proc Mon

Sample:

  1. Lab03-04.exe SHA256: 6ac06dfa543dca43327d55a61d0aaed25f3c90cce791e0555e3e306d47107859

VirusTotal:

  • Detection Rate: 22/54
  • Analyzed on 30 Jan 2016
  • Compilation Date: 2011-10-18 18:46:44
  • View report here

Lab 3-4

Analyze the malware found in the file Lab03-04.exe using basic dynamic analysis tools. (This program is analyzed further in the Chapter 9 labs.)

Questions

1. What happens when you run this file?

Lab03-04.exe deletes itself: Process Monitor shows it spawning cmd.exe with a del command.

Figure: Proc Mon showing the cmd.exe del command

If we use IDA Pro to trace the "cmd.exe /c del" string, we find the function that builds that command line.

Figure: the "/c del" string in IDA Pro

Figure: the call to ShellExecuteA that deletes the file itself

2. What is causing the roadblock in dynamic analysis?

There are 7 scenarios that cause the self-delete function to be called. We need to reverse the code to see what is triggering the self-delete. Some malware checks for things like whether the current OS is a VM, whether a debugger is attached, whether AV is running, whether a command-line argument was passed, etc.

Figure: cross-references (xrefs) to the self-delete function in IDA Pro
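The behaviour described in questions 1 and 2 (a process spawning "cmd.exe /c del" against its own image) is a pattern a sandbox or log reviewer can flag automatically. The script below is an added example, not code from the lab or the book: it parses a Process Monitor style CSV export and reports every Process Create of cmd.exe whose command line deletes a file with the same name as the creating process. The log lines and paths are constructed for the example; the CSV column names follow Procmon's default export, and the "Command line:" text inside the Detail column is what Procmon writes for Process Create events.

```python
import csv
import io
import ntpath
import re

# Constructed Procmon-style CSV export (not real data from the lab). Inner
# double quotes are escaped as "" per CSV rules; backslashes are doubled
# because this is a normal (non-raw) Python string.
SAMPLE_LOG = """Time of Day,Process Name,PID,Operation,Path,Detail
10:01:02.100,Lab03-04.exe,1234,Process Create,C:\\Windows\\System32\\cmd.exe,"PID: 1300, Command line: ""C:\\Windows\\System32\\cmd.exe"" /c del C:\\Lab\\Lab03-04.exe >> NUL"
10:01:02.150,cmd.exe,1300,Process Start,,"Parent PID: 1234, Command line: ""C:\\Windows\\System32\\cmd.exe"" /c del C:\\Lab\\Lab03-04.exe >> NUL"
10:01:02.200,explorer.exe,900,Process Create,C:\\Windows\\System32\\cmd.exe,"PID: 1400, Command line: cmd.exe /c dir C:\\Users"
10:01:02.300,cmd.exe,1300,SetDispositionInformationFile,C:\\Lab\\Lab03-04.exe,Delete: True
"""

# Procmon puts the child's command line in the Detail column of Process Create.
CMDLINE_RE = re.compile(r"Command line:\s*(.+)$")
# "/c del <path>": the path may be quoted and is followed by whitespace or a
# redirection such as ">> NUL".
DEL_RE = re.compile(r"/c\s+del\s+\"?([^\"\s>]+)", re.IGNORECASE)


def extract_del_target(command_line):
    """Return the file path passed to 'cmd.exe /c del', or None if absent."""
    m = DEL_RE.search(command_line)
    return m.group(1) if m else None


def find_self_deletes(csv_text):
    """Return a list of Process Create events where a process launched cmd.exe
    to delete a file whose name equals the launching process's own image name.
    Matching on the basename is a heuristic: Procmon's Process Create row does
    not carry the parent's full image path."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "Process Create":
            continue
        if not row["Path"].lower().endswith("\\cmd.exe"):
            continue
        m = CMDLINE_RE.search(row["Detail"])
        if not m:
            continue
        target = extract_del_target(m.group(1))
        if target is None:
            continue
        if ntpath.basename(target).lower() == row["Process Name"].lower():
            hits.append({
                "time": row["Time of Day"],
                "process": row["Process Name"],
                "pid": row["PID"],
                "target": target,
                "command_line": m.group(1),
            })
    return hits


if __name__ == "__main__":
    for hit in find_self_deletes(SAMPLE_LOG):
        print(f"[self-delete] {hit['time']} {hit['process']} (PID {hit['pid']}) "
              f"-> del {hit['target']}")
```

The explorer.exe row is there as a negative case: cmd.exe launched for a dir command is not flagged, and the later SetDispositionInformationFile row (the actual delete) is left alone because the Process Create line already tells the story. A stricter version would confirm the delete by pairing that row's path with the flagged target.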

3. Are there other ways to run this program?

There are several ways to run this program:

  1. Run it in OllyDbg, break before the self-delete function is called, and change the process flow.
  2. Patch the program, e.g. change the jz opcode to jnz.
  3. Reverse the program and figure out the exact cause.

However, we might still need to figure out the exact reason the program fails to run in order to execute it correctly. Simple patching might not work.
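Option 2 above, inverting a conditional jump so the check falls through instead of branching to the self-delete path, is usually done in a hex editor. As an added example (not code from the lab or the book), the script below does the same thing programmatically and refuses to touch bytes that are not a jz/jnz, which guards against a mis-converted offset. The byte sequence is a constructed stand-in for a few instructions of a code section, not bytes from Lab03-04.exe; the helper that converts an IDA virtual address to a file offset assumes you read the section's virtual address and raw data pointer from the PE section headers yourself.

```python
# x86 conditional jump encodings handled here (Intel SDM, Jcc):
#   short form: 74 rel8 = jz/je,   75 rel8 = jnz/jne
#   near form:  0F 84 rel32 = jz,  0F 85 rel32 = jnz
JZ_SHORT, JNZ_SHORT = 0x74, 0x75
NEAR_PREFIX = 0x0F
JZ_NEAR, JNZ_NEAR = 0x84, 0x85

# Constructed sample (not from the lab binary):
#   85 C0              test eax, eax
#   74 05              jz   short +5   ; taken when the check "passes"
#   B8 01 00 00 00     mov  eax, 1
#   C3                 ret
SAMPLE_CODE = bytes([0x85, 0xC0, 0x74, 0x05, 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3])


def va_to_file_offset(va, image_base, section_va, section_raw_ptr):
    """Map a virtual address shown by IDA to a raw file offset using the
    containing section's VirtualAddress (RVA) and PointerToRawData."""
    return va - image_base - section_va + section_raw_ptr


def is_cond_jump(code, offset):
    """True if a jz/jnz (short or near form) starts at `offset`."""
    if offset < 0 or offset >= len(code):
        return False
    op = code[offset]
    if op in (JZ_SHORT, JNZ_SHORT):
        return True
    return (op == NEAR_PREFIX and offset + 1 < len(code)
            and code[offset + 1] in (JZ_NEAR, JNZ_NEAR))


def flip_jz_jnz(code, offset):
    """Return a copy of `code` with the jz/jnz at `offset` inverted.
    Only the opcode byte changes; the displacement is untouched, so the
    jump target stays the same and the sense of the condition flips."""
    if not is_cond_jump(code, offset):
        raise ValueError(f"no jz/jnz at offset {offset:#x}; refusing to patch")
    buf = bytearray(code)
    if buf[offset] == NEAR_PREFIX:
        buf[offset + 1] = JZ_NEAR + JNZ_NEAR - buf[offset + 1]   # 84 <-> 85
    else:
        buf[offset] = JZ_SHORT + JNZ_SHORT - buf[offset]          # 74 <-> 75
    return bytes(buf)


def patch_file(path, offset, out_path):
    """Write a patched copy of the binary at `path`; the original is kept."""
    with open(path, "rb") as f:
        data = f.read()
    with open(out_path, "wb") as f:
        f.write(flip_jz_jnz(data, offset))


if __name__ == "__main__":
    # Example: IDA shows the jump at 0x401002 in a section with RVA 0x1000
    # mapped from raw offset 0x400 (constructed values).
    off = va_to_file_offset(0x401002, 0x400000, 0x1000, 0x400)
    print(f"file offset {off:#x}")
    print("before:", SAMPLE_CODE.hex(" "))
    print("after: ", flip_jz_jnz(SAMPLE_CODE, 2).hex(" "))
```

The patch only helps when the jump you flip is the one that selects the self-delete path; if the self-delete is reached from several cross-references, as question 2 notes, each trigger has to be identified before a patch makes the sample run through.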
