PRACTICAL MALWARE ANALYSIS: RECOGNIZING C CODE CONSTRUCTS IN ASSEMBLY (LAB 6-04)

Tools Used:

  1. IDA Pro

Sample:

  1. Lab06-04.exe SHA256: cce96e5cb884c565c75960c41f53a7b56cef1a3ff5b9893cd81c390fd0c35ef3

VirusTotal:

  • Detection Rate: 18/54
  • Analyzed on 2016-02-29
  • Compilation Date: 2011-02-04 00:38:24

Lab 6-4
In this lab, we’ll analyze the malware found in the file Lab06-04.exe.
Questions
1. What is the difference between the calls made from the main method in
Labs 6-3 and 6-4?

Lab 6-3                         Lab 6-4
Address    Description          Address    Description
0x401000   checkConnection      0x401000   checkConnection
0x401040   parseHTML            0x401040   parseHTML
0x401271   printf               0x4012B5   printf
0x401130   executeCommand       0x401150   executeCommand

2. What new code construct has been added to main?

Figure 1. For loop (loop 1440 times)

We can see a for loop from the image above.


3. What is the difference between this lab’s parse HTML function and
those of the previous labs?

Figure 2. User-Agent with number appended

sprintf is called to append a number to the end of the User-Agent string.

4. How long will this program run? (Assume that it is connected to the
Internet.)

Referring to Figure 1, we can see that it loops 1440 times, calling the Sleep function once per iteration. Sleep is called with 60 seconds each time, so the loop runs for 1440 minutes, which is 24 hours.

5. Are there any new network-based indicators for this malware?

User Agent: Internet Explorer 7.5/pma[0-1439]

URL: http://www.practicalmalwareanalysis.com/cc.htm

6. What is the purpose of this malware?

The malware first checks for an internet connection. If there is one, it attempts to download http://www.practicalmalwareanalysis.com/cc.htm using the user agent Internet Explorer 7.5/pma[0-1439]. The number appended to the user agent is the loop counter; since each increment equates to one minute, the C2 server can tell how long the malware has been running. It then parses the downloaded page and checks whether it begins with <!--. If it does, the next character is parsed as the command, and it executes one of the predefined tasks: directory creation, copying itself to the temp folder, deleting the copy, adding a registry key for persistence, or sleeping for 100 seconds.
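A small detection pass over proxy-style log lines for the network indicators listed above, as an added example that is not code from the write-up. The 'src url "user-agent"' log format and the sample lines are constructed for the illustration; the code also derives the sample's running time from the appended counter, which the text explains but does not compute.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Indicators taken from the Lab 6-2/6-3/6-4 write-ups.
C2_URL = "http://www.practicalmalwareanalysis.com/cc.htm"
# Lab 6-2/6-3 send the bare string; Lab 6-4 appends the loop index 0..1439.
UA_RE = re.compile(r"^Internet Explorer 7\.5/pma(\d+)?$")
LOOP_ITERATIONS = 1440  # one Sleep(60 s) per iteration, 24 hours in total

@dataclass
class Beacon:
    src: str
    url: str
    counter: Optional[int]          # None for the bare (Lab 6-2/6-3) User-Agent
    minutes_running: Optional[int]  # counter * 1 minute, when in range

def parse_line(line: str) -> Optional[Beacon]:
    """Parse one line of the constructed 'src url "user-agent"' log format
    and return a Beacon if it carries either of the network indicators."""
    m = re.match(r'^(\S+)\s+(\S+)\s+"([^"]*)"$', line.strip())
    if not m:
        return None
    src, url, ua = m.groups()
    ua_m = UA_RE.match(ua)
    if url != C2_URL and ua_m is None:
        return None
    counter = minutes = None
    if ua_m is not None and ua_m.group(1) is not None:
        counter = int(ua_m.group(1))
        # Only 0..1439 can come from the 1440-iteration loop.
        if 0 <= counter < LOOP_ITERATIONS:
            minutes = counter
    return Beacon(src, url, counter, minutes)

def scan(log: str) -> list:
    """Return all beacons found in a multi-line log."""
    return [b for b in (parse_line(ln) for ln in log.splitlines()) if b]

# Constructed sample proxy log: one benign line, one Lab 6-3 style beacon,
# two consecutive Lab 6-4 beacons from the same host.
SAMPLE_LOG = """\
10.0.0.5 http://www.example.com/ "Mozilla/5.0 (Windows NT 10.0)"
10.0.0.7 http://www.practicalmalwareanalysis.com/cc.htm "Internet Explorer 7.5/pma"
10.0.0.9 http://www.practicalmalwareanalysis.com/cc.htm "Internet Explorer 7.5/pma137"
10.0.0.9 http://www.practicalmalwareanalysis.com/cc.htm "Internet Explorer 7.5/pma138"
"""

if __name__ == "__main__":
    for b in scan(SAMPLE_LOG):
        print(b)
```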


PRACTICAL MALWARE ANALYSIS: RECOGNIZING C CODE CONSTRUCTS IN ASSEMBLY (LAB 6-03)

Tools Used:

  1. IDA Pro

Sample:

  1. Lab06-03.exe SHA256: 75eb05679a0a988dddf8badfc6d5996cc7e372c73e1023dde59efbaab6ece655

VirusTotal:

  • Detection Rate: 24/54
  • Analyzed on 29 Feb 2016
  • Compilation Date: 2011-02-03 15:14:16

Lab 6-3
In this lab, we’ll analyze the malware found in the file Lab06-03.exe.
Questions
1. Compare the calls in main to Lab 6-2’s main method. What is the new
function called from main?

Figure 1. Lab 6-2

Figure 2. Lab 6-3

From the above images, we can see that an additional call to sub_401130 was made. The rest of the statements look the same.

2. What parameters does this new function take?

It takes the parsed command character from sub_401040 and the current executable name, argv[0], which is passed in from main.

3. What major code construct does this function contain?

Figure 3. Switch table via jump table

From the above image, we can see that the major code construct is a switch statement implemented via a jump table.

4. What can this function do?

First, let’s take a look at the statements before the jump is made.

Figure 4. Cases

From the above image we can see that arg_0 is the command char passed in. ‘a’ is subtracted from the command char, so if the command char is a, var_8 will be 0; if it is b, var_8 will be 1, and so on. A comparison then checks whether the command char is greater than e; if it is, “Error 3.2: Not a valid command provided” is printed. Otherwise var_8 is used as the index into the jump table.

So let’s see what command chars a to e do…

a. “c:\temp” directory is created via CreateDirectoryA function

b. The current executable is copied to “c:\temp\cc.exe” via the CopyFileA function

c. “c:\temp\cc.exe” is deleted via the DeleteFileA function

d. A registry key “Malware” with value “c:\temp\cc.exe” is added to “HKLM\Software\Microsoft\Windows\CurrentVersion\Run” via the RegSetValueExA function. This makes the malware persistent.

e. Sleep for 100 seconds
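As an added example (not the author’s code), here is a Python model of the command path described in questions 1 to 4 above and in the Lab 6-2 parse routine further down, useful for triaging a captured cc.htm offline: the <!-- check on the first bytes, the cmd - 'a' table index with the > 'e' rejection, and the action each letter selects. Treating letters below 'a' as invalid is an assumption of this model; the sample pages are constructed.

```python
from typing import Optional

COMMENT_TAG = b"<!--"
READ_SIZE = 512  # the parse routine reads at most 512 bytes of cc.htm

# What each command letter does, per the switch-table analysis above.
ACTIONS = {
    "a": r'CreateDirectoryA("c:\temp")',
    "b": r'CopyFileA(<self>, "c:\temp\cc.exe")',
    "c": r'DeleteFileA("c:\temp\cc.exe")',
    "d": r'RegSetValueExA(HKLM\Software\Microsoft\Windows\CurrentVersion\Run, "Malware", "c:\temp\cc.exe")',
    "e": "Sleep(100 seconds)",
}
ERROR_MSG = "Error 3.2: Not a valid command provided"

def parse_command(page: bytes) -> Optional[str]:
    """Mirror the parse routine (sub_401040): the first four bytes must be
    the HTML comment opener; the fifth byte is the command character."""
    buf = page[:READ_SIZE]
    if len(buf) < 5 or buf[:4] != COMMENT_TAG:
        return None  # the "fails to get command" path
    return chr(buf[4])

def dispatch(cmd: str) -> str:
    """Mirror the jump-table routine (sub_401130): var_8 = cmd - 'a' is the
    table index and anything past 'e' is rejected. Rejecting characters
    below 'a' as well is an assumption of this model, not shown in the write-up."""
    index = ord(cmd) - ord("a")
    if not 0 <= index <= 4:
        return ERROR_MSG
    return ACTIONS[chr(ord("a") + index)]

def triage(page: bytes) -> str:
    """Describe what a captured cc.htm would make the sample do."""
    cmd = parse_command(page)
    if cmd is None:
        return "no command: page does not start with <!--"
    return f"command {cmd!r} -> {dispatch(cmd)}"

# Constructed sample pages, not captured from the real C2.
SAMPLES = [
    b"<!--d--><html><body>hi</body></html>",  # persistence via the Run key
    b"<!--z-->",                               # letter outside a..e
    b"<html><!--a--></html>",                  # comment not at offset 0
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s))
```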

5. Are there any host-based indicators for this malware?

File: C:\Temp\cc.exe

Registry: “HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Malware” key with “C:\Temp\cc.exe” as value

6. What is the purpose of this malware?

The malware first checks for an internet connection. If there is one, it attempts to download http://www.practicalmalwareanalysis.com/cc.htm using the user agent Internet Explorer 7.5/pma. It parses the downloaded page and checks whether it begins with <!--. If it does, the next character is parsed as the command, and it executes one of the predefined tasks: directory creation, copying itself to the temp folder, deleting the copy, or adding a registry key for persistence.


PRACTICAL MALWARE ANALYSIS: RECOGNIZING C CODE CONSTRUCTS IN ASSEMBLY (LAB 6-02)

Tools Used:

  1. IDA Pro

Sample:

  1. Lab06-02.exe SHA256: b71777edbf21167c96d20ff803cbcb25d24b94b3652db2f286dcd6efd3d8416a

VirusTotal:

  • Detection Rate: 20/55
  • Analyzed on 28 Feb 2016
  • Compilation Date: 2011-02-02 21:29:05

Lab 6-2
Analyze the malware found in the file Lab06-02.exe.
Questions
1. What operation does the first subroutine called by main perform?

The first subroutine called is at address 0x0401000. It checks for an internet connection via the InternetGetConnectedState function, returning 1 in eax if there is an internet connection and 0 if there is none.

Figure 1. Check for internet connection

2. What is the subroutine located at 0x40117F?

printf

3. What does the second subroutine called by main do?

If the first subroutine returns 1, the second subroutine (0x401040) will be called.

Figure 2. Get command from C2

In this function, “http://www.practicalmalwareanalysis.com/cc.htm” is opened via InternetOpenUrlA. It then reads the file from the URL and checks whether the first 4 characters are “<!--”. If they are, a command exists; otherwise a message stating that it failed to get a command is printed.

Figure 3. <!-- command

4. What type of code construct is used in this subroutine?

512 bytes are read from “http://www.practicalmalwareanalysis.com/cc.htm”. The first four bytes are matched against <!--, the HTML comment tag. The next byte is the command.

5. Are there any network-based indicators for this program?

User Agent: Internet Explorer 7.5/pma

URL: http://www.practicalmalwareanalysis.com/cc.htm

6. What is the purpose of this malware?

The malware first checks for an internet connection. If there is one, it attempts to download http://www.practicalmalwareanalysis.com/cc.htm using the user agent Internet Explorer 7.5/pma. It parses the downloaded page and checks whether it begins with <!--. If it does, the next character is parsed as the command and printed to the console. It then sleeps for 60 seconds and terminates.

Figure 4. Parsed command

PRACTICAL MALWARE ANALYSIS: RECOGNIZING C CODE CONSTRUCTS IN ASSEMBLY (LAB 6-01)

Tools Used:

  1. IDA Pro

Sample:

  1. Lab06-01.exe SHA256: fe30f280b1d0a5e9cef3324c2e8677f55a6202599d489170ece125f3cd843a03

VirusTotal:

  • Detection Rate: 1/55
  • Analyzed on 28 Feb 2016
  • Compilation Date: 2011-01-31 22:15:14

Lab 6-1
In this lab, you will analyze the malware found in the file Lab06-01.exe.
Questions
1. What is the major code construct found in the only subroutine called
by main?

The only subroutine called by main is sub_401000.

Figure 1. Flow graph of sub_401000

From the above figure, there are just 2 code paths. The path is selected based on the result of the InternetGetConnectedState function. According to MSDN, the function returns TRUE if there is an active modem or LAN Internet connection, or FALSE if there is no Internet connection or if all possible Internet connections are not currently active.

2. What is the subroutine located at 0x40105F?

A string is pushed to the function at 0x40105F. Stepping over 0x40105F, the string argument is printed to the console. If we were to step into this function… it is actually quite a journey down. For now I would guess it is a subroutine that prints a message to the console.

3. What is the purpose of this program?

Check for internet connection and print out a message to indicate if there is any internet connection.


PRACTICAL MALWARE ANALYSIS: IDA Pro (LAB 5)

Lab 5-1
Analyze the malware found in the file Lab05-01.dll using only IDA Pro. The
goal of this lab is to give you hands-on experience with IDA Pro. If you’ve
already worked with IDA Pro, you may choose to ignore these questions and
focus on reverse-engineering the malware.
Questions
1. What is the address of DllMain?

0x1000D02E in the .text section

DllMain @ 0x1000D02E

2. Use the Imports window to browse to gethostbyname. Where is the import
located?

0x100163cc in the .idata section

gethostbyname @ 0x100163cc (WS2_32 library)
.idata section

3. How many functions call gethostbyname?

9 times. Note that IDA Pro shows duplicates per address with different types.

9 xrefs

4. Focusing on the call to gethostbyname located at 0x10001757, can you figure
out which DNS request will be made?

A DNS request for pics.practicalmalwareanalysis.com will be made. If we look at address 0x10001753, the pointer 0x10019040 is moved into eax. There is some junk text in front of the actual URL, but the next instruction adds 13 to the pointer, so the char* now points to 0x100191A1, which is pics.practicalmalwareanalysis.com.

gethostbyname call @ 0x10001757

5. How many local variables has IDA Pro recognized for the subroutine at
0x10001656?

23 local variables. Count those with negative offsets.

23 local variables

6. How many parameters has IDA Pro recognized for the subroutine at 0x10001656?

One. Count those with positive offsets.

7. Use the Strings window to locate the string \cmd.exe /c in the disassembly.
Where is it located?

It is located at 0x10095B34

\cmd.exe /c @ 0x10095B34

8. What is happening in the area of code that references \cmd.exe /c?

When we x-ref “\cmd.exe /c” we come to this part of the code.

Code referencing \cmd.exe /c

The recv function is called soon after, which suggests that the program is waiting for network packets/commands. If we cross-reference the CommandLine variable, we will see that it is trying to create a process using cmd.exe, with Dst appended to the CommandLine variable. This strongly suggests that an attacker can connect to the victim and send it a command to be executed in cmd.exe, commonly known as remote command execution.

CreateProcessA

9. In the same area, at 0x100101C8, it looks like dword_1008E5C4 is a global
variable that helps decide which path to take. How does the malware set
dword_1008E5C4? (Hint: Use dword_1008E5C4’s cross-references.)

The global variable is set by the function at 0x10003695. It returns 1 if the operating system platform is VER_PLATFORM_WIN32_NT (2, according to MSDN).

GetVersionA

10. A few hundred lines into the subroutine at 0x1000FF58, a series of comparisons
use memcmp to compare strings. What happens if the string comparison
to robotwork is successful (when memcmp returns 0)?

The function at 0x100052A2 will be called, with the following key steps:

  1. Open the “SOFTWARE\Microsoft\Windows\CurrentVersion” registry key
  2. Query registry value “WorkTime”
  3. Send the returned result via the send function
  4. Query registry value “WorkTimes”
  5. Send the returned result via the send function
  6. RegCloseKey

In short, the above function will query “SOFTWARE\Microsoft\Windows\CurrentVersion\WorkTime” and “SOFTWARE\Microsoft\Windows\CurrentVersion\WorkTimes” and send the returned results (integer values) over the network via the send function.

11. What does the export PSLIST do?

PSLIST first checks whether the operating system’s PlatformId is VER_PLATFORM_WIN32_NT (2) and whether the Windows version is >= Windows XP. If so, it then checks whether a string argument was passed in. If no string was passed in, it goes through all running processes and sends them out over the network; otherwise it only sends the processes that match the string passed in.

12. Use the graph mode to graph the cross-references from sub_10004E79.
Which API functions could be called by entering this function? Based on
the API functions alone, what could you rename this function?

Cross-reference graph of sub_10004E79

Based on the graph, we can see that GetSystemDefaultLangID, sprintf, strlen, send, malloc and free are called. From these functions alone we can guess that it is probably trying to get the system default language and send this information across the network. We can rename this function SendSystemLanguage.

13. How many Windows API functions does DllMain call directly? How many
at a depth of 2?

The graph is a bit too big to be displayed here, but using IDA Pro’s graph view we can see that DllMain calls strnicmp, strlen and CreateThread directly. At a depth of 2 we can see that strcpy, strchr, strncpy, WinExec, gethostbyname, memcpy, Sleep, inet_ntoa, strlen, CreateThread, strncmp, ExitThread, FreeLibrary and closesocket are called.

14. At 0x10001358, there is a call to Sleep (an API function that takes one
parameter containing the number of milliseconds to sleep). Looking
backward through the code, how long will the program sleep if this code
executes?

Sleep call @ 0x10001358

This is simple. The code begins by moving a pointer to “[This is CTI]30” into eax. It then adds 13 to it, so eax now points to “30”. This char* is converted into an integer via the atoi function and then multiplied by 1000, so eax now contains 30000, i.e. 30000 milliseconds. This value is passed to the Sleep function, so the program will sleep for 30 seconds.

15. At 0x10001701 is a call to socket. What are the three parameters?

According to MSDN, the socket syntax is as follows:
SOCKET WSAAPI socket(
_In_ int af,
_In_ int type,
_In_ int protocol
);

Based on the assembly code, af is 2 (AF_INET), type is 1 (SOCK_STREAM) and protocol is 6 (IPPROTO_TCP).

socket call @ 0x10001701

16. Using the MSDN page for socket and the named symbolic constants functionality
in IDA Pro, can you make the parameters more meaningful?
What are the parameters after you apply changes?

socket parameters after applying named symbolic constants

17. Search for usage of the in instruction (opcode 0xED). This instruction is
used with a magic string VMXh to perform VMware detection. Is that in use
in this malware? Using the cross-references to the function that executes
the in instruction, is there further evidence of VMware detection?

Searching for 0xED via binary search, we come across this opcode.

in eax, dx

Here we find something interesting relating to VMXh, i.e. VMware detection.

VMXh

In the exports list, we can see 3 install export functions, namely InstallRT, InstallSA and InstallSB. Cross-referencing 0x10006196, we can see that these 3 install functions call this VMware detection function. In short, on detection of VMware, the installation terminates.

InstallSB, InstallSA and InstallRT calling the VMware detection function

18. Jump your cursor to 0x1001D988. What do you find?

random data

Some random junk data.

19. If you have the IDA Python plug-in installed (included with the commercial
version of IDA Pro), run Lab05-01.py, an IDA Pro Python script
provided with the malware for this book. (Make sure the cursor is at
0x1001D988.) What happens after you run the script?

decoded text

20. With the cursor in the same location, how do you turn this data into a
single ASCII string?

Just press the ‘A’ key.

21. Open the script with a text editor. How does it work?

It goes through 80 bytes and XORs each of them with 0x55.
