PRACTICAL MALWARE ANALYSIS: RECOGNIZING C CODE CONSTRUCTS IN ASSEMBLY (LAB 6-02)

Tools Used:

  1. IDA Pro

Sample:

  1. Lab06-02.exe SHA256: b71777edbf21167c96d20ff803cbcb25d24b94b3652db2f286dcd6efd3d8416a

VirusTotal:

  • Detection Rate: 20/55
  • Analyzed on 28 Feb 2016
  • Compilation Date: 2011-02-02 21:29:05

Lab 6-2
Analyze the malware found in the file Lab06-02.exe.
Questions
1. What operation does the first subroutine called by main perform?

The first subroutine called by main is at 0x401000. It checks for an internet connection by calling InternetGetConnectedState and returns 1 in eax if a connection exists and 0 if there is none.

Figure 1. Check for internet connection (sub_401000)

2. What is the subroutine located at 0x40117F?

printf

3. What does the second subroutine called by main do?

If the first subroutine returns 1 (an internet connection exists), main calls the second subroutine at 0x401040.

Figure 2. Get command from C2

The function opens “http://www.practicalmalwareanalysis.com/cc.htm” via InternetOpenUrlA, reads the page into a buffer with InternetReadFile and checks whether the first four characters are “<!--”. If they are, a command is present; otherwise a message stating that it failed to get a command is printed.

Figure 3. <!-- command

4. What type of code construct is used in this subroutine?

The construct is an if statement. 512 bytes are read from “http://www.practicalmalwareanalysis.com/cc.htm”, and the first four bytes are compared one at a time against ‘<’, ‘!’, ‘-’, ‘-’ (the HTML comment opener <!--). In the disassembly this appears as one compare-and-jump per byte. Only if all four match is the next byte treated as the command.
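To make the construct concrete, here is an added C example (not code from the book or the sample) that reproduces the same check over a buffer: a 512-byte read, a byte-by-byte comparison against “<!--” and the fifth byte taken as the command. The network fetch is replaced by a stand-in that copies a constructed page body, so it runs offline; the sample page bodies are constructed for this example and are not captured C2 content. Compiled with optimizations off, the chained comparisons in parse_command produce the one-cmp-one-jnz-per-byte pattern seen in the lab's disassembly.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512 /* the sample reads at most 512 bytes of the page */

/* The if construct from the second subroutine: the first four bytes must be
 * the HTML comment opener "<!--" and the byte after it is the command.
 * Returns the command byte, or 0 on the "failed to get command" path. */
char parse_command(const unsigned char *buf, size_t len)
{
    /* Need the 4-byte marker plus one command byte. */
    if (len < 5)
        return 0;

    /* Each comparison compiles to a separate cmp/jnz pair. */
    if (buf[0] == '<' && buf[1] == '!' && buf[2] == '-' && buf[3] == '-')
        return (char)buf[4];

    return 0;
}

/* Stand-in for InternetOpenUrlA + InternetReadFile (assumption: no network in
 * this example). Copies at most BUF_SIZE bytes of the page body into buf and
 * returns how many bytes were "read". */
size_t read_page(const char *page, unsigned char *buf)
{
    size_t n = strlen(page);
    if (n > BUF_SIZE)
        n = BUF_SIZE;
    memcpy(buf, page, n);
    return n;
}

/* Constructed sample page bodies (not real cc.htm content). The first carries
 * the command 'n' in the expected position; the second has the comment but
 * not at offset 0, so the check fails exactly as it would in the sample. */
static const char *SAMPLE_WITH_COMMAND = "<!--n--><html><body>ok</body></html>";
static const char *SAMPLE_NO_COMMAND   = "<html><!--n--></html>";

/* Full flow for one page body: read up to 512 bytes, then parse. */
char command_from_page(const char *page)
{
    unsigned char buf[BUF_SIZE];
    size_t n = read_page(page, buf);
    return parse_command(buf, n);
}

int main(void)
{
    const char *pages[] = { SAMPLE_WITH_COMMAND, SAMPLE_NO_COMMAND };
    for (size_t i = 0; i < 2; i++) {
        char c = command_from_page(pages[i]);
        if (c)
            printf("page %zu: parsed command is '%c'\n", i, c);
        else
            printf("page %zu: failed to get command\n", i);
    }
    return 0;
}
```

The length guard in parse_command is the one thing the example adds beyond the construct itself: the sample reads whatever the server returns, and a page shorter than five bytes would otherwise be checked past the data that was actually read.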

5. Are there any network-based indicators for this program?

User Agent: Internet Explorer 7.5/pma

URL: http://www.practicalmalwareanalysis.com/cc.htm

6. What is the purpose of this malware?

The malware first checks for an internet connection. If one exists, it attempts to download http://www.practicalmalwareanalysis.com/cc.htm using the User-Agent “Internet Explorer 7.5/pma”. It then parses the downloaded page and checks whether it begins with “<!--”. If it does, the next character is taken as the command and printed to the console. The program then sleeps for 60 seconds and terminates.

Figure 4. Parsed command