PRACTICAL MALWARE ANALYSIS: RECOGNIZING C CODE CONSTRUCTS IN ASSEMBLY (LAB 6-03)

Tools Used:

  1. IDA Pro

Sample:

  1. Lab06-03.exe SHA256: 75eb05679a0a988dddf8badfc6d5996cc7e372c73e1023dde59efbaab6ece655

VirusTotal:

  • Detection Rate: 24/54
  • Analyzed on 29 Feb 2016
  • Compilation Date: 2011-02-03 15:14:16
  • View report here

Lab 6-3

In this lab, we’ll analyze the malware found in the file Lab06-03.exe.

Questions

1. Compare the calls in main to Lab 6-2’s main method. What is the new function called from main?

[Image: exercise2] Figure 1. Lab 6-2

[Image: exercise3] Figure 2. Lab 6-3

From the above images, we can see that Lab 6-3 makes an additional call to sub_401130. The rest of the statements in main look the same.

2. What parameters does this new function take?

It takes the command character parsed by sub_401040 and the current executable’s name, argv[0], which main passes in.

3. What major code construct does this function contain?

[Image: switch] Figure 3. Switch statement via jump table

From the above image we can see that the major code construct is a switch statement implemented with a jump table.

4. What can this function do?

First, let’s take a look at the statements before the jump is made.

[Image: jump] Figure 4. Cases

From the above image we can see that arg_0 is the command char passed in. ‘a’ is subtracted from the command char, so if the command char is a, var_8 will be 0; if the command char is b, var_8 will be 1, and so on. A comparison then checks whether the command char is greater than e. If it is, “Error 3.2: Not a valid command provided” is printed. Otherwise var_8 is used as the index into the jump table.

So let’s see what command chars a to e do:

a. “c:\temp” directory is created via CreateDirectoryA function

b. The current executable is copied to “c:\temp\cc.exe” via the CopyFileA function

c. “c:\temp\cc.exe” is deleted via the DeleteFileA function

d. A registry key “Malware” with value “c:\temp\cc.exe” is added under “HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run” via the RegSetValueExA function. This gives the malware persistence.

e. Sleep for 100 seconds
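To show how the subtract-‘a’, bounds-check, jump-table pattern in Figure 4 falls out of a plain C switch, here is an added reconstruction of the dispatch (my own code, not taken from the lab binary; the names cmd_index, describe_command and command_from_page are mine). Instead of performing the actions, each case returns the host-based indicator it would produce, so the mapping can be checked offline.

```c
#include <stdio.h>
#include <string.h>

/* Command set observed in the lab: 'a'..'e'. Anything else is "Error 3.2". */
#define CMD_COUNT 5

/* Mirrors the prologue before the jump: var_8 = arg_0 - 'a', then a range
 * check before var_8 indexes the table (a single unsigned compare against
 * the last valid index achieves the same thing in compiled code). */
int cmd_index(char c)
{
    int idx = c - 'a';
    if (idx < 0 || idx >= CMD_COUNT)
        return -1;
    return idx;
}

/* The switch itself: for dense consecutive cases the compiler emits a jump
 * table indexed by idx, one entry per case. Each case here describes what
 * the real sample does rather than doing it. */
const char *describe_command(char c)
{
    switch (cmd_index(c)) {
    case 0:  return "CreateDirectoryA: creates c:\\temp";
    case 1:  return "CopyFileA: copies self to c:\\temp\\cc.exe";
    case 2:  return "DeleteFileA: deletes c:\\temp\\cc.exe";
    case 3:  return "RegSetValueExA: HKLM\\...\\Run\\Malware = c:\\temp\\cc.exe";
    case 4:  return "Sleep: 100 seconds";
    default: return "Error 3.2: Not a valid command provided";
    }
}

/* Extracts the command char the way the sample does: only if the downloaded
 * page starts with "<!--" does the next character become the command. */
int command_from_page(const char *page, char *out)
{
    if (strncmp(page, "<!--", 4) != 0 || page[4] == '\0')
        return 0;
    *out = page[4];
    return 1;
}

int main(void)
{
    const char *page = "<!--d-->";   /* constructed sample, not the real cc.htm */
    char cmd;
    if (command_from_page(page, &cmd))
        printf("command '%c': %s\n", cmd, describe_command(cmd));
    return 0;
}
```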

5. Are there any host-based indicators for this malware?

File: C:\Temp\cc.exe

Registry: “HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Malware” key with “C:\Temp\cc.exe” as its value

6. What is the purpose of this malware?

The malware first checks for an internet connection. If one is available, it then attempts to download http://www.practicalmalwareanalysis.com/cc.htm using the user agent “Internet Explorer 7.5/pma”. It parses the downloaded page and checks whether it begins with <!--. If it does, the next character is parsed as the command, and it executes one of the predefined tasks: directory creation, copying itself to the temp folder, deleting that copy, sleeping, or adding a registry key to ensure persistence.
