- IDA Pro
- Lab06-03.exe SHA256: 75eb05679a0a988dddf8badfc6d5996cc7e372c73e1023dde59efbaab6ece655
- Detection Rate: 24/54
- Analyzed on 29 Feb 2016
- Compilation Date: 2011-02-03 15:14:16
In this lab, we’ll analyze the malware found in the file Lab06-03.exe.
1. Compare the calls in main to Lab 6-2's main method. What is the new function called from main?
From the above images, we can see that an additional call to sub_401130 has been added. The rest of the statements in main look the same as in Lab 6-2.
2. What parameters does this new function take?
It takes two parameters: the command character parsed out by sub_401040, and the current executable's name, i.e. the argv value passed in from main.
3. What major code construct does this function contain?
From the above image we can see that the major code construct is a switch statement, implemented by the compiler as a jump table.
4. What can this function do?
First, let's take a look at the statements before the jump is made.
From the above image we can see that arg_0 is the command char passed in. 'a' is subtracted from the command char, so if the command char is 'a', var_8 will be 0; if it is 'b', var_8 will be 1; and so on. A comparison then checks whether the command char is greater than 'e'. If it is, "Error 3.2: Not a valid command provided" is printed. Otherwise var_8 is used as the index into the jump table.
So let's see what command chars 'a' to 'e' do:
a. The "c:\temp" directory is created via the CreateDirectoryA function.
b. The current executable is copied to "c:\temp\cc.exe" via the CopyFileA function.
c. "c:\temp\cc.exe" is deleted via the DeleteFileA function.
d. A registry value named "Malware" with data "c:\temp\cc.exe" is added under "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" via the RegSetValueExA function. This gives the malware persistence across reboots.
e. Sleep for 100 seconds.
5. Are there any host-based indicators for this malware?
Registry: the "HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Malware" value, with "C:\Temp\cc.exe" as its data.
6. What is the purpose of this malware?
The malware first checks for an internet connection. If one is present, it attempts to download http://www.practicalmalwareanalysis.com/cc.htm using the user agent "Internet Explorer 7.5/pma". It then parses the downloaded page and checks whether it begins with "<!--". If it does, the next character is parsed as the command, and the malware executes one of its predefined tasks: directory creation, copying itself to the temp folder, deleting the copy, adding the registry key to ensure persistence, or sleeping.
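To make the dispatch logic from questions 4 and 6 concrete, here is an added Python re-implementation of the command parser and jump-table switch as recovered above. This is my own illustrative code, not code from the lab or the sample: the function names `parse_command`, `dispatch` and `triage`, and the sample page bodies, are constructed for the example. Each jump-table entry is only a description of the API call the real binary makes, so an analyst can ask "which action would this C2 page trigger?" without executing anything. The page only states a "> 'e'" check; I also reject characters below 'a', which is how an unsigned bounds check on the subtracted index behaves (an assumption about the compiled comparison, not something stated above).

```python
# Added example (not the lab's or the sample's own code): emulate the
# command dispatch of Lab06-03.exe's sub_401130 so that a downloaded C2
# page can be triaged offline. Function and variable names are constructed.

ERROR_MSG = "Error 3.2: Not a valid command provided"

# Index = command char - 'a', exactly as the jump table is indexed.
# The real sample performs these actions; here each entry is only a label.
JUMP_TABLE = [
    'CreateDirectoryA("C:\\Temp")',                                  # 'a'
    'CopyFileA(<self>, "C:\\Temp\\cc.exe")',                         # 'b'
    'DeleteFileA("C:\\Temp\\cc.exe")',                               # 'c'
    'RegSetValueExA(HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, '
    '"Malware" = "C:\\Temp\\cc.exe")',                               # 'd'
    "Sleep(100000)",                                                 # 'e' (100 s)
]

COMMENT_PREFIX = "<!--"


def parse_command(page: str):
    """Mirror of sub_401040: if the page begins with '<!--', the next
    character is the command; otherwise there is no command."""
    if page.startswith(COMMENT_PREFIX) and len(page) > len(COMMENT_PREFIX):
        return page[len(COMMENT_PREFIX)]
    return None


def dispatch(cmd: str) -> str:
    """Mirror of sub_401130: subtract 'a', bounds-check, index the table."""
    idx = ord(cmd) - ord("a")
    # Anything outside 'a'..'e' falls through to the error path. A negative
    # index would read as a huge unsigned value in the binary's comparison
    # (assumption about the compiled check), so it is rejected too.
    if idx < 0 or idx >= len(JUMP_TABLE):
        return ERROR_MSG
    return JUMP_TABLE[idx]


def triage(page: str):
    """Return (command_char, described_action) for a captured page body,
    or (None, None) when the page carries no command."""
    cmd = parse_command(page)
    if cmd is None:
        return None, None
    return cmd, dispatch(cmd)


if __name__ == "__main__":
    # Constructed sample bodies, not real captures from the lab's C2 domain.
    for body in ("<!--d rest of page", "<!--f", "<html><body>hello</body></html>"):
        print(repr(body), "->", triage(body))
```

Running the block prints the command (if any) and the action it would select for each constructed page body; the 'd' case is the one that produces the host-based indicator listed in question 5.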