PRACTICAL MALWARE ANALYSIS: RECOGNIZING C CODE CONSTRUCTS IN ASSEMBLY (LAB 6-04)

Tools Used:

  1. IDA Pro

Sample:

  1. Lab06-04.exe SHA256: cce96e5cb884c565c75960c41f53a7b56cef1a3ff5b9893cd81c390fd0c35ef3

VirusTotal:

  • Detection Rate: 18/54
  • Analyzed on 2016-02-29
  • Compilation Date: 2011-02-04 00:38:24
  • View report here

Lab 6-4
In this lab, we’ll analyze the malware found in the file Lab06-04.exe.
Questions
1. What is the difference between the calls made from the main method in
Labs 6-3 and 6-4?

Lab 6-3                            Lab 6-4
Address    Description             Address    Description
0x401000   checkConnection         0x401000   checkConnection
0x401040   parseHTML               0x401040   parseHTML
0x401271   printf                  0x4012B5   printf
0x401130   executeCommand          0x401150   executeCommand

2. What new code construct has been added to main?

[Figure 1. For loop (loops 1440 times)]

Figure 1 shows a for loop in main; it iterates 1440 times.

 

3. What is the difference between this lab’s parse HTML function and
those of the previous labs?

[Figure 2. User agent with a number appended]

sprintf is called to append a number to the end of the User-Agent string.

4. How long will this program run? (Assume that it is connected to the
Internet.)

Referring to Figure 1, the loop runs 1440 times and calls the sleep function once per iteration. The sleep function pauses for 60 seconds, so the loop runs for 1440 minutes, which is 24 hours.

5. Are there any new network-based indicators for this malware?

User Agent: Internet Explorer 7.5/pma[0-1439]

URL: http://www.practicalmalwareanalysis.com/cc.htm
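As an added example (not part of the original write-up), here is a small Python scanner that applies the two indicators above to constructed proxy-log lines. It matches the User-Agent pattern, rejects counters outside the 0..1439 range the loop can produce, and converts the counter into the number of minutes the sample has been running, since each loop iteration sleeps for 60 seconds. The tab-separated log layout (timestamp, client, URL, user agent) and the sample lines are assumptions made for the example.

```python
import re
from typing import List, Optional

# Indicators taken from the analysis above.
C2_URL = "http://www.practicalmalwareanalysis.com/cc.htm"
UA_PATTERN = re.compile(r"^Internet Explorer 7\.5/pma(\d+)$")
MAX_INDEX = 1439              # the loop runs 1440 times, so the index is 0..1439
MINUTES_PER_ITERATION = 1     # one iteration == one 60-second sleep


def match_user_agent(ua: str) -> Optional[int]:
    """Return the loop index if `ua` is the sample's user agent, else None.

    A counter above 1439 cannot be produced by the loop, so it is not
    treated as a match (it would more likely be a copycat or test value).
    """
    m = UA_PATTERN.match(ua)
    if not m:
        return None
    idx = int(m.group(1))
    if idx > MAX_INDEX:
        return None
    return idx


def scan_proxy_log(lines: List[str]) -> List[dict]:
    """Scan tab-separated log lines (assumed layout:
    timestamp, client, url, user agent) and return one record per request
    that matches the C2 URL, the User-Agent pattern, or both."""
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 4:
            continue  # malformed line, skip it
        ts, client, url, ua = parts
        idx = match_user_agent(ua)
        url_hit = url == C2_URL
        if idx is None and not url_hit:
            continue
        hits.append({
            "timestamp": ts,
            "client": client,
            "url_match": url_hit,
            "ua_match": idx is not None,
            "loop_index": idx,
            # How long the sample has been running, per the 60-second sleep.
            "minutes_running": None if idx is None else idx * MINUTES_PER_ITERATION,
        })
    return hits


# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = [
    "2016-02-29T10:00:05\t10.0.0.5\thttp://www.practicalmalwareanalysis.com/cc.htm\tInternet Explorer 7.5/pma0",
    "2016-02-29T10:07:05\t10.0.0.5\thttp://www.practicalmalwareanalysis.com/cc.htm\tInternet Explorer 7.5/pma7",
    "2016-02-29T10:07:30\t10.0.0.9\thttps://example.org/\tMozilla/5.0",
    "2016-02-29T11:00:00\t10.0.0.12\thttp://www.practicalmalwareanalysis.com/cc.htm\tMozilla/5.0",
    "2016-02-29T11:05:00\t10.0.0.13\thttp://example.com/\tInternet Explorer 7.5/pma9999",
]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

The first two lines both match; the second shows a counter of 7, meaning the sample on that host has been running about seven minutes. The fourth line matches on URL alone, which is worth flagging because a reconnection from a different process would look exactly like that. The last line is rejected: the counter is outside the range the loop can produce and the URL is not the C2 URL.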

6. What is the purpose of this malware?

The malware first checks for an Internet connection. If one is available, it attempts to download http://www.practicalmalwareanalysis.com/cc.htm using the User-Agent string Internet Explorer 7.5/pma[0-1439]. The number appended to the user agent is the loop counter, so the C2 server can tell how long the malware has been running: each increment corresponds to one minute. The malware then parses the downloaded page and checks whether it begins with <!--. If it does, the next character is taken as the command, and the malware executes one of its predefined tasks: creating a directory, copying itself to the temp folder, deleting itself, adding a registry key for persistence, or sleeping for 100 seconds.
