PRACTICAL MALWARE ANALYSIS: ANALYZING MALICIOUS WINDOWS PROGRAMS (LAB 7-01)

Tools Used

  1. IDA Pro

Sample:

  1. Lab07-01.exe SHA256: 0c98769e42b364711c478226ef199bfbba90db80175eb1b8cd565aa694c09852

VirusTotal:

  • Detection Rate: 21/54
  • Analyzed on 2016-03-03
  • Compilation Date: 2011-09-30 19:49:12
  • View report here

Lab 7-1
Analyze the malware found in the file Lab07-01.exe.
Questions
1. How does this program ensure that it continues running (achieves persistence) when the computer is restarted?

Figure 1. Create Service (imports listing)

Figure 2. CreateServiceA (disassembly)


Based on the above static analysis in IDA Pro, we can quickly identify from the imports that CreateServiceA is used. Diving into the code in Figure 2, we can see that it creates a new service that runs in its own process and auto-starts when Windows boots. The service is named Malservice. The binary that this service runs is the current executable, whose path is retrieved with GetModuleFileNameA.

2. Why does this program use a mutex?

Figure 3. Mutex (disassembly)

In Figure 3, we can see that the malware attempts to open the mutex "HGL345". If the mutex already exists, the program exits. The purpose of the mutex here is to ensure that no two instances of this program run at the same time.

3. What is a good host-based signature to use for detecting this program?

We should look out for the "HGL345" mutex and the "Malservice" service.

4. What is a good network-based signature for detecting this malware?

Figure 4. Suspicious Strings

Figure 5. Internet Connection (disassembly)

Just by looking at the strings of the binary, we can easily spot a suspicious URL, and by cross-referencing it we arrive at Figure 5. The malware simply uses "Internet Explorer 8.0" as its user agent and attempts to GET "http://www.malwareanalysisbook.com" in a loop. We can use this as the network-based signature.
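As an added example (not part of the original write-up), the host-based indicators from question 3 and the network-based signature from question 4 expressed as checks over constructed sample data: a strings/handle dump for the mutex and service names, and raw HTTP requests for the User-Agent plus beacon host. The sample strings and requests are constructed for the example, not captured from the binary.

```python
"""Signature checks for the Lab07-01 indicators named in this write-up:
mutex "HGL345", service "Malservice", User-Agent "Internet Explorer 8.0"
and the beacon host www.malwareanalysisbook.com. Sample data is constructed."""

MUTEX_NAME = "HGL345"
SERVICE_NAME = "Malservice"
USER_AGENT = "Internet Explorer 8.0"   # bare string, no "Mozilla/..." prefix
BEACON_HOST = "www.malwareanalysisbook.com"


def host_indicators(text: str) -> dict:
    """Host-based check over a strings dump, service list or handle list.
    Returns which of the two indicators were found."""
    return {"mutex": MUTEX_NAME in text, "service": SERVICE_NAME in text}


def parse_request(raw: str):
    """Split a raw HTTP/1.x request into (method, path, headers).
    Header names are lower-cased; a blank line ends the header block."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        return None                      # not a request line
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def is_beacon_request(raw: str) -> bool:
    """Network-based check: a GET to the beacon host whose User-Agent is
    exactly the string the malware passes to InternetOpenA. A genuine IE 8
    UA begins "Mozilla/4.0 (compatible; MSIE 8.0", so the bare value is
    itself anomalous and the combination is a tight signature."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, _, headers = parsed
    return (method == "GET"
            and headers.get("host", "").lower() == BEACON_HOST
            and headers.get("user-agent") == USER_AGENT)


# Constructed samples (not captured from the real malware).
SAMPLE_STRINGS = "GetModuleFileNameA\nMalservice\nHGL345\nInternet Explorer 8.0\n"
SAMPLE_BEACON = ("GET / HTTP/1.1\r\nUser-Agent: Internet Explorer 8.0\r\n"
                 "Host: www.malwareanalysisbook.com\r\n\r\n")
SAMPLE_BENIGN = ("GET / HTTP/1.1\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 8.0)\r\n"
                 "Host: www.malwareanalysisbook.com\r\n\r\n")
```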

5. What is the purpose of this program?

Figure 6. Timer and Threads (disassembly)

From the above figure, we can observe that a waitable timer is created with the system time set to year 2100, 00:00:00. According to MSDN, WaitForSingleObject with an infinite timeout parameter, which is what the malware uses, waits until the object is signaled, i.e. in year 2100. It will then create 20 (14h) threads, each calling the function in Figure 5. To conclude, at 00:00:00 in the year 2100, machines infected with this malware will begin a DDoS attack on http://www.malwareanalysisbook.com, with each machine running 20 threads that issue HTTP GET requests to the site in an infinite loop.

6. When will this program finish executing?

The program will run indefinitely until the process is killed or the machine is powered off.
