- IDA Pro
- Lab07-01.exe SHA256: 0c98769e42b364711c478226ef199bfbba90db80175eb1b8cd565aa694c09852
- Detection Rate: 21/54
- Analyzed on 2016-03-03
- Compilation Date: 2011-09-30 19:49:12
Analyze the malware found in the file Lab07-01.exe.
1. How does this program ensure that it continues running (achieves persistence) when the computer is restarted?
Based on the static analysis in IDA Pro, we can quickly identify from the imports that CreateServiceA is used. Diving into the code in Figure 2, we can see that it creates a new service that runs in its own process and starts automatically when Windows boots. The service is named Malservice. The binary the service runs is the current executable's path, retrieved with GetModuleFileNameA.
2. Why does this program use a mutex?
In Figure 3, we can see that the malware attempts to open the mutex "HGL345". If the mutex already exists, the program exits. The purpose of the mutex is to ensure that no two instances of the program run at the same time.
3. What is a good host-based signature to use for detecting this program?
We should look out for the "HGL345" mutex and the "Malservice" service.
4. What is a good network-based signature for detecting this malware?
Just by looking at the strings in the binary, we can easily spot a suspicious URL, and by cross-referencing it we arrive at Figure 5. The malware uses "Internet Explorer 8.0" as its User-Agent and attempts to GET "http://www.malwareanalysisbook.com" in a loop. We can use this as the network-based signature.
5. What is the purpose of this program?
From the figure above, we can observe that a waitable timer is created with the system time set to the year 2100, 00:00:00. According to MSDN for WaitForSingleObject, the malware passes an INFINITE timeout, which means the program waits until the timer object is signaled in the year 2100. It then creates 20 (14h) threads that call the function in Figure 5. To conclude, at 00:00:00 in the year 2100, machines infected with this malware will begin a DDoS attack on http://www.malwareanalysisbook.com, with each machine running 20 threads in an infinite loop of HTTP GET requests to the site.
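To turn the network-based signature from question 4 and the 20-thread flood behaviour from question 5 into something a defender can run, here is an added example (my own code, not part of the original writeup) that scans proxy-style log lines for GETs to the target host carrying the lab's User-Agent and flags clients whose per-second hit count looks like the flood. The log format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicators taken from the Lab07-01.exe analysis above.
TARGET_HOST = "www.malwareanalysisbook.com"
USER_AGENT = "Internet Explorer 8.0"

# Constructed proxy log lines for this example (not real traffic); format is
# <timestamp> <client_ip> <method> <url> "<user-agent>"
SAMPLE_LOG = """\
2100-01-01T00:00:00 10.0.0.5 GET http://www.malwareanalysisbook.com/ "Internet Explorer 8.0"
2100-01-01T00:00:00 10.0.0.5 GET http://www.malwareanalysisbook.com/ "Internet Explorer 8.0"
2100-01-01T00:00:01 10.0.0.5 GET http://www.malwareanalysisbook.com/ "Internet Explorer 8.0"
2100-01-01T00:00:01 10.0.0.7 GET http://www.malwareanalysisbook.com/ "Mozilla/5.0"
2100-01-01T00:00:02 10.0.0.9 GET http://example.org/ "Internet Explorer 8.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def matches_signature(url, user_agent):
    """Network signature from the writeup: the lab's target host fetched with its
    unusual User-Agent. Both must match, so ordinary visitors to the site using a
    real browser UA are not flagged."""
    return urlparse(url).hostname == TARGET_HOST and user_agent == USER_AGENT


def flag_flooders(log_text, threshold=2):
    """Return {client_ip: peak_requests_per_second} for clients whose matching
    GETs reach `threshold` within any single second. The lab runs 20 threads of
    back-to-back GETs, so an infected host's per-second count stands out."""
    per_second = defaultdict(int)          # (client_ip, timestamp) -> count
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                       # skip lines that do not fit the format
        ts, client, method, url, ua = m.groups()
        if method == "GET" and matches_signature(url, ua):
            per_second[(client, ts)] += 1
    peak = defaultdict(int)
    for (client, _ts), n in per_second.items():
        peak[client] = max(peak[client], n)
    return {ip: n for ip, n in peak.items() if n >= threshold}


if __name__ == "__main__":
    print(flag_flooders(SAMPLE_LOG))       # {'10.0.0.5': 2}
```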
6. When will this program finish executing?
The program runs forever, until the process is killed or the machine is powered off.