PRACTICAL MALWARE ANALYSIS: ANALYZING MALICIOUS WINDOWS PROGRAMS (LAB 7-02)

Tools Used

  1. IDA Pro

Sample:

  1. Lab07-02.exe SHA256: bdf941defbc52b03de3485a5eb1c97e64f5ac0f54325e8cb668c994d3d8c9c90

VirusTotal:

  • Detection Rate: 22/54
  • Analyzed on 2016-03-03
  • Compilation Date: 2010-12-19 16:18:04

Lab 7-2
Analyze the malware found in the file Lab07-02.exe.
Questions
1. How does this program achieve persistence?

No persistence code is found in the malware.

2. What is the purpose of this program?

You may wish to refer to Lab01-03 for dynamic analysis on COM.

Figure 1. CoCreateInstance

A call to CoCreateInstance is made. We can see that rclsid points to “2DF01-0000-0000-C000-000000000046” (IDA drops the leading zeros of the first DWORD; the full registry form is {0002DF01-0000-0000-C000-000000000046}). In the registry this CLSID refers to Internet Explorer.

Figure 2. 2DF01-0000-0000-C000-000000000046; InternetExplorer
Figure 3. D30C1661-CDAF-11D0-8A3E-00C04FC9E26E; IWebBrowser2

The riid value is set to “D30C1661-CDAF-11D0-8A3E-00C04FC9E26E”, which corresponds to IWebBrowser2 in the registry.

Tracing down the opcodes, we see a call made through offset 2Ch of the returned interface's vtable; in Lab 01-03 I explained how to derive what the 2Ch offset represents. It is the Navigate method. In short, on execution a browser window pops up with the URL “http://www.malwareanalysisbook.com/ad.html” opened.
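The two lookups above (reading the GUID bytes out of the binary into their registry string form, and mapping the 2Ch vtable offset to a method name) can be scripted. The following is an added example, not code from the original post or the book; the GUID bytes are constructed here to match the values in Figures 2 and 3, and only the first slots of the IWebBrowser2 vtable are listed.

```python
import struct

# Constructed sample input: the 16 bytes of the rclsid and riid GUIDs as they are
# laid out in the binary (DWORD Data1, WORD Data2, WORD Data3, BYTE Data4[8],
# little-endian). IDA shows Data1 as "2DF01h", which is why the CLSID is easily
# misread as "2DF01-..." instead of the registry form "{0002DF01-...}".
CLSID_BYTES = bytes.fromhex("01DF0200" "0000" "0000" "C000000000000046")
IID_BYTES = bytes.fromhex("61160CD3" "AFCD" "D011" "8A3E00C04FC9E26E")

# Names for the two GUIDs this sample uses (from the registry, as in the figures).
KNOWN_GUIDS = {
    "{0002DF01-0000-0000-C000-000000000046}": "InternetExplorer (CLSID)",
    "{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}": "IWebBrowser2 (IID)",
}

# IWebBrowser2 inherits IUnknown -> IDispatch -> IWebBrowser, so its vtable starts
# with those methods in order. Only the leading slots are listed; the real
# interface continues well past Stop.
IWEBBROWSER2_VTABLE = [
    "QueryInterface", "AddRef", "Release",                       # IUnknown
    "GetTypeInfoCount", "GetTypeInfo", "GetIDsOfNames", "Invoke",  # IDispatch
    "GoBack", "GoForward", "GoHome", "GoSearch", "Navigate",       # IWebBrowser
    "Refresh", "Refresh2", "Stop",
]


def guid_to_str(raw: bytes) -> str:
    """Decode a 16-byte in-memory GUID into its {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX} form."""
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    d1, d2, d3 = struct.unpack_from("<IHH", raw)  # first three fields are little-endian
    d4 = raw[8:].hex().upper()                    # Data4 is a plain byte array
    return "{%08X-%04X-%04X-%s-%s}" % (d1, d2, d3, d4[:4], d4[4:])


def vtable_method(offset: int, table=IWEBBROWSER2_VTABLE, ptr_size=4) -> str:
    """Map a call [reg+offset] through an interface pointer to the method in that slot."""
    if offset % ptr_size:
        raise ValueError(f"offset {offset:#x} is not pointer-aligned")
    index = offset // ptr_size
    if index >= len(table):
        raise IndexError(f"slot {index} is beyond the listed part of the vtable")
    return table[index]


if __name__ == "__main__":
    for raw in (CLSID_BYTES, IID_BYTES):
        guid = guid_to_str(raw)
        print(guid, "->", KNOWN_GUIDS.get(guid, "unknown"))
    print("call [eax+2Ch] ->", vtable_method(0x2C))  # Navigate
```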

3. When will this program finish executing?

Once the browser pops up and displays the website, the program terminates.
