Tools used:
- IDA Pro
- Process Monitor (procmon)
Sample:
- Lab09-01.exe SHA256: 6ac06dfa543dca43327d55a61d0aaed25f3c90cce791e0555e3e306d47107859
- Detection Rate: 24/54
- Analyzed on 2016-03-04
- Compilation Date: 2011-10-18 18:46:44
Analyze the malware found in the file Lab09-01.exe using OllyDbg and IDA Pro to answer the following questions. This malware was initially analyzed in the Chapter 3 labs using basic static and dynamic analysis techniques.
1. How can you get this malware to install itself?
To install this malware, we need to reach the function @0x00402600. In this function we can see calls to OpenSCManagerA, ChangeServiceConfigA, CreateServiceA and CopyFileA, as well as registry key creation. All of these are used to give the malware persistence.
To get to the install function @0x00402600 we need to run the malware with either 2 or 3 arguments (excluding the program name). The last argument must be the correct passcode and the 1st argument must be “-in”.
To decipher the passcode, we look at the function @0x00402510. The passcode must be exactly 4 characters long. After analyzing the function, the passcode turns out to be “abcd”.
We can also choose to patch the “jnz” opcode at address 0x00402B38 to “jz” to bypass the passcode check.
To install the malware, execute it as “Lab09-01.exe -in abcd”. If you want to install it with a custom service name such as jmpRSP, execute it as “Lab09-01.exe -in jmpRSP abcd”.
2. What are the command-line options for this program? What is the password
The 4 command-line options accepted by the program are:
- -in; install
- -re; uninstall
- -cc; parse the registry configuration and print it out
- -c; set the registry configuration
The password this malware requires to run its commands is “abcd”. By analyzing the function @0x00402510 we can easily derive this password. The image below contains comments that explain how I derived that the passcode is “abcd”.
3. How can you use OllyDbg to permanently patch this malware, so that it
doesn’t require the special command-line password?
As mentioned in Question 1, we just need to patch the instruction at 0x00402B38 to jz. To patch the malware in OllyDbg, run the program in OllyDbg and go to the address 0x00402B38.
Right-click on the address and press Ctrl-E (Edit binary). Change the hex byte from 75 to 74 as shown below.
The next step is to save the changes. Right-click in the disassembly window and select Copy to executable -> All modifications, then save the result to a file.
4. What are the host-based indicators of this malware?
To answer this question, let's look at the dynamic analysis observations and the IDA Pro code.
- HKLM\\SOFTWARE\\Microsoft \\XPS\\Configuration
- Lab09-01_patched Manager Service
Note: there are 2 ways to install this malware, as mentioned in Question 1. The first way is to install it without passing a name as an argument. In that case the malware uses its own executable name to name the service and drops itself into the system32 folder, as seen in the images above.
The second way is to pass a [NAME] as an argument. In that case the service is named “[NAME] Manager Service” and the dropped file is named [NAME].exe.
5. What are the different actions this malware can be instructed to take via
If no argument is passed to the executable, the malware calls the function @0x00402360. This function parses the registry key “HKLM\\SOFTWARE\\Microsoft \\XPS\\Configuration” and calls the function @0x00402020 to execute the malicious functionality.
Analyzing the function @0x00402020, we can conclude that the malware is capable of the following tasks:
- Upload (save a file to the victim machine)
- Download (extract out a file from the victim machine)
- Execute Command
- Do Nothing
6. Are there any useful network-based signatures for this malware?
From Wireshark, we can see that the malware attempts to retrieve commands from http://www.practicalmalwareanalysis.com. A random page (xxxx/xxx.xxx) is requested from the server using HTTP/1.0. Note that the evil domain can be changed, therefore a network-based signature keyed only to practicalmalwareanalysis.com is not sufficient; the request shape (the random xxxx/xxx.xxx URI combined with the HTTP/1.0 version) is the more robust indicator.