Tools Used

  1. IDA Pro
  2. OllyDbg
  3. Regshot
  4. Wireshark
  5. Process Monitor (Procmon)


  1. Lab09-01.exe SHA256: 6ac06dfa543dca43327d55a61d0aaed25f3c90cce791e0555e3e306d47107859


  • Detection Rate: 24/54
  • Analyzed on 2016-03-04
  • Compilation Date: 2011-10-18 18:46:44

Lab 9-1
Analyze the malware found in the file Lab09-01.exe using OllyDbg and IDA
Pro to answer the following questions. This malware was initially analyzed in
the Chapter 3 labs using basic static and dynamic analysis techniques.
1. How can you get this malware to install itself?

To install this malware, execution has to reach the function at 0x00402600. Inside it we can see calls to OpenSCManagerA, ChangeServiceConfigA, CreateServiceA and CopyFileA, followed by the creation of a registry key: this is the code that installs the malware as a service and gives it persistence.

To reach the install function at 0x00402600, the malware has to be run with either two or three arguments (excluding the program name): "-in" as the first argument, an optional service name in the middle, and the correct passcode as the last argument.

To decipher the passcode we look at the function at 0x00402510, which first checks that the last argument is exactly 4 characters long and then compares it against the expected value. Working through the comparisons, the passcode is "abcd".

Alternatively, we can patch the "jnz" at address 0x00402B38 to a "jz" to bypass the passcode check. Because this inverts the branch rather than removing it, the patched binary takes the install path for any wrong passcode but now rejects the real one, "abcd"; keep that in mind when testing the patched copy.

Figure 1. Patch 0x00402B38 to jz

To install the malware, run it as "Lab09-01.exe -in abcd"; to install it under a custom service name such as jmpRSP, run "Lab09-01.exe -in jmpRSP abcd".

2. What are the command-line options for this program? What is the password requirement?

The four command-line options accepted by the program are

  1. -in: install the malware as a service
  2. -re: remove (uninstall) the service
  3. -cc: read the configuration from the registry and print it
  4. -c: write a new configuration to the registry

The password required for this malware to run is "abcd"; the last command-line argument must match it exactly. Analyzing the function at 0x00402510 gives it away easily. The image below contains comments that explain how I derived the passcode.

Figure 2. Deriving the passcode

3. How can you use OllyDbg to permanently patch this malware, so that it
doesn’t require the special command-line password?

As mentioned in Question 1, we just need to patch the jnz at 0x00402B38 to a jz. To patch the malware in OllyDbg, open the program in OllyDbg and go to address 0x00402B38 (Ctrl+G, then enter the address).

Figure 3. Go to 0x00402B38

Right-click the instruction and press Ctrl+E (Binary > Edit). Change the opcode byte from 75 (jnz short) to 74 (jz short) as shown below; the second byte, the jump displacement, stays the same.

Figure 4. Edit Binary
Figure 5. Opcode edited to jz

The next step is to save the change to disk. Right-click in the disassembly window and select Copy to executable -> All modifications, then right-click in the window that opens and choose Save file to write the patched executable.
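The same one-byte patch from Question 1 and Question 3 can be applied without the debugger, which is handy when you want a reproducible patched sample. The script below is an added example and is not part of the original write-up: it translates the virtual address 0x00402B38 to a file offset using a PE section table, checks that the byte there really is a short jnz (0x75) before touching it, and writes a jz (0x74). The image base and section layout in the script are assumptions made for the demo (they are not read from the real Lab09-01.exe); for a real sample take them from the section headers, for example with pefile, and keep the 0x75 check as a guard against a wrong address or an already patched file.

```python
# Added example (not from the original write-up): patch the password check
# on disk by mapping VA 0x00402B38 to a file offset and flipping the short
# JNZ (0x75) to a short JZ (0x74).
#
# ASSUMPTION: the image base and section layout below are made up for this
# demo (a common 0x400000 base, .text at RVA 0x1000 backed by raw data at
# file offset 0x400). Read the real values from the PE section table instead
# of hardcoding them when patching the actual sample.

JNZ_SHORT = 0x75
JZ_SHORT = 0x74

ASSUMED_IMAGE_BASE = 0x400000
# (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)
ASSUMED_SECTIONS = [
    (".text", 0x1000, 0x3000, 0x400, 0x3000),
    (".rdata", 0x4000, 0x1000, 0x3400, 0x1000),
]


def va_to_file_offset(va, image_base, sections):
    """Map a virtual address to its offset in the on-disk PE image."""
    rva = va - image_base
    for name, vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            delta = rva - vaddr
            if delta >= raw_size:
                raise ValueError(f"{va:#x} lies in uninitialised data of {name}")
            return raw_ptr + delta
    raise ValueError(f"{va:#x} is not inside any section")


def patch_jnz_to_jz(image, va, image_base=ASSUMED_IMAGE_BASE, sections=ASSUMED_SECTIONS):
    """Return a copy of `image` with the short JNZ at `va` turned into a JZ.

    Refuses to write if the byte is not 0x75, so a wrong address or an
    already patched file is reported instead of silently corrupted. The
    displacement byte after the opcode is left untouched.
    """
    offset = va_to_file_offset(va, image_base, sections)
    if image[offset] != JNZ_SHORT:
        raise ValueError(f"expected JNZ (0x75) at {va:#x}, found {image[offset]:#04x}")
    patched = bytearray(image)
    patched[offset] = JZ_SHORT
    return bytes(patched)


def build_demo_image():
    """Constructed stand-in for Lab09-01.exe (not the real file): zero-filled,
    with a JNZ placed at the assumed file offset of VA 0x00402B38, which is
    0x2B38 - 0x1000 + 0x400 = 0x1F38 under ASSUMED_SECTIONS."""
    image = bytearray(0x4400)
    offset = va_to_file_offset(0x00402B38, ASSUMED_IMAGE_BASE, ASSUMED_SECTIONS)
    image[offset] = JNZ_SHORT
    image[offset + 1] = 0x2A  # arbitrary rel8 displacement, must survive the patch
    return bytes(image)


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 3:
        # Usage: patch.py Lab09-01.exe Lab09-01_patched.exe
        # (still uses the ASSUMED section layout; replace it with the real one)
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(patch_jnz_to_jz(data, 0x00402B38))
    else:
        demo = build_demo_image()
        out = patch_jnz_to_jz(demo, 0x00402B38)
        off = va_to_file_offset(0x00402B38, ASSUMED_IMAGE_BASE, ASSUMED_SECTIONS)
        print(f"file offset {off:#x}: {demo[off]:#04x} -> {out[off]:#04x}")
```

Run without arguments it patches the constructed demo image and prints the before/after byte; with an input and output path it patches a real file, which only makes sense once the section table has been replaced with the sample's own.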

4. What are the host-based indicators of this malware?

To answer this question, let's look at the dynamic analysis observations together with the code in IDA Pro.

Figure 6. Registry trails in IDA Pro
Figure 7. Proc Mon captured WriteFile and RegSetValue
Figure 8. Regshot captured registry creation and service creation
Figure 9. The service created in registry
Figure 10. Services.msc
  1. Registry: HKLM\SOFTWARE\Microsoft \XPS\Configuration (note the space after "Microsoft"; it is part of the name and a useful indicator in its own right)
  2. Service: Lab09-01_patched Manager Service
  3. Dropped file: %SYSTEMROOT%\system32\Lab09-01_patched.exe

Note: there are two ways to install this malware, as mentioned in Question 1. The first is to install it without passing a name as an argument. In that case the malware uses its own executable name for the service name and drops a copy of itself under that name in the system32 folder, as seen in the images above (here the patched copy was saved as Lab09-01_patched.exe, hence the indicators listed).

The second way is to pass a [NAME] as an argument. In that case the service is named "[NAME] Manager Service" and the dropped file is named [NAME].exe.

5. What are the different actions this malware can be instructed to take via
the network?

If no arguments are passed to the executable, the malware calls the function at 0x00402360. This function reads the configuration from the registry value HKLM\SOFTWARE\Microsoft \XPS\Configuration and then calls the function at 0x00402020, which carries out the commands.

Analyzing the function at 0x00402020, we can conclude that the malware can be instructed to perform the following tasks:

  1. Sleep
  2. Upload (write a file sent by the server to the victim machine)
  3. Download (send a file from the victim machine to the server)
  4. Execute a command
  5. Do nothing

6. Are there any useful network-based signatures for this malware?

Figure 11. Network Traffic

From Wireshark we can see that the malware retrieves its commands with an HTTP/1.0 GET request for a randomly generated page of the form /xxxx/ on the command-and-control server. The domain can be changed through the malware's configuration, so a signature keyed on the domain alone is not sufficient; the combination of the old HTTP/1.0 version and the short random path is the more durable pattern to look for.
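To show what a domain-independent signature looks like in practice, here is an added example (not part of the original write-up) that matches the beacon by the shape of its request line rather than by host. It assumes the random path is four alphanumeric characters between slashes ("GET /xxxx/ HTTP/1.0"); tighten the character class if your capture shows a narrower alphabet. The log lines it scans are constructed for the demo and do not come from the sample's real traffic.

```python
import re

# Added example (not from the original write-up): detect the Lab09-01 beacon
# by request shape (HTTP/1.0 + a four-character path), not by domain, since
# the domain lives in the malware's configuration and can be changed.
#
# ASSUMPTION: the random page name is four alphanumeric characters enclosed
# in slashes. Adjust BEACON_RE if the captured paths use a smaller alphabet.

BEACON_RE = re.compile(r"^GET /[A-Za-z0-9]{4}/ HTTP/1\.0$")

# Constructed proxy/IDS-style lines: '<src> <dst_host> "<request line>"'.
# Not a real capture; hosts are placeholder names under .test.
SAMPLE_LOG = [
    '10.0.0.5 www.example-c2.test "GET /rmhv/ HTTP/1.0"',
    '10.0.0.5 www.example-c2.test "GET /index.html HTTP/1.1"',
    '10.0.0.7 other.example.test "GET /kqpz/ HTTP/1.0"',
    '10.0.0.9 cdn.example.test "GET /abcd/ HTTP/1.1"',
    '10.0.0.9 cdn.example.test "GET /abcde/ HTTP/1.0"',
]

LOG_LINE_RE = re.compile(r'^(\S+)\s+(\S+)\s+"([^"]*)"$')


def is_beacon_request(request_line: str) -> bool:
    """True if a single HTTP request line matches the beacon shape."""
    return BEACON_RE.match(request_line.strip()) is not None


def find_beacons(log_lines):
    """Scan log lines and return (src, host, request) for every beacon hit.

    The host is reported but deliberately not used in the decision, so a
    reconfigured C2 domain still triggers on the same request pattern.
    """
    hits = []
    for line in log_lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line; skip rather than crash the scan
        src, host, request = m.groups()
        if is_beacon_request(request):
            hits.append((src, host, request))
    return hits


if __name__ == "__main__":
    for src, host, request in find_beacons(SAMPLE_LOG):
        print(f"beacon from {src} to {host}: {request}")
```

Only the two HTTP/1.0 requests for a four-character page are flagged; the HTTP/1.1 request for the same kind of path and the five-character path are not. The same logic translates directly into an IDS rule that matches on the request method, the HTTP/1.0 version string and a PCRE over the URI.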

