- IDA Pro
- Lab09-02.exe SHA256: f153dfacec09dd69809c3bbf68270a38ee3701f44220c7bf181c14a68c138133
- Detection Rate: 17/54
- Analyzed on 2016-03-05
- Compilation Date: 2011-04-30 16:41:06
Analyze the malware found in the file Lab09-02.exe using OllyDbg to answer
the following questions.
1. What strings do you see statically in the binary?
2. What happens when you run this binary?
The program just terminates without doing anything.
3. How can you get this sample to run its malicious payload?
From the above flow graph of the main function, we can see that the binary retrieves its own executable path via GetModuleFileNameA and then strips the directory portion using _strrchr. The malware then compares the remaining filename with “ocl.exe”. If it doesn’t match, the malware terminates. Therefore, to run the malware we must rename it to “ocl.exe”.
4. What is happening at 0x00401133?
We can see in the disassembly that a string is formed character by character on the stack. The string is “1qaz2wsx3edc”. Building the string this way prevented IDA Pro from displaying it as a normal string.
5. What arguments are being passed to subroutine 0x00401089?
From the above OllyDbg screenshot, we can see that the string “1qaz2wsx3edc” is passed into the subroutine 0x00401089. An unknown pointer (0x0012FD90) is also passed in.
Stepping into the subroutine, you will realize that the malware is decoding the string at 0x0012FD90 with the XOR key (1qaz2wsx3edc). As shown above, we can start to see the decoded string taking shape.
6. What domain name does this malware use?
7. What encoding routine is being used to obfuscate the domain name?
As mentioned in question 5, XOR is used to obfuscate the domain name.
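The decoding routine described in questions 5 and 7, as an added example that is not code from the lab or the write-up: a repeating-key XOR decoder using the stack string from 0x00401133. It assumes the key is applied cyclically over the encoded buffer (the page only says the buffer is decoded "with the xor key"), and since the encoded bytes at 0x0012FD90 are not reproduced on the page, it works on a constructed placeholder rather than the real domain name. The decode_steps helper yields the buffer after each loop iteration, which is the "string taking shape" view you get when single-stepping the loop in OllyDbg.

```python
from itertools import cycle

# Stack string built character by character at 0x00401133 (from the write-up).
XOR_KEY = b"1qaz2wsx3edc"


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR every byte of data with the key, cycling the key when data is longer.

    XOR is its own inverse, so this both encodes and decodes.
    Assumption: the routine at 0x00401089 cycles the 12-byte key; the page does
    not state this explicitly.
    """
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_c_string(buf: bytes, key: bytes = XOR_KEY) -> str:
    """Decode a buffer and cut it at the first NUL, as a C caller would read it."""
    decoded = xor_with_key(buf, key)
    end = decoded.find(b"\x00")
    if end != -1:
        decoded = decoded[:end]
    return decoded.decode("ascii", errors="replace")


def decode_steps(buf: bytes, key: bytes = XOR_KEY):
    """Yield the partially decoded buffer after each iteration of the XOR loop,
    mirroring the view when stepping through the subroutine in a debugger."""
    out = bytearray(buf)
    for i in range(len(buf)):
        out[i] ^= key[i % len(key)]
        yield bytes(out)


# Constructed placeholder: the real encoded bytes (and the real domain, the
# answer to question 6) are not on this page, so a stand-in is used instead.
CONSTRUCTED_PLAINTEXT = b"example-placeholder.invalid"
CONSTRUCTED_ENCODED = xor_with_key(CONSTRUCTED_PLAINTEXT + b"\x00")


if __name__ == "__main__":
    # Show the decoded string appearing one byte at a time, then the final result.
    for partial in decode_steps(CONSTRUCTED_ENCODED):
        print(partial)
    print("decoded:", decode_c_string(CONSTRUCTED_ENCODED))
```

To use this on the real sample, dump the bytes at the pointer passed to 0x00401089 (0x0012FD90 in the screenshot) from OllyDbg and pass them to decode_c_string; if the output is not printable, the cyclic-key assumption is wrong and the loop in the subroutine should be checked for how it indexes the key.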
8. What is the significance of the CreateProcessA call at 0x0040106E?
The first block shows the malware taking the decoded domain name and resolving it to an IP address with gethostbyname. In the second block, it connects to the resolved IP on port 9999. In the third block, the socket s is passed into the CommandExecution subroutine as the last argument.
From the above figure, we can see that the STARTUPINFO’s hStdInput, hStdOutput and hStdError now point to the socket s. In other words, all input and output that would normally appear in the cmd.exe console is instead sent over the network. The CreateProcessA call launches cmd.exe with its window hidden, since wShowWindow is set to SW_HIDE (0). Taken together, this means a reverse shell is spawned to receive commands from the attacker’s server.
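From a detection standpoint, the behaviour just described leaves a recognisable trace in endpoint telemetry: the malware process opens an outbound TCP connection and, moments later, spawns cmd.exe as its child. The following is an added example, not part of the write-up, that correlates the two over constructed Sysmon-style events (Event ID 3 network connection, Event ID 1 process creation; the field names follow Sysmon naming, the records, PIDs and the 203.0.113.10 address are made up for this example). PowerShell is included in the shell list as a generalisation beyond the cmd.exe this sample launches; the hidden-window flag is not visible in this kind of event, so the rule relies on the parent-to-child relationship and timing rather than on SW_HIDE.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# cmd.exe is what Lab09-02 launches; powershell.exe is added as a generalisation.
SHELL_IMAGES = {"cmd.exe", "powershell.exe"}

# Constructed telemetry (Sysmon-like field names, invented values).
CONSTRUCTED_EVENTS = [
    {"event_id": 3, "time": "2016-03-05T10:00:01", "pid": 1234,
     "image": "C:\\temp\\ocl.exe", "dst_ip": "203.0.113.10",
     "dst_port": 9999, "protocol": "tcp"},
    {"event_id": 1, "time": "2016-03-05T10:00:02", "pid": 1300,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_pid": 1234, "parent_image": "C:\\temp\\ocl.exe"},
    # Benign: a user opening a prompt from Explorer, no preceding connection.
    {"event_id": 1, "time": "2016-03-05T10:05:00", "pid": 1400,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_pid": 900, "parent_image": "C:\\Windows\\explorer.exe"},
]


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_reverse_shell_candidates(events, window_seconds: int = 30):
    """Flag shell processes whose parent made an outbound TCP connection
    within window_seconds before the child was created."""
    # Index outbound TCP connections by the PID that made them.
    conns_by_pid = defaultdict(list)
    for ev in events:
        if ev.get("event_id") == 3 and ev.get("protocol", "tcp").lower() == "tcp":
            conns_by_pid[ev["pid"]].append(ev)

    hits = []
    window = timedelta(seconds=window_seconds)
    for ev in events:
        if ev.get("event_id") != 1 or _basename(ev["image"]) not in SHELL_IMAGES:
            continue
        t_child = datetime.fromisoformat(ev["time"])
        for conn in conns_by_pid.get(ev.get("parent_pid"), []):
            t_conn = datetime.fromisoformat(conn["time"])
            # Connection must precede the child, but not by more than the window.
            if timedelta(0) <= t_child - t_conn <= window:
                hits.append({
                    "parent_pid": ev["parent_pid"],
                    "parent_image": ev.get("parent_image", ""),
                    "child_pid": ev["pid"],
                    "child_image": ev["image"],
                    "dst_ip": conn["dst_ip"],
                    "dst_port": conn["dst_port"],
                    "seconds_between": (t_child - t_conn).total_seconds(),
                })
    return hits


if __name__ == "__main__":
    for hit in find_reverse_shell_candidates(CONSTRUCTED_EVENTS):
        print("possible reverse shell:", hit)
```

The destination port (9999 here) is deliberately not part of the rule: it is trivial for an author to change, whereas "non-interactive parent connects out, then spawns a shell" is the behaviour the CreateProcessA handle redirection requires. Tuning is mostly about excluding legitimate parents (terminal emulators, SSH clients, build tools) that also connect out and spawn shells.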