PRACTICAL MALWARE ANALYSIS: OLLYDBG (LAB 9-02)

Tools Used

  1. IDA Pro
  2. ollydbg

Sample:

  1. Lab09-02.exe SHA256: f153dfacec09dd69809c3bbf68270a38ee3701f44220c7bf181c14a68c138133

VirusTotal:

  • Detection Rate: 17/54
  • Analyzed on 2016-03-05
  • Compilation Date: 2011-04-30 16:41:06

Lab 9-2
Analyze the malware found in the file Lab09-02.exe using OllyDbg to answer
the following questions.
Questions
1. What strings do you see statically in the binary?

Figure 1. Strings

Nothing useful…

2. What happens when you run this binary?

The program just terminates without doing anything.

3. How can you get this sample to run its malicious payload?

Figure 1. ocl.exe

From the above flow graph of the main function, we can see that the binary retrieves its own executable name via GetModuleFileNameA. It then strips the path using _strrchr. The malware then compares the filename with “ocl.exe”. If it doesn’t match, the malware terminates. Therefore, to run the malware we must rename it to “ocl.exe”.

4. What is happening at 0x00401133?

Figure 2. some passphrase?

We can see in the opcode that a string is formed character by character. The string is “1qaz2wsx3edc”. The way the author created the string prevented IDA Pro from displaying it as a normal string.

5. What arguments are being passed to subroutine 0x00401089?

Figure 3. GetHostName

From the above OllyDbg image, we can see that the string “1qaz2wsx3edc” is passed into the subroutine 0x00401089. An unknown pointer (0x0012FD90) is also passed in.

Figure 4. XOR decoding

Stepping into the subroutine, you will realize that the malware is decoding the string at 0x0012FD90 with the XOR key “1qaz2wsx3edc”. As shown above, we can start to see the decoded string taking shape.

6. What domain name does this malware use?

Figure 5. Domain Decoded

http://www.practicalmalwareanalysis.com

7. What encoding routine is being used to obfuscate the domain name?

As mentioned in question 5, XOR is used to obfuscate the domain name.
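The decoding routine observed in questions 5 and 7, as an added example (not code from the original write-up): a repeating-key XOR decoder with the 12-byte key from 0x00401133, plus a sanity check on the output. The encoded buffer below is constructed by encoding the known domain with that key; it is not the sample’s actual buffer at 0x0012FD90.

```python
# Added example: repeating-key XOR decoder matching the scheme the lab describes.
# The encoded bytes are CONSTRUCTED here from the known plaintext, not dumped
# from the sample.

KEY = b"1qaz2wsx3edc"  # the key built character by character at 0x00401133


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR every byte of data with the key, repeating the key as needed.
    The 12-byte key wraps several times over a 39-byte domain string.
    XOR is its own inverse, so the same function encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_domain_url(decoded: bytes) -> bool:
    """Sanity check for decoder output: printable ASCII, no whitespace,
    and at least one dot so it resembles a hostname or URL."""
    try:
        text = decoded.decode("ascii")
    except UnicodeDecodeError:
        return False
    return text.isprintable() and "." in text and not any(c.isspace() for c in text)


def decode_c2(encoded: bytes, key: bytes = KEY) -> str:
    """Decode an obfuscated buffer and strip the trailing NUL terminator.
    Raises ValueError if the result does not look like a domain or URL,
    which is the usual sign of a wrong key or wrong buffer offset."""
    plain = xor_with_key(encoded, key).rstrip(b"\x00")
    if not looks_like_domain_url(plain):
        raise ValueError("decoded data does not look like a domain/URL")
    return plain.decode("ascii")


# Constructed sample: the lab's domain, NUL-terminated, encoded with the key.
SAMPLE_ENCODED = xor_with_key(b"http://www.practicalmalwareanalysis.com\x00", KEY)

if __name__ == "__main__":
    print(SAMPLE_ENCODED.hex())
    print(decode_c2(SAMPLE_ENCODED))  # http://www.practicalmalwareanalysis.com
```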

8. What is the significance of the CreateProcessA call at 0x0040106E?

Figure 6. connecting to practicalmalwareanalysis.com:9999

The first block shows that the malware takes the decoded domain name and resolves it to an IP address using gethostbyname. In the second block, we can see that it tries to connect to the resolved IP at port 9999. In the third block, we can see that socket s is passed into the CommandExecution subroutine as the last argument.

Figure 7. passing io to socket

From the above figure, we can see that the StartupInfo’s hStdInput, hStdOutput and hStdError now point to the socket s. In other words, all input and output that would normally appear in the cmd.exe console will now be transmitted over the network. The CreateProcessA call launches cmd.exe, hidden via the wShowWindow flag set to SW_HIDE (0). All of this means that a reverse shell is spawned to receive commands from the attacker’s server.
