PRACTICAL MALWARE ANALYSIS: OLLYDBG (LAB 9-03)

Tools Used

  1. IDA Pro
  2. OllyDbg

Sample:

  1. Lab09-03.exe SHA256: 1fc6a471b2a46cd882246d5bdc9d5954bf8efacf68b4e549a9756e6616848884
  2. DLL1.dll SHA256: 5ac89a17fc6225416cde2c3935c277fa9b9db51f5690285e7d565d04719abdce
  3. DLL2.dll SHA256: 9151b583754221ae1bf764d24edfd7c3a4c0377b4118d4d0e13615124059de8c
  4. DLL3.dll SHA256: 2ec8e8f63f298da249268cb6ea347934d200ed75c06886f4f310f4e14d6ebecc

VirusTotal:

  • Detection Rate: 4/54 (1), 4/54 (2), 4/54 (3), 4/54 (4)
  • Analyzed on 2016-03-05
  • Compilation Date: 2011-05-16 20:43:56(1), 2011-10-01 18:25:55(2), 2011-10-01 18:25:56(3),  2011-10-01 18:26:01(4)

Lab 9-3
Analyze the malware found in the file Lab09-03.exe using OllyDbg and IDA Pro.
This malware loads three included DLLs (DLL1.dll, DLL2.dll, and DLL3.dll)
that are all built to request the same memory load location. Therefore, when
viewing these DLLs in OllyDbg versus IDA Pro, code may appear at different
memory locations. The purpose of this lab is to make you comfortable with
finding the correct location of code within IDA Pro when you are looking at
code in OllyDbg.
Questions
1. What DLLs are imported by Lab09-03.exe?

imports
Figure 1. imports

From the IDA Pro import view (Figure 1) we can see that Lab09-03.exe statically imports DLL1.dll, DLL2.dll, KERNEL32.dll and NETAPI32.dll. At run time more DLLs appear in the loaded-modules list; in particular DLL3.dll, which is not in the import table at all, is loaded dynamically (Figure 2).

olly
Figure 2. DLL3.dll being loaded at run time

2. What is the base address requested by DLL1.dll, DLL2.dll, and DLL3.dll?

Loading each DLL in IDA Pro and checking the Imagebase field of the PE header shows the base address it requests. All three DLLs request the same image base, 0x10000000, so at most one of them can actually be mapped there.

imagebase
Figure 3. Imagebase: 0x10000000

3. When you use OllyDbg to debug Lab09-03.exe, what is the assigned base
address for: DLL1.dll, DLL2.dll, and DLL3.dll?

From Figure 2 we can observe that DLL1.dll is loaded at its preferred base 0x10000000, while DLL2.dll is at 0x330000 and DLL3.dll at 0x390000. DLL1.dll is loaded first and gets the address it asked for; by the time DLL2.dll and DLL3.dll are mapped, 0x10000000 is already occupied, so the loader relocates them. The relocated addresses are chosen by the loader and can differ from run to run and from machine to machine, which is why the addresses in OllyDbg do not match the ones IDA Pro shows for these two DLLs.

4. When Lab09-03.exe calls an import function from DLL1.dll, what does
this import function do?

callDLL
Figure 4. Calling DLL1Print
printf
Figure 5. DLL1Print

From Figure 4 we can see that Lab09-03.exe calls DLL1Print, which Figure 1 shows is imported from DLL1.dll. Opening DLL1.dll in IDA Pro, DLL1Print prints the format string "DLL 1 mystery data %d\n"; the %d is filled from the global variable dword_1008030. An xref check on this global shows that it is written at 0x10001009.

processid
Figure 6. Setting global variable with process id

The figure shows that when the DLL is loaded, its DllMain retrieves the current process ID (GetCurrentProcessId) and stores it in the global variable dword_1008030. So DLL1Print prints "DLL 1 mystery data [current process ID]".

5. When Lab09-03.exe calls WriteFile, what is the filename it writes to?

writefile
Figure 7. File handle from DLL2ReturnJ

Analyzing Lab09-03.exe, we can see that the file handle passed to WriteFile is the return value of the DLL2ReturnJ subroutine (imported from DLL2.dll).

dll2return
Figure 8. DLL2ReturnJ

From the above image, DLL2ReturnJ simply returns the global variable dword_1000B078.

globalDLL2
Figure 9. DLL2’s DLLMain

From the above image things become clear: DLL2's DllMain opens temp.txt with CreateFileA and stores the returned handle in dword_1000B078. The handle that Lab09-03.exe passes to WriteFile therefore refers to temp.txt, and that is the file it writes to.

6. When Lab09-03.exe creates a job using NetScheduleJobAdd, where does it get
the data for the second parameter?

According to MSDN, NetScheduleJobAdd submits a job to run at a specified future time and date. The second parameter, Buffer, is a pointer to an AT_INFO structure that describes the job: when it runs, on which days, and which command line it executes.

NET_API_STATUS NetScheduleJobAdd(
  _In_opt_ LPCWSTR Servername,
  _In_     LPBYTE  Buffer,
  _Out_    LPDWORD JobId
);

 

getstructure
Figure 10. AT_INFO structure

From Lab09-03.exe we can see that it loads DLL3.dll dynamically at run time: it first calls LoadLibraryA("DLL3.dll") and then GetProcAddress on the export DLL3Print to obtain the function pointer. That pointer is then called, and the call returns the AT_INFO structure that is passed as the second parameter to NetScheduleJobAdd.

struct
Figure 11. Get AT_INFO Structure
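To make sense of what the second parameter actually carries, here is an added example (my code, not from the writeup or the book) that decodes an AT_INFO buffer out of a dumped memory region, the way you would after breaking on NetScheduleJobAdd and copying the bytes at Buffer. The field layout and the Flags bits follow the MSDN definition of AT_INFO; the sample region, its base address and the job time and day values are constructed for the demo, and only the command string is the one quoted in this writeup.

```python
import struct

# Bits of AT_INFO.Flags as defined for NetScheduleJobAdd (lmat.h)
JOB_FLAGS = {
    0x01: "JOB_RUN_PERIODICALLY",
    0x02: "JOB_EXEC_ERROR",
    0x04: "JOB_RUNS_TODAY",
    0x08: "JOB_ADD_CURRENT_DATE",
    0x10: "JOB_NONINTERACTIVE",
}
DAY_NAMES = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]  # DaysOfWeek bit 0 is Monday

# AT_INFO as laid out in memory: JobTime (DWORD_PTR, ms since midnight), DaysOfMonth (DWORD,
# bit n = day n+1), DaysOfWeek (UCHAR), Flags (UCHAR), alignment padding, Command (LPWSTR).
# "<" turns off native alignment, so the padding is spelled out explicitly for each bitness.
AT_INFO_FMT = {32: "<IIBBxxI", 64: "<QIBBxxQ"}


def at_info_size(bits=32):
    """sizeof(AT_INFO) for a 32- or 64-bit process (16 and 24 bytes)."""
    return struct.calcsize(AT_INFO_FMT[bits])


def read_wstring(mem, off):
    """Read a NUL-terminated UTF-16LE string starting at offset off of mem."""
    end = off
    while end + 1 < len(mem) and mem[end:end + 2] != b"\x00\x00":
        end += 2
    return mem[off:end].decode("utf-16-le")


def decode_at_info(mem, mem_base, struct_addr, bits=32):
    """Decode the AT_INFO that Buffer points to.

    mem is a bytes copy of process memory starting at virtual address mem_base,
    struct_addr is the value of NetScheduleJobAdd's Buffer argument, and the
    Command pointer must also fall inside mem.
    """
    fmt = AT_INFO_FMT[bits]
    job_time, days_of_month, days_of_week, flags, cmd_ptr = struct.unpack_from(
        fmt, mem, struct_addr - mem_base)
    return {
        "job_time_ms": job_time,
        "time_of_day": "%02d:%02d:%02d" % (job_time // 3600000,
                                           job_time // 60000 % 60,
                                           job_time // 1000 % 60),
        "days_of_month": [d + 1 for d in range(31) if days_of_month >> d & 1],
        "days_of_week": [DAY_NAMES[d] for d in range(7) if days_of_week >> d & 1],
        "flags": [name for bit, name in JOB_FLAGS.items() if flags & bit],
        "command": read_wstring(mem, cmd_ptr - mem_base),
        "struct_size": at_info_size(bits),
    }


# Constructed sample region (not a dump from the lab binary): a 32-bit AT_INFO followed by
# its command string, imagined at 0x10003000. Job time 03:00:00, Monday to Friday,
# JOB_RUN_PERIODICALLY | JOB_NONINTERACTIVE; the command is the string quoted in the writeup.
SAMPLE_BASE = 0x10003000
SAMPLE_CMD = "ping http://www.malwareanalysisbook.com"
_cmd_addr = SAMPLE_BASE + at_info_size(32)
SAMPLE_MEM = (struct.pack(AT_INFO_FMT[32], 3 * 3600 * 1000, 0, 0b0011111, 0x11, _cmd_addr)
              + (SAMPLE_CMD + "\0").encode("utf-16-le"))

if __name__ == "__main__":
    info = decode_at_info(SAMPLE_MEM, SAMPLE_BASE, SAMPLE_BASE)
    for key, value in info.items():
        print("%-14s %s" % (key, value))
```

When you dump the region from a real debugging session, pass the region's start address as mem_base and the Buffer value as struct_addr; the 64-bit format is there because JobTime is a DWORD_PTR and Command a pointer, so the structure grows from 16 to 24 bytes in a 64-bit process.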

7. While running or debugging the program, you will see that it prints out
three pieces of mystery data. What are the following: DLL 1 mystery
data 1, DLL 2 mystery data 2, and DLL 3 mystery data 3?

  • DLL 1 mystery data is the current process ID
  • DLL 2 mystery data is the file handle returned by CreateFileA (the handle to temp.txt)
  • DLL 3 mystery data is the address, printed in decimal, of the command string "ping http://www.malwareanalysisbook.com"

8. How can you load DLL2.dll into IDA Pro so that it matches the load
address used by OllyDbg?

manual
Figure 12. Manual Load

Tick the Manual Load checkbox when opening DLL2.dll in IDA Pro. IDA will then prompt for a new image base; enter the address OllyDbg assigned to DLL2.dll (0x330000 in the session above) and the addresses in IDA Pro will line up with the ones in OllyDbg.
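The arithmetic behind questions 2, 3 and 8, as an added example (my code, not from the writeup or the book). It reads ImageBase out of a DLL's optional header (the value IDA Pro shows as Imagebase), checks the Characteristics flag that tells the loader whether the image can be relocated at all, and converts addresses between IDA's preferred base and the base OllyDbg reported. The header built by build_sample_pe32 is constructed so the script runs without the lab files; the 0x330000 base and the global dword_1000B078 are the values from this writeup.

```python
import struct
import sys

# IMAGE_FILE_HEADER.Characteristics bit: the image carries no relocation data and
# therefore cannot be moved away from its preferred base by the loader.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001


def _optional_header_offset(pe):
    """File offset of IMAGE_OPTIONAL_HEADER, after validating the MZ and PE signatures."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20  # skip "PE\0\0" and the 20-byte IMAGE_FILE_HEADER


def image_base(pe):
    """Preferred load address (IMAGE_OPTIONAL_HEADER.ImageBase) of a PE file."""
    opt = _optional_header_offset(pe)
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:  # PE32: ImageBase is a DWORD at offset 28 of the optional header
        return struct.unpack_from("<I", pe, opt + 28)[0]
    if magic == 0x20B:  # PE32+: ImageBase is a QWORD at offset 24 (there is no BaseOfData)
        return struct.unpack_from("<Q", pe, opt + 24)[0]
    raise ValueError("unknown optional header magic 0x%X" % magic)


def is_relocatable(pe):
    """False when IMAGE_FILE_RELOCS_STRIPPED is set; such a DLL fails to load if its base is taken."""
    coff = _optional_header_offset(pe) - 20
    characteristics = struct.unpack_from("<H", pe, coff + 18)[0]
    return not characteristics & IMAGE_FILE_RELOCS_STRIPPED


def rebase(addr, from_base, to_base):
    """Translate an address between two load bases via its RVA (works in either direction)."""
    rva = addr - from_base
    if rva < 0:
        raise ValueError("0x%X lies below base 0x%X" % (addr, from_base))
    return to_base + rva


def build_sample_pe32(base):
    """Constructed minimal PE32 header (not one of the lab files) with the given ImageBase."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # IMAGE_FILE_HEADER: i386, no sections, SizeOfOptionalHeader=0xE0, EXECUTABLE|32BIT|DLL
    coff = struct.pack("<HHIIIHH", 0x014C, 0, 0, 0, 0, 0xE0, 0x2102)
    # IMAGE_OPTIONAL_HEADER32: Magic, linker version, six size/RVA fields, then ImageBase
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, 0, 0, 0x1000, 0x1000, 0x2000)
    opt += struct.pack("<I", base)
    return dos + b"PE\x00\x00" + coff + opt.ljust(0xE0, b"\x00")


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe32(0x10000000)
    base = image_base(data)
    print("ImageBase 0x%08X, relocatable=%s" % (base, is_relocatable(data)))
    # DLL2.dll landed at 0x330000 in the OllyDbg session above, so its global shows up there as:
    print("dword_1000B078 in OllyDbg -> 0x%08X" % rebase(0x1000B078, base, 0x330000))
```

Run it as `python rebase.py DLL2.dll` to read the real header. The RVA arithmetic in rebase is exactly what IDA applies when you enter the new base in the Manual Load prompt, or later through Edit, Segments, Rebase program on an already-loaded database; DLL1.dll keeps its preferred base, so for it the translation is the identity.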
