- IDA Pro
- Proc Mon
- Cerbero Profiler
- Lab11-01.exe SHA256: 57d8d248a8741176348b5d12dcf29f34c8f48ede0ca13c30d12e5ba0384056d7
- msgina32.dll SHA256: f8a4f61bccd5bab1cad0ab9e57f6f3092a8bd4dd0adfcd4853e89ba96afc93f9
- Detection Rate: 36/56(1) & 34/56(2)
- Analyzed on 2016-03-10
- Compilation Date: 2011-11-06 18:55:06(1) & 2008-06-16 03:25:54(2)
- View report here(1) & here(2)
Analyze the malware found in Lab11-01.exe.
1. What does the malware drop to disk?
There is a binary in the resource section of Lab11-01.exe.
From Proc Mon we can observe that msgina32.dll and software.LOG are dropped on the machine.
2. How does the malware achieve persistence?
In figure 2, the malware adds the value “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL” to the registry.
According to MSDN, Winlogon, the GINA, and network providers are the parts of the interactive logon model. The interactive logon procedure is normally controlled by Winlogon, MSGina.dll, and network providers. To change the interactive logon procedure, MSGina.dll can be replaced with a customized GINA DLL. Winlogon will load the DLL named in GinaDLL at logon, so the malicious DLL runs every time a user logs on; that is how the malware achieves persistence.
| GINA export | Description |
|---|---|
| WlxActivateUserShell | Activates the user shell program. |
| WlxDisplayLockedNotice | Allows the GINA to display information about the lock, such as who locked the workstation and when it was locked. |
| WlxDisplaySASNotice | Winlogon calls this function when no user is logged on. |
| WlxDisplayStatusMessage | Winlogon calls this function when the GINA DLL should display a message. |
| WlxGetConsoleSwitchCredentials | Winlogon calls this function to read the currently logged on user’s credentials to transparently transfer them to a target session. |
| WlxGetStatusMessage | Winlogon calls this function to get the status message being displayed by the GINA DLL. |
| WlxInitialize | Winlogon calls this function once for each window station present on the computer. Currently, the operating system supports one window station per workstation. |
| WlxIsLockOk | Winlogon calls this function before attempting to lock the workstation. |
| WlxIsLogoffOk | Winlogon calls this function when the user initiates a logoff operation. |
| WlxLoggedOnSAS | Winlogon calls this function when it receives a secure attention sequence (SAS) event while the user is logged on and the workstation is not locked. |
| WlxLoggedOutSAS | Winlogon calls this function when it receives a secure attention sequence (SAS) event while no user is logged on. |
| WlxLogoff | Winlogon calls this function to notify the GINA of a logoff operation on this workstation, allowing the GINA to perform any logoff operations that may be required. |
| WlxNegotiate | The WlxNegotiate function must be implemented by a replacement GINA DLL. This is the first call made by Winlogon to the GINA DLL. WlxNegotiate allows the GINA to verify that it supports the installed version of Winlogon. |
| WlxNetworkProviderLoad | Winlogon calls this function to collect valid authentication and identification information. |
| WlxRemoveStatusMessage | Winlogon calls this function to tell the GINA DLL to stop displaying the status message. |
| WlxScreenSaverNotify | Winlogon calls this function immediately before a screen saver is activated, allowing the GINA to interact with the screen saver program. |
| WlxShutdown | Winlogon calls this function just before shutting down, allowing the GINA to perform any shutdown tasks, such as ejecting a smart card from a reader. |
| WlxStartApplication | Winlogon calls this function when the system needs an application to be started in the context of the user. |
| WlxWkstaLockedSAS | Winlogon calls this function when it receives a secure attention sequence (SAS) and the workstation is locked. |
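Because Winlogon only consults the GinaDLL value when it is present, a quick way to hunt for this persistence on an XP-era image is to export the Winlogon key and flag any GinaDLL value that is not the stock msgina.dll. The script below is an added example (not part of the original writeup or the lab); the .reg text it parses is constructed to mirror what Lab11-01.exe writes.

```python
import re

# Constructed sample of a `reg export` of the Winlogon key; not a capture
# from the lab machine. The GinaDLL value mirrors what Lab11-01.exe sets.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"GinaDLL"="msgina32.dll"
'''

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
# When GinaDLL is absent Winlogon uses the built-in msgina.dll, so any value
# that is present and names something else is worth a closer look.
DEFAULT_GINA = "msgina.dll"


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}.

    Only REG_SZ ("name"="data") values are handled; key paths and value
    names are lower-cased because the registry is case-insensitive.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files escape backslashes as "\\"; undo that.
                keys[current][m.group(1).lower()] = m.group(2).replace("\\\\", "\\")
    return keys


def find_gina_hijack(text):
    """Return (gina_value, is_suspicious) for the Winlogon key in a .reg export.

    Suspicious means GinaDLL is set to anything other than msgina.dll,
    whether given as a bare name or with a full path.
    """
    values = parse_reg(text).get(WINLOGON_KEY.lower(), {})
    gina = values.get("ginadll")
    if gina is None:
        return None, False
    basename = gina.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return gina, basename != DEFAULT_GINA
```

GINA replacement only applies to Windows XP and Server 2003; Vista and later ignore GinaDLL and use credential providers instead, so this check is specific to older images.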
3. How does the malware steal user credentials?
Looking at the dropped DLL’s exports, it appears to be a custom GINA DLL that hooks into the Winlogon process.
After checking through the exported functions, only one (WlxLoggedOutSAS) behaves suspiciously; the rest simply forward their inputs to the original function address in the real msgina.dll.
The above figure is straightforward: the inputs are passed to the original WlxLoggedOutSAS function, and a copy of the inputs is passed to a function that writes them to a file.
4. What does the malware do with stolen credentials?
The above figure shows the malicious DLL writing the stolen values into the file c:\windows\system32\msutil32.sys.
5. How can you use this malware to get user credentials from your test
By rebooting the machine, or by logging off and logging back in. c:\windows\system32\msutil32.sys will then contain the password used to log in to Windows.