PRACTICAL MALWARE ANALYSIS: MALWARE BEHAVIOR(LAB 11-01)

Tools Used

  1. IDA Pro
  2. Proc Mon
  3. Cerbero Profiler

Sample:

  1. Lab11-01.exe SHA256: 57d8d248a8741176348b5d12dcf29f34c8f48ede0ca13c30d12e5ba0384056d7
  2. msgina32.dll SHA256: f8a4f61bccd5bab1cad0ab9e57f6f3092a8bd4dd0adfcd4853e89ba96afc93f9

VirusTotal:

  • Detection Rate: 36/56 (Lab11-01.exe) & 34/56 (msgina32.dll)
  • Analyzed on 2016-03-10
  • Compilation Date: 2011-11-06 18:55:06 (Lab11-01.exe) & 2008-06-16 03:25:54 (msgina32.dll)

Lab 11-1
Analyze the malware found in Lab11-01.exe.
Questions
1. What does the malware drop to disk?

Figure 1. Binary resource in Lab11-01.exe’s TGAD

There is an embedded binary in the resource section (resource name TGAD) of Lab11-01.exe.

Figure 2. msgina32.dll dropped

From Process Monitor (figure 2) we can observe that msgina32.dll and software.LOG are dropped on the machine.

2. How does the malware achieve persistence?

In figure 2, the malware sets the registry value “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL”.

According to MSDN, Winlogon, the GINA, and network providers are the parts of the interactive logon model. The interactive logon procedure is normally controlled by Winlogon, MSGina.dll, and network providers. To change the interactive logon procedure, MSGina.dll can be replaced with a customized GINA DLL by pointing the GinaDLL value at it. Winlogon will then load the malicious DLL at every logon, and that is how the malware achieves persistence.

It is also mentioned in this MSDN documentation that a GINA DLL must export the following functions.

  • WlxActivateUserShell: Activates the user shell program.
  • WlxDisplayLockedNotice: Allows the GINA to display information about the lock, such as who locked the workstation and when it was locked.
  • WlxDisplaySASNotice: Winlogon calls this function when no user is logged on.
  • WlxDisplayStatusMessage: Winlogon calls this function when the GINA DLL should display a message.
  • WlxGetConsoleSwitchCredentials: Winlogon calls this function to read the currently logged on user’s credentials to transparently transfer them to a target session.
  • WlxGetStatusMessage: Winlogon calls this function to get the status message being displayed by the GINA DLL.
  • WlxInitialize: Winlogon calls this function once for each window station present on the computer. Currently, the operating system supports one window station per workstation.
  • WlxIsLockOk: Winlogon calls this function before attempting to lock the workstation.
  • WlxIsLogoffOk: Winlogon calls this function when the user initiates a logoff operation.
  • WlxLoggedOnSAS: Winlogon calls this function when it receives a secure attention sequence (SAS) event while the user is logged on and the workstation is not locked.
  • WlxLoggedOutSAS: Winlogon calls this function when it receives a secure attention sequence (SAS) event while no user is logged on.
  • WlxLogoff: Winlogon calls this function to notify the GINA of a logoff operation on this workstation, allowing the GINA to perform any logoff operations that may be required.
  • WlxNegotiate: The WlxNegotiate function must be implemented by a replacement GINA DLL. This is the first call made by Winlogon to the GINA DLL. WlxNegotiate allows the GINA to verify that it supports the installed version of Winlogon.
  • WlxNetworkProviderLoad: Winlogon calls this function to collect valid authentication and identification information.
  • WlxRemoveStatusMessage: Winlogon calls this function to tell the GINA DLL to stop displaying the status message.
  • WlxScreenSaverNotify: Winlogon calls this function immediately before a screen saver is activated, allowing the GINA to interact with the screen saver program.
  • WlxShutdown: Winlogon calls this function just before shutting down, allowing the GINA to perform any shutdown tasks, such as ejecting a smart card from a reader.
  • WlxStartApplication: Winlogon calls this function when the system needs an application to be started in the context of the user.
  • WlxWkstaLockedSAS: Winlogon calls this function when it receives a secure attention sequence (SAS) and the workstation is locked.

3. How does the malware steal user credentials?

Looking at the dropped DLL’s exports, it appears to be a custom GINA DLL written to hook into the Winlogon process.

Figure 3. WlxLoggedOutSAS

After checking through the exported functions, only one of them (WlxLoggedOutSAS) behaves suspiciously. The rest simply forward their inputs to the original function address in the legitimate GINA DLL.

Figure 4. Intercepting WlxLoggedOutSAS

The above figure is straightforward: the inputs are passed to the original WlxLoggedOutSAS function, and a copy of the inputs is passed to a function that writes them to a file.

4. What does the malware do with stolen credentials?

Figure 5. Write to file

The above figure shows the malicious DLL writing the stolen values into the file c:\windows\system32\msutil32.sys.
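As an added example (not part of the original write-up), the following Python script runs the checks behind figures 2 and 5 over a constructed Process Monitor CSV export: it flags a DLL written into System32, the Winlogon GinaDLL value being set, and winlogon.exe itself writing a file into System32. The sample events, rule names and regular expressions are my own assumptions, modelled on Procmon's standard CSV columns.

```python
import csv
import io
import re
from typing import Dict, List

# Constructed Process Monitor CSV export in Procmon's default
# "File > Save > CSV" column layout; not the page's real capture.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"1:02:03.0000001 PM","Lab11-01.exe","1234","CreateFile","C:\\Windows\\System32\\msgina32.dll","SUCCESS","Desired Access: Generic Write"
"1:02:03.0000002 PM","Lab11-01.exe","1234","WriteFile","C:\\Windows\\System32\\msgina32.dll","SUCCESS","Offset: 0, Length: 28,672"
"1:02:03.0000003 PM","Lab11-01.exe","1234","RegSetValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\GinaDLL","SUCCESS","Type: REG_SZ, Length: 26, Data: msgina32.dll"
"1:02:03.0000004 PM","explorer.exe","800","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell","SUCCESS","Type: REG_SZ, Length: 26, Data: explorer.exe"
"1:05:00.0000001 PM","winlogon.exe","500","WriteFile","C:\\Windows\\System32\\msutil32.sys","SUCCESS","Offset: 0, Length: 64"
"""

GINA_VALUE = re.compile(r"\\Winlogon\\GinaDLL$", re.IGNORECASE)
SYSTEM32_DLL = re.compile(r"\\System32\\[^\\]+\.dll$", re.IGNORECASE)
SYSTEM32_PATH = re.compile(r"\\System32\\", re.IGNORECASE)
REG_DATA = re.compile(r"Data: (.+)$")


def load_events(csv_text: str) -> List[Dict[str, str]]:
    """Parse a Procmon CSV export into one dict per event."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Flag the three behaviours seen in this lab: a DLL dropped into
    System32, the Winlogon GinaDLL value being set, and winlogon.exe
    writing a file into System32 (where the credential log lands)."""
    findings = []
    for ev in events:
        op, path, proc = ev["Operation"], ev["Path"], ev["Process Name"]
        if op == "RegSetValue" and GINA_VALUE.search(path):
            m = REG_DATA.search(ev["Detail"])  # which DLL Winlogon will load
            dll = m.group(1) if m else "?"
            findings.append({"rule": "gina_persistence", "process": proc,
                             "path": path, "note": f"GinaDLL -> {dll}"})
        elif op == "WriteFile" and SYSTEM32_DLL.search(path):
            # Noisy during legitimate updates; pair with a signer check.
            findings.append({"rule": "system32_dll_drop", "process": proc,
                             "path": path, "note": ev["Detail"]})
        elif op == "WriteFile" and proc.lower() == "winlogon.exe" \
                and SYSTEM32_PATH.search(path):
            findings.append({"rule": "winlogon_file_write", "process": proc,
                             "path": path, "note": ev["Detail"]})
    return findings
```

Run `triage(load_events(SAMPLE_PROCMON_CSV))` to get the three findings; on a real export, replace the constant with the saved CSV's contents.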

5. How can you use this malware to get user credentials from your test environment?

By rebooting the machine, or by logging off and logging in again. c:\windows\system32\msutil32.sys will then contain the password used to log in to Windows.

Figure 6. Captured Password