- IDA Pro
- Lab11-02.dll
- SHA256: df899256c4a9fc0e550c62b84ab9cb8acd8d18683f0a41c98ba83f0487d4766e
- Detection Rate: 8/54
- Analyzed on 2016-03-11
- Compilation Date: 2011-11-06 21:50:12
Analyze the malware found in Lab11-02.dll. Assume that a suspicious file
named Lab11-02.ini was also found with this malware.
1. What are the exports for this DLL malware?
2. What happens after you attempt to install this malware using
The malware adds a registry value at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs.
It then copies itself (the DLL) to C:\Windows\System32\spoolvxx32.dll.
The malware then tries to open C:\Windows\System32\Lab11-02.ini.
3. Where must Lab11-02.ini reside in order for the malware to install
The malware will attempt to load its config from C:\Windows\System32\Lab11-02.ini, so the .ini file must be placed in the System32 folder.
4. How is this malware installed for persistence?
According to MSDN, AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into each user-mode process on the system. By adding itself to AppInit_DLLs under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\, the malware gets the malicious DLL loaded into each user-mode process that is executed on the system.
5. What user-space rootkit technique does this malware employ?
If we look at the subroutine @0x100012A3, we see that it gets the address of send from wsock32.dll. It then passes that address to the subroutine @0x10001203.
The subroutine @0x10001203 employs the inline hook technique. It first computes the offset from the hook position to the function it wants to jump to. It then uses VirtualProtect to change the protection of the first 5 bytes of the target function to PAGE_EXECUTE_READWRITE. Once that is done, it rewrites those bytes with a jmp to the hook function. Finally, it resets the 5 bytes of memory back to the old protection attributes.
However, the malware only hooks 3 programs: THEBAT.EXE, OUTLOOK.EXE, MSIMM.EXE.
To conclude, the malware is attempting to do an inline hook on wsock32.dll’s send function for selected programs.
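A defender can check for this kind of patch by decoding the 5-byte jmp at a function's entry and testing whether it leaves the owning module. The following is an added example, not code from the lab or the original write-up; the addresses, module size and byte samples are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

typedef struct {
    int      hooked;  /* 1 if the entry jmp lands outside the owning module */
    uint32_t target;  /* decoded jmp destination, 0 if no jmp was found */
} hook_check;

/* An inline hook of the kind described above overwrites the first 5 bytes of
 * a 32-bit function with E9 <rel32>, where rel32 = target - (func_va + 5).
 * Invert that to recover the target and test it against the module range. */
hook_check check_inline_hook(const uint8_t *code, size_t len, uint32_t func_va,
                             uint32_t mod_base, uint32_t mod_size)
{
    hook_check r = {0, 0};
    if (len < 5 || code[0] != 0xE9)
        return r;                                /* no near jmp at entry */
    uint32_t rel = (uint32_t)code[1] | (uint32_t)code[2] << 8 |
                   (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24;
    r.target = func_va + 5 + rel;                /* wraps mod 2^32 like the CPU */
    /* Unsigned subtraction also catches targets below mod_base. */
    r.hooked = (uint32_t)(r.target - mod_base) >= mod_size;
    return r;
}

/* Constructed sample data (not taken from the lab binary). */
#define MOD_BASE 0x71AB0000u   /* hypothetical load address of the library */
#define MOD_SIZE 0x00008000u   /* hypothetical image size */
#define FUNC_VA  0x71AB1000u   /* hypothetical address of the checked export */
static const uint8_t clean_entry[]  = {0x8B, 0xFF, 0x55, 0x8B, 0xEC}; /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t thunk_entry[]  = {0xE9, 0x00, 0x01, 0x00, 0x00}; /* jmp inside the module */
static const uint8_t hooked_entry[] = {0xE9, 0xFB, 0x0F, 0x55, 0x9E}; /* jmp 0x10002000 */

int main(void)
{
    const uint8_t *samples[] = {clean_entry, thunk_entry, hooked_entry};
    const char *names[] = {"clean", "thunk", "hooked"};
    for (int i = 0; i < 3; i++) {
        hook_check r = check_inline_hook(samples[i], 5, FUNC_VA, MOD_BASE, MOD_SIZE);
        printf("%-6s hooked=%d target=0x%08X\n", names[i], r.hooked, (unsigned)r.target);
    }
    return 0;
}
```

A jmp that stays inside the module can be a legitimate thunk, so only out-of-module targets are flagged; comparing the in-memory bytes with the on-disk image is a stronger follow-up check.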
6. What does the hooking code do?
We first look at what the malware is retrieving from the config file.
After reading the data from the config file, the malware decodes it by calling the subroutine @0x100016CA. If we dive into this subroutine, we see that it is an XOR decoding function. Let’s place a hook there in OllyDbg to see what comes out.
This decoded string will be used in the following function.
The inline hook jumps to the above function. It starts off by checking whether the send buffer contains the string “RCPT TO”. If it does, it creates a new buffer “RCPT TO:<email@example.com>\r\n” and sends it off via the original send function. The function then ends by simply forwarding the original data to the send function.
7. Which process(es) does this malware attack and why?
As answered in question 5, the malware only hooks 3 programs: THEBAT.EXE, OUTLOOK.EXE, MSIMM.EXE. They are all email clients.
8. What is the significance of the .ini file?
As answered in question 5, the config .ini file contains the encoded attacker email address. It is used to replace the recipient address, causing email to be sent to the attacker instead.
9. How can you dynamically capture this malware’s activity with Wireshark?
Set up INetSim and just send an email from Outlook Express after installing the malware.