- IDA Pro
- Process Explorer
- Lab11-03.exe SHA256: bf023ff344efe2db0e0a963869368f0ef352764666bc368ad61b7a4c1d9f5975
- Lab11-03.dll SHA256: f11fa868ac3dee1e5fbd985fe15ba6d34c7ec0abb47babe0d34a35514c49c86a
- Detection Rate: 19/56(1) & 5/56(2)
- Analyzed on 2016-03-12
- Compilation Date: 2011-11-19 16:34:41(1) & 2011-11-08 22:33:33(2)
- View report here(1) & here(2)
Analyze the malware found in Lab11-03.exe and Lab11-03.dll. Make sure that
both files are in the same directory during analysis.
1. What interesting analysis leads can you discover using basic static analysis?
The main function of Lab11-03.exe is pretty straightforward. It first copies Lab11-03.dll to C:\\Windows\\System32\\inet_epar32.dll. It then attempts to modify C:\\Windows\\System32\\cisvc.exe and executes the infected executable by starting the service via the command “net start cisvc”.
The DLL contains some interesting stuff. In the exports, we can see a suspicious-looking function: zzz69806582.
The imports contain GetAsyncKeyState and GetForegroundWindow, which strongly suggests that this is a keylogger: GetAsyncKeyState polls the state of individual keys, and GetForegroundWindow tells the logger which window the keystrokes were typed into.
The function zzz69806582 is pretty simple. It just creates a thread.
The thread that the above function creates first checks for a mutex named MZ.
It then creates a file at C:\\Windows\\System32\\kernel64x.dll.
Next, the thread calls a subroutine that records keystrokes.
2. What happens when you run this malware?
As answered in question 1, it first copies Lab11-03.dll to C:\\Windows\\System32\\inet_epar32.dll. It then attempts to modify C:\\Windows\\System32\\cisvc.exe and executes the infected executable by starting the service via the command “net start cisvc”.
The infected service then begins to log keystrokes and saves them in C:\\Windows\\System32\\kernel64x.dll.
3. How does Lab11-03.exe persistently install Lab11-03.dll?
It infects C:\\Windows\\System32\\cisvc.exe, the indexing service, by inserting shellcode into the program. The infected cisvc.exe loads C:\\Windows\\System32\\inet_epar32.dll, as shown in the figure below.
Comparing the infected executable with the original, we can see some additional functions added to it. On top of that, the entry point has been changed.
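The comparison above can be done without opening IDA at all: the headers of the clean and infected cisvc.exe tell you whether AddressOfEntryPoint moved and where the new entry point lands. The script below is an added example written for this writeup, not code from the book or from the lab files. It parses the PE header and section table with nothing but the standard library and compares two images; the clean and patched images it builds are constructed stand-ins for cisvc.exe before and after infection, not the real binaries, and the section layouts, RVAs and the `build_pe`/`demo_images` helpers are assumptions made for the demonstration.

```python
"""Compare a clean Windows binary with a suspected patched copy by parsing
the PE headers. Flags a moved AddressOfEntryPoint, an entry point that lands
in the slack space of a section (where file infectors hide injected code),
and sections that appeared or grew. Standard library only."""
import struct

OPT_HDR_SIZE_PE32 = 0xE0          # size of a PE32 optional header
SEC_HDR_SIZE = 40                  # IMAGE_SECTION_HEADER
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def parse_pe(data: bytes) -> dict:
    """Return entry point RVA, image base and the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symptr, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    entry = struct.unpack_from("<I", data, opt + 16)[0]      # AddressOfEntryPoint
    if magic == 0x10B:                                        # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                      # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsec):
        off = opt + opt_size + SEC_HDR_SIZE * i
        name, vsize, va, rawsize, rawptr, _r, _l, _nr, _nl, flags = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawptr": rawptr, "flags": flags})
    return {"entry_rva": entry, "image_base": image_base, "sections": sections}


def section_for_rva(pe: dict, rva: int):
    """Section whose mapped range (VirtualSize or raw size, whichever is larger) covers rva."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def compare_pe(original: bytes, suspect: bytes) -> list:
    """Findings that distinguish a patched binary from its clean original."""
    o, s = parse_pe(original), parse_pe(suspect)
    findings = []
    if o["entry_rva"] != s["entry_rva"]:
        findings.append(f"entry point moved {o['entry_rva']:#x} -> {s['entry_rva']:#x}")
    orig_by_name = {x["name"]: x for x in o["sections"]}
    for sec in s["sections"]:
        base = orig_by_name.get(sec["name"])
        if base is None:
            findings.append(f"new section {sec['name']} at RVA {sec['va']:#x}")
        elif sec["rawsize"] > base["rawsize"] or sec["vsize"] > base["vsize"]:
            findings.append(f"section {sec['name']} grew")
    target = section_for_rva(s, s["entry_rva"])
    if target is None:
        findings.append("entry point outside every section")
    else:
        if not target["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"entry point in non-executable section {target['name']}")
        base = orig_by_name.get(target["name"])
        if base and s["entry_rva"] >= base["va"] + base["vsize"]:
            findings.append(f"entry point lands in slack space of {target['name']} past the original code")
    return findings


def build_pe(entry_rva: int, sections: list) -> bytes:
    """Constructed minimal PE32 image (headers only) for demonstration; not a real binary."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, OPT_HDR_SIZE_PE32, 0x102)
    opt = bytearray(OPT_HDR_SIZE_PE32)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<I", opt, 28, 0x00400000)
    hdr = dos + b"PE\0\0" + coff + bytes(opt)
    for name, va, vsize, rawsize, flags in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, va, rawsize, 0x400, 0, 0, 0, 0, flags)
    return hdr


def demo_images() -> tuple:
    """Constructed clean/patched pair standing in for cisvc.exe before and after infection (assumed layout)."""
    TEXT = 0x60000020   # code | execute | read
    DATA = 0xC0000040   # initialized data | read | write
    clean = build_pe(0x1100, [(".text", 0x1000, 0x2F00, 0x3000, TEXT), (".data", 0x4000, 0x800, 0x1000, DATA)])
    # the "infected" copy: entry point moved into the .text padding past the original 0x2F00 bytes of code
    patched = build_pe(0x3F20, [(".text", 0x1000, 0x3000, 0x3000, TEXT), (".data", 0x4000, 0x800, 0x1000, DATA)])
    return clean, patched


if __name__ == "__main__":
    clean, patched = demo_images()
    for line in compare_pe(clean, patched):
        print(line)
```

To use it on the lab, read the pristine cisvc.exe from a clean Windows install and the copy from the infected VM with `open(path, "rb").read()` and pass both to `compare_pe`; the slack-space check is the one that matters here, because a file infector that keeps the section count unchanged still has to put its code and new entry point somewhere, and the padding at the end of .text is the usual place.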
4. Which Windows system file does the malware infect?
It infects C:\\Windows\\System32\\cisvc.exe.
5. What does Lab11-03.dll do?
Using GetAsyncKeyState and GetForegroundWindow, the DLL logs keystrokes into C:\\Windows\\System32\\kernel64x.dll. The DLL also uses a mutex named “MZ” to prevent multiple instances of the keylogger from running at once.
6. Where does the malware store the data it collects?