PRACTICAL MALWARE ANALYSIS: MALWARE BEHAVIOR (LAB 11-03)

Tools Used

  1. IDA Pro
  2. Procmon
  3. Ollydbg
  4. Process Explorer

Sample:

  1. Lab11-03.exe SHA256: bf023ff344efe2db0e0a963869368f0ef352764666bc368ad61b7a4c1d9f5975
  2. Lab11-03.dll SHA256: f11fa868ac3dee1e5fbd985fe15ba6d34c7ec0abb47babe0d34a35514c49c86a

VirusTotal:

  • Detection Rate: 19/56 (1) & 5/56 (2)
  • Analyzed on 2016-03-12
  • Compilation Date: 2011-11-19 16:34:41 (1) & 2011-11-08 22:33:33 (2)
  • View report here(1) & here(2)

Lab 11-3
Analyze the malware found in Lab11-03.exe and Lab11-03.dll. Make sure that
both files are in the same directory during analysis.
Questions
1. What interesting analysis leads can you discover using basic static analysis?

Lab11-03.exe

Figure 1. Installation

The main method in Lab11-03.exe is pretty straightforward. It first copies Lab11-03.dll to C:\Windows\System32\inet_epar32.dll. It then attempts to modify C:\Windows\System32\cisvc.exe and executes the infected executable by starting a service via the command “net start cisvc”.

Lab11-03.dll

The DLL contains some interesting things. In the export table, we can see a suspicious-looking function: zzz69806582.

Figure 2. Export table exposing a suspicious function

The import table contains GetAsyncKeyState and GetForegroundWindow, which strongly suggests that this is a keylogger.

Figure 3. Imports

The exported function zzz69806582 is pretty simple. It just creates a thread.

Figure 3. Function zzz69806582

The thread that the above function creates first checks for the mutex MZ.

It then creates a file at C:\Windows\System32\kernel64x.dll.

Figure 4. Mutex MZ

Next, the thread calls a subroutine to record keystrokes.

Figure 5. Keylogs

2. What happens when you run this malware?

As answered in question 1, it first copies Lab11-03.dll to C:\Windows\System32\inet_epar32.dll. It then attempts to modify C:\Windows\System32\cisvc.exe and executes the infected executable by starting a service via the command “net start cisvc”.

The infected service then begins logging keystrokes and saves them to C:\Windows\System32\kernel64x.dll.

Figure 6. Procmon showing file creation on the infected system

3. How does Lab11-03.exe persistently install Lab11-03.dll?

It infects C:\Windows\System32\cisvc.exe, the indexing service, by inserting shellcode into the program. The infected cisvc.exe loads C:\Windows\System32\inet_epar32.dll as shown in the figure below.

Figure 7. LoadLibrary

Comparing the infected executable with the original one, we can see that additional functions were added to it. On top of that, we can observe that the entry point has been changed.

Figure 8. Additional Functions

Figure 9. Changes in Entry Point

4. Which Windows system file does the malware infect?

It infects C:\Windows\System32\cisvc.exe.

Figure 10. inet_epar32.dll loaded in cisvc.exe

5. What does Lab11-03.dll do?

Using GetAsyncKeyState and GetForegroundWindow, the DLL logs keystrokes into C:\Windows\System32\kernel64x.dll. The DLL also uses the mutex “MZ” to prevent multiple instances of the keylogger from running at once.

Figure 11. Mutex MZ

6. Where does the malware store the data it collects?

In C:\Windows\System32\kernel64x.dll.

Figure 12. Key Logs Captured
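The indicators worked out in questions 3, 5 and 6 (patched cisvc.exe with a moved entry point that loads inet_epar32.dll, plus the dropped inet_epar32.dll and kernel64x.dll files) can be turned into a small host triage check. This is an added example written for this write-up, not code from the lab or the book; it reads the PE header with struct only, and the PE image it builds for testing is a constructed stand-in, not a real cisvc.exe, so the baseline entry point 0x1000 is an assumption.

```python
"""Triage for the Lab11-03 indicators: patched cisvc.exe and dropped files."""
import struct

# Indicators taken from the write-up.
DROPPED_FILES = {"inet_epar32.dll", "kernel64x.dll"}
PATCH_MARKER = b"inet_epar32.dll"   # name the patched cisvc.exe passes to LoadLibrary


def entry_point_rva(pe: bytes) -> int:
    """Return AddressOfEntryPoint from the PE optional header (no pefile needed)."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_hdr = e_lfanew + 4 + 20           # skip signature and 20-byte COFF header
    return struct.unpack_from("<I", pe, opt_hdr + 16)[0]


def check_cisvc(sample: bytes, baseline_ep: int) -> list:
    """Compare a cisvc.exe image against a known-good entry point (Figure 9)
    and look for the hard-coded DLL name the patch loads (Figure 7)."""
    findings = []
    ep = entry_point_rva(sample)
    if ep != baseline_ep:
        findings.append(f"entry point moved: {ep:#x} != baseline {baseline_ep:#x}")
    if PATCH_MARKER in sample:
        findings.append("image references inet_epar32.dll (LoadLibrary patch)")
    return findings


def check_dropped(system32_listing) -> list:
    """Return the file names from a System32 listing that match the dropped files."""
    return sorted(n for n in system32_listing if n.lower() in DROPPED_FILES)


def build_pe(entry_point: int, tail: bytes = b"") -> bytes:
    """Constructed minimal PE32 image used as offline test input (not a real binary)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<HBBIIII", 0x10B, 6, 0, 0, 0, 0, entry_point)
    opt += b"\0" * (0xE0 - len(opt))
    return dos + b"PE\0\0" + coff + opt + tail


if __name__ == "__main__":
    clean = build_pe(0x1000)                                   # assumed baseline
    patched = build_pe(0x2000, b"\x90" * 16 + b"inet_epar32.dll\0")
    print("clean:", check_cisvc(clean, 0x1000))
    print("patched:", check_cisvc(patched, 0x1000))
    print("dropped:", check_dropped(["ntdll.dll", "Kernel64x.dll", "inet_epar32.dll"]))
```

On a live system you would pass the bytes of C:\Windows\System32\cisvc.exe and the entry point taken from a clean copy of the same Windows build, since the correct value differs between versions.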