- IDA Pro
- Process Explorer
- Lab12-01.exe SHA256: 1fb3c4a9109ef171fa67bdf90e67f09ef25b5a1d401dc20dc45cfccf1e4fbd99
- Lab12-01.dll SHA256: 0ea89a83b84b8d20e259bacb6b0d1b176c8327f097c54749ae832981f2a0095a
- Detection Rate: 40/56(1) & 4/56(2)
- Analyzed on 2016-03-12
- Compilation Date: 2011-11-05 22:28:28(1) & 2011-03-26 22:16:59(2)
Analyze the malware found in the file Lab12-01.exe and Lab12-01.dll. Make
sure that these files are in the same directory when performing the analysis.
1. What happens when you run the malware executable?
A message box with an incrementing number in its title pops up periodically.
2. What process is being injected?
In the import table, the exe uses CreateRemoteThread, which strongly suggests that the malware injects a DLL into other processes.
“explorer.exe” is found in the list of strings. Cross-referencing the string leads to the following subroutine, so explorer.exe appears to be the process targeted for injection of the malicious DLL.
We can confirm our suspicion using Process Explorer as shown below.
3. How can you make the malware stop the pop-ups?
Kill explorer.exe and start it again.
4. How does this malware operate?
The malware begins by using psapi.dll’s EnumProcesses to loop through all running processes. Note that it also builds the absolute path of the malicious DLL; this path is used later to inject the DLL into the remote process.
While looping through the processes, only “explorer.exe” is injected. The following figure shows the filtering taking place.
Once the malware has located the “explorer.exe” process, it allocates memory inside that remote process and writes the malicious DLL’s absolute path (mentioned above) into it. It then obtains the address of LoadLibraryA (identical in explorer.exe, since kernel32.dll is mapped at the same base address in every process) and triggers the function via CreateRemoteThread. Explorer.exe thus invokes LoadLibraryA with the DLL path already sitting in its own memory as the argument, and that is how explorer.exe gets injected.
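As an added example, not part of the original writeup, here is a small Python detector that scans a constructed API-call trace for the chain just described (VirtualAllocEx in a target, WriteProcessMemory of a DLL path into it, then CreateRemoteThread started at LoadLibraryA) and reports which process was injected with which DLL; the trace format and the process ids are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample API trace (not taken from the page); one call per line,
# each line a set of key=value fields.  The 4120 process is the injector.
SAMPLE_TRACE = """\
pid=4120 api=EnumProcesses
pid=4120 api=OpenProcess target_pid=1832 target_image=explorer.exe
pid=4120 api=VirtualAllocEx target_pid=1832 size=260 protect=PAGE_READWRITE
pid=4120 api=WriteProcessMemory target_pid=1832 data="C:\\Lab\\Lab12-01.dll"
pid=4120 api=GetProcAddress module=kernel32.dll name=LoadLibraryA
pid=4120 api=CreateRemoteThread target_pid=1832 start=LoadLibraryA
pid=4120 api=OpenProcess target_pid=912 target_image=svchost.exe
pid=4120 api=VirtualAllocEx target_pid=912 size=4096 protect=PAGE_READWRITE
pid=4120 api=WriteProcessMemory target_pid=912 data="hello"
"""

LINE_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Turn one trace line into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in LINE_RE.findall(line)}

def detect_remote_loadlibrary(trace):
    """Flag a (source pid, target pid) pair only once the whole chain is seen:
    VirtualAllocEx -> WriteProcessMemory of a .dll path -> CreateRemoteThread
    whose start address is LoadLibraryA.  A partial chain (e.g. the svchost
    writes above) is not reported.  Returns a list of finding dicts."""
    state = defaultdict(dict)   # (src, dst) -> evidence gathered so far
    findings = []
    for raw in trace.splitlines():
        ev = parse_line(raw)
        src, api, dst = ev.get("pid"), ev.get("api"), ev.get("target_pid")
        if not dst:
            continue            # calls without a remote target are irrelevant
        key = (src, dst)
        if api == "OpenProcess":
            state[key]["image"] = ev.get("target_image", "?")
        elif api == "VirtualAllocEx":
            state[key]["alloc"] = True
        elif api == "WriteProcessMemory" and ev.get("data", "").lower().endswith(".dll"):
            state[key]["dll"] = ev["data"]
        elif api == "CreateRemoteThread" and ev.get("start") == "LoadLibraryA":
            s = state[key]
            if s.get("alloc") and s.get("dll"):
                findings.append({"source_pid": src, "target_pid": dst,
                                 "target_image": s.get("image", "?"),
                                 "dll": s["dll"]})
    return findings
```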
DllMain first creates a thread whose start routine is the subroutine at 0x1001030.
Inside this subroutine we find an infinite loop that pops up a message box every minute. The title of the message box is “Practical Malware Analysis %d”, where %d is the value of the loop counter.