PRACTICAL MALWARE ANALYSIS: COVERT MALWARE LAUNCHING(LAB 12-01)

Tools Used

  1. IDA Pro
  2. Process Explorer

Sample:

  1. Lab12-01.exe SHA256: 1fb3c4a9109ef171fa67bdf90e67f09ef25b5a1d401dc20dc45cfccf1e4fbd99
  2. Lab12-01.dll SHA256: 0ea89a83b84b8d20e259bacb6b0d1b176c8327f097c54749ae832981f2a0095a

VirusTotal:

  • Detection Rate: 40/56(1) & 4/56(2)
  • Analyzed on 2016-03-12
  • Compilation Date: 2011-11-05 22:28:28(1) & 2011-03-26 22:16:59(2)
  • View report here(1) & here(2)

Lab 12-1
Analyze the malware found in the file Lab12-01.exe and Lab12-01.dll. Make
sure that these files are in the same directory when performing the analysis.
Questions
1. What happens when you run the malware executable?

A message box with an incrementing number in its title pops up every now and then…

Figure 1. Message Box

2. What process is being injected?

CreateRemoteThread appears in the import table of the exe, which strongly suggests that the malware injects a DLL into other processes.

Figure 2. CreateRemoteThread in imports

“explorer.exe” is found in the list of strings. Cross-referencing that string leads to the following subroutine. It looks like explorer.exe is the process targeted for injection of the malicious DLL.

Figure 3. explorer.exe

We can confirm this suspicion with Process Explorer, as shown below.

Figure 4. explorer.exe injected with the DLL

3. How can you make the malware stop the pop-ups?

Kill explorer.exe and re-launch it.

4. How does this malware operate?

Lab12-01.exe

The malware begins by using psapi.dll’s EnumProcesses to loop through all running processes. Note that it also builds the absolute path of the malicious DLL; this path is used later to inject the DLL into the remote process.

Figure 5. EnumProcesses

While looping through the processes, only “explorer.exe” is injected. The following figure shows the filtering taking place.

Figure 6. Check for explorer.exe

Once the malware has located the “explorer.exe” process, it allocates memory inside that remote process and writes the malicious DLL’s absolute path (built earlier) into it. It then obtains the address of LoadLibraryA and starts a thread at that address in explorer.exe via CreateRemoteThread, passing the address of the path as the thread parameter. explorer.exe therefore calls LoadLibraryA on the malicious DLL’s absolute path, which is already in its memory, and that is how explorer.exe gets injected. =)

Figure 7. Injecting
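The CreateRemoteThread-plus-LoadLibraryA sequence above leaves a recognisable trace in endpoint telemetry: a remote thread in explorer.exe whose start routine is a LoadLibrary export. The following detector is an added example (not code from the original post or the lab); it runs over constructed Sysmon Event ID 8 (CreateRemoteThread) messages, and the paths and process IDs in them are made up.

```python
import re

# Constructed sample Sysmon Event ID 8 (CreateRemoteThread) messages. The
# field names follow Sysmon's event text; the paths and PIDs are invented.
SAMPLE_EVENTS = [
    # The Lab12-01 pattern: a thread in explorer.exe starting at LoadLibraryA.
    "CreateRemoteThread detected:\n"
    "SourceImage: C:\\Lab\\Lab12-01.exe\n"
    "SourceProcessId: 2880\n"
    "TargetImage: C:\\Windows\\explorer.exe\n"
    "TargetProcessId: 1224\n"
    "StartModule: C:\\Windows\\System32\\kernel32.dll\n"
    "StartFunction: LoadLibraryA",
    # A remote thread that does not start at a loader export: not flagged.
    "CreateRemoteThread detected:\n"
    "SourceImage: C:\\Windows\\System32\\csrss.exe\n"
    "SourceProcessId: 540\n"
    "TargetImage: C:\\Windows\\System32\\svchost.exe\n"
    "TargetProcessId: 912\n"
    "StartModule: C:\\Windows\\System32\\ntdll.dll\n"
    "StartFunction: RtlUserThreadStart",
]

# Exports an injector typically points the remote thread at.
LOADER_EXPORTS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}
_FIELD = re.compile(r"^(\w+):\s*(.*)$", re.MULTILINE)


def parse_eid8(message):
    """Turn one Sysmon EID 8 message into a {field: value} dict."""
    return {k: v.strip() for k, v in _FIELD.findall(message)}


def is_dll_injection(event):
    """True when a thread was created in a different process and its start
    routine is a LoadLibrary* export: the CreateRemoteThread+LoadLibraryA pattern."""
    cross_process = event.get("SourceProcessId") != event.get("TargetProcessId")
    return cross_process and event.get("StartFunction") in LOADER_EXPORTS


def find_dll_injections(messages):
    """Return (source image, target image) pairs for every matching event."""
    hits = []
    for msg in messages:
        ev = parse_eid8(msg)
        if is_dll_injection(ev):
            hits.append((ev["SourceImage"], ev["TargetImage"]))
    return hits


if __name__ == "__main__":
    for src, dst in find_dll_injections(SAMPLE_EVENTS):
        print(f"possible DLL injection: {src} -> {dst}")
```

The same rule can be pointed at a real Sysmon export; the StartFunction field is only populated when Sysmon can resolve the start address to an export, so an unresolved start address in explorer.exe still deserves a look.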

Lab12-01.dll

DllMain first creates a thread whose start routine is the subroutine at 0x1001030.

Figure 8. Create Thread

Inside this subroutine we find an infinite loop that pops a message box every minute. The title of the message box is “Practical Malware Analysis %d”, where %d is the value of the loop counter.

Figure 9. Popping MsgBox every minute
