PRACTICAL MALWARE ANALYSIS: COVERT MALWARE LAUNCHING (LAB 12-02)

Tools Used

  1. IDA Pro
  2. Procmon
  3. Process Monitor
  4. Cerbero Profiler

Sample:

  1. Lab12-02.exe SHA256: ae8a1c7eb64c42ea2a04f97523ebf0844c27029eb040d910048b680f884b9dce

VirusTotal:

  • Detection Rate: 43/56
  • Analyzed on 2016-03-12
  • Compilation Date: 2011-04-08 17:54:23

Lab 12-2
Analyze the malware found in the file Lab12-02.exe.
Questions
1. What is the purpose of this program?

Based on dynamic analysis results using Procmon and Process Explorer, we can conclude that this is a keylogger that performs process hollowing on svchost.exe.

Figure 1. Write file to practicalmalwareanalysis.log
Figure 2. Keystrokes in log file

2. How does the launcher program hide execution?

The subroutine at 0x004010EA is highly suspicious. It creates a process in the suspended state, calls UnmapViewOfSection to unmap the original image, and then writes into the new process's memory. Finally it resumes the process. This is the recipe for the process hollowing technique: the running process looks like svchost.exe (in this case) but is actually executing something else.

Figure 3. Create suspended process, unmap memory
Figure 4. WriteProcessMemory, ResumeThread
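The API sequence described above (CreateProcess with CREATE_SUSPENDED, UnmapViewOfSection, WriteProcessMemory, ResumeThread) is exactly what a monitor can look for. The following is an added example, not code from the original post or from the lab sample: a small detector that walks a per-process API trace and flags any process that completes the hollowing sequence in order. The trace format (pid, API name, detail string) and the sample lines are constructed for the demo and are not Procmon output.

```python
"""Flag the process-hollowing API sequence in a per-process API trace.

Added example, not part of the original write-up. The (pid, api, detail)
trace format and the sample lines are constructed for this demo; a real
API monitor or sandbox would emit something similar but not identical.
"""
from collections import defaultdict

# Ordered steps of the hollowing recipe from the write-up:
# create suspended -> unmap original image -> write new code -> resume.
# Step 0 is matched on the normalised name "CreateProcess" (A/W suffix dropped).
HOLLOWING_STEPS = [
    "CreateProcess",           # must carry CREATE_SUSPENDED in its flags
    "NtUnmapViewOfSection",    # ZwUnmapViewOfSection is normalised to this
    "WriteProcessMemory",
    "ResumeThread",
]
CREATE_SUSPENDED = 0x00000004

# Constructed sample trace: pid, API name, detail string (flags or target pid).
SAMPLE_TRACE = [
    (1000, "GetModuleHandleA", "kernel32.dll"),
    (1000, "CreateProcessA", "svchost.exe flags=0x4"),
    (1000, "NtUnmapViewOfSection", "target=1234"),
    (1000, "VirtualAllocEx", "target=1234"),
    (1000, "WriteProcessMemory", "target=1234"),
    (1000, "WriteProcessMemory", "target=1234"),
    (1000, "SetThreadContext", "target=1234"),
    (1000, "ResumeThread", "target=1234"),
    (2000, "CreateProcessA", "notepad.exe flags=0x0"),   # benign: not suspended
    (2000, "ResumeThread", "target=5678"),
]


def creation_flags(detail):
    """Parse 'flags=0x..' out of the detail string; 0 if absent."""
    for token in detail.split():
        if token.startswith("flags="):
            return int(token.split("=", 1)[1], 16)
    return 0


def normalise(api):
    """Drop the A/W suffix on CreateProcess and map Zw* to Nt*."""
    if api.startswith("CreateProcess"):
        return "CreateProcess"
    if api.startswith("Zw"):
        return "Nt" + api[2:]
    return api


def find_hollowing(trace):
    """Return the set of pids whose trace contains the full hollowing
    sequence, in order, starting from a CreateProcess with CREATE_SUSPENDED.
    Unrelated calls between the steps (VirtualAllocEx, SetThreadContext,
    repeated writes) are ignored, as they do not break the pattern."""
    progress = defaultdict(int)   # pid -> index of the next expected step
    flagged = set()
    for pid, api, detail in trace:
        name = normalise(api)
        step = progress[pid]
        if step == 0:
            if name == "CreateProcess" and creation_flags(detail) & CREATE_SUSPENDED:
                progress[pid] = 1
            continue
        if name == HOLLOWING_STEPS[step]:
            progress[pid] = step + 1
            if progress[pid] == len(HOLLOWING_STEPS):
                flagged.add(pid)
                progress[pid] = 0      # reset so a second hollowing is also caught
    return flagged


if __name__ == "__main__":
    print("hollowing suspected in pids:", sorted(find_hollowing(SAMPLE_TRACE)))
```

Run it to see pid 1000 flagged and pid 2000 (a normal, non-suspended process creation followed by ResumeThread) left alone; the design choice worth noting is that the detector keys on the suspended creation flag, not just on the presence of ResumeThread, which is common in benign code.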

 

3. Where is the malicious payload stored?

In the resource section, we can see a suspicious-looking payload. IDA Pro further confirms that this is the payload that will be extracted.

Figure 5. Resource with lots of As in it
Figure 6. Find resource

4. How is the malicious payload protected?

By analyzing the find-resource function at 0x0040132C, we come across the following code, which suggests that the payload is XORed with “A” (0x41).

Figure 7. XOR by A
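The "lots of As" in Figure 5 and the XOR by "A" in Figure 7 are two sides of the same observation: a PE image is mostly zero padding, and zero XOR 0x41 is "A". The following is an added example, not code from the original post or from the lab sample; it generalises that observation into a small recovery routine that guesses a single-byte XOR key from the most frequent byte in the blob, decodes, and confirms the guess with the MZ and PE signatures. The encoded blob is constructed inline (a minimal fake PE header XORed with 0x41), not the real Lab12-02 resource.

```python
"""Recover a single-byte XOR key from an encoded embedded PE and decode it.

Added example, not part of the original write-up. ENCODED_RESOURCE is a
constructed stand-in for the lab's resource: a tiny fake PE-like image
XORed with 0x41 ('A'). Key recovery relies on the fact that the null
padding of a PE becomes the key byte after XOR, so the most frequent byte
in the blob is the first candidate; the PE signatures confirm it.
"""
from collections import Counter


def build_fake_pe():
    """Construct a minimal PE-like image: 'MZ', e_lfanew at 0x3C, 'PE\\0\\0'."""
    img = bytearray(0x100)                                  # mostly zero padding
    img[0:2] = b"MZ"
    img[0x3C:0x40] = (0x80).to_bytes(4, "little")           # e_lfanew -> 0x80
    img[0x80:0x84] = b"PE\x00\x00"
    img[0x84:0x86] = (0x14C).to_bytes(2, "little")          # IMAGE_FILE_MACHINE_I386
    return bytes(img)


def xor_bytes(data, key):
    """XOR every byte with a single-byte key."""
    return bytes(b ^ key for b in data)


# Constructed sample: what the resource looks like on disk in the lab.
ENCODED_RESOURCE = xor_bytes(build_fake_pe(), 0x41)


def guess_key(blob):
    """Most common byte in the blob; for an XORed PE this is usually the key."""
    return Counter(blob).most_common(1)[0][0]


def looks_like_pe(data):
    """True if data starts with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decode_resource(blob):
    """Return (key, decoded_bytes) if some single-byte XOR key yields a PE.

    The frequency-based guess is tried first; if that fails (e.g. a packed
    payload with little padding), fall back to brute-forcing all 256 keys.
    Returns (None, None) when no key produces a PE.
    """
    for key in [guess_key(blob)] + list(range(256)):
        decoded = xor_bytes(blob, key)
        if looks_like_pe(decoded):
            return key, decoded
    return None, None


if __name__ == "__main__":
    key, decoded = decode_resource(ENCODED_RESOURCE)
    print("recovered key: %#x (%r)" % (key, chr(key)), "decoded header:", decoded[:2])
```

Against the constructed blob the frequency guess alone recovers 0x41 ("A"); the brute-force fallback only matters when the payload has little zero padding, which is why the PE signature check, rather than the byte count, is what decides acceptance.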

5. How are strings protected?

The strings are in plain text… correct me if I am wrong.

Figure 8. Strings in plain text