- IDA Pro
- Lab12-04.exe SHA256: e2aed4398e0178670d9678961ca89a0f15a3eac20f396bdf29de8ac66cb853fa
- Detection Rate: 44/56
- Analyzed on 2016-03-13
- Compilation Date: 2011-02-27 01:02:43
Analyze the malware found in the file Lab12-04.exe.
1. What does the code at 0x401000 accomplish?
The subroutine checks whether the process with the given process ID is winlogon.exe. If it is, it returns 1; otherwise it returns 0.
2. Which process has code injected?
winlogon.exe is targeted for injection. The subroutine at 0x00401174 is responsible for process injection via CreateRemoteThread. Tracing back, we can see that only winlogon's PID is passed to this subroutine.
3. What DLL is loaded using LoadLibraryA?
4. What is the fourth argument passed to the CreateRemoteThread call?
Based on figure 3, the fourth argument is lpStartAddress; tracing upward, we find that lpStartAddress is the address returned by GetProcAddress(LoadLibraryA("sfc_os.dll"), 2), i.e. the export at ordinal 2.
Loading sfc_os.dll in IDA Pro, we can see the export at ordinal 2, which resolves to SfcTerminateWatcherThread(), as shown in figure 5.
5. What malware is dropped by the main executable?
Analyzing the main function, we can see the file "C:\WINDOWS\system32\wupdmgr.exe" being moved to the temp folder as "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winup.exe".
The following subroutine is then called to extract a resource from the executable and write it out as the replacement "C:\WINDOWS\system32\wupdmgr.exe".
6. What is the purpose of this and the dropped malware?
Apparently, for SfcTerminateWatcherThread() to work, the caller must be winlogon.exe. That explains why the malware goes to the trouble of looping through all running threads to locate winlogon.exe, and why it attempts to obtain higher privileges by calling AdjustTokenPrivileges to enable SeDebugPrivilege. With that privilege, the malware calls CreateRemoteThread to make winlogon.exe invoke SfcTerminateWatcherThread(). Windows File Protection is then disabled, and the malware can freely modify system-protected files until the next reboot.
The dropped malware at "C:\windows\system32\wupdmgr.exe" executes the original wupdmgr.exe (now in the temp folder) and attempts to download new malware from "http://www.practicalmalwareanalysis.com/updater.exe", saving it as "C:\windows\system32\wupdmgr.exe".
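The two behaviours described in questions 2 and 5/6 (a remote thread into winlogon.exe whose start routine lives in sfc_os.dll, and wupdmgr.exe being rewritten under system32) are both visible in endpoint telemetry. The following detector is an added example, not part of the lab writeup: it runs over constructed Sysmon-style records (Event ID 8 CreateRemoteThread and Event ID 11 FileCreate field names), and the paths and the `classify`/`scan` helpers are assumptions for this example.

```python
import ntpath

# Constructed sample events (not real telemetry). Field names follow Sysmon
# Event ID 8 (CreateRemoteThread) and Event ID 11 (FileCreate).
SAMPLE_EVENTS = [
    {"EventID": 8, "SourceImage": r"C:\Lab\Lab12-04.exe",
     "TargetImage": r"C:\WINDOWS\system32\winlogon.exe",
     "StartModule": r"C:\WINDOWS\system32\sfc_os.dll"},
    {"EventID": 8, "SourceImage": r"C:\Tools\debugger.exe",
     "TargetImage": r"C:\Users\bob\app.exe",
     "StartModule": r"C:\WINDOWS\system32\kernel32.dll"},
    {"EventID": 11, "Image": r"C:\Lab\Lab12-04.exe",
     "TargetFilename": r"C:\WINDOWS\system32\wupdmgr.exe"},
    {"EventID": 11, "Image": r"C:\WINDOWS\system32\svchost.exe",
     "TargetFilename": r"C:\WINDOWS\Temp\cache.tmp"},
]

PROTECTED_TARGET = "winlogon.exe"   # process the lab sample injects into
SFC_MODULE = "sfc_os.dll"           # module exporting SfcTerminateWatcherThread
REPLACED_BINARY = "wupdmgr.exe"     # system32 file the dropper overwrites


def _basename(path):
    """Case-insensitive Windows basename (handles backslash separators)."""
    return ntpath.basename(path).lower()


def _is_system32(path):
    return "\\system32\\" in path.lower()


def classify(event):
    """Return a finding string for a suspicious event, or None if benign."""
    eid = event.get("EventID")
    if eid == 8:
        target = _basename(event["TargetImage"])
        if target == PROTECTED_TARGET and _basename(event["StartModule"]) == SFC_MODULE:
            # Exactly the WFP-disabling pattern: thread start address in sfc_os.dll
            return "remote thread into winlogon.exe starting in sfc_os.dll from %s" % event["SourceImage"]
        if target == PROTECTED_TARGET:
            return "remote thread into winlogon.exe from %s" % event["SourceImage"]
    elif eid == 11:
        target = event["TargetFilename"]
        if _is_system32(target) and _basename(target) == REPLACED_BINARY:
            return "%s written under system32 by %s" % (REPLACED_BINARY, event["Image"])
    return None


def scan(events):
    """Run classify() over an event stream and return the non-empty findings."""
    return [f for f in (classify(e) for e in events) if f]
```

In practice the Event ID 8 rule alone is a strong signal on a workstation, since almost nothing legitimate creates threads inside winlogon.exe.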