PRACTICAL MALWARE ANALYSIS: COVERT MALWARE LAUNCHING (LAB 12-04)

Tools Used

  1. IDA Pro
  2. Ollydbg

Sample:

  1. Lab12-04.exe SHA256: e2aed4398e0178670d9678961ca89a0f15a3eac20f396bdf29de8ac66cb853fa

VirusTotal:

  • Detection Rate: 44/56
  • Analyzed on 2016-03-13
  • Compilation Date: 2011-02-27 01:02:43
  • View report here

Lab 12-4
Analyze the malware found in the file Lab12-04.exe.

Questions
1. What does the code at 0x401000 accomplish?

The subroutine checks whether the process with the given process ID is Winlogon.exe. If it is, it returns 1; otherwise it returns 0.

Figure 1. stricmp Winlogon.exe

2. Which process has code injected?

Winlogon.exe is the target of the injection. The subroutine at 0x00401174 performs the process injection via CreateRemoteThread. Tracing back, we can see that only winlogon's PID is passed to this subroutine.

Figure 2. Winlogon PID being pushed as argument to the inject subroutine

3. What DLL is loaded using LoadLibraryA?

sfc_os.dll

Figure 3. sfc_os.dll

4. What is the fourth argument passed to the CreateRemoteThread call?

Based on figure 3, the fourth argument is lpStartAddress. Tracing upward, we find that lpStartAddress is the address returned by GetProcAddress(LoadLibraryA("sfc_os.dll"), 2).

Loading sfc_os.dll in IDA Pro, we can see the export at ordinal 2, which resolves to SfcTerminateWatcherThread(), as shown in figure 5.

Figure 4. sfc_os.dll's ordinal 2
Figure 5. SfcTerminateWatcherThread()

5. What malware is dropped by the main executable?

Analyzing the main function, we can see the file "C:\WINDOWS\system32\wupdmgr.exe" being moved to the temp folder as "C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\winup.exe".

Figure 6. Backing up wupdmgr.exe

The following subroutine is then called to extract a resource from the executable and use it to replace "C:\WINDOWS\system32\wupdmgr.exe".

Figure 7. Dropping from resource to system32\wupdmgr.exe
Figure 8. Bin 101 in the resource section

6. What is the purpose of this and the dropped malware?

Apparently, for SfcTerminateWatcherThread() to work, the caller must be winlogon.exe. That explains why the malware goes through the trouble of looping through all running threads to locate winlogon.exe, and why it even attempts to gain higher privileges by using AdjustTokenPrivileges to enable SeDebugPrivilege on its token. With the higher privilege, the malware calls CreateRemoteThread to make Winlogon invoke SfcTerminateWatcherThread(). With that, the file protection mechanism is disabled and the malware can freely change system-protected files until the next reboot.
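The injection described above leaves a distinctive trace: a remote thread created in winlogon.exe whose start address lies inside sfc_os.dll. The following detection logic is an added example (not part of the original write-up); it runs over constructed records shaped like the Sysmon Event ID 8 (CreateRemoteThread) fields SourceImage, TargetImage, StartModule and StartFunction, not over real captured logs.

```python
"""Flag remote threads into winlogon.exe that start in sfc_os.dll, i.e. the
SfcTerminateWatcherThread trick used by Lab12-04.exe. Added example with
constructed Sysmon-style Event ID 8 records."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class RemoteThreadEvent:
    # Subset of the Sysmon Event ID 8 (CreateRemoteThread) fields.
    source_image: str
    target_image: str
    start_module: str      # empty when the start address is not inside a loaded module
    start_function: str    # empty when Sysmon cannot resolve the export name


TARGET = "winlogon.exe"
WFP_MODULE = "sfc_os.dll"
WFP_FUNCTION = "sfcterminatewatcherthread"


def classify(ev: RemoteThreadEvent) -> str:
    """Return a verdict for one CreateRemoteThread event."""
    # Same case-insensitive name compare the sample itself makes at 0x401000.
    if ntpath.basename(ev.target_image).lower() != TARGET:
        return "ignore"
    module = ntpath.basename(ev.start_module).lower()
    if module == WFP_MODULE or ev.start_function.lower() == WFP_FUNCTION:
        return "wfp-disable"        # thread will run SfcTerminateWatcherThread
    if not module:
        return "unbacked-thread"    # start address outside any module: injected code
    return "review"                 # any other remote thread into winlogon: inspect


def scan(events):
    """Return (verdict, source_image) for every event that is not ignored."""
    return [(classify(e), e.source_image) for e in events if classify(e) != "ignore"]


# Constructed sample events (not captured from a real host).
SAMPLE_EVENTS = [
    RemoteThreadEvent(r"C:\Lab\Lab12-04.exe", r"C:\WINDOWS\system32\winlogon.exe",
                      r"C:\WINDOWS\system32\sfc_os.dll", "SfcTerminateWatcherThread"),
    RemoteThreadEvent(r"C:\Lab\Lab12-04.exe", r"C:\WINDOWS\system32\WINLOGON.EXE",
                      r"C:\WINDOWS\system32\sfc_os.dll", ""),  # ordinal-only import, name unresolved
    RemoteThreadEvent(r"C:\tmp\unknown.exe", r"C:\WINDOWS\system32\winlogon.exe", "", ""),
    RemoteThreadEvent(r"C:\Lab\Lab12-04.exe", r"C:\WINDOWS\system32\explorer.exe",
                      r"C:\WINDOWS\system32\kernel32.dll", "LoadLibraryA"),
]

if __name__ == "__main__":
    for verdict, source in scan(SAMPLE_EVENTS):
        print(f"{verdict:16} {source}")
```

Matching on the start module rather than the export name matters here because the sample resolves the function by ordinal, so a log source may not have a symbol name to show.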

The dropped malware at "C:\windows\system32\wupdmgr.exe" executes the original wupdmgr.exe (which is now in the temp folder), then attempts to download new malware from "http://www.practicalmalwareanalysis.com/updater.exe" and save it as "C:\windows\system32\wupdmgr.exe".

Figure 9. URLDownloadToFileA