PRACTICAL MALWARE ANALYSIS: DATA ENCODING (LAB 13-01)

Tools Used

  1. IDA Pro
  2. Ollydbg

Sample:

  1. Lab13-01.exe SHA256: 71a295247ba7419f9f9dea8098e6867182bb80f53c98eb0f59192a6557a51249

VirusTotal:

  • Detection Rate: 11/55
  • Analyzed on 2016-03-13
  • Compilation Date: 2011-11-08 23:03:23
  • View report here

Lab 13-1
Analyze the malware found in the file Lab13-01.exe.
Questions
1. Compare the strings in the malware (from the output of the strings command)
with the information available via dynamic analysis. Based on this
comparison, which elements might be encoded?

In IDA Pro, we can see the following strings, which do not make much sense on their own. However, on execution, if we dump the strings from the process memory using Process Explorer and sniff the network traffic, we can observe new strings that never appeared in the static output, such as http://www.practicalmalwareanalysis.com. Strings that only show up at runtime are the ones most likely to be stored encoded in the binary.

Figure 1. Meaningless string
Figure 2. URL found

2. Use IDA Pro to look for potential encoding by searching for the string
xor. What type of encoding do you find?

The subroutine at 0x00401300 loads a resource (ID 101, via FindResourceA) from the binary and XORs its contents with the single byte “;”.

Figure 3. FindResourceA 101
Figure 4. Resource String
Figure 5. XOR with ;

3. What is the key used for encoding and what content does it encode?

The key used is “;”. The decoded content is http://www.practicalmalwareanalysis.com.

4. Use the static tools FindCrypt2, Krypto ANALyzer (KANAL), and the
IDA Entropy Plugin to identify any other encoding mechanisms. What
do you find?

Figure 6. KANAL Plugin

The KANAL plugin located four addresses that reference the Base64 alphabet “ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/”.

5. What type of encoding is used for a portion of the network traffic sent by
the malware?

Base64 encoding is used to encode the computer name.

Figure 7. Encoding string
Figure 8. String encoded
Figure 9. Checking base64 encoded string

6. Where is the Base64 function in the disassembly?

The Base64 encoding routine is at address 0x004010B1.

7. What is the maximum length of the Base64-encoded data that is sent?
What is encoded?

The computer name is encoded. It is limited to 12 characters, so the Base64-encoded output is at most 16 bytes.

Figure 10. Only 12 Characters

8. In this malware, would you ever see the padding characters (= or ==) in
the Base64-encoded data?

According to Wikipedia, if the plaintext length is not divisible by 3, padding will be present in the encoded string.

9. What does this malware do?

It keeps sending the Base64-encoded computer name (at most 12 bytes before encoding) to http://www.practicalmalwareanalysis.com every 30 seconds until 0x6F (“o”) is received as the first character of the response.
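As an added example (not part of the original write-up), the following Python reproduces the two encodings described above so an analyst can check them offline: the single-byte XOR with “;” applied to the resource, and the Base64 of the computer name truncated to 12 characters, including when padding appears. The XOR-encoded URL bytes are constructed here rather than dumped from the sample.

```python
import base64

XOR_KEY = 0x3B          # ';' - the single-byte key used in the subroutine at 0x00401300
MAX_NAME_LEN = 12       # the malware truncates the computer name to 12 characters


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the single-byte XOR on the resource (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def encode_computer_name(name: str) -> str:
    """Mimic the beacon: truncate the name to 12 bytes, then Base64-encode it."""
    truncated = name.encode("ascii")[:MAX_NAME_LEN]
    return base64.b64encode(truncated).decode("ascii")


def has_padding(name: str) -> bool:
    """True when the encoded name carries '=' padding (length not a multiple of 3)."""
    return encode_computer_name(name).endswith("=")


def decode_beacon(encoded: str) -> str:
    """Recover the computer name from a captured beacon value (defender side)."""
    return base64.b64decode(encoded).decode("ascii")


# Constructed sample: the URL as it would sit in resource 101 after XOR with ';'.
URL = b"http://www.practicalmalwareanalysis.com"
ENCODED_RESOURCE = xor_decode(URL)   # constructed, not bytes dumped from the binary

if __name__ == "__main__":
    print(xor_decode(ENCODED_RESOURCE).decode())
    for host in ("A" * 12, "WORKSTATION-LONGNAME", "ABCD"):
        enc = encode_computer_name(host)
        print(f"{host!r:>24} -> {enc} (len={len(enc)}, padded={has_padding(host)})")
```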
