- IDA Pro
- Process Monitor (ProcMon)
- Lab13-03.exe SHA256: e2aed4398e0178670d9678961ca89a0f15a3eac20f396bdf29de8ac66cb853fa
- Detection Rate: 6/53
- Analyzed on 2016-03-14
- Compilation Date: 2011-11-17 23:04:54
Analyze the malware found in the file Lab13-03.exe.
1. Compare the output of strings with the information available via
dynamic analysis. Based on this comparison, which elements might
Based on the Wireshark capture and the program's responses, we can see the following strings.
In IDA Pro we can see the domain name of the host and some possible debug messages.
2. Use static analysis to look for potential encoding by searching for the
string xor. What type of encoding do you find?
There are quite a lot of xor operations to go through, but based on the figure below it is very likely that AES is being used. The Advanced Encryption Standard (AES) is also known as Rijndael.
3. Use static tools like FindCrypt2, KANAL, and the IDA Entropy Plugin to
identify any other encoding mechanisms. How do these findings compare
with the XOR findings?
Most likely AES is being used in the malware.
4. Which two encoding techniques are used in this malware?
At 0x4120A4 we can see a 65-character string, which looks like a custom Base64 alphabet. The standard Base64 alphabet is “ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=”, i.e. A-Z, a-z, 0-9, + and /, with = as the padding character.
A custom Base64 and AES are used in this malware.
5. For each encoding technique, what is the key?
The custom Base64 alphabet is “CDEFGHIJKLMNOPQRSTUVWXYZABcdefghijklmnopqrstuvwxyzab0123456789+/”. To test whether this key is valid, I used an online custom Base64 tool to verify it.
Online Tool: https://www.malwaretracker.com/decoder_base64.php
Using the above tool with the custom key, I encoded HELLOWORLD and passed it to the program via netcat to decode. True enough, the encoded text was decoded back to the original text.
Based on a debug message, this function (0x00401AC2) seems to initialize the AES key.
Cross-referencing the function and locating its 2nd argument, the key is most likely “ijklmnopqrstuvwx”.
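As an added example (not part of the original write-up, and not the online tool's code), the following Python does what the netcat test above checks by hand: it translates between the custom alphabet found at 0x4120A4 and the standard one, and includes the triage heuristic from question 4 for spotting a 64/65-character string that may be a Base64 alphabet. The "captured" sample string is constructed here by encoding HELLOWORLD with the custom alphabet.

```python
import base64

# Standard Base64 alphabet and the custom one found at 0x4120A4 (from the write-up).
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
CUSTOM_ALPHABET = "CDEFGHIJKLMNOPQRSTUVWXYZABcdefghijklmnopqrstuvwxyzab0123456789+/"
PAD = "="


def looks_like_b64_alphabet(s):
    """Triage heuristic for a string found in the binary: 64 distinct printable
    characters (65 if the '=' padding character is appended) is a strong hint
    that the string is a Base64 alphabet rather than ordinary text."""
    body = s[:-1] if s.endswith(PAD) else s
    return (len(body) == 64
            and len(set(body)) == 64
            and all(33 <= ord(c) < 127 for c in body))


def _check_alphabet(alphabet):
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("a Base64 alphabet needs exactly 64 distinct characters")


def custom_b64decode(text, alphabet=CUSTOM_ALPHABET):
    """Decode text written in `alphabet`: map each symbol to its position in the
    standard alphabet, then let the stdlib do the 6-bit unpacking.
    validate=True rejects any character outside the alphabet, which catches a
    wrong alphabet guess early instead of silently producing garbage."""
    _check_alphabet(alphabet)
    std = text.translate(str.maketrans(alphabet, STD_ALPHABET))
    return base64.b64decode(std, validate=True)


def custom_b64encode(data, alphabet=CUSTOM_ALPHABET):
    """Inverse of custom_b64decode; useful for reproducing what the attacker
    side sends so the decoder can be checked against a known plaintext."""
    _check_alphabet(alphabet)
    std = base64.b64encode(data).decode("ascii")
    return std.translate(str.maketrans(STD_ALPHABET, alphabet))


# Constructed sample: HELLOWORLD encoded with the custom alphabet, i.e. what
# the write-up's netcat test sent to the program.
SAMPLE_COMMAND = custom_b64encode(b"HELLOWORLD")

if __name__ == "__main__":
    print(SAMPLE_COMMAND)                     # UGXOVG9ZV1LOTC==
    print(custom_b64decode(SAMPLE_COMMAND))   # b'HELLOWORLD'
```

Because the custom alphabet only rotates the upper- and lower-case ranges by two positions, digits, + and / encode identically under both alphabets; that is why a custom-encoded command still "looks like" Base64 in the capture, and why a decoder that silently accepts unknown characters would be misleading.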
6. For the cryptographic encryption algorithm, is the key sufficient? What
else must be known?
For the custom Base64, the custom alphabet is all we need.
For AES, the key alone is not sufficient: we also need the cipher's encryption mode and the IV.
7. What does this malware do?
The malware connects to http://www.practicalmalwareanalysis.com on port 8190 and establishes a remote shell. It then reads input from the attacker; the input is encoded with the custom Base64. Once decoded, the command is passed to cmd.exe for execution. The result is encrypted with AES and sent back to the attacker's server.
8. Create code to decrypt some of the content produced during dynamic
analysis. What is this content?
Using the key, we decrypt the AES-encrypted packet in CBC mode with no IV. The content is the response to the command that the attacker sent earlier through the remote shell.
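An added Python example, not the write-up's own decryption script, for the victim-to-attacker direction described in questions 7 and 8. The key and CBC mode are taken from the analysis above; two things are assumptions: the write-up's "no IV" is modelled as a 16-byte all-zero IV (AES libraries require an explicit IV), and the trailing padding is assumed to be NUL bytes that are stripped after decryption. The sample packet is constructed here by encrypting a made-up cmd.exe reply with the same parameters, since the page does not reproduce the captured bytes; with a real capture, pass the raw TCP payload to decrypt_response instead. The cryptography package (or PyCryptodome as a fallback) is assumed to be installed.

```python
# Added example: decrypt Lab13-03's AES-encrypted command responses.
# Key and mode come from the analysis above; IV and padding are assumptions.

KEY = b"ijklmnopqrstuvwx"  # AES-128 key found via the 0x00401AC2 cross-references
ZERO_IV = bytes(16)        # ASSUMPTION: "no IV" modelled as an all-zero IV
BLOCK = 16


def _aes_cbc(data, iv, decrypt):
    """Raw AES-128-CBC with no padding handling. Uses the `cryptography`
    package and falls back to PyCryptodome; one of them is assumed installed."""
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    except ImportError:
        from Crypto.Cipher import AES  # PyCryptodome
        cipher = AES.new(KEY, AES.MODE_CBC, iv=iv)
        return cipher.decrypt(data) if decrypt else cipher.encrypt(data)
    cipher = Cipher(algorithms.AES(KEY), modes.CBC(iv))
    ctx = cipher.decryptor() if decrypt else cipher.encryptor()
    return ctx.update(data) + ctx.finalize()


def decrypt_raw(packet, iv=ZERO_IV):
    """Decrypt one captured packet without touching the padding.
    A length that is not a block multiple means the capture was truncated or
    reassembled wrongly, so fail loudly rather than decrypt part of it."""
    if len(packet) % BLOCK:
        raise ValueError(
            f"ciphertext is {len(packet)} bytes, not a multiple of {BLOCK}; "
            "the capture is probably truncated or badly reassembled")
    return _aes_cbc(packet, iv, decrypt=True)


def decrypt_response(packet, iv=ZERO_IV):
    """Decrypt and strip trailing NUL padding.
    ASSUMPTION: NUL padding. Inspect the tail of a real decrypted packet
    before trusting this rule (PKCS#7 would end in 0x01..0x10 instead)."""
    return decrypt_raw(packet, iv).rstrip(b"\x00")


def encrypt_response(plaintext, iv=ZERO_IV):
    """Inverse operation, used only to build the constructed sample below."""
    padded = plaintext + b"\x00" * ((-len(plaintext)) % BLOCK)
    return _aes_cbc(padded, iv, decrypt=False)


# Constructed sample: a made-up cmd.exe reply, encrypted the way the malware
# would send it. A real analysis takes these bytes from the Wireshark capture.
SAMPLE_OUTPUT = b" Volume in drive C has no label.\r\n Directory of C:\\\r\n"
SAMPLE_PACKET = encrypt_response(SAMPLE_OUTPUT)

if __name__ == "__main__":
    print(decrypt_response(SAMPLE_PACKET).decode("ascii", "replace"))
```

A useful property when the IV guess is uncertain: in CBC decryption every block after the first is recovered as D(C_i) XOR C_(i-1), so a wrong IV garbles only the first 16 bytes and the rest of the response still reads correctly. That is why question 6 lists the IV separately from the key, and it is also a quick check: if only the first block of a decrypted packet is garbage, the key and mode are right and the IV is wrong.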