Tools Used

  1. IDA Pro
  2. Ollydbg
  3. Proc Mon
  4. Process Monitor
  5. Wireshark
  6. inetsim
  7. PEiD


  1. Lab13-03.exe SHA256: e2aed4398e0178670d9678961ca89a0f15a3eac20f396bdf29de8ac66cb853fa


  • Detection Rate: 6/53
  • Analyzed on 2016-03-14
  • Compilation Date: 2011-11-17 23:04:54

Lab 13-3
Analyze the malware found in the file Lab13-03.exe.
1. Compare the output of strings with the information available via
dynamic analysis. Based on this comparison, which elements might
be encoded?

From the Wireshark capture and the program's own responses we can see the following strings.

Figure 1.
Figure 2. Error Message

In IDA Pro we can see the domain host name and some possible debug messages.

Figure 3. IDA Pro strings


2. Use static analysis to look for potential encoding by searching for the
string xor. What type of encoding do you find?

There are quite a lot of xor operations to go through, but based on the figure below it is highly likely that AES is being used; the Advanced Encryption Standard (AES) is also known as Rijndael. Note that AES itself relies on xor (every round key is xored into the state), so xor instructions clustered inside table-driven round functions point to a real cipher rather than to a simple xor-with-a-constant loop.

Figure 4. XOR operations

3. Use static tools like FindCrypt2, KANAL, and the IDA Entropy Plugin to
identify any other encoding mechanisms. How do these findings compare
with the XOR findings?

Both PEiD (KANAL) and the FindCrypt2 plugin flag AES constants in the binary, which agrees with the XOR findings: AES is most likely being used in the malware.

Figure 5. PEiD found AES
Figure 6. FindCrypt2 plugin found AES

4. Which two encoding techniques are used in this malware?

At 0x4120A4 we can see a 65-character string that looks like a custom Base64 alphabet. The standard Base64 alphabet is “ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/”, i.e. A-Z, a-z, 0-9, + and /, with “=” used only as padding.

Figure 7. Custom Base64

A custom Base64 and AES are used in this malware.

5. For each encoding technique, what is the key?

The custom Base64 alphabet (the “key” for this encoding) is “CDEFGHIJKLMNOPQRSTUVWXYZABcdefghijklmnopqrstuvwxyzab0123456789+/”. To check that this alphabet is right, I used an online custom Base64 tool to verify it.

Online Tool:

Using the tool above with the custom alphabet, I encoded HELLOWORLD and passed the result to the program via netcat to decode. Sure enough, the encoded text was decoded back to the original text.

Figure 8. Base64 decode

Based on some debug messages, the function at 0x00401AC2 appears to initialize the AES key.

Figure 9. Init Key

Cross-referencing the function and looking at its second argument, the key is most likely “ijklmnopqrstuvwx” (16 bytes, so AES-128).

Figure 10. Key pass in as 2nd argument

6. For the cryptographic encryption algorithm, is the key sufficient? What
else must be known?

For the custom Base64, the alphabet alone is enough.

For AES, the key alone is not sufficient: we also need the key size (16 bytes here, so AES-128), the cipher's mode of operation, the IV for modes such as CBC, and how the plaintext is padded to the 16-byte block boundary.

7. What does this malware do?

The malware connects to the attacker's server on port 8190 and establishes a remote shell. It then reads input from the attacker. The input is custom-Base64 encoded; once decoded, the command is passed to cmd.exe for execution. The command's output is encrypted with AES and sent back to the attacker's server.

8. Create code to decrypt some of the content produced during dynamic
analysis. What is this content?

Using the key, we decrypt the AES-encrypted packet in CBC mode with no IV supplied, which amounts to an all-zero IV. The content is the response to the command sent earlier through the remote shell by the attacker.

Figure 11. Decrypted Data
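A decoder for both encodings, as an added example that is not the malware's code or the book's solution script: the custom alphabet and the AES key are the values given above, while the all-zero IV, the zero-byte padding of responses, the use of the Python `cryptography` package and the sample exchange in `__main__` are assumptions made here.

```python
"""Decoders for the two encodings identified in Lab13-03.exe.

Added example, not the malware's own code or the book's script.  The
custom Base64 alphabet and the AES key are the values named in the
writeup; the all-zero IV and zero-byte padding are assumptions.
"""
import base64

# Alphabet found at 0x4120A4 (64 symbols; "=" is still used for padding)
CUSTOM_ALPHABET = b"CDEFGHIJKLMNOPQRSTUVWXYZABcdefghijklmnopqrstuvwxyzab0123456789+/"
STANDARD_ALPHABET = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

AES_KEY = b"ijklmnopqrstuvwx"   # 2nd argument to the init routine at 0x401AC2; 16 bytes -> AES-128
AES_IV = b"\x00" * 16           # assumption: all-zero IV ("no IV" in the writeup)
BLOCK = 16


def custom_b64_decode(data: bytes) -> bytes:
    """Map the custom alphabet onto the standard one, then let base64 do the work."""
    table = bytes.maketrans(CUSTOM_ALPHABET, STANDARD_ALPHABET)
    translated = data.strip().translate(table)
    translated += b"=" * (-len(translated) % 4)   # restore padding if the sender dropped it
    return base64.b64decode(translated, validate=True)


def custom_b64_encode(data: bytes) -> bytes:
    """Inverse of custom_b64_decode; what an operator would send as a command."""
    table = bytes.maketrans(STANDARD_ALPHABET, CUSTOM_ALPHABET)
    return base64.b64encode(data).translate(table)


def aes_cbc_decrypt(ciphertext: bytes, key: bytes = AES_KEY, iv: bytes = AES_IV) -> bytes:
    """AES-CBC decrypt whole blocks.  Uses the 'cryptography' package (pip install cryptography)."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    if len(ciphertext) % BLOCK:
        raise ValueError("ciphertext length is not a multiple of the AES block size")
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    return dec.update(ciphertext) + dec.finalize()


def aes_cbc_encrypt(plaintext: bytes, key: bytes = AES_KEY, iv: bytes = AES_IV) -> bytes:
    """Only here to construct sample traffic; zero-pads to a block boundary (assumption)."""
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    plaintext += b"\x00" * (-len(plaintext) % BLOCK)
    enc = Cipher(algorithms.AES(key), modes.CBC(iv)).encryptor()
    return enc.update(plaintext) + enc.finalize()


def decode_response(packet: bytes) -> bytes:
    """Decrypt a captured response and drop the (assumed) zero padding."""
    return aes_cbc_decrypt(packet).rstrip(b"\x00")


if __name__ == "__main__":
    # Constructed sample exchange (not a real capture)
    command = custom_b64_encode(b"ipconfig")
    print("operator sends :", command.decode())
    print("malware runs   :", custom_b64_decode(command).decode())
    try:
        packet = aes_cbc_encrypt(b"Windows IP Configuration\r\n")
        print("malware replies:", packet.hex())
        print("decrypted      :", decode_response(packet).decode())
    except ImportError:
        print("install 'cryptography' to run the AES part")
```

Because the custom alphabet is a plain substitution of the standard one (uppercase and lowercase each rotated by two positions, digits and +/ unchanged), translating the symbols and handing the result to the standard decoder is both simpler and less error-prone than writing a Base64 decoder from scratch; the same trick works for any custom alphabet seen in other samples. If a real capture does not decrypt to readable text with the zero IV and zero padding assumed here, those two assumptions are the first things to revisit.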
