PRACTICAL MALWARE ANALYSIS: MALWARE-FOCUSED NETWORK SIGNATURES (LAB 14-01)

Tools Used

  1. IDA Pro
  2. OllyDbg
  3. Wireshark

Sample:

  1. Lab 14-01.exe SHA256: 6767fd66f28a1d39cb84f59e8a86b3ea99e22d204d2aac821e0d01ac232fba56

VirusTotal:

  • Detection Rate: 48/55
  • Analyzed on 2016-03-18
  • Compilation Date: 2011-02-27 17:54:15
  • View report here

Lab 14-1
Analyze the malware found in file Lab14-01.exe. This program is not harmful
to your system.
Questions
1. Which networking libraries does the malware use, and what are their
advantages?

The networking library used is urlmon, specifically its URLDownloadToCacheFileA function.

Figure 1. urlmon's URLDownloadToCacheFileA

The advantage of using this API call is that the HTTP requests it sends look like typical requests from the victim's browser (including the User-Agent), which makes them blend in with normal traffic.

Figure 2. User-Agent

2. What source elements are used to construct the networking beacon, and
what conditions would cause the beacon to change?

From the figure below, we can observe that the networking beacon is constructed from part of the hardware-profile GUID (the characters at offsets 19h to 24h) returned by GetCurrentHwProfileA, together with the username returned by GetUserNameA.

Based on MSDN, szHwProfileGuid is a globally unique identifier (GUID) string for the current hardware profile. The string returned by GetCurrentHwProfile encloses the GUID in curly braces, {}; for example: {12340001-4980-1920-6788-123456789012}.

Therefore, on a different machine the GUID will be different, which means the beacon will change. In addition, the username is also part of the beacon, so different users logging in to the same infected machine will generate different beacons as well.

Figure 3. GUID & Username

3. Why might the information embedded in the networking beacon be of
interest to the attacker?

So that the attacker has a unique ID with which to keep track of infected machines and the users on them.

4. Does the malware use standard Base64 encoding? If not, how is the
encoding unusual?

Yes, the standard alphabet is used, except that the padding character is different.

Figure 4. Padding 'a' is used instead of '='

To prove this, let's try it in OllyDbg. Set a breakpoint at 0x004013A2 and we can step through the Base64 routine in action. In my test I used AA:AA:AA:AA:AA:AA-AAAAAAAAAAAAA as the input to be encoded. Standard Base64 should give the following result.

Figure 5. Encoding AA:AA:AA:AA:AA:AA-AAAAAAAAAA

However, we got back QUE6QUE6QUE6QUE6QUE6QUEtQUFBQUFBQUFBQUFBQQaa instead, which further confirms what we saw earlier in IDA Pro: 'a' is used instead of '=' for padding.

Figure 6. Encoding in OllyDbg
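To make the beacon construction from question 2 and the padding quirk from question 4 concrete, here is an added example (my own code, not the lab binary's routine) that builds the beacon plaintext from a constructed GUID and username and then encodes it with the malware's 'a' padding. The GUID and username are constructed sample values; the pairwise "XX:XX:..." layout of the GUID characters is inferred from the test input used above rather than read from the binary here. It reproduces the QUE6...QQaa string seen in OllyDbg and shows why decoding such beacons is slightly ambiguous.

```python
import base64
import string

# Constructed sample values (not taken from the lab binary): a hardware-profile
# GUID in the form GetCurrentHwProfileA returns it, and a username.
SAMPLE_GUID = "{12340001-4980-1920-6788-123456789012}"
SAMPLE_USER = "alice"

# Standard Base64 alphabet; only the padding character differs in the malware.
B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def build_beacon(guid: str, user: str) -> str:
    """Beacon plaintext: the 12 GUID characters at offsets 19h..24h (the last
    group of the GUID), grouped in pairs with ':' like a MAC address, then '-'
    and the username.  The pairing layout is an assumption inferred from the
    AA:AA:AA:AA:AA:AA-... test input, not something this code reads from the sample."""
    part = guid[0x19:0x25]
    pairs = [part[i:i + 2] for i in range(0, len(part), 2)]
    return ":".join(pairs) + "-" + user


def custom_base64(data: bytes, pad: str = "a") -> str:
    """Base64 with the standard alphabet but `pad` instead of '=' for padding."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        # Pack up to three bytes into a 24-bit value, zero-filling missing bytes.
        value = int.from_bytes(chunk.ljust(3, b"\0"), "big")
        chars = [B64_ALPHABET[(value >> (18 - 6 * k)) & 0x3F] for k in range(4)]
        keep = n + 1          # 3 bytes -> 4 chars, 2 -> 3 chars, 1 -> 2 chars
        out.append("".join(chars[:keep]) + pad * (4 - keep))
    return "".join(out)


def custom_base64_decode(text: str, pad: str = "a") -> bytes:
    """Strip up to two trailing custom pad characters and decode as normal Base64.
    Caveat for analysts: because 'a' is also a legal data character, a beacon whose
    real encoding ends in 'a' cannot be distinguished from a padded one, so decoded
    beacons should be sanity-checked rather than trusted blindly."""
    n_pad = 0
    while n_pad < 2 and text.endswith(pad * (n_pad + 1)):
        n_pad += 1
    return base64.b64decode(text[:len(text) - n_pad] + "=" * n_pad)


def encode_beacon(guid: str, user: str) -> str:
    """Full pipeline: plaintext beacon -> malware-style Base64 string."""
    return custom_base64(build_beacon(guid, user).encode())


if __name__ == "__main__":
    test_input = b"AA:AA:AA:AA:AA:AA-" + b"A" * 13      # the input used in OllyDbg above
    print(custom_base64(test_input))                    # QUE6...QQaa, matching Figure 6
    print(custom_base64(test_input, pad="="))           # standard Base64 for comparison
    print(build_beacon(SAMPLE_GUID, SAMPLE_USER))       # 12:34:56:78:90:12-alice
    print(encode_beacon(SAMPLE_GUID, SAMPLE_USER))
```

Running it shows that the encoder reproduces the string observed in the debugger and that only the last four characters differ from standard Base64, which is exactly where padding lives.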

5. What is the overall purpose of this malware?

The malware attempts to download a file from the C2 server and execute it, repeating the attempt every 60 seconds.

Figure 7. Download and execute

6. What elements of the malware’s communication may be effectively
detected using a network signature?

We can use the following elements to detect this malware:

  1. Domain: http://www.practicalmalwareanalysis.com
  2. GET request ends with /[%c].png
  3. GET request path matches the following pattern (inside a character class "|" is a literal, so the class is written [A-Za-z0-9] here; strictly, Base64 output can also contain "+" and "/"): "/[A-Za-z0-9]{3}6[A-Za-z0-9]{3}6[A-Za-z0-9]{3}6[A-Za-z0-9]{3}6[A-Za-z0-9]{3}6[A-Za-z0-9]{3}t[A-Za-z0-9]*\/[A-Za-z0-9].png/"

Figure 8. Online regex tool
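The pattern above works because of how the beacon's plaintext aligns with Base64: each "XX:" pair encodes to four characters ending in "6" (':' is 0x3A, whose low six bits are 58, the index of '6') and the "XX-" pair ends in "t" ('-' is 0x2D, low six bits 45, the index of 't'). The following added example (my own detection code, not from the page or the book) turns the three elements from question 6 into checks run over constructed HTTP requests, and contrasts them with the static-string mistake from question 7. The sample requests, hostnames other than the C2 domain, and the choice of the encoded string's last character as the "%c" in "/[%c].png" are assumptions made for the example.

```python
import base64
import re

# Base64 alphabet (padding 'a' is already inside the class).
B64 = r"[A-Za-z0-9+/]"

# Five "XX:" groups ending in '6', one "XX-" group ending in 't', the encoded
# username, then "/<one char>.png".
BEACON_PATH = re.compile(
    r"^/(?:" + B64 + r"{3}6){5}" + B64 + r"{3}t" + B64 + r"*/" + B64 + r"\.png$"
)
REQUEST_LINE = re.compile(r"^GET (\S+) HTTP/1\.[01]$")
C2_HOST = "www.practicalmalwareanalysis.com"


def parse_request(raw: str) -> dict:
    """Minimal parser for the head of an HTTP request: request line plus headers."""
    lines = raw.strip("\r\n").split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return {}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"path": m.group(1), "headers": headers}


def match_signatures(raw: str) -> list:
    """Return the question-6 elements this request trips, in a fixed order."""
    req = parse_request(raw)
    if not req:
        return []
    hits = []
    if req["headers"].get("host", "").lower() == C2_HOST:
        hits.append("c2-domain")
    if BEACON_PATH.match(req["path"]):
        hits.append("beacon-path")
    return hits


# The question-7 mistake: a signature on one observed beacon string.
STATIC_SIG = "MTI6MzQ6NTY6Nzg6OTA6MTItYWxpY2Ua"


def static_string_hit(raw: str) -> bool:
    """A static-string signature only fires on the exact beacon it was written from."""
    req = parse_request(raw)
    return bool(req) and STATIC_SIG in req["path"]


def beacon_request(plaintext: bytes, host: str = C2_HOST) -> str:
    """Constructed request in the malware's shape (assumption: the single
    character before .png is the last character of the encoded beacon)."""
    enc = base64.b64encode(plaintext).decode().replace("=", "a")
    return f"GET /{enc}/{enc[-1]}.png HTTP/1.1\r\nHost: {host}\r\n\r\n"


# Constructed sample traffic: two beacons from the same machine with different
# users, a benign request elsewhere, and a non-beacon request to the C2 host.
SAMPLE_ALICE = beacon_request(b"12:34:56:78:90:12-alice")
SAMPLE_BOB = beacon_request(b"12:34:56:78:90:12-bob")
SAMPLE_BENIGN = "GET /images/logo.png HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SAMPLE_SAME_HOST = f"GET /index.html HTTP/1.1\r\nHost: {C2_HOST}\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("alice", SAMPLE_ALICE), ("bob", SAMPLE_BOB),
                      ("benign", SAMPLE_BENIGN), ("same-host", SAMPLE_SAME_HOST)]:
        print(f"{name:10s} path={parse_request(req).get('path')!r:45s} "
              f"structural={match_signatures(req)} static={static_string_hit(req)}")
```

The run shows the structural pattern firing on both users' beacons while the static string catches only the one it was copied from, and the domain check alone flagging a request that is not a beacon; in practice the domain and path elements are best combined in one rule.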

7. What mistakes might analysts make in trying to develop a signature for
this malware?

  1. Thinking that the GET request contains a static Base64 string
  2. Thinking that the file requested is always "a.png"

8. What set of signatures would detect this malware (and future variants)?

Refer to question 6.
