Tools Used

  1. IDA Pro
  2. OllyDbg
  3. Cerbero Profiler


  1. Lab14-02.exe SHA256: 435be1c6e904836ad65f97f3eac4cbe19ee7ba0da48178fc7f00206270469165

  • Detection Rate: 39/56
  • Analyzed on 2016-03-18
  • Compilation Date: 2009-01-08 01:37:00

Lab 14-2
Analyze the malware found in file Lab14-02.exe. This malware has been configured
to beacon to a hard-coded loopback address in order to prevent it
from harming your system, but imagine that it is a hard-coded external

1. What are the advantages or disadvantages of coding malware to use
direct IP addresses?

Figure 1. IP in String Resource


If the attacker's IP were to be blocked, other variants of the same malware that use a different IP would not be affected.


If the IP is blacklisted as malicious and blocked by the feds, the attacker would lose access to the malware. If the attacker had used a domain name, he could simply point it at another IP.

2. Which networking libraries does this malware use? What are the advantages
or disadvantages of using these libraries?

Figure 2. WININET

The malware uses the WinINet library.


Caching and cookies are handled automatically by the OS. If the cache is not cleared before a file is re-downloaded, the malware could receive the cached file instead of the new code it needs to download.


The User-Agent must be set by the malware author; usually it is hard-coded.

3. What is the source of the URL that the malware uses for beaconing?
What advantages does this source offer?

As shown in figure 1, the URL is hidden in the string resource. Once the malware is compiled, the attacker only needs to edit the resource to point at another IP, without recompiling the malware. Using a resource also avoids the need for a separate config file.

4. Which aspect of the HTTP protocol does the malware leverage to
achieve its objectives?

Two threads are created by the malware: one sends data out in the User-Agent field after encoding it with a custom Base64 alphabet, and the other receives data.

Figure 3. Read Data
Figure 4. Send Data

The Read Data thread uses the static User-Agent “Internet Surf”, as shown below.

Figure 5. Internet Surf User-agent

5. What kind of information is communicated in the malware’s initial

Setting a breakpoint at 0x00401750, we break before the malware attempts to send packets out. Here you can see the custom Base64-encoded data being packaged, ready to send.

Figure 6. Base64 encoded data

The decoded text is the cmd.exe prompt.

Figure 7. Decoded Base64

6. What are some disadvantages in the design of this malware’s communication

  1. Only outgoing traffic is encoded, so incoming commands are in plain text for a defender to see.
  2. The User-Agent used by one of the threads is hard-coded, which makes it easy to write a signature to detect it.
  3. The other User-Agent (the encoded data) looks out of place, and a defender can spot it by going through the packet headers.

7. Is the malware’s encoding scheme standard?

No. The custom Base64 alphabet can be seen in the following figure.

Figure 8. Custom base64 key
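The two traits called out in questions 4, 6 and 7 (a hard-coded User-Agent on one thread, and outbound data carried in the User-Agent as custom-alphabet Base64) are exactly what a defender can key on. The following Python is an added example, not code from the lab or the write-up: it decodes custom-alphabet Base64 by translating the custom alphabet back to the standard one, then runs a small check over constructed proxy-log lines. The alphabet, the log lines, the loopback URL path and the decoded prompt text are all constructed placeholders; the real key is only visible in Figure 8 and is not reproduced here.

```python
"""Custom-alphabet Base64 decoding plus a User-Agent check over sample log lines.

Added example for the Lab 14-2 write-up. CUSTOM_ALPHABET is a constructed
placeholder (a rotation of the standard alphabet), NOT the key from Lab14-02.exe.
"""
import base64
import binascii
import re
import string
from typing import List, Optional, Tuple

STANDARD_ALPHABET = (
    string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
)
# Assumption: placeholder alphabet standing in for the one shown in Figure 8.
CUSTOM_ALPHABET = STANDARD_ALPHABET[13:] + STANDARD_ALPHABET[:13]

# Hard-coded User-Agent of the Read Data thread (Figure 5).
STATIC_UA = "Internet Surf"


def _check_alphabet(alphabet: str) -> None:
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 unique characters")


def custom_b64_encode(raw: bytes, alphabet: str = CUSTOM_ALPHABET) -> str:
    """Standard Base64, then map each symbol into the custom alphabet."""
    _check_alphabet(alphabet)
    std = base64.b64encode(raw).decode("ascii").rstrip("=")
    return std.translate(str.maketrans(STANDARD_ALPHABET, alphabet))


def custom_b64_decode(data: str, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Map custom symbols back to the standard alphabet, re-pad, and decode."""
    _check_alphabet(alphabet)
    std = data.translate(str.maketrans(alphabet, STANDARD_ALPHABET))
    std += "=" * (-len(std) % 4)          # restore padding if the sender stripped it
    return base64.b64decode(std, validate=True)


def decodes_to_text(value: str, alphabet: str = CUSTOM_ALPHABET) -> Optional[bytes]:
    """Return decoded bytes when `value` decodes with the custom alphabet to printable text."""
    if len(value) < 8 or not re.fullmatch(r"[A-Za-z0-9+/=]+", value):
        return None
    try:
        decoded = custom_b64_decode(value, alphabet)
    except (ValueError, binascii.Error):
        return None
    if decoded and all(32 <= b < 127 or b in b"\r\n\t" for b in decoded):
        return decoded
    return None


# Pull the quoted User-Agent at the end of a log line.
UA_RE = re.compile(r'"([^"]*)"\s*$')


def check_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Flag lines whose User-Agent is the hard-coded one or decodes as custom Base64."""
    findings = []
    for line in lines:
        match = UA_RE.search(line)
        if not match:
            continue
        ua = match.group(1)
        if ua == STATIC_UA:
            findings.append((line, "hard-coded User-Agent", ua))
            continue
        decoded = decodes_to_text(ua)
        if decoded is not None:
            findings.append((line, "custom Base64 in User-Agent", decoded.decode("ascii")))
    return findings


# Constructed sample: a benign request, the Read Data beacon, and a Send Data
# request carrying an (assumed) cmd.exe prompt encoded with the placeholder key.
SAMPLE_PROMPT = b"C:\\Windows\\system32>"
SAMPLE_LOG = [
    'GET http://127.0.0.1/beacon "Mozilla/4.0 (compatible; MSIE 7.0)"',
    'GET http://127.0.0.1/beacon "Internet Surf"',
    'GET http://127.0.0.1/beacon "%s"' % custom_b64_encode(SAMPLE_PROMPT),
]

if __name__ == "__main__":
    for line, reason, detail in check_log(SAMPLE_LOG):
        print(f"{reason}: {detail!r}\n    {line}")
```

Swap CUSTOM_ALPHABET for the key recovered from Figure 8 and the same check works on real captures; the printable-text filter keeps ordinary Base64-looking User-Agent strings from being reported when they decode to garbage under the custom alphabet.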

8. How is communication terminated?

In the subroutine at 0x00401800, once the malware reads the string exit from the C2 server, the thread exits.

Figure 9. exit keyword

9. What is the purpose of this malware, and what role might it play in the
attacker’s arsenal?

A reverse shell over HTTP. On termination, the malware calls a subroutine (0x00401880) that deletes itself from the system.

Figure 10. self delete
