- IDA Pro
- Cerbero Profiler
- Lab14-02.exe SHA256: 435be1c6e904836ad65f97f3eac4cbe19ee7ba0da48178fc7f00206270469165
- Detection Rate: 39/56
- Analyzed on 2016-03-18
- Compilation Date: 2009-01-08 01:37:00
Analyze the malware found in file Lab14-02.exe. This malware has been configured
to beacon to a hard-coded loopback address in order to prevent it
from harming your system, but imagine that it is a hard-coded external
1. What are the advantages or disadvantages of coding malware to use
direct IP addresses?
If the attacker's IP were blocked, other variants of the same malware that use a different IP would not be affected.
If the IP is blacklisted as malicious and blocked by the feds, the attacker loses access to the malware. If the attacker had used a domain name instead, he could simply repoint it to another IP.
2. Which networking libraries does this malware use? What are the advantages
or disadvantages of using these libraries?
WININET library is used by this malware.
Caching and cookies are handled automatically by the OS. If the cache is not cleared before a file is re-downloaded, the malware could receive a cached copy instead of the new code it needs to download.
The user agent needs to be set by the malware author and is usually hard-coded.
3. What is the source of the URL that the malware uses for beaconing?
What advantages does this source offer?
As shown in figure 1, the URL is hidden in the string resource. Once the malware is compiled, the attacker only needs to edit the resource to point at another IP, without recompiling. Using a resource also removes the need for a separate config file.
4. Which aspect of the HTTP protocol does the malware leverage to
achieve its objectives?
Two threads are created by the malware. One sends data out in the User-Agent field after encoding it with a custom base64; the other receives data.
The read-data thread uses the static user agent "Internet Surf", as shown below.
5. What kind of information is communicated in the malware’s initial
Setting a breakpoint at 0x00401750, we break before the malware attempts to send packets out. Here you can see the custom base64-encoded data being packaged, ready to send.
The decoded text is the cmd.exe prompt.
6. What are some disadvantages in the design of this malware’s communication
- Only outgoing traffic is encoded, so incoming commands are in plaintext for a defender to see.
- The user agent used by one of the threads is hard-coded, which makes it easy to write a signature to detect it.
- The other user agent looks out of place, and a defender can spot it by going through the packet headers.
7. Is the malware’s encoding scheme standard?
No. We can see the custom base64 key in the following figure.
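The two weaknesses above (a static "Internet Surf" user agent on one thread and a base64-looking user agent on the other) and the custom alphabet in question 7 together give a defender a cheap detection: flag the static UA, and try to decode any UA that looks like base64 with the malware's alphabet. The script below is an added example for this write-up, not code from the lab or the malware. The real custom alphabet is in the figure referenced above and is not reproduced here; the script uses a rotated standard alphabet as a stand-in, and the proxy log lines and the log format are constructed for the demonstration.

```python
import base64
import binascii
import re

# Standard base64 alphabet; a custom scheme swaps this for its own ordering.
STD_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Placeholder for the malware's custom alphabet (the real one is in the
# write-up's figure). A rotation of the standard alphabet is used so the
# example runs; swap in the recovered alphabet for real traffic.
CUSTOM_ALPHABET = STD_ALPHABET[17:] + STD_ALPHABET[:17]

# Static user agent the write-up observed on the read-data thread.
STATIC_UA = "Internet Surf"

# Constructed proxy log format: client method url "user-agent"
LOG_LINE = re.compile(r'^(?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
# Anything made only of base64 characters plus optional padding.
B64_SHAPE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def custom_b64_decode(text, alphabet=CUSTOM_ALPHABET):
    """Decode base64 produced with a non-standard alphabet.

    Translate each character back to the standard alphabet, then let the
    stock decoder finish. Padding '=' is not in the alphabet and passes
    through unchanged. Returns None if the input is not valid base64.
    """
    table = str.maketrans(alphabet, STD_ALPHABET)
    try:
        return base64.b64decode(text.translate(table), validate=True).decode("latin-1")
    except (binascii.Error, ValueError):
        return None


def custom_b64_encode(data, alphabet=CUSTOM_ALPHABET):
    """Inverse of custom_b64_decode; used here only to build sample traffic."""
    table = str.maketrans(STD_ALPHABET, alphabet)
    return base64.b64encode(data.encode("latin-1")).decode("ascii").translate(table)


def looks_printable(text):
    """True if the decoded bytes read like a console transcript."""
    return all(32 <= ord(c) < 127 or c in "\r\n\t" for c in text)


def classify_request(line):
    """Return (kind, detail) for a suspicious request, or None if benign-looking."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ua = m.group("ua")
    if ua == STATIC_UA:
        return ("static-ua", ua)
    # A browser UA has spaces and punctuation; a beacon UA is pure base64.
    if len(ua) >= 8 and len(ua) % 4 == 0 and B64_SHAPE.fullmatch(ua):
        decoded = custom_b64_decode(ua)
        if decoded is not None and looks_printable(decoded):
            return ("encoded-ua", decoded)
    return None


def scan_log(lines):
    """Scan log lines and return (line_number, kind, detail) for each hit."""
    hits = []
    for number, line in enumerate(lines, start=1):
        result = classify_request(line)
        if result is not None:
            hits.append((number, result[0], result[1]))
    return hits


# Constructed sample: one normal browser request, one read-thread beacon, and
# one send-thread beacon carrying an encoded cmd.exe prompt.
SAMPLE_LOG = [
    '10.0.0.5 GET http://127.0.0.1/page.htm "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/45.0"',
    '10.0.0.5 GET http://127.0.0.1/page.htm "Internet Surf"',
    '10.0.0.5 GET http://127.0.0.1/page.htm "' + custom_b64_encode("C:\\Users\\victim>") + '"',
]

if __name__ == "__main__":
    for number, kind, detail in scan_log(SAMPLE_LOG):
        print(f"line {number}: {kind}: {detail!r}")
```

Because the custom alphabet is a permutation of the standard character set, the shape check works unchanged; only the translation table needs the recovered key. The printable check is what separates a genuine beacon from an unrelated base64-looking token that happens to decode to garbage.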
8. How is communication terminated?
In the subroutine at 0x00401800, once the malware reads the word exit from the C2 server, the thread exits.
9. What is the purpose of this malware, and what role might it play in the
A reverse shell over HTTP. On termination of the malware, a subroutine (0x00401880) is called to delete it from the system.