PRACTICAL MALWARE ANALYSIS: ANTI-DISASSEMBLY (LAB 15-03)

Tools Used

  1. IDA Pro
  2. HxD

Sample:

  1. Lab15-03.exe SHA256:b2a6e13fab9d8fa32acbfaa346f2987c35f7d7c0ba7547aa8524b20cde63773b

VirusTotal:

  • Detection Rate: 37/54
  • Analyzed on 2016-03-14
  • Compilation Date: 2011-02-05 05:40:38
  • View report here

Lab 15-3
Analyze the malware found in the file Lab15-03.exe. At first glance, this binary
appears to be a legitimate tool, but it actually contains more functionality
than advertised.
Questions
1. How is the malicious code initially called?

At the start of the program, the return address on the stack is overwritten with the address of the malicious code: the stack slot holding the return address is written with 0x40148c.

Figure 1. Overwriting the return address

2. What does the malicious code do?

Figure 2. SEH

At 0x40148c we can see the malware installing a SEH handler (0x4014C0) via fs:0. It then performs a divide by zero so that the resulting exception triggers the handler.

The handler downloads a file from a URL and executes it via WinExec.

Figure 3. SEH handler


3. What URL does the malware use?

I decided to write a script to decode the URL. The decoding function is simple: it just negates each input byte.

Figure 4. Decoded URL

The URL is: http://www.practicalmalwareanalaysis.com/tt.html

4. What filename does the malware use?

spoolsrv.exe

Figure 5. Decoded filename
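The decoder the writeup refers to, written out as an added example that covers both Q3 and Q4 above. This is my own stand-alone code, not the author's IDA script and not anything taken from the binary. The page only says the routine "negates" each byte; whether that means bitwise NOT (XOR 0xFF) or two's-complement NEG is an assumption here, so both are supported. The encoded sample buffers are constructed from the URL and filename the writeup recovered, not extracted from Lab15-03.exe.

```python
# Added example, not the writeup's IDA script: a stand-alone decoder for the
# "negate each byte" scheme the author describes. "Negate" can mean bitwise NOT
# (XOR 0xFF) or two's-complement NEG; both are their own inverse, so one routine
# serves as encoder and decoder. Which of the two Lab15-03.exe uses is an
# assumption here, so both modes are offered.
import re


def negate(buf: bytes, mode: str = "not") -> bytes:
    """Apply bitwise NOT or two's-complement NEG to every byte of buf."""
    if mode == "not":
        return bytes((~b) & 0xFF for b in buf)
    if mode == "neg":
        return bytes((-b) & 0xFF for b in buf)
    raise ValueError(f"unknown mode {mode!r}")


def decode_cstring(buf: bytes, mode: str = "not") -> str:
    """Decode buf and return the text up to the first NUL, which is what the
    malware's own string handling would see. Non-printable output raises so a
    wrong mode guess is noticed instead of being passed on to a sink such as
    a URL-download or WinExec call in a larger tool."""
    plain = negate(buf, mode).split(b"\x00", 1)[0]
    text = plain.decode("ascii")
    if not text.isprintable():
        raise ValueError("decoded bytes are not printable; try the other mode")
    return text


def extract_urls(text: str) -> list[str]:
    """Pull http(s) URLs out of decoded text for an indicator list."""
    return re.findall(r"https?://[^\s\"'<>]+", text)


# Constructed sample buffers: the two strings the writeup recovered, encoded
# with the self-inverse transform plus a NUL terminator, laid out the way they
# might sit in the binary's data section. Not bytes from Lab15-03.exe.
URL = "http://www.practicalmalwareanalaysis.com/tt.html"
FILENAME = "spoolsrv.exe"
ENCODED_URL_NOT = negate(URL.encode("ascii") + b"\x00", "not")
ENCODED_FILENAME_NEG = negate(FILENAME.encode("ascii") + b"\x00", "neg")


if __name__ == "__main__":
    print("encoded URL (NOT):     ", ENCODED_URL_NOT.hex())
    print("decoded URL:           ", decode_cstring(ENCODED_URL_NOT, "not"))
    print("indicators:            ", extract_urls(decode_cstring(ENCODED_URL_NOT, "not")))
    print("decoded filename (NEG):", decode_cstring(ENCODED_FILENAME_NEG, "neg"))
```

Because NOT(b) equals NEG(b) minus one modulo 256, guessing the wrong mode does not produce garbage but text shifted by one character code ("iuuq" instead of "http"), so compare the output against strings visible elsewhere in the sample rather than trusting that it merely looks like ASCII.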