Practical Malware Analysis: Lab 1-1

August 24, 2017 - 4 minute read -
malware analysis practical-malware-analysis reverse-engineering

I am beginning an new series of blog posts to document my research as I work through the Practical Malware Analysis book and labs. This is the first blog post in that series beginning with Lab 1-1.

Overview

The Lab 1-1 malware that is to be analyized using basic static analysis techniques consists of two files:

  • Lab01-01.exe
  • Lab01-01.dll

The following are the tasks required to complete the lab exercise:

Basic Static Analysis

VirusTotal?

Upload the files to http://www.virustotal.com. Does either file match any existing antivirus signatures?

Uploading both files to VirusTotal indicates that both the .exe and .dll match existing signatures. This is depicted in the following screen captures:

Lab01-01.exe

Lab01-01.exe Virus Total 1 Lab01-01.exe Virus Total 2

Lab01-01.dll

Lab01-01.dll Virus Total 1 Lab01-01.dll Virus Total 2

Compilation Time?

When where these files compiled?

Opening both the dll and exe in PEview should give an idea of when the files were compiled.

Lab01-01.exe

The executable appears to have been compiled on December 19th, 2010 at 16:16:19 UTC (2010/12/19 Sun 16:16:19 UTC)

Lab01-01.exe PEView

Lab01-01.dll

The dll appears to have been compiled on December 19th, 2010 at 16:16:38 UTC (2010/12/19 Sun 16:16:38 UTC)

Lab01-01.dll PEView

Both the executable and dll compilation times are within a few seconds from one another which seems to indicate that they were compiled in the same compilation process.

Packed or Obfuscated?

Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

PEid

Opening both the executable and dll in PEid is a good first start to check for packer usage:

Lab01-01.exe

Lab01-01.exe PEid

Lab01-01.dll

Lab01-01.dll PEid

Running the executable and dll through PEid doesn’t show any signs of a packer being used. PEid is able to determine that Microsoft Visual C++ 6.0 appears to be the compiler that was used. The analysis of the dll indicates that the subsystem is Win32 GUI so this seems to indicate that there is a GUI component to this malware.

Another check that can be done to determine if packing or obfuscation is taking place is the use of the strings utility:

Strings

Running strings on the executable shows:

.. snip ..

CloseHandle
UnmapViewOfFile
IsBadReadPtr
MapViewOfFile
CreateFileMappingA
CreateFileA
FindClose
FindNextFileA
FindFirstFileA
CopyFileA
KERNEL32.dll
malloc
exit
MSVCRT.dll
kerne132.dll
kernel32.dll
.exe
C:\*
C:\windows\system32\kerne132.dll
Kernel32.
Lab01-01.dll
C:\Windows\System32\Kernel32.dll
WARNING_THIS_WILL_DESTROY_YOUR_MACHINE

There seems to be a decent amount of information returned. In the scenario of a packed or obfuscated file, very few legible strings would be found.

Doing the same on the dll shows:

.. snip ..

CloseHandle
Sleep
CreateProcessA
CreateMutexA
OpenMutexA
KERNEL32.dll
WS2_32.dll
strncmp
MSVCRT.dll
free
malloc
exec
sleep
hello
127.26.152.13
SADFHUHF

.. snip ..

While not as many strings are returned, there are still seems to be a good amount of information returned. An ip address, exec, sleep, and other functions are found.

IDAPro

Another technique that can be used to determine if the malware is packed is to utilize IDAPro to see if the instructions seem reasonable and if there is any evidence of jumping to a decoder stub:

Lab01-01.exe

Lab01-01.exe IDAPro

Lab01-01.dll

Lab01-01.dll IDAPro

Looking at both the exe and dll within IDAPro show that the instructions do not appear to jump to a decoder stub of any kind and the instructions are clearly visible.

Imports Indicate Malware Functionality?

Do any imports hint at what this malware does? If so, which imports are they?

Lab01-01.exe

The imports of Lab01-01.exe contain:

  • CreateFileA
  • FindNextFileA
  • FindFirstFileA
  • CopyFileA

Based on the imports, the executable appears to:

  • Search for a file(s)
  • Copies a file(s)

Lab01-01.dll

The imports of Lab01-01.dll contain:

  • Sleep
  • CreateProcessA
  • CreateMutexA
  • OpenMutexA
  • CloseHandle
  • socket
  • inet_addr
  • connect
  • send
  • recv
  • closesocket

Based on these imports it appears that:

  • A socket connection is made to an external server and data is sent and received.
  • A process is created
  • That a process sleeps at some point

Hypothesis

Based on the strings and imports it seems like this is a backdoor program that creates a socket connection to 127.26.152.13. Usage / tampering of kernel32 seems likely to occur as well based upon the FindFile / FindFirstFile usage, the strings C:\*, C:\windows\system32\kerne132.dll, and C:\windows\system32\kernel32.dll.

File or Host-Based Indicators?

Are there any other files or host-based indicators that you could look for on infected systems?

A file based indicator of this malware would be: C:\windows\system32\kerne132.dll. Finding this file on a system would likely indicate the presence of the malware.

Network-Based Indicators?

What network-based indicators could be used to find this malware on infected machines?

Network activity to 127.26.152.13 would be a network-based indicator of the malware being present on a system.

Purpose of Files?

What would you guess is the purpose of these files?

Based on the imports and strings in the exe and dll, it would appear that the dll contains backdoor functionality and the exe is used to run, infect, and or install the backdoor.

Conclusion

It was really fun and interesting analyzing and reporting on the first malware in this lab exercise. I look forward to doing again for Lab01-02.exe.