This is my analysis of the malware for Lab01-04 from the Practical Malware Analysis book exercises.
The Lab 1-4 malware that is to be analyzed using basic static analysis techniques consists of the file
The following are the tasks required to complete the lab exercise:
Basic Static Analysis
Upload the Lab01-04.exe file to http://www.virustotal.com. Does it match any existing antivirus definitions?
According to VirusTotal, this malware does match existing antivirus definitions.
Packed or Obfuscated?
Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
Running strings on the executable yields:
We can see that there is actually quite a bit of information found by using the strings application. It is probably safe to say that this is not packed or obfuscated. Let's check it out in IDA Pro just to be safe.
IDA Pro has no issues loading the file, so no alerts about packing or obfuscation are given. The instructions are very clear: it can be seen which libraries are getting loaded and which functions are getting called.
At this point I’m convinced that this is not packed or obfuscated.
Imports Hint at Functionality?
The imports indicate a few things:
LoadResource, FindResource, and SizeOfResource indicate that data is loaded from the resource section
GetWindowsDirectory indicates that files may be written to the system directory
WinExec indicates that a program gets executed
WriteFile indicates that a file gets created and written to
URLDownloadToFileA points at something being downloaded to a file
EnumProcesses gets an array of process IDs
SeDebugPrivilege indicates that this malware may inject code into another process that it doesn't own
Host- or Network-Based Indicators?
For host-based indicators, the following files could indicate that the host is infected:
Network activity to http://www.practicalmalwareanalysis.com/updater.exe could be a network-based indicator that this malware is present.
Bonus Round: Resource Section
Because the imports seem to indicate that something is loaded from the resource section, Resource Hacker can be used to see what may live there:
The string we found earlier, "!This program cannot be run in DOS mode.", appears to indicate that this binary is actually another executable living in the resource section. Saving this as a binary lets us analyze it just like any other executable.
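As an added example (not code from the post or the book), here is a small Python carver that does what the Resource Hacker step above does by hand: it locates an embedded PE inside a container blob, validates the MZ and PE headers, and derives the embedded image's on-disk length from its section table so the file can be saved and analyzed on its own. The container and the inner PE are constructed test data, not bytes from Lab01-04.exe.

```python
import struct

# The DOS stub text the post spotted in Resource Hacker; kept as a sanity hint.
DOS_STUB_MSG = b"This program cannot be run in DOS mode."

def pe_length(buf, off):
    """Validate a PE image starting at buf[off:] and return its on-disk length
    (end of the last raw section, overlays excluded), or None if not a PE."""
    if buf[off:off + 2] != b"MZ" or off + 0x40 > len(buf):
        return None
    e_lfanew, = struct.unpack_from("<I", buf, off + 0x3C)
    pe = off + e_lfanew
    if pe + 24 > len(buf) or buf[pe:pe + 4] != b"PE\0\0":
        return None
    nsect, = struct.unpack_from("<H", buf, pe + 6)      # NumberOfSections
    opt_size, = struct.unpack_from("<H", buf, pe + 20)  # SizeOfOptionalHeader
    table = pe + 24 + opt_size                          # section table start
    if table + nsect * 40 > len(buf):
        return None
    end = table - off + nsect * 40                      # at least the headers
    for i in range(nsect):
        raw_size, raw_ptr = struct.unpack_from("<II", buf, table + i * 40 + 16)
        end = max(end, raw_ptr + raw_size)
    return end if off + end <= len(buf) else None

def carve_embedded_pes(buf):
    """Return [(offset, image_bytes)] for every valid PE found in buf at a
    non-zero offset, i.e. excluding the container's own header."""
    found, pos = [], buf.find(b"MZ", 1)
    while pos != -1:
        n = pe_length(buf, pos)
        if n:
            found.append((pos, buf[pos:pos + n]))
        pos = buf.find(b"MZ", pos + 2)
    return found

def build_minimal_pe(section_data):
    """Construct a tiny, non-runnable PE (DOS header + stub text, PE signature,
    COFF header, no optional header, one .rsrc section) for testing only."""
    stub = b"!" + DOS_STUB_MSG + b"\r\n$"
    e_lfanew = 0x40 + len(stub)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x0102)
    hdr_len = e_lfanew + 4 + 20 + 40
    sect = b".rsrc\0\0\0" + struct.pack("<IIIIIIHHI", len(section_data), 0x1000,
                                          len(section_data), hdr_len, 0, 0, 0, 0, 0x40000040)
    return dos + stub + b"PE\0\0" + coff + sect + section_data

# Constructed container: filler with a decoy "MZ", the embedded PE, then a tail.
INNER = build_minimal_pe(b"inner section bytes")
CONTAINER = b"\0" * 16 + b"MZ" + b"\0" * 70 + INNER + b"overlay tail"

if __name__ == "__main__":
    for off, img in carve_embedded_pes(CONTAINER):
        print(f"embedded PE at offset {off:#x}, {len(img)} bytes")
```

On a real sample, pass the bytes of the whole file (or of the dumped resource) as `buf` and write each returned image to disk with a `.bin` extension before loading it into IDA Pro.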
Viewing the executable in IDA Pro, we can see the instructions that it tries to perform. In this particular screenshot, we can see it attempting to call out to
This malware was particularly interesting because of its use of the resource section to contain another executable. I’m not 100% sure what the advantage of doing something like this might be but upon thinking about it a bit more, I think that by organizing the malware in this way, the particularly malicious parts of the malware don’t appear on the system right away. They show up after the downloader portion is extracted from the resource section of the executable and downloads the main payload, adding 2 layers of obfuscation as to what the malware’s true intentions might be. I wonder what sort of tricks the next lab will hold…