This is my analysis of the malware for Lab03-02 from the Practical
Malware Analysis book exercises.
Overview
For Lab03-02 we must analyze the malware found in the file
Lab03-02.dll using basic dynamic analysis tools.
The following are the tasks required to complete the lab exercise:
Analysis
Basic Analysis
Before performing any dynamic analysis we want to see what sort of
information can be gathered without having to run the malware first.
Strings
Looking at the strings this malware contains reveals:
Of particular interest are:
Based on the strings we see, it appears that the malware will most
likely attempt to make an internet connection to
practicalmalwareanalysis.com. It also appears that this malware
modifies the registry and installs a service.
Lab Questions
How can you get this malware to install itself?
Since this malware is a Windows DLL we have a couple of options for how
we can get it to install itself. We can either utilize rundll32.exe
which is provided by Windows or we can attempt to modify the DLL PE
header and change its extension to force Windows to load the DLL as
it would an executable. Let’s try the former.
To utilize rundll32.exe we will need to know the name of the DLL we
want to analyze and the function name or ordinal of an exported
function. Utilizing IDA Pro we can see what functions the DLL
exports. Reviewing the exports we see a function called installA:
Before attempting to run the DLL, we will want to do a bit of
preparation. We will:
Take a snapshot of the registry with RegShot
Set up ApateDNS to look for DNS requests
Set up Process Explorer to monitor the processes on the system
Take a snapshot of the VirtualBox VM to revert to
We then attempt to install the malware by running rundll32.exe
Lab03-02.dll installA. After installation another registry snapshot
is taken and compared with the first. The comparison yields:
This seems to indicate that the malware has been installed successfully.
How would you get this malware to run after installation?
We can see that a new service called IPRIP has had registry entries
added for it. Since we know the service name we may now attempt to
start the service and begin dynamic analysis. We can attempt to
start the service using:
ApateDNS indicates that the malware did attempt to
make a connection to practicalmalwareanalysis.com. It appears that
we have successfully run the installed malware.
How can you find the process under which this malware is running?
After starting the service we do a search for Lab03-02.dll in
Process Explorer. We can see in Process Explorer that Lab03-02.dll
has been loaded into svchost.exe with PID 1048.
Which filters could you set in order to use procmon to glean information?
In procmon the PID can be used as the filter.
What are the malware’s host-based indicators?
The malware installs a service called IPRIP. It has a display name of
Intranet Network Awareness (INA+). Its description is, “Depends INA+,
Collects and stores network configuration and location information ,
and notifies applications when this information changes.”
It writes:
HKLM\SYSTEM\ControlSet001\Services\IPRIP\Parameters\ServiceDll:
%CurrentDirectory%\Lab03-02.dll in the registry for persistence.
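The ServiceDll indicator above can be hunted for offline. The following Python script is an added example, not part of the original write-up: it parses a regedit .reg export of the Services key and lists svchost services whose ServiceDll is loaded from outside System32. The export text, the ExampleSvc service and the C:\Lab path are constructed sample data, and the System32 rule is a triage heuristic that produces candidates for review, not a verdict.

```python
import re

# Assumption: service DLLs under System32 are treated as expected; anything else is reviewed.
SAFE_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

def decode_value(raw):
    """Decode a .reg value: quoted REG_SZ, or hex(2): REG_EXPAND_SZ stored as UTF-16LE."""
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    return raw.strip('"').replace("\\\\", "\\")

def service_dlls(reg_text):
    """Yield (service, dll_path) for each Services\\<name>\\Parameters\\ServiceDll value."""
    text = re.sub(r",\\\r?\n\s*", ",", reg_text)  # join hex data wrapped with ",\"
    key_re = re.compile(
        r"\[HKEY_LOCAL_MACHINE\\SYSTEM\\[^\\]+\\Services\\([^\\\]]+)\\Parameters\]$", re.I)
    service = None
    for line in text.splitlines():
        if line.startswith("["):
            m = key_re.match(line)
            service = m.group(1) if m else None
        elif service and line.lower().startswith('"servicedll"='):
            yield service, decode_value(line.split("=", 1)[1])

def suspicious(reg_text):
    """Return services whose ServiceDll path does not start with a System32 prefix."""
    return [(s, p) for s, p in service_dlls(reg_text)
            if not p.lower().startswith(SAFE_PREFIXES)]

def as_hex2(path):
    """Build a wrapped hex(2) value the way regedit exports REG_EXPAND_SZ (sample helper)."""
    hx = [f"{b:02x}" for b in (path + "\0").encode("utf-16-le")]
    return "hex(2):" + ",".join(hx[:20]) + ",\\\n  " + ",".join(hx[20:])

# Constructed sample export: one benign-looking service and the IPRIP entry from this lab.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ExampleSvc\Parameters]",
    '"ServiceDll"=' + as_hex2(r"%SystemRoot%\System32\example.dll"),
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\IPRIP\Parameters]",
    '"ServiceDll"=' + as_hex2(r"C:\Lab\Lab03-02.dll"),
])

if __name__ == "__main__":
    for name, path in suspicious(SAMPLE):
        print(f"review: service {name} loads {path}")
```

A real export written by regedit is UTF-16, so read it with open(path, encoding="utf-16") before passing the text to suspicious().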
Are there any useful network-based signatures for this malware?
It attempts to do a GET request to
practicalmalwareanalysis.com/serve.html over port 80 with User-Agent: