Learning of malware analysis. Basic static analysis labs from "Practical Malware Analysis" book

Hello there

Finally, the time has come to share my solutions to the exercises from the excellent book mentioned in the title of this post. The first chapter is titled "Basic Static Analysis". This type of malware analysis should be the first step in the whole process, and I think it's also the easiest part. I've decided to simply describe my solution to each lab without any introduction beforehand; I'll explain everything I'm doing inside the solution. I hope this will be helpful for me and for other beginners who are interested in examining malicious programs. Now I invite you to read my solutions and maybe learn new things with me. :)



I almost forgot! Every lab for "Practical Malware Analysis" book can be downloaded from https://practicalmalwareanalysis.com/labs/

Basic static analysis labs:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Lab 1-1
This lab uses the files Lab01-01.exe and Lab01-01.dll. Use the tools and techniques
described in the chapter to gain information about the files and answer the questions below.

Questions

1. Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?

2. When were these files compiled?

3. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

4. Do any imports hint at what this malware does? If so, which imports are they?

5. Are there any other files or host-based indicators that you could look for
on infected systems?

6. What network-based indicators could be used to find this malware on infected machines?

7. What would you guess is the purpose of these files?

My answers:

1) Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?

Usually, a good first step in malware analysis is to upload the suspected program to VirusTotal and check the results of the antivirus scans run on it. A scan by a single antivirus engine isn't enough to be sure that a suspected program isn't malware. The best way to find out is to upload the file to VirusTotal, which scans it with many different antivirus engines that use different signatures.

The scan result of Lab01-01.exe:

The scan result of Lab01-01.dll:

Now it's clear that these two files can be considered malware, since a lot of antivirus engines detected them. Therefore we should be careful in further analysis.

2) When were these files compiled?

The compilation time tells us whether the suspected program is an older or a newer one. If it's older, we can calculate the hash of the file and check whether it has already been analyzed or whether antivirus signatures for it exist. Unfortunately, the compilation time can easily be manipulated by malware writers, so it might be misleading.

To check the compiler-stamp I used pestudio tool which I described here - https://shizz3r.blogspot.com/2020/06/beginning-of-malware-analysis-adventure_19.html

Lab01-01.exe time of the compilation:


Lab01-01.dll time of the compilation:


The compilation time is stored in the IMAGE_FILE_HEADER of the PE file.

3) Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

First of all, I've decided to check the imported functions and strings in these files. If there are only a few imported functions and a similarly small number of strings, then the file is probably packed and, as a result, obfuscated too. The next thing I'm going to do is check the Virtual Size and Size of Raw Data of the .text section of the executable and compare them. Virtual Size is the amount of memory allocated for the .text section when the PE is loaded into memory, while Size of Raw Data is the size of the .text section in the PE image on disk. If the difference between these two values is big, then the suspected file might be packed and obfuscated. Finally, the exeinfope tool is helpful for identifying the packer if the suspected file actually is packed.

Using pestudio:

1. Imported functions and strings:

Lab01-01.exe

It's clear that the number of imports is 25 and the number of strings is 69. For the time being, the Lab01-01.exe file doesn't look packed or obfuscated.

Lab01-01.dll


Number of imports: 20, number of strings: 36, so for now Lab01-01.dll doesn't look packed or obfuscated either. While analyzing a DLL file it's a good idea to check its exports. This specific file doesn't have any exports, which is unusual, but it doesn't mean that the DLL is packed or obfuscated.

2. Comparing between Virtual Size and Size of Raw Data within .text section:

Lab01-01.exe:



If we take a look at the hexadecimal values of raw-size and virtual-size, we can see that the difference between them is small enough to conclude that this file isn't packed or obfuscated.

Lab01-01.dll:


This time the difference between raw-size and virtual-size is significant, but virtual-size is smaller than raw-size. In my opinion this means that, based on this information, Lab01-01.dll isn't packed or obfuscated. The situation would be different if virtual-size were bigger than raw-size.

3. Checking suspected files in exeinfope tool:

Lab01-01.exe:


Lab01-01.dll:


Summary: These files aren't packed or obfuscated.

4) Do any imports hint at what this malware does? If so, which imports are they?

Obviously, we can check imports from the Import Table of PE using pestudio tool.

Significant imports from Lab01-01.exe:
- UnmapViewOfFile
- MapViewOfFile
- CreateFileMappingA
- CreateFileA
- FindNextFileA
- FindFirstFileA
- CopyFileA

From these imports, I would say that this malware searches through the file system and copies files.

Significant imports from Lab01-01.dll:
- socket
- connect
- recv
- send
- htons

It's clear that this DLL deals with internet connections. It connects to some host and talks to it using the send and recv functions imported from ws2_32.dll.

5) Are there any other files or host-based indicators that you could look for on infected systems?

In the case of the DLL file I didn't see any files or host-based indicators that I could look for on infected systems. But Lab01-01.exe creates a file named kerne123.dll in the C:\windows\system32 directory. I gathered this information from the strings of the PE. This is a great file indicator on infected systems.

6) What network-based indicators could be used to find this malware on infected machines?

We can quickly see that Lab01-01.dll tries to talk to the host 127.26.152.13 across the internet. Obviously, to confirm this the DLL should be analyzed with a decompiler and a debugger, but I'll do that later, when the book covers these topics. So the IP address 127.26.152.13 is indeed a network-based indicator on infected systems. This might be the address of the C&C server.

7) What would you guess is the purpose of these files?

I think that Lab01-01.dll is the DLL used by Lab01-01.exe. That being said, Lab01-01.dll might be a backdoor used for communication with the C&C server. Execution is the task of Lab01-01.exe, which creates kerne123.dll, and that should be another file for malware researchers to look at. The purpose of Lab01-01.exe isn't clear beyond the fact that it creates a new DLL file and copies some file or files across the file system. These modifications to the file system are probably made in the C:\Windows\System32 directory. The system32 folder is a very attractive place for malware writers to hide their malicious files.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Lab 1-2
Analyze the file Lab01-02.exe.

Questions

1. Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

3. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

4. What host- or network-based indicators could be used to identify this malware on infected machines?

My answers:

1) Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

After scanning Lab01-02.exe with 72 different antivirus engines, 54 of them flagged this file as malware. This is enough confirmation to treat this executable as malicious.


2) Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

As before, it's worth investigating the imports, the strings, and the difference between the virtual size and raw size of the .text section using pestudio, and checking the whole structure of the suspected file with the exeinfope tool.

1. Strings and imports:


pestudio shows the strings and imports correctly. Nothing is hidden or encrypted, so for now I think that the suspected file isn't packed or obfuscated.

2. The difference between virtual-size and raw-size of .text section:



This screenshot shows that virtual-size is less than raw-size. Considering this fact, everything is in order and the file isn't packed or obfuscated. Again, if virtual-size had been significantly greater than raw-size, the file would have been packed or obfuscated.

3. Information from exeinfope:



exeinfope tool confirmed my suspicions that Lab01-02.exe isn't packed or obfuscated.

3) Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

List of significant imports from Lab01-02.exe:
- CreateServiceA
- StartServiceCtrlDispatcherA
- OpenSCManagerA
- InternetOpenUrlA
- InternetOpenA

The first three functions on the above list, CreateServiceA, StartServiceCtrlDispatcherA and OpenSCManagerA, tell us that Lab01-02.exe is meant to run as a Windows service. The InternetOpenUrlA and InternetOpenA functions are responsible for establishing a connection between two hosts across the internet. So, to sum up: the suspected program is a service which probably talks to another host, maybe a C&C server. Strangely, for now we only know that Lab01-02.exe establishes a connection, not that it takes any further action based on it.

4) What host- or network-based indicators could be used to identify this malware on infected machines?

If we take a look at the strings of the executable using the pestudio tool, there is a MalService string at the end of the list. This might be a host-based indicator, since it's probably the name of the malicious service. If we find this string in the list of running services, the system is probably infected. In the list of strings there is also http://www.malwareanalysisbook.com. The suspected file probably establishes a connection with this domain. This means that the malwareanalysisbook site is a network-based indicator of infected machines.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Lab 1-3
Analyze the file Lab01-03.exe.

Questions

1. Upload the Lab01-03.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

3. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

4. What host- or network-based indicators could be used to identify this malware on infected machines?

My answers:

1) Upload the Lab01-03.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

After scanning Lab01-03.exe with 73 different antivirus engines, 55 of them flagged this file as malware. This is enough confirmation to treat this executable as malicious. Therefore we have to be careful while analyzing it.



2) Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

As usual, we have to check the Import Table and the difference between the virtual-size and raw-size of the .text section. Finally, it's worth examining the suspected program with the exeinfope tool.

1. Imports and strings:



The number of imports is very suspicious and abnormal. Only 2 functions are imported by the whole executable. In addition, these two functions are able to load any other function from any DLL on the Windows system. Based on this I would say that this file is packed, even though the number of strings is big enough to look "normal".

2. Difference between virtual-size and raw-size of .text section:



There are three very strong indicators that this file is indeed packed. Firstly, none of the sections of Lab01-03.exe have names, so the compiler's output has been altered. Secondly, the raw-size of the first section (probably .text) is 0, and this is simply impossible. Finally, its virtual-size is much larger than its raw-size. I'm not sure that this data is from the .text section, but it's very likely. Again, I would say that this file is packed.

3. Checking my assumption with exeinfope:


exeinfope states that Lab01-03.exe is packed with the FSG packer. There is no easy way to unpack an executable packed by FSG, so I think it has to be done with a debugger and some low-level modification magic. This kind of interesting stuff will be covered by the book in later chapters, so for now I'm not able to unpack this executable.
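The two header checks used in every lab above (the compile timestamp from IMAGE_FILE_HEADER, and virtual-size versus raw-size together with nameless and zero-raw-size sections) can be scripted with nothing but the Python standard library. This is an added example written for this post, not code from the book, from pestudio or from exeinfope; it parses a constructed, headers-only PE image instead of a lab file, and parse_pe, packing_indicators and build_sample are my own names.

```python
import struct
import time


def parse_pe(data):
    """Read IMAGE_FILE_HEADER and the section table of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]      # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    fh = e_lfanew + 4
    _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    table = fh + 20 + opt_size                              # section table follows the optional header
    sections = []
    for i in range(nsec):                                   # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _, rsize, _ = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rsize})
    return {"timestamp": stamp,
            "compiled": time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(stamp)),
            "sections": sections}


def packing_indicators(pe):
    """Apply the three hints from the labs: nameless section, raw size 0, virtual >> raw."""
    hits = []
    for s in pe["sections"]:
        label = s["name"] or "<unnamed>"
        if not s["name"]:
            hits.append(f"{label}: section has no name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append(f"{label}: raw size is 0 but virtual size is {s['virtual_size']:#x}")
        elif s["virtual_size"] > 2 * s["raw_size"]:
            hits.append(f"{label}: virtual size {s['virtual_size']:#x} is much larger "
                        f"than raw size {s['raw_size']:#x}")
    return hits


def build_sample(stamp, sections):
    """Constructed, headers-only PE32 image (not a lab file) used as offline input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B) + b"\0" * 222             # PE32 magic, rest zeroed
    fh = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, len(opt), 0x102)
    table = b"".join(struct.pack("<8sIIII", name, vsize, 0x1000 * (i + 1), rsize, 0x400)
                     + b"\0" * 12 + struct.pack("<I", 0x60000020)
                     for i, (name, vsize, rsize) in enumerate(sections))
    return dos + b"PE\0\0" + fh + opt + table


# 1567178819 decodes to 2019-08-30 15:26:59 UTC, the manipulated date the post reports for Lab01-04.exe
CLEAN = build_sample(1567178819, [(b".text", 0x1000, 0x1200), (b".data", 0x200, 0x200)])
PACKED = build_sample(1567178819, [(b"", 0x3000, 0), (b"", 0x5000, 0x800)])

if __name__ == "__main__":
    for tag, image in (("clean", CLEAN), ("packed", PACKED)):
        pe = parse_pe(image)
        print(tag, "compiled", pe["compiled"], "indicators:", packing_indicators(pe) or "none")
```

Point parse_pe at the bytes of a real file (open(path, "rb").read()) to get the same two views pestudio shows in the screenshots above.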

3) Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

As I mentioned in the answer to the second question, the analyzed program has only two imports: LoadLibraryA and GetProcAddress. These functions are used to import other functions from any DLL on the system, so by themselves they don't tell us anything.

4) What host- or network-based indicators could be used to identify this malware on infected machines?

I looked at the strings that weren't encrypted, but nothing caught my attention. The rest of the file is packed, so it has to be unpacked to answer this question.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Lab 1-4
Analyze the file Lab01-04.exe.

Questions

1. Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

3. When was this program compiled?

4. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

5. What host- or network-based indicators could be used to identify this malware on infected machines?

6. This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?

My answers:

1) Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

After scanning Lab01-04.exe with 72 different antivirus engines, 61 of them flagged this file as malware. This is enough confirmation to treat this executable as malware.



2) Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

Checking whether a file is obfuscated or packed again consists of three parts. As usual, I focused on the number of imports and strings in the file, the difference between virtual-size and raw-size of the .text section, and the result of the exeinfope tool.

1. Imports and strings:



114 strings and 34 imports mean that, for now, the file doesn't look packed or obfuscated.

2. The difference between virtual-size and raw-size in the .text section:



As you can see, virtual-size is smaller than raw-size and the difference between them isn't large. This is the normal situation, so it's another indicator that this file isn't packed or obfuscated.

3. Checking Lab01-04.exe with the exeinfope tool:



exeinfope has confirmed that the analyzed file isn't packed or obfuscated.

3) When was this program compiled?

This information can be gathered from the IMAGE_FILE_HEADER of the Lab01-04.exe file using the pestudio tool.


The compilation time is Fri Aug 30 15:26:59 2019. The date has surely been manipulated, since the book was released in 2012. This is an example of why we shouldn't trust compiler timestamps.

4) Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

Significant imports of Lab01-04.exe:
- OpenProcessToken
- LookupPrivilegeValueA
- AdjustTokenPrivileges
- WriteFile
- CreateFileA
- MoveFileA
- WinExec
- CreateRemoteThread

The list of significant imports is quite long compared to the earlier examples. Looking at these functions, I would say that this executable probably creates another malicious file, but this time in one of the directories that require specific privileges. OpenProcessToken, LookupPrivilegeValueA and AdjustTokenPrivileges might be used for this reason, or simply to raise the privileges of the created file and then use them to gain more control over the victim's Windows. The last two functions are also very interesting. I think they are used to execute some code inside the created process after setting the correct privileges. Lab01-04.exe can be used to prepare a new, dangerous program.

5) What host- or network-based indicators could be used to identify this malware on infected machines?

To determine host- or network-based indicators that could be used to identify this malware on infected machines, we have to look for suspicious strings. First of all, there is the name of a process that might be created by the malware: winup.exe. I would certainly look at this file in further analysis, but I may be wrong that this program is malicious.

Next, SeDebugPrivilege is one of the best hints at what this malware does. Without any reverse engineering, I'm able to tell that the malicious program tries to obtain this privilege, probably for the new file. When the process in question owns this privilege, it has access to all processes across the system and can, for example, do process replacement by placing shellcode even in system files. By doing this an attacker has a straight path to adding itself to the administrators, and then we are done. :)

The network-based indicator is the URL http://www.practicalmalwareanalysis.com/updater.exe. In the strings there is also URLDownloadToFile, so that might be the function that downloads updater.exe from the mentioned site and writes its content into winup.exe to hide it from the victim. Everything points to Lab01-04.exe being a downloader.
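The strings-based hunting done in questions 5 and 6 of each lab above (file paths, DLL and EXE names, IP addresses, URLs, privilege names) can be scripted as well. This is an added example written for this post, not code from the book or from pestudio; the byte buffer is constructed from the indicators the labs surfaced, buried in junk bytes the way they sit inside a binary, and extract_strings, classify and triage are my own names.

```python
import re

# Constructed sample buffer (not a lab file): the labs' indicator strings separated by
# non-printable junk, with one of them stored as UTF-16LE like many Windows strings.
SAMPLE = (b"\x00\x8b\xec" + b"C:\\windows\\system32\\kerne123.dll\x00" + b"\xff\x15"
          + b"127.26.152.13\x00" + b"MalService\x00" + b"\x90" * 5
          + b"http://www.malwareanalysisbook.com\x00"
          + b"SeDebugPrivilege\x00winup.exe\x00"
          + b"http://www.practicalmalwareanalysis.com/updater.exe\x00" + b"\xcc\xcc"
          + "ws2_32.dll".encode("utf-16-le") + b"\x00\x00\xc3")


def extract_strings(data, min_len=5):
    """Printable ASCII and UTF-16LE runs of at least min_len characters (the 'strings' view)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


# Indicator classes asked about in questions 5 and 6: url and ipv4 are network-based,
# path, module and privilege are host-based.
PATTERNS = {
    "url": re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "path": re.compile(r"[A-Za-z]:\\[^\s]+"),
    "module": re.compile(r"\b[\w-]+\.(?:dll|exe|sys)\b", re.I),
    "privilege": re.compile(r"\bSe\w+Privilege\b"),
}


def classify(strings):
    """Group the strings by indicator type; each value is a sorted, de-duplicated list."""
    found = {kind: set() for kind in PATTERNS}
    for s in strings:
        for kind, rx in PATTERNS.items():
            found[kind].update(rx.findall(s))
    return {kind: sorted(vals) for kind, vals in found.items()}


def triage(data):
    """Raw file bytes -> indicator table."""
    return classify(extract_strings(data))


if __name__ == "__main__":
    for kind, vals in triage(SAMPLE).items():
        print(f"{kind:10} {vals}")
```

Service names such as MalService follow no pattern, so the full strings list still needs a human reader; the script only narrows down where to look.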

6) This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?



IMAGE_DOS_HEADER is visible in the ASCII representation of the byte sequence of the examined resource. Therefore I decided to extract this resource to a binary file and then look deeper into it using pestudio. To extract a resource into a binary file in Resource Hacker: Action -> Save resource to a BIN file.

The imports of the saved binary file were the most interesting part to research, so here they are:


As you can see, it's the executable hidden in the resource section that imports the URLDownloadToFileA function, not Lab01-04.exe itself. Now we know that the networking is done by the executable code from the resource section. :)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

That's all from chapter number one. I'm sure that the next chapters will be even more interesting and for sure more sophisticated than this one.

I invite you to express constructive criticism if I've done something wrong since as of this writing I'm a student in this topic, not an expert. :)

Thank you for reading.
Cheers!
