Lab 1-2 | Practical Malware Analysis

1. Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?



2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.




3. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?


So here we can see that it starts with ADVAPI32.dll, which provides the service-control, registry and security (privilege) APIs.
CreateService creates a service object and installs it in the service control manager database, but what does a service mean?
From MSDN:

A service application conforms to the interface rules of the Service Control Manager (SCM). It can be started automatically at system boot, by a user through the Services control panel applet, or by an application that uses the service functions. Services can execute even when no user is logged on to the system.
So a service is roughly the Windows counterpart of a Unix daemon: a program that runs in the background performing tasks.

The StartServiceCtrlDispatcher function connects the main thread of a service process to the service control manager, making that thread the service control dispatcher thread for the calling process.

When the service control manager starts a service process, it waits for the process to call the StartServiceCtrlDispatcher function. The main thread of a service process should make this call as soon as possible after it starts up (within 30 seconds). If StartServiceCtrlDispatcher succeeds, it connects the calling thread to the service control manager and does not return until all running services in the process have entered the SERVICE_STOPPED state.
Pretty self-explanatory.

Finally OpenSCManagerA:

Establishes a connection to the service control manager on the specified computer and opens the specified service control manager database.

So up to this point we can determine that it registers itself as a service, i.e. something that is started automatically and keeps running in the background.

In the KERNEL32.dll part, it’s creating processes, a mutex and threads (CreateThread, CreateMutexA, OpenMutexA, ExitProcess), setting timers to perform tasks (SetWaitableTimer followed by WaitForSingleObject, CreateWaitableTimerA followed by ExitProcess) and converting time values and looking up its own file path (SystemTimeToFileTime, GetModuleFileNameA).

Couldn’t really say what’s going on there, and the book didn’t offer much information about it either.

And finally WININET.dll, which Windows applications use to perform internet-related tasks.
The program calls InternetOpenA and InternetOpenUrlA.
The difference between them is that InternetOpenA initializes the library’s internet functionality (it must be called first), while InternetOpenUrlA opens the resource specified by a URL.

So that one tells us that it’s calling something via a URL; it could be to download malware or to send the files it fetched in the earlier step to a listener. I can’t be 100% sure, but I’d say it’s the latter one. Or both. It just makes sense.
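The whole of question 3 comes down to reading the import table and mapping the imported functions to capabilities. The following script is an added example (my own code, not from the book or the lab binary) that does exactly that without pefile: a minimal PE32/PE32+ import-directory parser plus a small capability triage. It builds a constructed in-memory PE whose imports mirror the ones discussed above; the builder, the triage table and the sample import list are assumptions for illustration, and running the script with a file path parses that file instead.

```python
import struct
import sys

SECTION_RVA = 0x1000  # RVA of the single .idata section in the constructed sample
SECTION_RAW = 0x200   # file offset of that section

# Constructed sample: the imports discussed in the write-up (names assumed, not read from Lab01-02.exe)
SAMPLE_IMPORTS = {
    "ADVAPI32.dll": ["OpenSCManagerA", "CreateServiceA", "StartServiceCtrlDispatcherA"],
    "KERNEL32.dll": ["CreateThread", "CreateMutexA", "OpenMutexA", "ExitProcess",
                     "CreateWaitableTimerA", "SetWaitableTimer", "WaitForSingleObject",
                     "SystemTimeToFileTime", "GetModuleFileNameA"],
    "WININET.dll": ["InternetOpenA", "InternetOpenUrlA"],
}

# Triage table (assumption): what each import usually tells an analyst
CAPABILITY_HINTS = {
    "OpenSCManagerA": "service persistence", "CreateServiceA": "service persistence",
    "StartServiceCtrlDispatcherA": "runs as a service",
    "CreateMutexA": "single-instance mutex", "OpenMutexA": "single-instance mutex",
    "CreateWaitableTimerA": "timed/periodic activity", "SetWaitableTimer": "timed/periodic activity",
    "InternetOpenA": "network (WinINet)", "InternetOpenUrlA": "network (WinINet)",
}


def build_sample_pe(imports):
    """Assemble a minimal PE32 file containing only an import section (constructed test input)."""
    body = bytearray(20 * (len(imports) + 1))  # IMAGE_IMPORT_DESCRIPTOR array, null-terminated
    descriptors = []
    for dll, funcs in imports.items():
        name_rvas = []
        for f in funcs:  # IMAGE_IMPORT_BY_NAME: 2-byte hint + NUL-terminated name, even-aligned
            name_rvas.append(SECTION_RVA + len(body))
            body += struct.pack("<H", 0) + f.encode() + b"\0"
            body += b"\0" * (len(body) % 2)
        dll_rva = SECTION_RVA + len(body)
        body += dll.encode() + b"\0"
        body += b"\0" * (-len(body) % 4)
        ilt_rva = SECTION_RVA + len(body)  # import lookup table (OriginalFirstThunk)
        body += b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0\0\0\0"
        iat_rva = SECTION_RVA + len(body)  # import address table (FirstThunk)
        body += b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0\0\0\0"
        descriptors.append((ilt_rva, 0, 0, dll_rva, iat_rva))
    for i, d in enumerate(descriptors):
        struct.pack_into("<5I", body, 20 * i, *d)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, 1 section, PE32 opt hdr
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                         # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)    # ImageBase, section/file alignment
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, SECTION_RVA, 20 * (len(imports) + 1))  # DataDirectory[1]
    section = struct.pack("<8sIIIIIIHHI", b".idata", len(body), SECTION_RVA,
                          len(body), SECTION_RAW, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + bytes(opt) + section
    return headers + b"\0" * (SECTION_RAW - len(headers)) + bytes(body)


def parse_imports(data):
    """Return {dll: [function, ...]} from a PE32 or PE32+ image's import directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    n_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:    # PE32: data directory at +96, 32-bit thunks
        dir_off, thunk_fmt, ord_flag = 96, "<I", 1 << 31
    elif magic == 0x20B:  # PE32+: data directory at +112, 64-bit thunks
        dir_off, thunk_fmt, ord_flag = 112, "<Q", 1 << 63
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    import_rva = struct.unpack_from("<II", data, opt + dir_off + 8)[0]
    sections = []
    for i in range(n_sections):  # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, max(vsize, rawsize), rawptr))

    def rva2off(rva):
        for va, size, rawptr in sections:
            if va <= rva < va + size:
                return rva - va + rawptr
        raise ValueError("RVA %#x maps to no section" % rva)

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii", "replace")

    result = {}
    if import_rva == 0:
        return result
    desc = rva2off(import_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, desc)
        if name_rva == 0:  # null terminator descriptor
            break
        thunk, funcs = rva2off(oft or ft), []  # packers often zero OriginalFirstThunk; fall back to IAT
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            funcs.append("ordinal#%d" % (entry & 0xFFFF) if entry & ord_flag else cstr(rva2off(entry + 2)))
            thunk += struct.calcsize(thunk_fmt)
        result[cstr(rva2off(name_rva))] = funcs
        desc += 20
    return result


def triage(imports):
    """Group imports by the capability hint they suggest."""
    hints = {}
    for dll, funcs in imports.items():
        for f in funcs:
            if f in CAPABILITY_HINTS:
                hints.setdefault(CAPABILITY_HINTS[f], []).append("%s!%s" % (dll, f))
    return hints


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe(SAMPLE_IMPORTS)
    for tag, names in triage(parse_imports(data)).items():
        print("%-24s %s" % (tag, ", ".join(names)))
```

A packed sample (question 2) typically shows only a handful of imports such as LoadLibrary and GetProcAddress, so a near-empty result from this script is itself an indicator; run it again on the unpacked file to get the list discussed above.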

4. What host- or network-based indicators could be used to identify this malware on infected machines?

Yes there are, and I didn’t need IDA Pro for this one.
