I am trying to acquire some knowledge on malware analysis by using ‘Practical Malware Analysis’ (by Sikorski, Michael, and Andrew Honig, 2012). I will publish my solutions of the exercises as soon as I complete them; here you can find all the executables for the labs.
NOTE: I will try to use Linux utilities (such as pev, wrestool and Detect It Easy) instead of the Windows tools which are mentioned in the book.
The first chapter was about basic static analysis techniques, you can find some notes about it in this repo.
Lab 1-1
- Upload the files to VirusTotal and view the reports. Does either file match any existing antivirus signatures?
Uploading the files on VirusTotal, the results are that Lab01-01.dll is flagged as malicious by 34 engines, and Lab01-01.exe by 41. Here are links to the reports for Lab01-01.dll and Lab01-01.exe.
- When were these files compiled?
I used pev to detect the timestamp of the compilation:
$ readpe Lab01-01.dll | grep "time stamp"
Date/time stamp: 1292775398 (Sun, 19 Dec 2010 16:16:38 UTC)
$ readpe Lab01-01.exe | grep "time stamp"
Date/time stamp: 1292775379 (Sun, 19 Dec 2010 16:16:19 UTC)
- Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?
The output of strings on both the files does not include LoadLibrary or GetProcAddress. We can have confirmation that these are not packed by using Detect It Easy:
$ diec Lab01-01.dll
PE: compiler: Microsoft Visual C/C++(6.0)[msvcrt]
PE: linker: Microsoft Linker(6.0)[DLL32]
$ diec Lab01-01.exe
PE: compiler: Microsoft Visual C/C++(6.0)[msvcrt]
PE: linker: Microsoft Linker(6.0)[DLL32]
If the given file is packed, the diec command would list the packer used in the output.
- Do any imports hint at what this malware does? If so, which imports are they?
pev allows us to check the imported functions by using the -i flag, for instance:
$ readpe -i Lab01-01.dll
Imported functions
Library
Name: KERNEL32.dll
Functions
Function
Hint: 662
Name: Sleep
Function
Hint: 68
Name: CreateProcessA
Function
Hint: 63
Name: CreateMutexA
Function
Hint: 493
Name: OpenMutexA
Function
Hint: 27
Name: CloseHandle
Library
Name: WS2_32.dll
Functions
Function
Ordinal: 23
Function
Ordinal: 115
Function
Ordinal: 11
Function
Ordinal: 4
Function
Ordinal: 19
Function
Ordinal: 22
Function
Ordinal: 16
Function
Ordinal: 3
Function
Ordinal: 116
Function
Ordinal: 9
Library
Name: MSVCRT.dll
Functions
Function
Hint: 157
Name: _adjust_fdiv
Function
Hint: 657
Name: malloc
Function
Hint: 271
Name: _initterm
Function
Hint: 606
Name: free
Function
Hint: 704
Name: strncmp
In order to make the blog post more readable, I’ll summarize the findings and list only the interesting functions.
- Lab01–01.exe imports functions from
KERNEL32.dllandMSVCRT.dll - Lab01–01.dll imports functions from
KERNEL32.dll,MSVCRT.dll, andWS2_32.dll
KERNEL32.dll contains important functionalities (like access and edit memory and files), thus is a common DLL to import. It is interesting to note the presence of FindFirstFileA and FindNextFileA in Lab01–01.exe, and CreateProcessA in Lab01–01.dll.
WS2_32.dll is used for network functionalities, but in this case is imported by ordinals, thus we don’t have many additional information.
- Are there any other files or host-based indicators that you could look for on infected systems?
Using strings on Lab01-01.exe file, we can see some interesting findings, such as:
kerne132.dllkernel32.dllC:\windows\system32\kerne132.dllKernel32.Lab01-01.dllC:\Windows\System32\Kernel32.dllWARNING_THIS_WILL_DESTROY_YOUR_MACHINE(my favorite)
In particular, we can assume the existence of the file named kerne132.dll (with a 1 instead of an l) for infected machines.
- What network-based indicators could be used to find this malware on infected machines?
Using strings on Lab01-01.dll, we can see an IP address: 127.26.152.13.
- What would you guess is the purpose of these files?
Other interesting results running strings are: exec, hello, CreateProcess and sleep; which are names of functions. Based on the findings provided, we can say that these two files may be used to create a backdoor.
Lab 1-2
- Upload the Lab01-02.exe file to VirusTotal. Does it match any existing antivirus definitions?
The file is considered malicious by 55 engines, here is the report.
- Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
Detect It Easy finds that UPX has been used in this case:
$ diec Lab01-02.exe
PE: packer: UPX(3.04)[NRV,best]
PE: compiler: Microsoft Visual C/C++(6.0)[-]
PE: linker: Microsoft Linker(6.0)[EXE32,console]
We can then proceed to unpack the file with the following command:
$ upx -d -o Lab01-02_unpacked.exe Lab01-02.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2020
UPX git-d7ba31+ Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020
File size Ratio Format Name
-------------------- ------ ----------- -----------
16384 <- 3072 18.75% win32/pe Lab01-02_unpacked.exe
Unpacked 1 file.
- Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
As shown in the previous exercise, we can use readpe -i to check the imported functions. Here are the interesting findings:
KERNEL32.DLL:SystemTimeToFileTime,GetModuleFileNameA,CreateMutexA,CreateThreadandSetWaitableTimerADVAPI32.DLL:CreateServiceA,StartServiceCtrlDispatcherAandOpenSCManagerAWININET.DLL:InternetOpenUrlAandInternetOpenA
In particular, the last DLL file suggests that the file is communicating over the Internet.
- What host or network-based indicators could be used to identify this malware on infected machines?
Again, strings is our friend: MalService, Malservice, HGL345,http://www.malwareanalysisbook.com and Internet Explorer 8.0. These results are suggesting that the file is creating a service (probably MalService?) and connecting to the URL.
Lab 1-3
- Upload the Lab01-03.exe file to VirusTotal. Does it match any existing antivirus definitions?
Lab01-03.exe is detected as malicious by 64 engines, here is the report.
- Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
Scanning the file with diec shows that it is packed with FSG 1.0:
$ diec Lab01-03.exe
PE: packer: FSG(1.0)[-]
PE: linker: unknown(0.0)[EXE32,console]
Unfortunately it is not possible (AFAIK) to unpack it with upx, thus I cannot proceed:
$ upx -d Lab01-03.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2020
UPX git-d7ba31+ Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020
File size Ratio Format Name
-------------------- ------ ----------- -----------
upx: Lab01-03.exe: NotPackedException: not packed by UPX
Unpacked 0 files.
- Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
Being still packed, we have limited visibility on Lab01–03.exe. We can only see that it imports KERNEL32.DLL and uses the following functions: LoadLibraryA and GetProcAddress.
$ readpe -i Lab01-03.exe
Imported functions
Library
Name: KERNEL32.dll
Functions
Function
Hint: 0
Name: LoadLibraryA
Function
Hint: 0
Name: GetProcAddress
- What host or network-based indicators could be used to identify this malware on infected machines?
In this case, strings does not help us a lot, because the file is packed.
Again we see LoadLibraryA and GetProcAddress. Some of the other strings seems to refer to OLE.
Lab 1-4
- Upload the Lab01-04.exe file to VirusTotal. Does it match any existing antivirus definitions?
The file is detected as malicious by 61 engines, here is the report.
- Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
The file does not seem to be packed:
$ diec Lab01-04.exe
PE: compiler: Microsoft Visual C/C++(6.0)[msvcrt]
PE: linker: Microsoft Linker(6.0*)[EXE32]
- When was this program compiled?
The time stamp reported seems suspicious 🤔, considering that the book was published in 2012:
$ readpe Lab01-04.exe | grep "time stamp"
Date/time stamp: 1567204019 (Fri, 30 Aug 2019 22:26:59 UTC)
It was probably modified, thus it’s not clear when the file was actually compiled.
- Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
Here are the imports found with readpe -i:
ADVAPI32.dll:AdjustTokenPrivileges,LookupPrivilegeValueAandOpenProcessToken.KERNEL32.dll:CreateRemoteThread,MoveFileA,SizeofResource,LoadResource,GetModuleHandleA,OpenProcess,GetWindowsDirectoryA,WriteFile,GetCurrentProcess,CreateFileA,GetProcAddress,FindResourceA,LoadLibraryAandWinExec.
Considering the functions used, we can say that the program will try to access protected files (SizeOfResource, FindResource, LoadResource, LookupPrivilegeValueA and AdjustTokenPrivilages) and create and execute files (CreateFile, WriteFile and WinExec).
- What host or network-based indicators could be used to identify this malware on infected machines?
Here are the host and network-based indicators that can be found using strings:
- host-based:
C:\WINDOWS\system32\wupdmgrd.exeandwinup.exe - network-based:
http://www.practicalmalwareanalysis.com/updater.exe
- This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?
We can list and extract the resources from a Windows binary using wrestool:
$ wrestool -l Lab01-04.exe
--type='BIN' --name=101 --language=1033 [offset=0x4060 size=16384]
$ wrestool -x --raw --output=Lab01-04.bin Lab01-04.exe
- VirusTotal report
- Not packed:
$ diec Lab01-04.bin
PE: compiler: Microsoft Visual C/C++(6.0)[msvcrt]
PE: linker: Microsoft Linker(6.0)[EXE32]
- Compiled on
1298765819 (Sun, 27 Feb 2011 00:16:59 UTC). - Imports:
KERNEl32.dll(WinExec) andurlmon.dll(URLDownloadToFileA) - Interesting strings:
\system32\wupdmgr.exe,winup.exeandwww.malwareanalysisbok.com/updater.exe
Considering the information obtained, we can assume that the Lab01-04.exe file will be used to change permissions to write in a directory and drop and execute the hidden resource, which contacts the network to download and run additional malware.