Practical Malware Analysis Ch.6 Labs

jon
5 min read · Nov 3, 2023

In this lab, you will analyze the malware found in the file Lab06-01.exe.

1. What is the major code construct found in the only subroutine called by main?

sub_401000 is the only subroutine called from main, and its return value drives what looks to be an if/else statement: a jnz conditional either jumps to loc_401056 or falls through.

sub_401000 looks to simply check whether there is internet connectivity.

2. What is the subroutine located at 0x40105F?

The subroutine located at 0x40105F is called from sub_401000, and it looks like it is called whether there is internet or not.

sub_40105F is an unlabeled printf.

3. What is the purpose of this program?

This program looks to check the internet connectivity and then print out the results.

Analyze the malware found in the file Lab06-02.exe.

1. What operation does the first subroutine called by main perform?

The first subroutine is the same as in the first lab: an if statement that checks for internet connectivity. We rename it CheckInternet.

2. What is the subroutine located at 0x40117F?

This subroutine looks like the same unlabeled printf. We rename it as well.

3. What does the second subroutine called by main do?

The second subroutine is sub_401040, which is only called once CheckInternet confirms there is internet. It appears to establish a connection to the URL “http://www.practicalmalwareanalysis.com” with the user agent “Internet Explorer 7.5/pma”.

4. What type of code construct is used in this subroutine?

Looking at the graph view of the subroutine, there are 4 paths that can be executed.

If the connection fails, Error 2.1 is printed and the program returns to main.

If the connection is successful but the file cannot be read, Error 2.2 is printed and the program returns to main.

Otherwise the file from the internet is read and up to 200h (512) bytes are stored in “Buffer”. There are then checks to ensure this file starts with “<!--”, which would indicate the beginning of an HTML comment.

If any of those checks fail, Error 2.3 is printed.

5. Are there any network-based indicators for this program?

The user agent and URL

6. What is the purpose of this malware?

This program checks for internet connectivity, then downloads a file from the internet and reads the HTML comment. The command is then parsed, the results are printed, and the program sleeps.

In this lab, we’ll analyze the malware found in the file Lab06-03.exe.

1. Compare the calls in main to Lab 6-2’s main method. What is the new function called from main?

There is now a call to the subroutine sub_401130 after a successful HTML comment is parsed.

2. What parameters does this new function take?

This new function takes the parameters arg_0 and lpExistingFileName.

3. What major code construct does this function contain?

This looks to be a switch statement with a jump table, as an indirect jmp dispatches to a separate block for each case.

4. What can this function do?

To answer this, we’re going to go through every potential path.

Path 1: no valid command; the program sleeps and then terminates.

Path 2: valid command; the registry key Software\Microsoft\Windows\CurrentVersion\Run is opened and the path C:\Temp\cc.exe is written under the value name “Malware”.

  • This either succeeds or ends in Error 3.1, Could not set Registry value.

Path 3: Delete the file located at C:\Temp\cc.exe.

Path 4: Copy the file located at C:\Temp\cc.exe.

Path 5: Create the directory C:\Temp\.
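To make the two constructs recognizable in the disassembly, the following C model shows what the source of the Lab 6-2 buffer check (an if/else chain ending in the “Error 2.3” path) and the Lab 6-3 command dispatcher (a switch with contiguous cases, which the compiler turns into a jump table) might look like. This is an added illustration, not the labs’ code: it only reports which path would be taken and performs none of the file, directory or registry actions, the 512-byte limit and the “<!--” prefix come from the write-up above, and the letter-to-action mapping is an assumption for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One code per path of the Lab 6-3 dispatcher, as listed in the write-up.
   The model only returns the code; the real sample performs the action. */
enum action {
    ACT_NONE = 0,     /* Path 1: no valid command, sleep and terminate */
    ACT_SET_RUN_KEY,  /* Path 2: write C:\Temp\cc.exe under the Run key */
    ACT_DELETE_FILE,  /* Path 3: delete C:\Temp\cc.exe                   */
    ACT_COPY_FILE,    /* Path 4: copy C:\Temp\cc.exe                     */
    ACT_CREATE_DIR    /* Path 5: create C:\Temp\                         */
};

#define BUF_MAX 0x200 /* the sample stores at most 200h (512) bytes */

/* Lab 6-2 style if/else chain: the downloaded buffer must begin with the
   HTML comment opener "<!--" and carry at least one byte after it.
   Returns the command byte, or 0 on the "Error 2.3" path. In assembly this
   is a series of compares, each followed by a conditional jump to the
   error block; only the fall-through path reaches the return of the byte. */
char extract_command(const char *buf, size_t len)
{
    if (len > BUF_MAX)
        len = BUF_MAX;
    if (len < 5)                          /* too short for "<!--" + command */
        return 0;
    if (memcmp(buf, "<!--", 4) != 0)      /* not an HTML comment */
        return 0;
    return buf[4];                        /* assumption: command follows the opener */
}

/* Lab 6-3 style switch. Because the case values are contiguous, the
   compiler emits a jump table: subtract the lowest case ('a'), bounds-check
   against the number of cases, then "jmp [table + index*4]" into the block
   for that case. The default block is the out-of-range target.
   The mapping of letters to actions is assumed for this example. */
enum action dispatch(char cmd)
{
    switch (cmd) {
    case 'a': return ACT_CREATE_DIR;
    case 'b': return ACT_COPY_FILE;
    case 'c': return ACT_DELETE_FILE;
    case 'd': return ACT_SET_RUN_KEY;
    default:  return ACT_NONE;           /* Path 1: no valid command */
    }
}

/* What the sample would do with one downloaded page: validate, then dispatch. */
enum action classify_page(const char *buf, size_t len)
{
    return dispatch(extract_command(buf, len));
}

int main(void)
{
    /* constructed sample pages, not captured from the real server */
    const char *pages[] = { "<!--a-->", "<html><body>hi</body></html>", "<!--" };
    size_t i;
    for (i = 0; i < sizeof pages / sizeof pages[0]; i++)
        printf("%-32s -> action %d\n", pages[i], classify_page(pages[i], strlen(pages[i])));
    return 0;
}
```

When reading the real function, the `cmp`/`jnz` pairs before any `call` correspond to `extract_command`, and the subtract-bounds-check-indirect-jmp sequence to `dispatch`; renaming the jump-table targets after the five paths above makes the graph view readable.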

5. Are there any host-based indicators for this malware?

The directory and file path as well as the registry key

6. What is the purpose of this malware?

Same purpose as the previous files, except this one also has extra persistence mechanisms.

In this lab, we’ll analyze the malware found in the file Lab06-04.exe.

1. What is the difference between the calls made from the main method in Labs 6-3 and 6-4?

2. What new code construct has been added to main?

The same functions are called, but this time they run in a loop. After the commands are run, the program loops until a counter of 540h (1440) is reached.

3. What is the difference between this lab’s parse HTML function and those of the previous labs?

The user agent is now iterated and changes with each request.

4. How long will this program run? (Assume that it is connected to the Internet.)

After every command the program sleeps for 600000 milliseconds, or 60 seconds, or 1 minute. Multiplying that by our counter of 1440, which we assume is in minutes, gives 1440 minutes, which is 24 hours. This program will run for 24 hours.

5. Are there any new network-based indicators for this malware?

The user agent and domain

6. What is the purpose of this malware?

Same purpose as the previous files, but this time in a loop that runs for 24 hours.
