Practical Malware Analysis Ch.7 Labs

jon
5 min readNov 6, 2023


Analyze the malware found in the file Lab07-01.exe.

1. How does this program ensure that it continues running (achieves persistence) when the computer is restarted?

Looking into the imports, there is a CreateServiceA at 00404000. This is most likely used to establish persistence. We can see that this function is called from the entry point of the malware. There is a string for the service name “MalService”, and sub_401040 is the function referenced in the service start table.

The Windows API StartServiceCtrlDispatcher is used to “Connect the main thread of a service process to the service control manager, which causes the thread to be the service control dispatcher thread for the calling process,” per MSDN.

2. Why does this program use a mutex?

Looking into sub_401040, there is a mutex created called “HGL345”. This is the function where the service is also created. The mutex is created so that only one instance of the malware is running. Not pictured below is a check before this to see if the mutex already exists.

3. What is a good host-based signature to use for detecting this program?

The service “MalService” and the mutex “HGL345” are two good host-based indicators.

4. What is a good network-based signature for detecting this malware?

Looking into the strings, we find a function called StartAddress containing two good network-based IOCs: the User-Agent string and the URL.

5. What is the purpose of this program?

The program creates persistence with the service, creates a mutex, and then creates a thread that is used to reach out to the URL.

6. When will this program finish executing?

This malware is configured to wait until January 1, 2100, at which point it creates 20 threads in a loop that reach out to the URL. This resembles a timed DDoS attack.

Analyze the malware found in the file Lab07-02.exe.

1. How does this program achieve persistence?

There doesn’t seem to be a persistence mechanism in this program.

There are calls to OleInitialize and CoCreateInstance, which means this malware is using COM (Microsoft Component Object Model) to pull in functionality from other software.

To identify exactly what the malware is instantiating, we can look at the IID and CLSID that are pushed onto the stack before the CoCreateInstance call.

CLSID: 0002DF01-0000-0000-C000-000000000046 (Internet Explorer)

IID: D30C1661-CDAF-11D0-8A3E-00C04FC9E26E (IWebBrowser2)

The return value is stored in EAX.

2. What is the purpose of this program?

The program uses COM functionality, through IWebBrowser2, to navigate to the URL “http://www.malwareanalysisbook.com/ad.html”.

The value in EAX (the returned IWebBrowser2 interface pointer) is moved into EDX, and the indirect call through the dword ptr resolves to the Navigate function, which sits at offset 0x2C in the IWebBrowser2 vtable.
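Two small helpers for the COM reasoning above, added here as example code (not part of the original post or the book): the first converts the 16 raw bytes of a GUID structure as it appears in .rdata (Data1/Data2/Data3 stored little-endian, Data4 as-is) into the canonical string, so the CLSID and IID pushed before CoCreateInstance can be read straight from a hex dump; the second derives the vtable offset of an IWebBrowser2 method from the method order of its inherited interfaces, confirming that offset 0x2C is Navigate on 32-bit. The byte strings are constructed for the example, and the vtable list is deliberately truncated after the first IWebBrowser methods.

```python
import struct
import uuid

# Constructed sample bytes: the IID and CLSID from the write-up, laid out
# the way a GUID struct sits in memory (first three fields little-endian).
IID_IWEBBROWSER2_BYTES = bytes.fromhex("61160CD3AFCDD0118A3E00C04FC9E26E")
CLSID_INTERNET_EXPLORER_BYTES = bytes.fromhex("01DF020000000000C000000000000046")


def guid_from_memory(raw: bytes) -> str:
    """Render a 16-byte in-memory GUID struct as the canonical XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX string."""
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    # Data1 (uint32), Data2 (uint16), Data3 (uint16) are little-endian on x86.
    data1, data2, data3 = struct.unpack_from("<IHH", raw)
    data4 = raw[8:]  # Data4 is a byte array and is printed in memory order.
    return (
        f"{data1:08X}-{data2:04X}-{data3:04X}-"
        f"{data4[:2].hex().upper()}-{data4[2:].hex().upper()}"
    )


def guid_cross_check(raw: bytes) -> bool:
    """Sanity check against the standard library's little-endian GUID parser."""
    return str(uuid.UUID(bytes_le=raw)).upper() == guid_from_memory(raw)


# IWebBrowser2 inherits IWebBrowserApp -> IWebBrowser -> IDispatch -> IUnknown,
# so its vtable starts with the base interfaces' methods in declaration order.
# Truncated after the first IWebBrowser methods; later entries are not needed here.
IWEBBROWSER2_VTABLE = [
    "QueryInterface", "AddRef", "Release",                        # IUnknown
    "GetTypeInfoCount", "GetTypeInfo", "GetIDsOfNames", "Invoke",  # IDispatch
    "GoBack", "GoForward", "GoHome", "GoSearch", "Navigate",      # IWebBrowser
    "Refresh", "Refresh2", "Stop",
]


def method_offset(name: str, ptr_size: int = 4) -> int:
    """Byte offset of a method's slot in the vtable (ptr_size=4 for x86, 8 for x64)."""
    return IWEBBROWSER2_VTABLE.index(name) * ptr_size


def method_at_offset(offset: int, ptr_size: int = 4) -> str:
    """Reverse lookup: which method does 'call dword ptr [edx+offset]' reach?"""
    if offset % ptr_size:
        raise ValueError("offset is not pointer-aligned")
    return IWEBBROWSER2_VTABLE[offset // ptr_size]


if __name__ == "__main__":
    print("CLSID:", guid_from_memory(CLSID_INTERNET_EXPLORER_BYTES))
    print("IID:  ", guid_from_memory(IID_IWEBBROWSER2_BYTES))
    print(f"Navigate is at vtable offset 0x{method_offset('Navigate'):X}")
    print("Offset 0x2C is", method_at_offset(0x2C))
```

Reading the disassembly, the pointer returned in EAX is the interface pointer; the first dword it points to is the vtable, and `[vtable+0x2C]` is the twelfth slot, which the method order above resolves to Navigate.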

3. When will this program finish executing?

It doesn’t appear to have a timer or any other wait condition, so it runs once and exits.

For this lab, we obtained the malicious executable, Lab07-03.exe, and DLL, Lab07-03.dll, prior to executing. This is important to note because the malware might change once it runs. Both files were found in the same directory on the victim machine. If you run the program, you should ensure that both files are in the same directory on the analysis machine. A visible IP string beginning with 127 (a loopback address) connects to the local machine. (In the real version of this malware, this address connects to a remote machine, but we’ve set it to connect to localhost to protect you.) This lab may cause considerable damage to your computer and may be difficult to remove once installed. Do not run this file without a virtual machine with a snapshot taken prior to execution. This lab may be a bit more challenging than previous ones. You’ll need to use a combination of static and dynamic methods, and focus on the big picture in order to avoid getting bogged down by the details.

We’re going to break this one down into looking at the DLL first and then the exe.

Within the DLL, there is first a check to see if the mutex “SADFHUHF” exists on the host. If not, the mutex is created and a socket is opened to the IP “127.26.152.13”.

There is then a connect and a send of the string “hello”. After that, a loop with conditional branches lets the program continue receiving, shut down, sleep, or execute a command.

The .exe maps the files C:\Windows\System32\Kernel32.dll and Lab07-03.dll.

The malware copies the DLL Lab07-03.dll to a new location and name: C:\windows\system32\kerne132.dll. Notice that the l in kernel is now a 1.

The malware then calls sub_4011E0, which enumerates for .exe files. Once an .exe is found, there is a call to sub_4010A0 that replaces the benign kernel32.dll with the malicious kerne132.dll.

1. How does this program achieve persistence to ensure that it continues running when the computer is restarted?

The malicious kerne132.dll replaces the benign copy, so it is loaded whenever the modified executables run.

2. What are two good host-based signatures for this malware?

The mutex “SADFHUHF” and the fake kerne132.dll file that is created.

3. What is the purpose of this program?

The DLL checks for a mutex and creates one if it is not there, to make sure only one instance of the program is running. It reaches out to the IP and has options for commands. EXE creates

4. How could you remove this malware once it is installed?

You might have to do a full reset, since this malware modifies every executable it finds in order to get its DLL to run.
