Practical Malware Analysis Lab 1–1A
These labs are part of the curriculum from Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software, by Michael Sikorski and Andrew Honig. I am not affiliated with the authors. All rights reserved.
Lab 1–1
1. Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?
Uploading the .dll file and .exe to VirusTotal, we can see that both files match antivirus signatures.
.dll file: [VirusTotal detection screenshot]
.exe file: [VirusTotal detection screenshot]
2. When were these files compiled?
Checking the details provided by VirusTotal, the .exe file was compiled on: [VirusTotal details screenshot]
And the .dll was compiled on: [VirusTotal details screenshot]
3. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?
We can tell whether a file is packed or obfuscated by looking at its strings. Most unpacked malware contains many readable strings; if a file has very few, it is most likely packed (a very small import table is another common sign).
We check both files with PEiD to see whether they are packed:
PEiD shows that neither file is packed.
4. Do any imports hint at what this malware does? If so, which imports are they?
We can check imports with the program Dependency Walker.
The .dll file imports three libraries, shown in the top-left pane:
- KERNEL32.DLL — common DLL that contains core functionality, such as access and manipulation of memory, files, and hardware.
- WS2_32.DLL — networking DLL. A program that imports this DLL most likely connects to a network or performs network-related tasks.
- MSVCRT.DLL — module containing standard C library functions such as printf, memcpy, and cos. It is part of the Microsoft C Runtime Library.
Some notable function imports are CreateProcessA and Sleep. The use of WS2_32.DLL implies that this file has network capabilities.
From the .exe file we see that it also imports KERNEL32.DLL and MSVCRT.DLL. The most interesting imported functions are FindFirstFileA, FindNextFileA, and CopyFileA: this malware searches for a specific file and copies it.
5. Are there any other files or host-based indicators that you could look for on infected systems?
Using the Strings window in IDA Pro we can see two near-identical strings: Kerne132.dll (with the digit 1 in place of the letter l) and Kernel32.dll. The look-alike name kerne132.dll is a host-based indicator we can search for on infected systems.
6. What network-based indicators could be used to find this malware on infected machines?
With IDA Pro we can find network information in the .dll file: it contains the IP address 127.26.152.13.
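The checks from questions 2, 3, 5 and 6 above (compile timestamp, string count as a packing heuristic, the kerne132.dll look-alike, and embedded IP literals) can be scripted instead of read off VirusTotal, PEiD and IDA Pro. The following is an added example, not code from the book or from the lab files: it parses the COFF header timestamp by hand, pulls printable strings, normalises digit-for-letter homoglyphs against a short list of well-known DLL names, and validates dotted-quad literals. The sample blob is constructed here (a non-loadable PE stub with an arbitrary timestamp and a strings section that mirrors what the write-up found); it is not the lab binary. The import table is not parsed, so question 4 still needs Dependency Walker.

```python
import re
import struct
from datetime import datetime, timezone

# --- Question 2: compile timestamp from the COFF file header -----------------

def pe_timestamp(data: bytes):
    """Return the COFF TimeDateStamp of a PE file as a UTC datetime, or None
    if the buffer does not carry the MZ/PE signatures."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)

# --- Question 3: string count as a packing heuristic --------------------------

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")   # runs of 4+ printable ASCII bytes

def extract_strings(data: bytes):
    """Crude equivalent of the Strings window: every run of 4+ printable bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]

def looks_packed(strings, min_strings=100):
    """Heuristic from the write-up: an unpacked binary carries many readable
    strings, so a file with very few is probably packed. The threshold is an
    assumption; confirm with PEiD or section/entropy checks."""
    return len(strings) < min_strings

# --- Question 5: host-based indicator, the kerne132.dll look-alike ------------

KNOWN_DLLS = {"kernel32.dll", "ws2_32.dll", "msvcrt.dll", "ntdll.dll",
              "user32.dll", "advapi32.dll"}
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})   # digits that masquerade as letters

def lookalike_dll_names(strings):
    """Flag DLL names that become a known system DLL once look-alike digits
    are swapped for letters, e.g. Kerne132.dll -> kernel32.dll."""
    hits = []
    for s in strings:
        low = s.lower()
        if low.endswith(".dll"):
            normalized = low.translate(HOMOGLYPHS)
            if normalized in KNOWN_DLLS and normalized != low:
                hits.append(s)
    return hits

# --- Question 6: network-based indicator, embedded IPv4 literals -------------

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def ipv4_indicators(strings):
    """Return dotted-quad literals whose octets are all in 0..255."""
    hits = []
    for s in strings:
        for candidate in IPV4.findall(s):
            if all(int(octet) <= 255 for octet in candidate.split(".")):
                hits.append(candidate)
    return hits

# --- Constructed sample: a minimal, non-loadable PE stub plus a strings blob ---
# The timestamp (1300000000 = 2011-03-13 07:06:40 UTC) is arbitrary and the
# strings mirror what the write-up found; this is not the lab binary.
_DOS_HEADER = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew = 0x40
_COFF_HEADER = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 1300000000, 0, 0, 0, 0x0102)
_STRINGS = b"\0".join([b"kernel32.dll", b"Kerne132.dll", b"WS2_32.dll",
                       b"FindFirstFileA", b"CopyFileA", b"127.26.152.13"]) + b"\0"
SAMPLE_PE = _DOS_HEADER + _COFF_HEADER + _STRINGS

def triage(data: bytes):
    """Run the four checks above and return the findings as a dict."""
    strings = extract_strings(data)
    return {
        "compiled": pe_timestamp(data),
        "string_count": len(strings),
        "looks_packed": looks_packed(strings),
        "lookalike_dlls": lookalike_dll_names(strings),
        "ipv4": ipv4_indicators(strings),
    }

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PE).items():
        print(f"{key}: {value}")
```

Run it against a real file with `triage(open(path, "rb").read())`. On the toy blob the packing heuristic trips simply because the sample has six strings, which is the point of the caveat in its docstring: a low string count is a prompt to look closer, not a verdict. The homoglyph check only covers `1`/`l` and `0`/`o` and a handful of DLL names; extend `KNOWN_DLLS` with whatever your environment loads.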
7. What would you guess is the purpose of these files?
My guess is that the .dll file connects to a network. The .exe looks for a file and copies it. I think both work together to find the file and export it out of a victim.