Chapter 1
Lab 1-1
This lab uses the files Lab01-01.exe and Lab01-01.dll. Use the tools and techniques described in the chapter to gain information about the files and answer the questions below.
Questions
Question 1.
Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?
- Yes, there are detections by various AV vendors.
Question 2.
When were these files compiled?
- Based on PEStudio, `Lab01-01.exe` was compiled on 19 Dec 2010 16:16:19 and `Lab01-01.dll` was compiled on 19 Dec 2010 16:16:38.
Question 3.
Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?
- Based on PEiD, the low entropy and the plainly readable imports, there are no signs of packing.
- The malware does not appear to be obfuscated either, as there is a lot of plain text in the strings and entropy is low.
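The checks behind Questions 2 and 3 (compile timestamp, entropy, packer-style sections, size of the import table) can be scripted. The script below is an added example, not code from the lab or the book: it parses the DOS, COFF and PE32 optional headers and the section table with only the Python standard library, then reports the compile time and any packing indicators. The two PE images it analyses are constructed in memory, one mimicking the timestamp and ordinary layout of `Lab01-01.exe` and one mimicking a UPX-packed file; the packer section names, the entropy threshold, the import-directory size threshold and the import table RVA are assumptions, not values taken from the lab files.

```python
"""PE triage with the standard library only: compile timestamp, per-section
entropy and import-directory size. Added example, not the book's code; the two
PE images below are constructed in memory to mimic the lab observations."""
import math
import random
import struct
from datetime import datetime, timezone

# Assumption: section names commonly left behind by packers (extend as needed).
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".petite"}
HIGH_ENTROPY = 7.0          # bits per byte; compressed/encrypted data sits near 8.0
MIN_IMPORT_DIR = 40         # bytes; one real DLL descriptor plus the terminator


def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(data: bytes) -> dict:
    """Parse the DOS, COFF and PE32 optional headers plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled in this example")
    # PE32 data directories start 96 bytes into the optional header; entry 1 is the import table.
    _import_rva, import_size = struct.unpack_from("<II", data, opt + 96 + 8)
    sections = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode(), entropy(data[raw_ptr:raw_ptr + raw_size])))
    indicators = []
    for name, ent in sections:
        if name.encode() in PACKER_SECTIONS:
            indicators.append(f"section {name} is a known packer section")
        if ent > HIGH_ENTROPY:
            indicators.append(f"section {name} has high entropy ({ent:.2f})")
    if import_size < MIN_IMPORT_DIR:
        indicators.append(f"import directory is tiny ({import_size} bytes)")
    return {"compile_time": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
            "sections": sections, "import_dir_size": import_size, "indicators": indicators}


def build_pe(sections, timestamp, import_size):
    """Assemble a minimal PE32 image from (name, raw bytes) pairs; test data only."""
    n = len(sections)
    first_raw = (0x40 + 4 + 20 + 224 + 40 * n + 0x1FF) & ~0x1FF   # 512-byte file alignment
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8, 0x2000, import_size)      # assumed import table RVA
    table, body, va = b"", b"", 0x1000
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw),
                             first_raw + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw
        va += max(0x1000, (len(raw) + 0xFFF) & ~0xFFF)
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(first_raw, b"\0") + body


_TS = int(datetime(2010, 12, 19, 16, 16, 19, tzinfo=timezone.utc).timestamp())
_rng = random.Random(1)
_RANDOM = bytes(_rng.getrandbits(8) for _ in range(4096))
_PLAIN = b"kernel32.dll\0MapViewOfFile\0CreateFileMappingA\0" * 90
# Constructed to resemble Lab01-01.exe: normal sections, readable data, imports present.
NORMAL_SAMPLE = build_pe([(b".text", _PLAIN), (b".rdata", _PLAIN), (b".data", _PLAIN)], _TS, 60)
# Constructed to resemble a UPX-packed file: packer section names, random bytes, tiny import table.
PACKED_SAMPLE = build_pe([(b"UPX0", b""), (b"UPX1", _RANDOM), (b".rsrc", _PLAIN[:512])], _TS, 20)

if __name__ == "__main__":
    for label, blob in (("normal", NORMAL_SAMPLE), ("packed", PACKED_SAMPLE)):
        report = triage(blob)
        print(label, report["compile_time"], report["indicators"] or "no packing indicators")
```

To run it against a real sample, replace the constructed blobs with `triage(open(path, "rb").read())`; the timestamp is printed in UTC, so compare it with the tool's time zone setting before calling a discrepancy a forged timestamp.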
Question 4.
Do any imports hint at what this malware does? If so, which imports are they?
- Lab01-01.exe
| Imports | Function |
|---|---|
| MapViewOfFile, CreateFileMappingA | Maps a file into memory; can be used to execute a file without going through the Windows loader |
- Lab01-01.dll
| Imports | Function |
|---|---|
| ws2_32.dll: socket, send, recv, inet_addr | Uses sockets to send and receive data |
| CreateProcessA | Creates a new process |
Question 5.
Are there any other files or host-based indicators that you could look for on infected systems?
- Based on the strings of `Lab01-01.exe`, we can see a particular file path, `C:\windows\system32\kerne132.dll`. A `1` is used instead of an `l`, which might indicate a malicious `.dll` at that path. We should be able to find this `kerne132.dll` on the infected host.
Question 6.
What network-based indicators could be used to find this malware on infected machines?
- Based on the strings of `Lab01-01.dll`, we see what appears to be an IP address, `127.26.152.13`. We could filter for this IP address when we look through the network logs.
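The host indicator in Question 5 and the network indicator in Question 6 both come straight out of the binaries' strings. The script below is an added example, not part of the write-up: it extracts ASCII and UTF-16LE strings from a byte buffer, pulls out IPv4 addresses, URLs and Windows paths, and flags module names that differ from a legitimate one only by digit-for-letter substitutions, which is exactly the `kerne132.dll` versus `kernel32.dll` trick. The input buffer is constructed inline to contain the indicators discussed here plus some noise, and the allowlist of legitimate module names is an assumption you would extend from a clean system.

```python
"""Pull host and network indicators out of a binary's strings. Added example,
not part of the write-up; the input buffer is constructed to contain the
indicators discussed in Questions 5 and 6 plus some noise."""
import re

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?", re.I)
WINPATH_RE = re.compile(r"(?:[A-Za-z]:)?\\(?:[\w.-]+\\)*[\w.-]+\.\w{2,4}", re.I)
# Assumption: a small allowlist of legitimate module names; extend from a clean system.
LEGIT_MODULES = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "ws2_32.dll"}
# Digit/letter substitutions that make a name look legitimate at a glance.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "|": "l"})


def extract_strings(data: bytes) -> list:
    """Printable ASCII and UTF-16LE runs of at least four characters, in file order."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16le")) for m in UTF16_RE.finditer(data)]
    return [s for _, s in sorted(found)]


def valid_ipv4(ip: str) -> bool:
    return all(0 <= int(octet) <= 255 for octet in ip.split("."))


def lookalike_module(path: str):
    """Return the legitimate name a file name imitates, or None if it is genuine/unknown."""
    base = path.lower().rsplit("\\", 1)[-1]
    if base in LEGIT_MODULES:
        return None
    normalised = base.translate(HOMOGLYPHS)
    return normalised if normalised in LEGIT_MODULES else None


def find_iocs(strings) -> dict:
    """Group candidate indicators by kind; each list is sorted and de-duplicated."""
    iocs = {"ips": set(), "urls": set(), "paths": set(), "lookalikes": set()}
    for s in strings:
        iocs["ips"].update(ip for ip in IPV4_RE.findall(s) if valid_ipv4(ip))
        iocs["urls"].update(URL_RE.findall(s))
        for path in WINPATH_RE.findall(s):
            iocs["paths"].add(path)
            target = lookalike_module(path)
            if target:
                iocs["lookalikes"].add(f"{path} (mimics {target})")
    return {kind: sorted(values) for kind, values in iocs.items()}


def triage_strings(data: bytes) -> dict:
    return find_iocs(extract_strings(data))


# Constructed sample: ASCII and UTF-16LE strings separated by binary noise.
SAMPLE = (b"\x01\x02MZ noise\x00" + b"kernel32.dll\x00"
          + b"C:\\windows\\system32\\kerne132.dll\x00" + b"127.26.152.13\x00"
          + b"http://www.malwareanalysisbook.com\x00" + b"999.1.1.1\x00\x7f"
          + "\\system32\\wupdmgr.exe".encode("utf-16le") + b"\x00\x00\x80")

if __name__ == "__main__":
    for kind, values in triage_strings(SAMPLE).items():
        print(f"{kind}: {values}")
```

The genuine `kernel32.dll` string is reported only as a plain string, while the `kerne132.dll` path is listed under both `paths` and `lookalikes`; the invalid `999.1.1.1` is dropped by the octet check, which keeps version-number noise out of the IP list.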
Question 7.
What would you guess is the purpose of these files?
- `Lab01-01.exe` is likely the loader and `Lab01-01.dll` likely contains the malicious payload.
- One possibility is that `Lab01-01.exe` is executed and renames `Lab01-01.dll` to `kerne132.dll`.
- It might be a reverse shell/beacon, as there are network connectivity imports in the `.dll` as well as a hardcoded IP address.
Screenshots
- Lab01-01.exe: VirusTotal, Classification, Identify Packing/Obfuscation, Imports, Strings
- Lab01-01.dll: VirusTotal, Classification, Identify Packer/Obfuscation, Imports, Strings
Lab 1-2
Analyze the file Lab01-02.exe.
Questions
Question 1.
Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
- Yes, there are detections by various AVs.
Question 2.
Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
- Packing is suspected because of the unusually small number of imports and strings that do not make sense.
- It is packed with UPX. This can be seen with PEiD and from the section headers in CFF Explorer or PEStudio.
- The file can be unpacked with CFF Explorer's built-in UPX unpacker.
Question 3.
Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
| Import(s) | Function |
|---|---|
| CreateServiceA, OpenSCManagerA | Maintains persistence by creating a service |
| InternetOpenUrlA, InternetOpenA | Fetches a web page |
Question 4.
What host- or network-based indicators could be used to identify this malware on infected machines?
- Based on the strings, we see a URL, `www.malwareanalysisbook.com`; we can filter for this URL in the network logs, if they exist.
- As this malware could create a service, `Malservice` could be a host-based indicator. We can check the Windows Event Logs in Event Viewer, under Windows Logs > System, and look for events with the Source set to Service Control Manager (SCM).
- We can also look under Applications and Services Logs for `Malservice` to see what it did.
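The Event Viewer check above becomes repeatable once the System log is exported and filtered by source and event ID. The script below is an added example, not part of the write-up: it scans exported log lines for Service Control Manager events and reports service installations (event ID 7045) and service state changes (event ID 7036) whose service name matches a suspect. Those two event IDs are the real SCM ones, but the tab-separated export format, the sample lines and the `Malservice` file path are constructed for the example.

```python
"""Filter exported System-log lines for Service Control Manager (SCM) events
that involve a suspect service. Added example; the lines and the tab-separated
export format are constructed, not a real Event Viewer export."""
import re

SCM_SOURCE = "Service Control Manager"
# Real System-log event IDs raised by the SCM.
INSTALLED, STATE_CHANGE = 7045, 7036
SUSPECT_SERVICES = {"malservice"}   # assumption: names found during triage, lower-cased

INSTALL_RE = re.compile(r"Service Name:\s*(.+?)\s+Service File Name:\s*(.+?)\s+Service Type")
STATE_RE = re.compile(r"The (.+?) service entered the (\w+) state")

# Constructed sample export: <timestamp>\t<source>\t<event id>\t<message>
SAMPLE_LOG = """\
2010-12-19 16:20:01\tService Control Manager\t7045\tA service was installed in the system. Service Name: Malservice Service File Name: C:\\Users\\victim\\Lab01-02.exe Service Type: user mode service Service Start Type: auto start
2010-12-19 16:20:02\tService Control Manager\t7036\tThe Malservice service entered the running state.
2010-12-19 16:21:15\tService Control Manager\t7036\tThe Windows Update service entered the running state.
2010-12-19 16:21:16\tMicrosoft-Windows-Kernel-General\t1\tThe system time has changed.
2010-12-19 16:22:40\tService Control Manager\t7045\tA service was installed in the system. Service Name: Print Spooler Service File Name: C:\\Windows\\System32\\spoolsv.exe Service Type: user mode service Service Start Type: auto start
"""


def parse_line(line: str):
    """Split one export line into (timestamp, source, event_id, message)."""
    ts, source, event_id, message = line.split("\t", 3)
    return ts, source, int(event_id), message


def scm_events(text: str):
    """Yield (timestamp, event_id, service, detail) for every SCM event in the export.

    For 7045 the detail is the service binary path; for 7036 it is the new state."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, event_id, message = parse_line(line)
        if source != SCM_SOURCE:
            continue
        if event_id == INSTALLED:
            m = INSTALL_RE.search(message)
        elif event_id == STATE_CHANGE:
            m = STATE_RE.search(message)
        else:
            m = None
        if m:
            yield ts, event_id, m.group(1), m.group(2)


def suspect_hits(text: str, suspects=SUSPECT_SERVICES) -> list:
    """Return SCM events whose service name matches a suspect name (case-insensitive)."""
    return [ev for ev in scm_events(text) if ev[2].lower() in suspects]


if __name__ == "__main__":
    for ts, event_id, service, detail in suspect_hits(SAMPLE_LOG):
        print(f"{ts}  event {event_id}  {service}: {detail}")
```

The 7045 hit is the useful one for scoping: it carries the path of the service binary, which ties the service name back to the file on disk even if the sample has since been renamed.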
Screenshots
- Packed malware: VirusTotal, Classification, Identify Packing/Obfuscation, Imports, Strings
- Unpacked malware: VirusTotal, Classification, Imports, Strings
Lab 1-3
Analyze the file Lab01-03.exe.
Questions
Question 1.
Upload the Lab01-03.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
- Yes, there are detections by various AVs.
Question 2.
Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
- Yes. Although the entropy level is low, the import table has only two functions, the section headers are empty and the lack of strings points to packing.
- PEiD, DiE and PEStudio all report packing with the signature `FSG 1.0`.
- The unpacking process is shown below.
Question 3.
Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
- Lab01-03.exe
| Import(s) | Function |
|---|---|
| LoadLibraryA, GetProcAddress | Used by the packer |
- Lab01-03_extracted.exe
| Import(s) | Function |
|---|---|
Question 4.
What host- or network-based indicators could be used to identify this malware on infected machines?
- Indicators of compromise
| Type | Indicator |
|---|---|
| Network | http://malwareanalysisbook.com/ad.html |
Screenshots
- Packed: VirusTotal, Classification, Identify Packer/Obfuscation, Imports, Strings
- Unpacked: VirusTotal, Classification, Imports, Strings
Unpacking Process
- As this is packed with FSG 1.0, which is well known, x96dbg scripts are already available here and here.
- Step 1: Go to the Script tab.
- Step 2: Load the script.
- Step 3: Run the script by hitting the spacebar. The script ran successfully and the OEP was found.
- Step 4: Run the Scylla plugin.
- Step 5: Do an initial dump of the unpacked executable.
- Step 6: Do an IAT Autosearch. The IAT info fields are filled in when the autosearch is successful.
- Step 7: Get the imports to see if there are any broken imports.
- Step 8: Lastly, make sure the imports are all good and fix the unpacked PE dump.
Lab 1-4
Analyze the file Lab01-04.exe.
Questions
Question 1.
Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
- Yes, it was flagged as malicious on VirusTotal.
Question 2.
Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
- There are visible strings, the imports and sections look normal and entropy is low, which suggests that the sample is neither packed nor obfuscated.
Question 3.
When was this program compiled?
| Binary | Compile Time |
|---|---|
| Lab01-04.exe | Fri Aug 30 22:26:59 2019 UTC |
| Extracted Binary | Sun Feb 27 00:16:59 2011 UTC |
Question 4.
Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
- Lab01-04.exe
| Imports | Function |
|---|---|
| CreateRemoteThread, LoadLibraryA | DLL injection |
| OpenProcessToken, AdjustTokenPrivileges, GetModuleHandle, LookupPrivilegeValue | Token impersonation |
| OpenProcess, GetProcAddress | Process creation |
| MoveFileA, CreateFileA, GetWindowsDirectory | File creation and modification |
- Extracted binary file
| Import | Function |
|---|---|
| WinExec | Executes a file |
| URLDownloadToFileA | Downloads from C2 |
Question 5.
What host- or network-based indicators could be used to identify this malware on infected machines?
- Indicators of compromise
| Type | Indicator |
|---|---|
| Host | `\system32\wupdmgr.exe`, `\winup.exe` |
| Host | `winlogon.exe` |
| Network | http://www.practicalmalwareanalysis.com/updater.exe |
- Based on the host-based indicators above, we can check the host for a file named `wupdmgr.exe` in the `system32` directory and for `winup.exe`. We can compare the hashes of these files with the hashes we obtained above.
- It is likely that a process is created, and the process targeted could be `winlogon.exe`.
- Lastly, a connection is likely made to `http://practicalmalwareanalysis.com/updater.exe` to download `updater.exe`, which would then be executed by the malware.
Question 6.
This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?
- Within the executable's resource section there is another executable.
- This is likely a two-stage malware: `Lab01-04.exe` is likely used to load the binary that is in the resource.
- The binary within `Lab01-04.exe` is likely a downloader that downloads from the URL `http://www.practicalmalwareanalysis.com/updater.exe`.
Screenshots
- Lab01-04.exe: VirusTotal (link), Classification, Imports, Strings, Resources
- Extracted binary file: VirusTotal (link), Classification, Imports, Strings