Chapter 3¶

Lab 3-1¶

Analyze the malware found in the file Lab03-01.exe using basic dynamic analy- sis tools.

Analysis¶

As can be seen at the #Windows 10 Machine, doing dynamic analysis of the sample on a windows10 machine will result in the process werfault.exe to be generated. werfault.exe is a fault reporting mechanism of Windows 10.
Tested compatibility mode in two profiles Windows 7 and Windows XP and it will not work as well.
Addtionally, with reference to this articleand this too, this sample will not be able to run with Windows 10.
It seems like malware will only be able to run when a genuine Windows XP machine is used.
So we booted a #Windows XP Machine to detonate the malware and it worked!
From the ProcDot results below, we can see that Lab03-01.exe will create a new file vmx32to64.exe in system32 folder and add a new registry in HLKM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDriver to automatically start vmx32to64.exe on startup.
Additionally, Lab03-01.exe will also attempt to connect to www.practicalmalwareanalysis.com

Indicators of Compromise¶

Indicator	Indicator Type	Value
Hash (SHA1)	Host	`0BB491F62B77DF737801B9AB0FD14FA12D43D254`
File Created	Host	`Lab03-01.exe` `WINDOWS\system32\vmx32to64.exe`
Registry	Host	`HLKM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDriver`
URL Strings	Network	www.practicalmalwareanalysis.com

Screenshots¶

Lab03-01 Basic Static Analysis¶

Lab03-01.exe & vm32to64.exe

Information	Screenshot
Classification
Identifying Obfuscation & Packing
Imports
Strings

Lab03-01 Basic Dynamic Analysis¶

Windows 10 Machine¶

Pasted image 20220621132320.png Pasted image 20220621132328.png

Windows XP Machine¶

Lab03-01.exe

Tools	Screenshot
ProcDot
Proc Exp (Strings)
Proc Exp
Wireshark

vmx32to64.exe

Tools	Screenshots
ProcDot
Proc Exp(Strings)
Proc Exp
RegEdit

Lab 3-2¶

Analyze the malware found in the file Lab03-02.dll using basic dynamic analysis tools.

Questions¶

Question 4.¶

Which filters could you set in order to use procmon to glean information?

Analysis¶

This is a .dll, hence we will need to use rundll32.exe to run it. Based on this [[Windows Internals#run32dll exe|guide]], to run a dll file with rundll32.exe, we will need to know what is exported and call the exported functions.
Based on the exports, we find that there are 5 functions Install, installA, ServiceMain, UninstallA, Uninstall.
Based on the #Lab 3-2 Reverse Engineering code, we can see that installA will call Install which will install a service IPRIP onto the computer.
This is further confirmed by our dynamic analysis where we ran the malicious DLL and observed the changes in the registry.
After running the installation we will need to start the malicious service that is created to complete the execution of the malware.
This can be done by running the command net start IPRIP.
When a service is started, a svchost.exe proces will be started and hence we can look for the malicious service by sifting through all the svchost.exe processes and look for one that loads Lab03-02.dll.
With the PID gathered using ProcExp and filter for the particular PID.

Indicators of Compromise¶

Indicator	Indicator Type	Value
Hash (SHA1)	Host	C6FB3B50D946BEC6F391AEFA4E54478CF8607211
Registry	Host	Various new registry keys in `HKLM\System\CurrentControlSet\Services\IPRIP`
URL Strings	Network	www.practicalmalwareanalysis.com
HTTP Traffic	Network

Screenshots¶

Lab 3-2 Basic Static Analysis¶

Information	Screenshot
Classification
Identifying Obfuscation & Packing
Exports
Imports
Strings

Lab 3-2 Reverse Engineering¶

Description	Screenshot
installA
Install
uninstallA
UninstallService

Lab 3-2 Basic Dynamic Analysis¶

DLL Execution Overview¶

Pasted image 20220625031359.png

Failed Run

Tool	Screenshot
ProcDot

Successful Execution

Tool	Screenshot
ProcDot
RegEdit
Autoruns

Starting Malicious Service¶

Tool	Screenshot
ProcExp
ProcDot
apateDNS
HTTP Traffic

Lab 3-3¶

Execute the malware found in the file Lab03-03.exe while monitoring it using basic dynamic analysis tools in a safe environment.

Analysis¶

From our analysis, we can conclude that Lab03-03.exe is a loader that creates a svchost.exe process and injecting in memory into the process a keylogger.

Basic Static Analysis¶

From basic static analysis we can see that there is no signs of packing and obfuscation and some function imports and strings i.e SetThreadContext, WriteProcessMemory, NtUnmapViewOfSection that suggests that there is process hollowing going on.
We can also see that there is a resource named LOCALIZATION

Dynamic Analysis¶

Doing #Lab 3-3 Basic Dynamic Analysis we notice in ProcDot that Lab03-03.exe opens a svchost.exe process then kills itself. This svchost.exe process then writes into a file practicalmalwareanalysis.log and is still alive. This is a sign of process hollowing.
We open the file created to see that it is a keystroke log.
From process explorer we can see that there is a difference in strings of the image as compared to the strings of the memory of the svchost.exe process.
From the memory strings we can see strings that were not discovered during basic static analysis i.e UnhookWindowsHookEx, SetWindowsHookExA which are all imports that points to key logging.

Reverse Engineering¶

The reverse engineering confirms that there is process hollowing as the code pattern resembles the one explained here
Addtionally, we can see that there is a function that loads the resource LOCALIZATION and decodes the resource. As we can see from the decode function, XOR encoding was used.
Resource was extracted with resource hacker and decoded with cyberchef and we can see that there is MZ and This program cannot be run in DOS mode. which is the header for executables.
We then did some basic static analysis and we can see that there are some function imports that resembles the strings that are captured from memory.
Reverse Engineering of LOCALIZATION_decoded.bin we find a keyloggin function.

Indicators of Compromise¶

Indicator	Indicator Type	Value
Hash (SHA1)	Host	DAF263702F11DC0430D30F9BF443E7885CF91FCB
File Created	Host	practicalmalwareanalysis.log

Screenshots¶

Lab 3-3 Basic Static Analysis¶

Lab03-03.exe¶

Information	Screenshot
Classification
Identifying Obfuscation & Packing
Imports
Strings
Resource

LOCALIZATION_decoded.bin¶

Information	Screenshot
Classification
Imports
Strings

Lab 3-3 Reverse Engineering¶

Lab03-03.exe¶

Functions	Screenshots
Process Hollowing
Loading Resource
Decoding Resource
Decoded Resource

LOCALIZATION_decoded.bin¶

Function	Screenshots
KeyLogging

Lab 3-3 Basic Dynamic Analysis¶

Tool	Screenshot
ProcDot
ProcExp
File Created : practicalmalwareanalysis.log

Lab 3-4¶

Analyze the malware found in the file Lab03-04.exe using basic dynamic analysis tools. (This program is analyzed further in the Chapter 9 labs.)

Analysis¶

Application quits and deletes itself preventing further analysis. Reverse engineering found that the application checks for several conditions before it executes and if some conditions are available it will terminate it's process and delete itself.
Hence we will need to patch the executable by changing the code flow in the debugger so that it bypasses this checking.

Basic Static Analysis¶

From #Lab 3-4 Basic Static Analysis we can see that there is no packing used and there does not seem to be any obfuscation.

Dynamic Analysis¶

From ProcDot, we can see that the applicatin will run set a few registries in the HKCU and deletes itself.
No network connection was made even though there were imports and strings which suggests that this malware has such capabilities.
Likely, malware terminates itself after realising that it is in an unfavorable environment.

Reverse Engineering¶

Based on reverse engineering we found a function that will look for the executable file, delete the executable file and terminate the malicious process.
We also found that there are 7 instances of the function being called.
These 7 instances are all within one function which does certain checks.
This function is then called by the entry function