Practical malware analysis: solutions for Lab 1

I am trying to acquire some knowledge on malware analysis by using ‘Practical Malware Analysis’ (by Sikorski, Michael, and Andrew Honig, 2012). I will publish my solutions of the exercises as soon as I complete them; here you can find all the executables for the labs.

NOTE: I will try to use Linux utilities (such as pev, wrestool and Detect It Easy) instead of the Windows tools which are mentioned in the book.

The first chapter was about basic static analysis techniques, you can find some notes about it in this repo.

Lab 1-1

  1. Upload the files to VirusTotal and view the reports. Does either file match any existing antivirus signatures?

Uploading the files on VirusTotal, the results are that Lab01-01.dll is flagged as malicious by 34 engines, and Lab01-01.exe by 41. Here are links to the reports for Lab01-01.dll and Lab01-01.exe.

  1. When were these files compiled?

I used pev to detect the timestamp of the compilation:

$ readpe Lab01-01.dll | grep "time stamp"
Date/time stamp:                 1292775398 (Sun, 19 Dec 2010 16:16:38 UTC)
$ readpe Lab01-01.exe | grep "time stamp"
Date/time stamp:                 1292775379 (Sun, 19 Dec 2010 16:16:19 UTC)
  1. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

The output of strings on both the files does not include LoadLibrary or GetProcAddress. We can have confirmation that these are not packed by using Detect It Easy:

$ diec Lab01-01.dll
PE: compiler: Microsoft Visual C/C++(6.0)[msvcrt]
PE: linker: Microsoft Linker(6.0)[DLL32]
$ diec Lab01-01.exe
PE: compiler: Microsoft Visual C/C++(6.0)[msvcrt]
PE: linker: Microsoft Linker(6.0)[DLL32]

If the given file is packed, the diec command would list the packer used in the output.

  1. Do any imports hint at what this malware does? If so, which imports are they?

pev allows us to check the imported functions by using the -i flag, for instance:

$ readpe -i Lab01-01.dll
Imported functions
    Library
        Name:                            KERNEL32.dll
        Functions
            Function
                Hint:                            662
                Name:                            Sleep
            Function
                Hint:                            68
                Name:                            CreateProcessA
            Function
                Hint:                            63
                Name:                            CreateMutexA
            Function
                Hint:                            493
                Name:                            OpenMutexA
            Function
                Hint:                            27
                Name:                            CloseHandle
    Library
        Name:                            WS2_32.dll
        Functions
            Function
                Ordinal:                         23
            Function
                Ordinal:                         115
            Function
                Ordinal:                         11
            Function
                Ordinal:                         4
            Function
                Ordinal:                         19
            Function
                Ordinal:                         22
            Function
                Ordinal:                         16
            Function
                Ordinal:                         3
            Function
                Ordinal:                         116
            Function
                Ordinal:                         9
    Library
        Name:                            MSVCRT.dll
        Functions
            Function
                Hint:                            157
                Name:                            _adjust_fdiv
            Function
                Hint:                            657
                Name:                            malloc
            Function
                Hint:                            271
                Name:                            _initterm
            Function
                Hint:                            606
                Name:                            free
            Function
                Hint:                            704
                Name:                            strncmp

In order to make the blog post more readable, I’ll summarize the findings and list only the interesting functions.

  • Lab01–01.exe imports functions from KERNEL32.dll and MSVCRT.dll
  • Lab01–01.dll imports functions from KERNEL32.dll, MSVCRT.dll, and WS2_32.dll

KERNEL32.dll contains important functionalities (like access and edit memory and files), thus is a common DLL to import. It is interesting to note the presence of FindFirstFileA and FindNextFileA in Lab01–01.exe, and CreateProcessA in Lab01–01.dll.

WS2_32.dll is used for network functionalities, but in this case is imported by ordinals, thus we don’t have many additional information.

  1. Are there any other files or host-based indicators that you could look for on infected systems?

Using strings on Lab01-01.exe file, we can see some interesting findings, such as:

  • kerne132.dll
  • kernel32.dll
  • C:\windows\system32\kerne132.dll
  • Kernel32.
  • Lab01-01.dll
  • C:\Windows\System32\Kernel32.dll
  • WARNING_THIS_WILL_DESTROY_YOUR_MACHINE (my favorite)

In particular, we can assume the existence of the file named kerne132.dll (with a 1 instead of an l) for infected machines.

  1. What network-based indicators could be used to find this malware on infected machines?

Using strings on Lab01-01.dll, we can see an IP address: 127.26.152.13.

  1. What would you guess is the purpose of these files?

Other interesting results running strings are: exec, hello, CreateProcess and sleep; which are names of functions. Based on the findings provided, we can say that these two files may be used to create a backdoor.

Lab 1-2

  1. Upload the Lab01-02.exe file to VirusTotal. Does it match any existing antivirus definitions?

The file is considered malicious by 55 engines, here is the report.

  1. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

Detect It Easy finds that UPX has been used in this case:

$ diec Lab01-02.exe
PE: packer: UPX(3.04)[NRV,best]
PE: compiler: Microsoft Visual C/C++(6.0)[-]
PE: linker: Microsoft Linker(6.0)[EXE32,console]

We can then proceed to unpack the file with the following command:

$ upx -d -o Lab01-02_unpacked.exe Lab01-02.exe

                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX git-d7ba31+ Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     16384 <-      3072   18.75%    win32/pe     Lab01-02_unpacked.exe

Unpacked 1 file.
  1. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

As shown in the previous exercise, we can use readpe -i to check the imported functions. Here are the interesting findings:

  • KERNEL32.DLL: SystemTimeToFileTime, GetModuleFileNameA, CreateMutexA, CreateThread and SetWaitableTimer
  • ADVAPI32.DLL: CreateServiceA, StartServiceCtrlDispatcherA and OpenSCManagerA
  • WININET.DLL: InternetOpenUrlA and InternetOpenA

In particular, the last DLL file suggests that the file is communicating over the Internet.

  1. What host or network-based indicators could be used to identify this malware on infected machines?

Again, strings is our friend: MalService, Malservice, HGL345,http://www.malwareanalysisbook.com and Internet Explorer 8.0. These results are suggesting that the file is creating a service (probably MalService?) and connecting to the URL.

Lab 1-3

  1. Upload the Lab01-03.exe file to VirusTotal. Does it match any existing antivirus definitions?

Lab01-03.exe is detected as malicious by 64 engines, here is the report.

  1. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

Scanning the file with diec shows that it is packed with FSG 1.0:

$ diec Lab01-03.exe
PE: packer: FSG(1.0)[-]
PE: linker: unknown(0.0)[EXE32,console]

Unfortunately it is not possible (AFAIK) to unpack it with upx, thus I cannot proceed:

$ upx -d Lab01-03.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX git-d7ba31+ Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: Lab01-03.exe: NotPackedException: not packed by UPX

Unpacked 0 files.
  1. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

Being still packed, we have limited visibility on Lab01–03.exe. We can only see that it imports KERNEL32.DLL and uses the following functions: LoadLibraryA and GetProcAddress.

$ readpe -i Lab01-03.exe
Imported functions
    Library
        Name:                            KERNEL32.dll
        Functions
            Function
                Hint:                            0
                Name:                            LoadLibraryA
            Function
                Hint:                            0
                Name:                            GetProcAddress
  1. What host or network-based indicators could be used to identify this malware on infected machines?

In this case, strings does not help us a lot, because the file is packed. Again we see LoadLibraryA and GetProcAddress. Some of the other strings seems to refer to OLE.

Lab 1-4

  1. Upload the Lab01-04.exe file to VirusTotal. Does it match any existing antivirus definitions?

The file is detected as malicious by 61 engines, here is the report.

  1. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

The file does not seem to be packed:

$ diec Lab01-04.exe
PE: compiler: Microsoft Visual C/C++(6.0)[msvcrt]
PE: linker: Microsoft Linker(6.0*)[EXE32]
  1. When was this program compiled?

The time stamp reported seems suspicious 🤔, considering that the book was published in 2012:

$ readpe Lab01-04.exe | grep "time stamp"
    Date/time stamp:                 1567204019 (Fri, 30 Aug 2019 22:26:59 UTC)

It was probably modified, thus it’s not clear when the file was actually compiled.

  1. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

Here are the imports found with readpe -i:

  • ADVAPI32.dll: AdjustTokenPrivileges, LookupPrivilegeValueA and OpenProcessToken.
  • KERNEL32.dll: CreateRemoteThread, MoveFileA, SizeofResource, LoadResource, GetModuleHandleA, OpenProcess, GetWindowsDirectoryA, WriteFile, GetCurrentProcess, CreateFileA, GetProcAddress, FindResourceA, LoadLibraryA and WinExec.

Considering the functions used, we can say that the program will try to access protected files (SizeOfResource, FindResource, LoadResource, LookupPrivilegeValueA and AdjustTokenPrivilages) and create and execute files (CreateFile, WriteFile and WinExec).

  1. What host or network-based indicators could be used to identify this malware on infected machines?

Here are the host and network-based indicators that can be found using strings:

  • host-based: C:\WINDOWS\system32\wupdmgrd.exe and winup.exe
  • network-based: http://www.practicalmalwareanalysis.com/updater.exe
  1. This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?

We can list and extract the resources from a Windows binary using wrestool:

$ wrestool -l Lab01-04.exe
--type='BIN' --name=101 --language=1033 [offset=0x4060 size=16384]
$ wrestool -x --raw --output=Lab01-04.bin Lab01-04.exe
$ diec Lab01-04.bin
PE: compiler: Microsoft Visual C/C++(6.0)[msvcrt]
PE: linker: Microsoft Linker(6.0)[EXE32]
  • Compiled on 1298765819 (Sun, 27 Feb 2011 00:16:59 UTC).
  • Imports: KERNEl32.dll (WinExec) and urlmon.dll (URLDownloadToFileA)
  • Interesting strings: \system32\wupdmgr.exe, winup.exe and www.malwareanalysisbok.com/updater.exe

Considering the information obtained, we can assume that the Lab01-04.exe file will be used to change permissions to write in a directory and drop and execute the hidden resource, which contacts the network to download and run additional malware.