# Practical malware analysis: solutions for Lab 1

I am trying to acquire some knowledge of malware analysis by working through ‘Practical Malware Analysis’ (by Michael Sikorski and Andrew Honig, 2012). I will publish my solutions to the exercises as soon as I complete them; here you can find all the executables for the labs.

NOTE: I will try to use Linux utilities (such as pev, wrestool and Detect It Easy) instead of the Windows tools which are mentioned in the book.

The first chapter was about basic static analysis techniques; you can find some notes about it in this repo.

## Lab 1-1

1. Upload the files to VirusTotal and view the reports. Does either file match any existing antivirus signatures?

After uploading the files to VirusTotal, Lab01-01.dll is flagged as malicious by 34 engines and Lab01-01.exe by 41. Here are links to the reports for Lab01-01.dll and Lab01-01.exe.

1. When were these files compiled?

I used pev to detect the timestamp of the compilation:

```
$ readpe Lab01-01.dll | grep "time stamp"
Date/time stamp:                 1292775398 (Sun, 19 Dec 2010 16:16:38 UTC)
$ readpe Lab01-01.exe | grep "time stamp"
Date/time stamp:                 1292775379 (Sun, 19 Dec 2010 16:16:19 UTC)
```

1. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

The output of strings on both files does not show the minimal LoadLibrary/GetProcAddress import pair that packed binaries typically expose. We can confirm that they are not packed by using Detect It Easy:

```
$ diec Lab01-01.dll
PE: compiler: Microsoft Visual C/C++(6.0)[msvcrt]
PE: linker: Microsoft Linker(6.0)[DLL32]
$ diec Lab01-01.exe
PE: compiler: Microsoft Visual C/C++(6.0)[msvcrt]
```

If a file were packed, diec would list the packer used in its output.
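The two checks above (compile timestamp from the COFF header, packing indicators from the section table) can also be done by hand. The following is an added example, not code from the post, from pev or from Detect It Easy: it parses the PE headers in Python and applies three heuristics that are my own assumptions (known packer section names, a section with a virtual size but no raw data, and byte entropy above 7.0). The PE it inspects is built by make_sample_pe() and is a constructed sample, not one of the lab binaries.

```python
# Added example (not from the post, not pev/diec code): read the COFF header and
# section table of a PE file to recover the compile timestamp and to score the
# packing indicators that readpe/diec report. The PE it is run on is a minimal
# sample constructed by make_sample_pe(); it is not one of the lab binaries.
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Section names left behind by common packers (assumption: a short, well-known subset).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".nsp0", ".petite", ".themida"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Walk MZ header -> e_lfanew -> PE signature -> COFF header -> section table."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, coff)
    sect_off = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER is 40 bytes: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        name, vsize, _vaddr, raw_size, raw_ptr, *_ = struct.unpack_from("<8sIIIIIIHHI", blob, sect_off + 40 * i)
        raw = blob[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": shannon_entropy(raw),
        })
    return {
        "timestamp": timestamp,
        "compiled_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc),
        "sections": sections,
    }


def packing_indicators(info: dict) -> list:
    """Heuristics only: a match is an indicator to follow up, not proof of packing."""
    hits = []
    for s in info["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append(f"section name {s['name']} is used by a known packer")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append(f"section {s['name']} has no raw data but {s['virtual_size']:#x} bytes virtual: typical unpack target")
        if s["raw_size"] > 0 and s["entropy"] > 7.0:
            hits.append(f"section {s['name']} entropy {s['entropy']:.2f} > 7.0: compressed or encrypted content")
    return hits


def make_sample_pe(timestamp: int, sections: list) -> bytes:
    """Build a constructed, header-only PE (no optional header) to exercise the parser.
    sections: list of (name, virtual_size, raw_bytes)."""
    e_lfanew = 0x40
    hdr_end = e_lfanew + 4 + 20 + 40 * len(sections)
    raw_ptr = (hdr_end + 0x1FF) & ~0x1FF          # 512-byte file alignment
    table, raw_blobs = b"", b""
    for name, vsize, raw in sections:
        ptr = raw_ptr + len(raw_blobs) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        raw_blobs += raw
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x102)
    headers = dos + b"PE\0\0" + coff + table
    return headers + b"\0" * (raw_ptr - len(headers)) + raw_blobs


def report(blob: bytes) -> str:
    """Same information readpe/diec gave above, as one text block."""
    info = parse_pe(blob)
    lines = [f"Date/time stamp: {info['timestamp']} ({info['compiled_utc']:%a, %d %b %Y %H:%M:%S UTC})"]
    lines += packing_indicators(info) or ["no packing indicators"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed samples: one that looks UPX-packed, one with a plain .text section.
    packed = make_sample_pe(1292775398, [("UPX0", 0x8000, b""), ("UPX1", 0x3000, bytes(range(256)) * 16)])
    plain = make_sample_pe(1292775398, [(".text", 0x200, b"\x90" * 0x1C0 + b"\xc3" * 0x40)])
    print(report(packed))
    print(report(plain))
```

diec matches signatures, so its verdict is more specific than these heuristics; a hit here is a reason to look closer, not a verdict, and a packer that keeps ordinary section names and low entropy will slip past it.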

1. Do any imports hint at what this malware does? If so, which imports are they?

pev allows us to check the imported functions by using the -i flag, for instance:

```
$ readpe -i Lab01-01.dll
Imported functions
Library
Name:                            KERNEL32.dll
Functions
Function
Hint:                            662
Name:                            Sleep
Function
Hint:                            68
Name:                            CreateProcessA
Function
Hint:                            63
Name:                            CreateMutexA
Function
Hint:                            493
Name:                            OpenMutexA
Function
Hint:                            27
Name:                            CloseHandle
Library
Name:                            WS2_32.dll
Functions
Function
Ordinal:                         23
Function
Ordinal:                         115
Function
Ordinal:                         11
Function
Ordinal:                         4
Function
Ordinal:                         19
Function
Ordinal:                         22
Function
Ordinal:                         16
Function
Ordinal:                         3
Function
Ordinal:                         116
Function
Ordinal:                         9
Library
Name:                            MSVCRT.dll
Functions
Function
Hint:                            157
Name:                            _adjust_fdiv
Function
Hint:                            657
Name:                            malloc
Function
Hint:                            271
Name:                            _initterm
Function
Hint:                            606
Name:                            free
Function
Hint:                            704
Name:                            strncmp
```

In order to make the blog post more readable, I’ll summarize the findings and list only the interesting functions.

• Lab01-01.exe imports functions from KERNEL32.dll and MSVCRT.dll
• Lab01-01.dll imports functions from KERNEL32.dll, MSVCRT.dll, and WS2_32.dll

KERNEL32.dll provides core functionality (such as accessing and modifying memory and files), so it is a common DLL to import. It is interesting to note the presence of FindFirstFileA and FindNextFileA in Lab01-01.exe, and of CreateProcessA in Lab01-01.dll. WS2_32.dll provides network functionality, but in this case it is imported by ordinal, so the function names are not visible and we do not get much additional information.

1. Are there any other files or host-based indicators that you could look for on infected systems?

Using strings on Lab01-01.exe, we can see some interesting findings, such as:

• kerne132.dll
• kernel32.dll
• C:\windows\system32\kerne132.dll
• Kernel32.
• Lab01-01.dll
• C:\Windows\System32\Kernel32.dll
• WARNING_THIS_WILL_DESTROY_YOUR_MACHINE (my favorite)

In particular, we can assume the existence of a file named kerne132.dll (with a 1 instead of an l) on infected machines.

1. What network-based indicators could be used to find this malware on infected machines?

Using strings on Lab01-01.dll, we can see an IP address: 127.26.152.13.

1. What would you guess is the purpose of these files?

Other interesting results from strings are exec, hello, CreateProcess and sleep, which are names of functions. Based on these findings, we can say that these two files may be used to create a backdoor.

## Lab 1-2

1. Upload the Lab01-02.exe file to VirusTotal. Does it match any existing antivirus definitions?

The file is considered malicious by 55 engines; here is the report.

1. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

Detect It Easy finds that UPX has been used in this case:

```
$ diec Lab01-02.exe
PE: packer: UPX(3.04)[NRV,best]
PE: compiler: Microsoft Visual C/C++(6.0)[-]
```


We can then proceed to unpack the file with the following command:

```
$ upx -d -o Lab01-02_unpacked.exe Lab01-02.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX git-d7ba31+ Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     16384 <-      3072   18.75%    win32/pe     Lab01-02_unpacked.exe

Unpacked 1 file.
```

1. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

As shown in the previous exercise, we can use readpe -i to check the imported functions. Here are the interesting findings:

• KERNEL32.DLL: SystemTimeToFileTime, GetModuleFileNameA, CreateMutexA, CreateThread and SetWaitableTimer
• ADVAPI32.DLL: CreateServiceA, StartServiceCtrlDispatcherA and OpenSCManagerA
• WININET.DLL: InternetOpenUrlA and InternetOpenA

In particular, the last DLL suggests that the program communicates over the Internet.

1. What host or network-based indicators could be used to identify this malware on infected machines?

Again, strings is our friend: MalService, Malservice, HGL345, http://www.malwareanalysisbook.com and Internet Explorer 8.0. These results suggest that the program creates a service (probably MalService?) and connects to the URL.

## Lab 1-3

1. Upload the Lab01-03.exe file to VirusTotal. Does it match any existing antivirus definitions?

Lab01-03.exe is detected as malicious by 64 engines; here is the report.

1. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

Scanning the file with diec shows that it is packed with FSG 1.0:

```
$ diec Lab01-03.exe
PE: packer: FSG(1.0)[-]
```


Unfortunately it is not possible (AFAIK) to unpack it with upx, thus I cannot proceed:

```
$ upx -d Lab01-03.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX git-d7ba31+ Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: Lab01-03.exe: NotPackedException: not packed by UPX

Unpacked 0 files.
```

1. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

Since the file is still packed, we have limited visibility into Lab01-03.exe. We can only see that it imports KERNEL32.dll and uses the following functions: LoadLibraryA and GetProcAddress.

```
$ readpe -i Lab01-03.exe
Imported functions
Library
Name:                            KERNEL32.dll
Functions
Function
Hint:                            0
Function
Hint:                            0
```

1. What host or network-based indicators could be used to identify this malware on infected machines?

In this case, strings does not help us much, because the file is packed. Again we see LoadLibraryA and GetProcAddress. Some of the other strings seem to refer to OLE.

## Lab 1-4

1. Upload the Lab01-04.exe file to VirusTotal. Does it match any existing antivirus definitions?

The file is detected as malicious by 61 engines, here is the report.

1. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

The file does not seem to be packed:

```
$ diec Lab01-04.exe
PE: compiler: Microsoft Visual C/C++(6.0)[msvcrt]
PE: linker: Microsoft Linker(6.0*)[EXE32]
```

1. When was this program compiled?

The reported time stamp seems suspicious 🤔, considering that the book was published in 2012:

```
$ readpe Lab01-04.exe | grep "time stamp"
Date/time stamp:                 1567204019 (Fri, 30 Aug 2019 22:26:59 UTC)
```


The time stamp was probably tampered with, so it is not clear when the file was actually compiled.

1. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

Here are the imports found with readpe -i:

• ADVAPI32.dll: AdjustTokenPrivileges, LookupPrivilegeValueA and OpenProcessToken.
• KERNEL32.dll: CreateRemoteThread, MoveFileA, SizeofResource, LoadResource, GetModuleHandleA, OpenProcess, GetWindowsDirectoryA, WriteFile, GetCurrentProcess, CreateFileA, GetProcAddress, FindResourceA, LoadLibraryA and WinExec.

Considering the functions used, we can say that the program will try to access protected files (SizeofResource, FindResourceA, LoadResource, LookupPrivilegeValueA and AdjustTokenPrivileges) and to create and execute files (CreateFileA, WriteFile and WinExec).

1. What host or network-based indicators could be used to identify this malware on infected machines?

Here are the host and network-based indicators that can be found using strings:

• host-based: C:\WINDOWS\system32\wupdmgrd.exe and winup.exe
• network-based: http://www.practicalmalwareanalysis.com/updater.exe
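Picking these indicators out of a long strings listing by eye is error-prone, so here is an added example (my own code, not the post's) that extracts the same kinds of indicator automatically: look-alike system DLL names such as kerne132.dll from Lab 1-1, Windows file paths, IPv4 addresses and URLs. The regular expressions, the confusable-character table and the list of system DLL names are my assumptions, and SAMPLE_STRINGS is a constructed set of lines that mirrors the findings quoted in this write-up, not the real strings output of the lab files.

```python
# Added example (not from the post): pull host- and network-based indicators out of
# `strings` output automatically: look-alike system DLL names (kerne132.dll),
# Windows file paths, IPv4 addresses and URLs. SAMPLE_STRINGS is constructed to
# resemble the findings quoted in the write-up, not the real output for the lab files.
import re

# Genuine DLL names a dropper might imitate (assumption: a short subset is enough here).
SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "ws2_32.dll", "wininet.dll", "urlmon.dll"}
# Characters commonly swapped for letters to build a look-alike name.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "|": "l"})

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"(?:https?://|www\.)[^\s\"'<>]+")
WIN_PATH_RE = re.compile(r"(?:[A-Za-z]:)?(?:\\[^\\\s\"'<>]+)+\.(?:exe|dll|sys|bat|scr)\b", re.IGNORECASE)


def imitated_dll(token: str):
    """If token is a look-alike of a system DLL, return the genuine name it mimics."""
    base = token.strip().rsplit("\\", 1)[-1].lower()
    if not base.endswith(".dll") or base in SYSTEM_DLLS:
        return None
    folded = base.translate(CONFUSABLES)
    return folded if folded in SYSTEM_DLLS else None


def valid_ipv4(text: str) -> bool:
    """The regex accepts 999.1.1.1; reject octets above 255."""
    return all(int(octet) <= 255 for octet in text.split("."))


def extract_indicators(strings):
    """Group indicators by type; each list is de-duplicated and sorted."""
    lookalikes, paths, ips, urls = {}, set(), set(), set()
    for s in strings:
        genuine = imitated_dll(s)
        if genuine:
            lookalikes[s.strip().rsplit("\\", 1)[-1]] = genuine
        paths.update(m.group(0) for m in WIN_PATH_RE.finditer(s))
        ips.update(ip for ip in IPV4_RE.findall(s) if valid_ipv4(ip))
        urls.update(URL_RE.findall(s))
    return {
        "lookalike_dlls": sorted(lookalikes.items()),
        "paths": sorted(paths),
        "ipv4": sorted(ips),
        "urls": sorted(urls),
    }


# Constructed sample of `strings` output lines (mirrors the post's findings, not real output).
SAMPLE_STRINGS = [
    "kerne132.dll",
    "kernel32.dll",
    "C:\\windows\\system32\\kerne132.dll",
    "Kernel32.",
    "Lab01-01.dll",
    "C:\\Windows\\System32\\Kernel32.dll",
    "WARNING_THIS_WILL_DESTROY_YOUR_MACHINE",
    "127.26.152.13",
    "http://www.malwareanalysisbook.com",
    "C:\\WINDOWS\\system32\\wupdmgrd.exe",
    "\\system32\\wupdmgr.exe",
    "Internet Explorer 8.0",
    "999.1.1.1",           # not a valid address: must be rejected
]

if __name__ == "__main__":
    for kind, found in extract_indicators(SAMPLE_STRINGS).items():
        print(kind, found)
```

In practice you would feed it the real listing (for example `strings -a Lab01-01.exe`) line by line; the look-alike check is the part that catches the kerne132.dll trick, because a plain grep for kernel32 never matches the substituted name.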

1. This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?

We can list and extract the resources from a Windows binary using wrestool:

```
$ wrestool -l Lab01-04.exe
--type='BIN' --name=101 --language=1033 [offset=0x4060 size=16384]
$ wrestool -x --raw --output=Lab01-04.bin Lab01-04.exe
$ diec Lab01-04.bin
PE: compiler: Microsoft Visual C/C++(6.0)[msvcrt]
```

The extracted resource is itself a PE file; running readpe and strings on it shows:

• Compiled on 1298765819 (Sun, 27 Feb 2011 00:16:59 UTC).
• Imports: KERNEL32.dll (WinExec) and urlmon.dll (URLDownloadToFileA)
• Interesting strings: \system32\wupdmgr.exe, winup.exe and www.malwareanalysisbok.com/updater.exe
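wrestool reports the resource offset and diec confirms the blob is a PE; the same confirmation can be done on any carved blob by checking the MZ/PE header chain directly. The following is an added example, not code from the post or from wrestool: it scans a byte buffer for an MZ header whose e_lfanew points at a valid PE signature and reads the COFF header behind it. The container it scans is constructed by make_container(); the offset 0x4060 only mirrors the value wrestool printed above, and the embedded header is my own sample, not the lab's resource.

```python
# Added example (not from the post, not wrestool code): confirm that a blob pulled
# out of the resource section really is a PE and read its compile timestamp, by
# scanning for an MZ header whose e_lfanew points at a valid PE signature.
# The container below is constructed; the offset 0x4060 just mirrors the value
# wrestool printed in the write-up and the embedded header is not the lab's resource.
import struct
from datetime import datetime, timezone

KNOWN_MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def pe_at(blob: bytes, off: int):
    """Validate MZ -> e_lfanew -> PE signature -> COFF header at off; None if it fails."""
    if off + 0x40 > len(blob):
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    # Sanity bounds: e_lfanew must land after the DOS header and inside the blob.
    if not (0x40 <= e_lfanew <= 0x1000) or pe + 24 > len(blob):
        return None
    if blob[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsections, timestamp = struct.unpack_from("<HHI", blob, pe + 4)
    if machine not in KNOWN_MACHINES or not 1 <= nsections <= 96:
        return None
    return {
        "offset": off,
        "machine": KNOWN_MACHINES[machine],
        "sections": nsections,
        "timestamp": timestamp,
        "compiled_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%a, %d %b %Y %H:%M:%S UTC"),
    }


def carve_pe_headers(blob: bytes):
    """Return one record per plausible PE found inside blob, in offset order."""
    found, pos = [], 0
    while True:
        pos = blob.find(b"MZ", pos)
        if pos < 0:
            break
        rec = pe_at(blob, pos)
        if rec:
            found.append(rec)
        pos += 2
    return found


def make_container() -> bytes:
    """Constructed sample: filler, a decoy 'MZ' with no PE signature, then a real header at 0x4060."""
    inner = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)          # DOS header, e_lfanew = 0x80
             + b"\0" * (0x80 - 0x40)                                # DOS stub padding
             + b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 1298765819, 0, 0, 224, 0x102))
    decoy = b"MZ decoy text that is not an executable"
    return b"\xAB" * 0x100 + decoy + b"\0" * (0x4060 - 0x100 - len(decoy)) + inner + b"\0" * 0x200


if __name__ == "__main__":
    for rec in carve_pe_headers(make_container()):
        print(f"PE at {rec['offset']:#x}: {rec['machine']}, {rec['sections']} sections, compiled {rec['compiled_utc']}")
```

Run against the raw output of `wrestool -x --raw`, the first record tells you whether the resource is an executable before you hand it to readpe or strings; run against the whole parent file it also shows where the embedded binary sits, which is the same offset the resource directory points to.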