0xF444's blog

Lab 5

5 min read

Description

Analyze the malware found in the file Lab05-01.dll using only IDA Pro.
The goal of this lab is to give you hands-on experience with IDA Pro. If you’ve already worked with IDA Pro, you may choose to ignore these questions and focus on reverse-engineering the malware.

Questions

  1. What is the address of DllMain?
  2. Use the Imports window to browse to gethostbyname. Where is the import located?
  3. How many functions call gethostbyname?
  4. Focusing on the call to gethostbyname located at 0x10001757, can you figure out which DNS request will be made?
  5. How many local variables has IDA Pro recognized for the subroutine at 0x10001656?
  6. How many parameters has IDA Pro recognized for the subroutine at 0x10001656?
  7. Use the Strings window to locate the string \cmd.exe /c in the disassembly. Where is it located?
  8. What is happening in the area of code that references \cmd.exe /c?
  9. In the same area, at 0x100101C8, it looks like dword_1008E5C4 is a global variable that helps decide which path to take. How does the malware set dword_1008E5C4? (Hint: Use dword_1008E5C4’s cross-references.)
  10. A few hundred lines into the subroutine at 0x1000FF58, a series of comparisons use memcmp to compare strings. What happens if the string comparison to robotwork is successful (when memcmp returns 0)?
  11. What does the export PSLIST do?
  12. Use the graph mode to graph the cross-references from sub_10004E79. Which API functions could be called by entering this function? Based on the API functions alone, what could you rename this function?
  13. How many Windows API functions does DllMain call directly? How many at a depth of 2?
  14. At 0x10001358, there is a call to Sleep (an API function that takes one parameter containing the number of milliseconds to sleep). Looking backward through the code, how long will the program sleep if this code executes?
  15. At 0x10001701 is a call to socket. What are the three parameters? 108 Chapter 5
  16. Using the MSDN page for socket and the named symbolic constants functionality in IDA Pro, can you make the parameters more meaningful? What are the parameters after you apply changes?
  17. Search for usage of the in instruction (opcode 0xED). This instruction is used with a magic string VMXh to perform VMware detection. Is that in use in this malware? Using the cross-references to the function that executes the in instruction, is there further evidence of VMware detection?
  18. Jump your cursor to 0x1001D988. What do you find?
  19. If you have the IDA Python plug-in installed (included with the commercial version of IDA Pro), run Lab05-01.py, an IDA Pro Python script provided with the malware for this book. (Make sure the cursor is at 0x1001D988.) What happens after you run the script?
  20. With the cursor in the same location, how do you turn this data into a single ASCII string?
  21. Open the script with a text editor. How does it work?
  1. DllMain is located at 0x1000d02e.
  2. gethostbyname is located at 0x100163cc.
  3. 5 functions call gethostbyname using the xref to graph.
  4. The URL called is pics.praticalmalwareanalysis.com
  5. For the subroutine at 0x10001656, it has 23 variables.
  6. For the subroutine at 0x10001656, we only have 1 parameter.
  7. It is located in the xdoors_d section at address 0x10095b34.
  8. This area of code appears to be interacting with sockets, sending and receiving data, which means it could be a reverse shell.
  9. The malware sets this global variable based off the OS’s version using GetVersionExA(), this function attempts to check if the OS is an NT based OS, and from there figures out which command interpreter to be used: command.exe (for Win 9x) or cmd.exe for Windows NT based OSes.
  10. We send both the keys located SOFTWARE\Microsoft\Windows\CurrentVersion named WorkTimes and WorkTime through the reverse shell.
  11. As the name stands, this export attempts to list out all the processes within the OS, may it be an NT based OS or not, it uses process snapshots and traverses through them to find the given process, then sends them over the network.
  12. These many functions can be called when this function is called:

    We can see that this function attempts to send the default language of the system throughout the network.
  13. We have strncpy, strlen, CreateThread,_strnicmp at a depth of 1, at depth 2, we have a variety of function calls that are related to networking, such as socket,recv, etc…
  14. The program will sleep for 30 seconds exactly.
  15. The parameters were 6,1 and 2 respectively.

  16. We used standard symbolic constants in order to view the constants this way.
  17. Yes, the malware does use this:

    This seems to be the only occurrence of the in instruction, but the function that uses this instruction is called by InstallRT,InstallSA and InstallSB.

  18. We see random data.
  19. We can see that this random data has been transformed to:
    xdoor is this backdoor, string decoded for Practical Malware Analysis Lab :) 1234.
  20. We transform it into a string by clicking A, which transforms it from bytes to ASCII string.
  21. It works by first grabbing the cursor’s location, then it iterates 0x50 times where: we obtain each byte, XOR it with 0x55 and patch each iteration with the newly XOR’d value.

Next Lab: Lab 6
Previous Lab: Lab 3

Graph View