Lab 6-1

Description

In this lab, you will analyze the malware found in the file Lab06-01.exe.

Questions

  1. What is the major code construct found in the only subroutine called by main?
  2. What is the subroutine located at 0x40105F?
  3. What is the purpose of this program?
  1. The major code construct in the only subroutine called by main is an if statement.
  2. If we look at the parameters passed to sub_40105F, we see that a string literal is passed, which could indicate that this is a printing function.
  3. The purpose of this program is to check whether the machine has an active internet connection.

Lab 6-2

Description

Analyze the malware found in the file Lab06-02.exe.

Questions

  1. What operation does the first subroutine called by main perform?
  2. What is the subroutine located at 0x40117F?
  3. What does the second subroutine called by main do?
  4. What type of code construct is used in this subroutine?
  5. Are there any network-based indicators for this program?
  6. What is the purpose of this malware?
  1. Same as the first lab in this chapter, it checks whether the machine has an active internet connection.
  2. Same as the first lab in this chapter, we see a string literal passed to it, which means it could be a printing function.
  3. The second subroutine, sub_401040, attempts to connect to the website www.practicalmalwareanalysis.com and requests cc.htm using the Internet Explorer 7.5/pma user agent.

    It tries to read 512 bytes from the URL into a buffer and then checks whether the first four characters match the pattern <!--

    If they do, it moves the next character into AL, which serves as the return value of the subroutine.
    So it basically grabs the command from the website, does a little checking, and returns it in AL.
  4. The type of code construct used in this subroutine is an if...else construct.
  5. Yes, there is one: www.practicalmalwareanalysis.com/cc.htm.
  6. The purpose of this malware is to reach out to the aforementioned website, download the HTM file, retrieve a command from it, parse it in a specific format, print the command to the user, and finally wait a whole minute before terminating.

Lab 6-3

Description

In this lab, we’ll analyze the malware found in the file Lab06-03.exe.

Questions

  1. Compare the calls in main to Lab 6-2’s main method. What is the new function called from main?
  2. What parameters does this new function take?
  3. What major code construct does this function contain?
  4. What can this function do?
  5. Are there any host-based indicators for this malware?
  6. What is the purpose of this malware?
  1. We notice a new function called after the command has been successfully parsed.

  2. As illustrated above, it takes a filename and the command.

  3. This function contains a switch statement construct.

    If you look closely, IDA recognizes this as a switch statement, as shown by the repeatable comments it leaves.

  4. The program takes the command and converts it into an offset into the jump table, then performs an action based on the command given:

    1. Case a: Creates the directory C:\temp.
    2. Case b: Copies the malware into C:\temp under the new name cc.exe.
    3. Case c: Deletes the file C:\temp\cc.exe.
    4. Case d: Adds the malware to startup by setting a registry value named Malware with the data cc.exe, provided it has first been copied into C:\temp.
    5. Case e: Sleeps for 100 seconds.
    6. Default case: Prints an error that the command is not valid.

    So this function basically performs the action corresponding to the given command.
  5. Yes: C:\Temp\cc.exe and also the registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Malware.

  6. The purpose of this malware is that it takes a command from the website, parses it and then does an action based on the command given.


Lab 6-4

  1. There’s no difference except that the malware performs the command action inside a loop that runs for 1440 iterations.
  2. The new code construct found in main is the for loop construct.
  3. The malware attempts to send off a different user agent where it prefixes the user agent with the iteration number (number of minutes).
  4. This program will run for 24 hours.
  5. Yes, there are roughly 1440 new network-based indicators, since each time the malware contacts www.practicalmalwareanalysis.com it sends the iteration number (number of minutes) in the user agent.
  6. The purpose of this malware is the same as Lab 6-3, but the only difference is that it does that for 24 hours.
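As an added example (not code from this write-up or from the lab binaries), the following Python mirrors the cc.htm command check described for Lab 6-2, maps the command character to the action from Lab 6-3's switch, and flags the Lab 6-2/6-4 beacon (host, path and user agent, with or without the minute prefix) in constructed proxy log lines. The log layout, the sample lines and the helper names are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (client, method, URL, quoted User-Agent); not a real capture.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.practicalmalwareanalysis.com/cc.htm "Internet Explorer 7.5/pma"
10.0.0.5 GET http://www.practicalmalwareanalysis.com/cc.htm "3Internet Explorer 7.5/pma"
10.0.0.7 GET http://example.com/index.html "Mozilla/5.0"
"""
INDICATOR_HOST, INDICATOR_PATH = "www.practicalmalwareanalysis.com", "/cc.htm"
# Lab 6-2 sends the plain user agent; Lab 6-4 prefixes it with the loop iteration (minute).
UA_RE = re.compile(r"^(?P<minute>\d*)Internet Explorer 7\.5/pma$")
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')  # assumed log layout

def flag_beacons(log_text):
    """Return (client, minute) per matching line; minute is None without a prefix (Lab 6-2)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not follow the assumed layout
        client, _method, url, ua = m.groups()
        parts, ua_match = urlsplit(url), UA_RE.match(ua)
        if parts.hostname == INDICATOR_HOST and parts.path == INDICATOR_PATH and ua_match:
            minute = ua_match.group("minute")
            hits.append((client, int(minute) if minute else None))
    return hits

# Actions from Lab 6-3's switch, keyed by the single command character.
COMMAND_ACTIONS = {
    "a": "create directory C:\\temp",
    "b": "copy self to C:\\temp\\cc.exe",
    "c": "delete C:\\temp\\cc.exe",
    "d": "add Run value 'Malware' pointing at cc.exe",
    "e": "sleep 100 seconds",
}

def extract_command(body):
    """Mirror sub_401040: read at most 512 bytes, require '<!--', return the fifth byte."""
    data = bytes(body[:512])
    if len(data) < 5 or data[:4] != b"<!--":
        return None
    return chr(data[4])

def describe_command(body):
    """Tell an analyst what the sample would do for a given cc.htm body."""
    cmd = extract_command(body)
    return "no valid command" if cmd is None else COMMAND_ACTIONS.get(cmd, "invalid command")
```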
