Lab 7-1

Description

Analyze the malware found in the file Lab07-01.exe.

Questions

  1. How does this program ensure that it continues running (achieves persistence) when the computer is restarted?
  2. Why does this program use a mutex?
  3. What is a good host-based signature to use for detecting this program?
  4. What is a good network-based signature for detecting this malware?
  5. What is the purpose of this program?
  6. When will this program finish executing?

Solution

  1. Using Autoruns, we notice that the malware installs a service named Malservice that runs at startup; its Start registry value is 0x02 (automatic start), which can be confirmed with sc, Autoruns and Process Hacker.
  2. The malware uses a mutex object named HGL345, presumably to make sure that only one instance of the malware is running.
  3. The service that the malware uses for persistence, Malservice, and the name of its mutex object, HGL345, can serve as host-based indicators.
  4. The malware contacts www.malwareanalysisbook.com, as shown in the strings and confirmed with ApateDNS; the User-Agent string it sends, Internet Explorer 8.0, is another network-based indicator.
  5. It seems that the malware checks whether the infected computer's clock has reached midnight on 2100/1/1. It then attempts to create 20 threads, each executing StartAddress, which endlessly sends requests to www.malwareanalysisbook.com, so we may assume that this malware performs a DDoS.
  6. It never finishes on its own: each thread runs endlessly without an exit condition, and the main thread ends with Sleep(-1), an effectively infinite sleep.

Lab 7-2

Description

Analyze the malware found in the file Lab07-02.exe.

Questions

  1. How does this program achieve persistence?
  2. What is the purpose of this program?
  3. When will this program finish executing?

Solution

  1. This program does not achieve persistence; it just opens an Internet Explorer instance with the address www.malwareanalysisbook.com/ad.html and then exits.
  2. The purpose of this program is just to display an ad.
  3. The program finishes executing as soon as it has launched IE with the address specified above.

Lab 7-3

Description

For this lab, we obtained the malicious executable, Lab07-03.exe, and DLL, Lab07-03.dll, prior to executing. This is important to note because the malware might change once it runs. Both files were found in the same directory on the victim machine. If you run the program, you should ensure that both files are in the same directory on the analysis machine. A visible IP string beginning with 127 (a loopback address) connects to the local machine. (In the real version of this malware, this address connects to a remote machine, but we’ve set it to connect to localhost to protect you.)
WARNING: This lab may cause considerable damage to your computer and may be difficult to remove once installed. Do not run this file without a virtual machine with a snapshot taken prior to execution. This lab may be a bit more challenging than previous ones. You’ll need to use a combination of static and dynamic methods, and focus on the big picture in order to avoid getting bogged down by the details.

Questions

  1. How does this program achieve persistence to ensure that it continues running when the computer is restarted?
  2. What are two good host-based signatures for this malware?
  3. What is the purpose of this program?
  4. How could you remove this malware once it is installed?
Solution

  1. The sample modifies files by loading them into memory, making its modifications there, and writing them back to disk. It also copies the malicious DLL, Lab07-03.dll, to an impostor kerne132.dll (note the digit 1 in place of the letter l) that keeps all of the original imports with the addition of the malicious code.

    If we look at the malicious version, we see that it imports the original kernel32.dll and WS2_32.dll. We also notice that it does not carry Microsoft’s signature.

    This sample enumerates the entire C:\ drive, looks for every .exe file, and rewrites each one to import the malicious impostor kerne132.dll.

    This means that the sample is a file infector: every time an executable on the system is launched, the malicious DLL is loaded along with it, which is a form of persistence.

  2. We have found two host-based signatures: the mutex object named SADFHUHF used by the DLL, and the kerne132.dll file itself.

  3. The purpose of this program can be subdivided into two parts: the EXE is used to “infect” all EXEs within the system so that they import the malicious payload contained in the DLL. The DLL itself contains networking functions, parses commands received from the C2 server, and creates a new process to execute each command.

  4. This malware is difficult to remove, because it modifies the IAT of the executables across the system, so it is best to restore from backups.
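A host-based check for the file infection described in answers 1, 2 and 4, as an added example that is not part of the original write-up: it parses an executable’s import directory and flags any file whose import table names the impostor kerne132.dll. The build_pe helper is a constructed fixture that emits minimal PE32 images so the check runs offline; the DLL name lists fed to it are made up for the test, not taken from the lab files.

```python
import struct

IMPOSTOR = b"kerne132.dll"  # digit 1 in place of the letter l in kernel32.dll

def _rva_to_off(rva, sections):
    """Map an RVA to a file offset via (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    for vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError("RVA %#x outside all sections" % rva)

def imported_dlls(data):
    """Return the lowercase DLL names in a PE file's import directory (PE32 or PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    dd = opt + (0x60 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 0x70)  # data directories
    imp_rva = struct.unpack_from("<I", data, dd + 8)[0]          # entry 1 = import table
    if imp_rva == 0:
        return []
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    names, off = [], _rva_to_off(imp_rva, sections)
    while True:
        name_rva = struct.unpack_from("<I", data, off + 12)[0]  # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:                                        # all-zero descriptor ends the list
            return names
        noff = _rva_to_off(name_rva, sections)
        names.append(data[noff:data.index(b"\0", noff)].lower())
        off += 20

def imports_impostor(data):
    """True when the executable's import table names the impostor DLL (host-based indicator)."""
    return IMPOSTOR in imported_dlls(data)

def build_pe(dll_names):
    """Constructed fixture: a minimal PE32 whose only content is an import directory."""
    sec_va, sec_raw = 0x1000, 0x200
    descs, names = b"", b""
    for n in dll_names:                                          # names follow the descriptor array
        descs += struct.pack("<IIIII", 0, 0, 0, sec_va + 20 * (len(dll_names) + 1) + len(names), 0)
        names += n + b"\0"
    idata = descs + b"\0" * 20 + names
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)    # e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B).ljust(0x60, b"\0") + struct.pack("<IIII", 0, 0, sec_va, len(idata)) + b"\0" * 112
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sechdr = b".idata".ljust(8, b"\0") + struct.pack("<IIIIIIHHI", len(idata), sec_va, len(idata), sec_raw, 0, 0, 0, 0, 0x40000040)
    return (dos + coff + opt + sechdr).ljust(sec_raw, b"\0") + idata
```

Running imports_impostor over every .exe found by walking C:\ (os.walk) lists the files the infector touched, which is the set to restore from backup; it reads only the import directory, so it is cheap enough to sweep a whole drive.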
