Practical Malware Analysis: Chapter 1 Labs

To potentially help future readers, and more importantly to discourage laziness on my part, I will be documenting my answers to all of the exercises in the Practical Malware Analysis book in this series of blog posts. Today we will get started with all of the labs in Chapter 1.

Lab 1-1

Question 1:

Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?

Both files match. No surprise there.

Not one surprised face in the crowd

Question 2:

When were these files compiled?

The dll was created on 2010/12/19 Sun 16:16:38 UTC
The exe was created on 2010/12/19 Sun 16:16:19 UTC

Question 3:

Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

Both of the files have very few imports, which could indicate packing. However, the section sizes look like they are probably normal, and no crazy “unpack and load an exe in memory” imports exist in the exe.

Imports of lab1-1.dll (left) and lab1-1.exe (right)

Question 4:

Do any imports hint at what this malware does? If so, which imports are they?

The .exe’s imports are all to do with file manipulation.
The specific interesting imports to me are:
– CreateFileA
– CopyFileA
– FindNextFileA

The .dll’s imports are to do with process manipulation and networking.
The interesting imports to me are:
– CreateProcessA
– Sleep (av evasion?)
– The entire ws2_32.dll

Question 5:

Are there any other files or host-based indicators that you could look for on infected systems?

I can’t find much indicating host-based artifacts, except for a string in the .exe, which we know has a lot of file imports. The .exe has multiple strings referencing Kerne132.dll with its full path. I think the .exe may create a fake kernel32 lookalike.

Strings referencing kernel32.dll in lab1-1.exe

Question 6:

What network-based indicators could be used to find this malware on infected machines?

The dll file contains a reference to an IP address that can be found with a strings search. At this point I have no idea what is being sent there, if anything, or which port is being used. However, a search for connections to that IP would be a good start to finding more infections.

Only the best red circles are accepted at Zeroaptitude.com

Question 7:

What would you guess is the purpose of these files?

I would guess that first the exe is executed. The exe probably then finds the .dll and copies it next to the original kernel32.dll in system32, but as kerne132.dll.
I don’t know how the dll is launched, but when it is, it executes a sleep to evade AV followed by some kind of connection to 127-26-152-13. So it’s meant to be some kind of persistent hidden backdoor, I’d say.

Lab 1-2

Question 1:

Upload the lab01-02.exe file to VirusTotal. Does it match any existing antivirus definitions?

Once again, of course it does. PMA is old enough now that this has been uploaded a whole bunch. I won’t bother uploading the image of it being flagged by tons of AV.

Question 2:

Are there any indications that the file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

Lots of indicators that this bad boy is packed. The imports are faiiirly limited and are all about GetProcAddress and LoadLibraryA goodness.
The size on disk is 0 bytes but 4000 bytes virtually. The section names are literally called UPX, so I’m going to go ahead and guess this is packed with UPX.

Let’s try unpacking it.

Unpacking Lab01-02.exe with UPX

And we have the unpacked, much better looking executable.

Proper section names and much more and varied imports. Looking good.

Question 3:

Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

Interesting imports in Kernel32.dll
SystemTimeToFileTime < uses the system time for something
CreateWaitableTimerA < Creates a timer to test something
CreateThread < Starts a thread for something

Interesting imports in AdvApi32.dll
CreateServiceA < It creates a service

Interesting imports in WININET.dll
InternetOpenUrlA < we go to a URL for something

Question 4:

What host or network-based indicators could be used to identify this malware on infected machines?

Looks like there are two indicators, one host and one network. The host based indicator is a new service called MalService. The network based indicator is a connection to http://www.malwareanalysisbook.com.

Lab 1-3

Question 1:

Upload the Lab01-03.exe file to VirusTotal. Does it match any existing antivirus definitions?

Again, of course it matches. PMA is old enough now that this has been uploaded a bunch.

Question 2:

Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

The sections are named weirdly, the first (blank-named) section has a raw size of 0 but a virtual size of 3000, and only two imports exist: GetProcAddress and LoadLibrary. This thing is packed.

Definitely packed

Technically we can’t unpack this yet, as the book has only taught us to unpack UPX-packed binaries. Buuuuut googling how to unpack FSG-packed binaries seems like a good exercise, so I did just that.

Unpacked

Question 3:

Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

I’ll examine the unpacked version for this question, since the packed version only has the two imports that exist for unpacking.
The only interesting-looking import library is ole32.dll, which imports the ability to initialize the COM library, giving access to functionality such as the clipboard, drag and drop, and object linking.
I suppose this might be doing the same thing as all of those malicious Excel/Word docs kicking around the internet.

Question 4:

What host or network based indicators could be used to identify this malware on infected machines?

A strings search of the unpacked binary finds a string referring to http://www[.]malwareanalysisbook[.]com/ad.html
This seems to be the only good indicator to look for.

Lab 1-4

Question 1:

Upload Lab01-04.exe to VirusTotal. Does it match any existing definitions?

Again, of course it does.

Question 2:

Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

There are numerous indications that this is not a packed file:
– Numerous imports
– Sane looking Virtual Sizes
– Properly named sections
– Strings referring to files and URLs

Lots of indicators pointing to an unpacked binary.

Question 3:

When was this program compiled?

The program was compiled on 30/08/2019, which I suppose was meant to be incredibly far in the future. I guess the year 2119 would have held up with age a bit better.

I suppose this was meant to be WAYY IN THE FUUUUTTUUURREE
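As an added example (my code, not the post's or the book's), here is a small Python script that applies the header-level checks these labs lean on to a constructed PE header: the raw-size-0 / packer-section-name test from Lab 1-2 and Lab 1-3 Question 2, the sane-sections check from Lab 1-4 Question 2, and the compile timestamp from Lab 1-1 Question 2 and this question. The section values, the 2019 timestamp and the 2012 reference date are assumptions; the import-count heuristic is left out because it needs the import directory, not just the headers.

```python
import struct
from datetime import datetime, timezone

PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # names UPX leaves behind (Lab01-02)

def parse_pe_headers(data: bytes) -> dict:
    """Return the COFF timestamp and section table of a PE file (headers only)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ magic")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF: Machine, NumberOfSections, TimeDateStamp, SymTab, NumSyms, SizeOfOptionalHeader, Flags
    _, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sections = []
    for i in range(nsections):  # each IMAGE_SECTION_HEADER is 40 bytes, after the optional header
        name, vsize, _, rawsize = struct.unpack_from("<8sIII", data, coff + 20 + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "virtual_size": vsize, "raw_size": rawsize})
    return {"timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc), "sections": sections}

def packing_indicators(headers: dict, now: datetime) -> list:
    """Header-level heuristics from the lab answers: empty-on-disk sections, packer names, odd timestamps."""
    findings = []
    for s in headers["sections"]:
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"section {s['name']!r}: raw size 0, virtual size {s['virtual_size']:#x}")
        if s["name"] in PACKER_SECTION_NAMES:
            findings.append(f"section {s['name']!r}: known packer section name")
        elif not s["name"]:
            findings.append("unnamed section")
    if headers["timestamp"] > now:
        findings.append(f"compile timestamp {headers['timestamp']:%Y-%m-%d} is in the future")
    return findings

def build_sample(stamp: datetime, sections: list) -> bytes:
    """Constructed minimal PE (DOS stub, PE signature, COFF header, section table; no optional header)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew at 0x3C points just past the stub
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), int(stamp.timestamp()), 0, 0, 0, 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode(), vs, 0x1000, rs, 0, 0, 0, 0, 0, 0)
                     for n, vs, rs in sections)
    return dos + b"PE\0\0" + coff + table

def demo_findings() -> list:
    """Constructed look-alike of Lab01-02's layout, judged as if analysed in 2012 (the book's era)."""
    sample = build_sample(datetime(2019, 8, 30, tzinfo=timezone.utc),
                          [("UPX0", 0x4000, 0), ("UPX1", 0x2000, 0x1800), (".rsrc", 0x1000, 0x1000)])
    return packing_indicators(parse_pe_headers(sample), datetime(2012, 1, 1, tzinfo=timezone.utc))
```

Running `demo_findings()` on the constructed sample reports the empty UPX0 section, both UPX section names and the future timestamp; point `parse_pe_headers` at real lab bytes to get the same report for the actual files.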

Question 4:

Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

There are lots of interesting imports in kernel32 this time:
– Load/FindResource < Sounds like we might pull something from the resource section of the binary
– WriteFile/CreateFile < And then write it to a file
– GetTempPath < In the temp directory
– MoveFile < Then maybe move it?
– WinExec < Then run it

Lots and lots of juicy file, process and resource imports

Question 5:

What host or network based indicators could be used to identify this malware on infected machines?

A few indicators here:
– Winup.exe,
– wupdmgrd.exe in system32,
– and a connection to practicalmalwareanalysis.com to download updater.exe
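As an added example (my code, not from the post), a strings scan that flags the kinds of indicators pulled out in Lab 1-1 Questions 5 and 6 and the URL indicators of Labs 1-2 to 1-4: system-DLL lookalikes such as kerne132.dll (digit one for the letter l), IPv4 addresses and URLs. The sample bytes and the 192.0.2.10 address are constructed; the DLL list and the 1-to-l / 0-to-o substitutions are assumptions.

```python
import re

# System DLLs malware likes to imitate; kerne132.dll from Lab01-01 is the lookalike case.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "ws2_32.dll"}
HOMOGLYPHS = str.maketrans("10", "lo")   # digit 1 -> letter l, digit 0 -> letter o
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")   # heuristic; also matches version strings
URL = re.compile(r"https?://[^\s\"']+", re.I)

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def find_indicators(data: bytes) -> dict:
    """Scan the strings of a binary for lookalike DLL names, IPv4 addresses and URLs."""
    out = {"lookalike_dlls": [], "ips": [], "urls": []}
    for s in extract_strings(data):
        low = s.lower()
        base = low.rsplit("\\", 1)[-1]   # strip a full path such as c:\windows\system32\...
        if base.endswith(".dll") and base not in KNOWN_DLLS and base.translate(HOMOGLYPHS) in KNOWN_DLLS:
            out["lookalike_dlls"].append(s)
        out["ips"].extend(IPV4.findall(s))
        out["urls"].extend(URL.findall(s))
    return out

# Constructed sample bytes: a genuine kernel32.dll reference, a lookalike with a full path,
# an address from the 192.0.2.0/24 documentation range, and the URL named in the labs.
SAMPLE = (b"\x00\x01MZ\x90\x00" + b"C:\\windows\\system32\\kerne132.dll\x00" + b"kernel32.dll\x00"
          + b"CreateFileA\x00CopyFileA\x00" + b"192.0.2.10\x00"
          + b"http://www.malwareanalysisbook.com\x00" + b"\x7fELF\x00ab")

if __name__ == "__main__":
    for kind, values in find_indicators(SAMPLE).items():
        print(f"{kind}: {values}")
```

The genuine kernel32.dll string is not reported; only the name that becomes a known DLL after the digit substitution is.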

Question 6:

This file has one resource in the resources section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?

So it’s apparent straight away that the resource is a PE file. It has the MZ magic number, the PE signature and the “program cannot be run in DOS mode” string. To dump it I just right clicked the resource and saved to a BIN file.

The extracted BIN file can then be loaded up in PE-Bear to reveal that it is indeed a PE file. There are standard PE file sections, dodgy-looking imports and suspicious strings.
It looks like this resource PE downloads the Updater.exe file from the internet, saves it to temp and then runs it.
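As an added example (my code, not the post's), the same "is this resource a PE file?" check done programmatically on a dumped resource blob: every MZ is tested for an e_lfanew that lands on a PE\0\0 signature, the DOS-stub banner the post mentions is reported, and the hit can be carved out. The blob, its decoy MZ and the 0x400 sanity bound on e_lfanew are constructed assumptions.

```python
import struct

DOS_BANNER = b"This program cannot be run in DOS mode"

def find_embedded_pe(blob: bytes) -> list:
    """Locate candidate PE headers inside an arbitrary blob (e.g. a dumped resource).

    Each hit is (offset_of_MZ, e_lfanew, dos_banner_seen); a hit requires the
    e_lfanew field at MZ+0x3C to land on a "PE\\0\\0" signature inside the blob.
    """
    hits, pos = [], blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew <= 0x400 and blob[sig:sig + 4] == b"PE\0\0":
                hits.append((pos, e_lfanew, DOS_BANNER in blob[pos:sig]))
        pos = blob.find(b"MZ", pos + 1)
    return hits

def carve(blob: bytes, offset: int) -> bytes:
    """Cut the embedded file out from its MZ header to the end of the blob.

    A dumped resource normally ends where the embedded file ends; if the blob
    carries trailing data, compute the true size from the section table instead.
    """
    return blob[offset:]

def build_sample() -> bytes:
    """Constructed blob: resource-style prefix with a decoy 'MZ', then a stub PE header."""
    stub = bytearray(0x100)
    stub[0:2] = b"MZ"
    stub[0x3C:0x40] = struct.pack("<I", 0x80)          # e_lfanew -> PE signature at 0x80
    stub[0x40:0x40 + len(DOS_BANNER)] = DOS_BANNER     # the DOS stub's banner text
    stub[0x80:0x84] = b"PE\0\0"
    return b"\x10\x00RESOURCE-MZ-decoy\x00" + b"\x00" * 7 + bytes(stub) + b"\x00" * 4
```

On the constructed blob the decoy MZ at offset 11 is rejected because its e_lfanew reads as 0, and the real header at offset 27 is reported with the banner present.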

And that’s it for chapter 1!
In the next post I’ll cover all of the lab questions for chapter 3 (chapter 2 has none).
