In this category of posts, I’ll be detailing how I go about answering the end-of-chapter lab questions. There ARE going to be spoilers in the lab towards the end of the post (but I will clearly mark where the spoilers begin).
I’ll also answer the following general questions in an attempt to keep the big picture of the assignments in mind:
- Considering malware analysis as a whole, how important is it to a general aspiring analyst to complete this chapter’s exercises?
- What did doing the lab exercises teach that was not gained from reading the chapter?
Lab Summary questions
-
Considering malware analysis as a whole, how important is it to a general aspiring analyst to complete this chapter’s exercises?
Super important! Static analysis is one of those things that seems easy and straightforward, but ends up being trickier to conduct than expected (for me, at least), due to the fact that I find myself questioning if the information I find is legit or planted.
-
What did doing the lab exercises teach that was not gained from reading the chapter?
- Look very carefully at the strings of the file– specifically at the names of .dll assets/images/posts!
- Modification time and compilation time are definitely not the same thing. Compilation time can be found by putting the file into PEView and going to IMAGE_NT_HEADERS -> IMAGE_FILE_HEADER -> Time Date Stamp.
- Virtual vs. raw sizes, identifiable using PEiD (at least for 32 bit exes) can be an indicator of packing. Per this post:
- Raw size: exactly the size of the section’s data in the file
- Virtual size: The size of the section in memory So it makes sense that, if the section is larger in memory, something is unpacking into that section. Usually, the virtual size is smaller than the raw size.
- It seems evident now, but LoadResource, FindResource, and SizeOfResource functions imply the existence of something that ResourceHacker can help extract. As such, look around with ResourceHacker if you see these functions in the import list.
Challenges Encountered in the labs
- I wasn’t sure how to find the compilation time and wasn’t sure of if the modification time sufficed. The answer to this was made clear after checking the answers in the back of the book.
Lab Walkthrough (includes answers!)
1.1
-
Upload to VT. Does the file match any existing antivirus signatures?
Indeed!
-
When were these assets/images/posts compiled?
Not positive on how to find the exact date using a tool, but just viewing file properties and looking at the “last modified” entry gives the right answer for the .exe. Alternatively, this info is also provided by CFFExplorer.
After reading answers: see question 2 of the above section
-
Are there any indicators that these assets/images/posts are packed or obfuscated? If so, what are the indicators?
I argue no:
- The .exe and .dll disassemble successfully in IDA Demo
- There are several imports identifiable by CFFExplorer which would otherwise be obfuscated
-
Do the imports hint at what the malware does?
- Lab1.dll:
- CreateProcess indicates it runs something.
- from the book: WS2_32.dll provides network functions. So perhaps it’s exfiltrating stuff-n-things
- Lab1.exe:
- CreateFileA/FindFileA: maybe it’s creating a log file, or checking for its own existence, or searching for specific assets/images/posts on a system (like SAM assets/images/posts)
- Lab1.dll:
-
Any other host-based indicators?
Running strings shows that the .exe has hard-coded within it “WARNING_THIS_WILL_DESTROY_YOUR_MACHINE” which can be easily grepped for.
-
What network-based indicators could be used to find this malware on infected machines?
Running strings on the .dll yields an IP address: 127.26.152.13. So look for traffic going to that IP address
-
Guess as to the purpose of the assets/images/posts:
Search for certain assets/images/posts (and/or create them) and exfil them to an external site. My guess is it’s a keylogger or it’s seeking password assets/images/posts or something of the like.
After reading the book:
- Ahh, the .exe has a string “kerne132.dll”… ‘1’… didn’t notice that at first. Perfect host-based indicator.
1.2
-
Existing antivirus definitions?
Absolutely: 43/66 say it’s malicious.
-
Obfuscation signs?
At a glance– some imports are clearly visible and are more in quantity than for typical packed malware.
However, Ida claims the imports section was destroyed. I trust Ida more than CFFExplorer since Ida costs like $2000.
Looking at strings from within Ida indicates a section called UPX1. UPX is a packer. Obfuscated it is!
-
Do imports provide any juicy knowledge?
- GetProcAddressA and VirtualAlloc suggest this might be doing process injection.
- CreateService suggests the malware establishes persistence.
- InternetOpenA suggests the program talks out somewhere.
-
Indicators!
First, I unpacked the file using CFFExplorer and then put it back into Ida to discover, with Ida’s strings utility:
- Host-based: strings shows “MalService” in our presence, and that string is passed as a parameter to CreateService:
This would be a great indicator (albeit not reflective of what real malware might actually do (probably)). Further, there is a strange string “HGL345” used as a parameter to CreateMutex, which suggests if a mutex named HGL345 is on the system, we know this malware probably ran. 
- Network-based: strings yet again comes in clutch to show the presence of “http://malwareanalysisbook.com”.
- Host-based: strings shows “MalService” in our presence, and that string is passed as a parameter to CreateService:
After reading the book:
- PEiD can be used to identify virtual vs. raw sizes of sections in memory. Therefore, a raw size of 0 but a virtual size of >0 is strong evidence of shenanigans.
1.3
-
VirusTotal it up.
55/66 claim EVIL (at this point, duh). Also, they say it’s packed.
-
Obfuscations?
- For starters, VT claims it’s packed (i.e. a lot of the warnings say “Packer.FSG.A”).
- Secondly, the ONLY two imports that exist within the file are “LoadLibraryA” and “GetProcAddress” which are the two imports associated with unpacking an executable.
- Moreover, we have sections identified by PEiD as having a raw size of 0 and a virtual size of larger. It’s definitely packed.
-
Imports hinting at functionality?
- can’t really answer without unpacking
-
indicators?
- can’t really answer without unpacking
1.4
-
VT? 53/67
-
Obfuscations?
Ida disassembled it just fine. It has lots of imports. That’s reason enough for me to believe it’s not obfuscated.
-
Program compilation date?
PEView tells us the compilation date is 8/30/2019, which is BS since it isn’t 2019. Clearly this is spoofed.
-
Imports hinting as to functionality?
- GetProcAddress/LoadLibraryA: searching for external code to run
- CreateFile/MoveFile/WriteFile: It’s got the ability to create and write assets/images/posts. Keylogger? Reverse shell?
- CreateRemoteThread: has ability to execute code in other programs. Process injection?
- LookupPrivilegeValue: looking to see what permissions its running with perhaps? All this, combined with the antivirus vendor tags that say “backdoor”, tell me this is probably a backdoor into a machine that will give an adversary control.
-
host/network based indicators?
- Ida Strings: \system32\wupdmgr.exe is in there, which suggests this malware writes or modifies a file at that location with that name. Same with \winup.exe (which, according to bleepingcomputer, is BAD and EVIL!
- No clue WHY Ida doesn’t show ALL the strings, but it doesn’t. Strings.exe found the string “http://practicalmalwareanalysis.com/updater.exe” in the program. This may be a host-based AND network-based indicator!
-
one resource in the resource section. Use ResourceHacker to examine it, and then to extract it. What does the resource tell us?
This appears to be another executable file. Saving it and submitting the hash resulted in interestingness:
Cool– we get TWO malware samples for the price of ONE! My guess is that this sample drops a second executable and names it one of the above things (perhaps winup.exe).
The book tells us that we can use Resource Hacker to save just the resource. “Action -> save resource as binary file” takes care of that.
