Lab summary questions

  1. Considering malware analysis as a whole, how important is it to a general aspiring analyst to complete this chapter’s exercises?

    Very important. Applying the dynamic analysis processes described in this chapter and becoming used to the tools discussed within is going to be helpful experience for when it comes to analyze just about any other piece of malware.

  2. What did doing the lab exercises teach that was not gained from reading the chapter?

    In this case, it was mainly just practice using the tools.

Challenges encountered in the labs

  • Using ProcMon to find imports wasn’t done quite how the book indicated it would be done– I didn’t have a way to launch “depends.exe” in the options generated from right clicking the malicious process. After consulting a post from Microsoft on how to view imports using ProcMon, it was made clear that all I needed to do was go to view -> click show lower pane, and then imports could be viewed in the lower pane for whatever process I had selected.

Lab Walkthrough (includes answers!)

3.1

Analyze the malware found in the file Lab03-01.exe using basic dynamic analysis tools.

  1. What are this malware’s imports and strings?

    Imports:

    3.1.1imports

    Strings:

    3.1.1strings

    Note that ProcExp found that the strings on the image as well as on disk were identical.

  2. What are the malware’s host-based indicators?

    It doesn’t create any assets/images/posts. It doesn’t seem to modify keys (for, say, persistence). I don’t see any evident host based indicators.

    This seems weird. The file crashes. At first I thought that was part of the operation of the file, but with no strange seeming imports and relatively normal strings and no indicators, the file seemed especially well-behaved. After looking into what the “error” message I recieved meant, I now know that the file doesn’t run well on a 64-bit Windows 7 VM.

    fail1

    And after reading up a little on what this cryptic error might have meant, and after trying the top answer in the question to no avail, I decided I needed to try it in a 32 bit environment.

    So, I spun up a 32-bit windows VM real quick and ran it again…:

    fail2

    Ugh. That’s probably not normal either. So, I looked into what someone else did and discovered an explanation that seemed to hint towards how this particular sample was built to leverage a Windows XP-specific function– one that was changed in Windows 7.

    No wonder this sample seemed well-behaved on the 64-bit version of Windows 7– it doesn’t do anything. Unfortunately, I don’t currently have access to a Windows XP .iso, so I’m going to have to put this problem on the backburner. In any case, after reading the answers and what jmprsp did, I’m thinking it wouldn’t have been too difficult to identify this malware’s pesky behavior in an environment in which the malware would actually properly run.

  3. Are there any useful network-based signatures for this malware? If so, what are they?

    Strings shows the presence of www.practicalmalwareanalysis.com but due to previously described problems, a true analysis of this sample could not be completed.

3.2

  1. How can you get this malware to install itself?

    After strictly reading this question, the first thing that comes to mind is we need to use rundll32.exe to run this file, but we need to know what DLL functions should be ran. If we use Ida to check out the exports, we find there exist a few:

    3.2.1dllexports)

    Install and installA look promising. Let’s try running Install with rundll32.exe and see what happens.

    First, I start up Procmon and…

    rundll32.exe Lab03-02.dll, Install

    3.2.2fail.PNG

    UGH. WHY.

    It doesn’t work on 32 bit versions of Windows 7 either, even when ran as an administrator. It looks like this is another piece of Windows XP-specific malware. Unfortunately, I cannot continue with this sample either. Review jmprsp’s work here and move on.

    We will return to this problem as soon as I hit chapter 5 (i.e. the Ida chapter), and identify the exact problem behind why it won’t run. Maybe it’s something that can be fixed.

  2. How would you get this malware to run after installation?

  3. How can you find the process under which this malware is running?

  4. Which filters could you set in order to use procmon to glean information?

  5. What are the malware’s host-based indicators?

  6. Are there any useful network-based signatures for this malware?

Realizations made after reading the book answers:

  • here

3.3

  1. What do you notice when monitoring this malware with Process Explorer?

    I notice that I get yet another Windows error. This time, it’s 0xc0000142. Frustrating.

    3.3.1svchostfail.PNG

    Although, the failure is coming from svchost.exe – NOT Lab03-03.exe. After running it again, I noticed that Lab03-03.exe appears to spawn this svchost.exe and then exits, which leaves svchost.exe a zombie process. I’m not sure what that svchost.exe is trying to do yet. We know it’s failing with error 0xc0000142, and if we look into what causes this error we find that it has something to do with system assets/images/posts not existing, which is indicative of another Windows XP vs 7 problem.

    In either case, however, running the program in a 32 bit environment yielded a different error than when in a 64 bit environment. Upon viewing the procmon logs on the 32-bit version, it looks like svchost, before crashing, successfully completes a lot of registry querying.

    Further, if we look at HOW svchost.exe is called, we notice it’s not called in any special way:

    3.3.2svchostcall.PNG

    Yet, it appears to be querying the entire registry. I don’t think this is svchost.exe’s main function. This smells like process injection, which could be what ends up causing the Windows error when this malware arrives at the functionality that is supposed to come after the registry querying. Further, process injection often works only for specific builds of Windows (i.e. injecting a process in Windows 7 may not work the same way as injecting a process in Windows XP). I think that’s why we receive a runtime error when running this in Windows 7.

  2. Can you identify any live memory modifications?

    If svchost didn’t unexpectedly crash, I would view the process properties from within procexp and compare the strings in the image to the strings on disk, and, as is confirmed by jmprsp in his post on ch3 lab3, we would find that they are indeed very different, which demonstrates process injection as well.

  3. What are the malware’s host-based indicators?

    This question would be easier to answer if the program ran correctly.

  4. What is the purpose of this program?

3.4

  1. What happens when you run this file?

    Running the file results in the file’s deleting itself! (FINALLY, MALWARE THAT RUNS PROPERLY IN A WINDOWS 7 ENVIRONMENT WOOOO).

    3.4.1proctree.PNG

    The process tree provided by ProcMon (view -> process tree) shows that cmd is spawned by Lab03-04.exe with a delete command for the initial binary. It doesn’t appear to do much more, despite the fact that there is lots of potential functionality, judging from the imported functions.

  2. What is causing the roadblock in dynamic analysis?

    If we look at the code using Ida, we see that it calls main passing in command line arguments…

    3.4.1callmain.PNG

    and that something happens if there is only one argument passed to the program (i.e. if no command line arguments are passed in).

    3.4.2main.PNG

    Perhaps this is the issue.

  3. Are there other ways to run this program?

    If we run the program on the command line (i.e. cmd.exe) we can easily pass in more arguments. However, without doing a deeper dive into what sorts of arguments it may require/need, we can’t further process what this program does. I suspect we’ll return to this program shortly after the Ida chapter.