Dive into Practical Malware Analysis: Lab 1-1
Make sure to set up an isolated virtual machine before beginning the lab sessions. This lab uses the files “Lab01-01.exe” and “Lab01-01.dll” (archive password: infected), which are available for download via this link: https://drive.google.com/drive/folders/1N9r5BlOBWUOHw-84n7MZSitVmU7Yv4lK?usp=drive_link
I will apply the tools and techniques outlined in the chapter to gather information about the files and respond to the questions provided.
Question 1
Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?
Answer:
After uploading the two files to VirusTotal, we found that the .exe file was flagged as malicious by 57 security vendors and the .dll file by 47 of 74 security vendors. Both files therefore match existing antivirus signatures and are clearly malicious.
Question 2
When were these files compiled?
Answer:
PEiD is the tool used to confirm that a file is a compiled executable; from signatures and patterns inside the binary it can often also tell which compiler produced it.
PEview shows the compilation timestamp, which is what tells us precisely WHEN each file was compiled.
Open PEview and load the Portable Executable (PE) file. Go to the file header section (IMAGE_FILE_HEADER, listed under the NT headers) and look for the “Time Date Stamp” field, which records when the linker produced the file.
The Time Date Stamp fields show that:
.exe file was compiled on 2010/12/19 Sun 16:16:19 UTC
and .dll file was compiled on 2010/12/19 Sun 16:16:38 UTC
Question 3
Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?
Answer:
Earlier, we confirmed that the files were compiled with Microsoft Visual C++ 6.0. We will now use PEiD to check packer signatures, strings, and section names and determine whether either file shows signs of packing or obfuscation.
After loading each file in PEiD and clicking the “Extra Information” button at the lower right of the PEiD window, we determined that neither file is packed or obfuscated.
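As an added example (not from the book or from this write-up's own tooling), the following Python script does by hand what PEview and PEiD show in the answers to Questions 2 and 3: it reads the TimeDateStamp from IMAGE_FILE_HEADER and prints it as a UTC time, then walks the section table and reports the indicators a packed file typically shows (a non-standard section name, entropy close to 8 bits per byte, a virtual size far larger than the raw size). Since the lab binaries cannot be embedded here, the script builds a minimal constructed PE image (no optional header) carrying the .exe's timestamp from the answer above; the section names, section contents and thresholds are assumptions for the demonstration, not values taken from the lab files.

```python
import math
import struct
from datetime import datetime, timezone

# Section names a Visual C++ build normally produces; anything else deserves a second look.
# Constructed list for this example, not an exhaustive one.
COMMON_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".tls", ".bss"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~0 for padding, ~4-6 for code, close to 8 for packed/encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(image: bytes) -> dict:
    """Read the PE signature, IMAGE_FILE_HEADER and section table (enough for Questions 2 and 3)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]  # offset of the PE signature
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4  # IMAGE_FILE_HEADER follows the 4-byte signature
    _machine, nsections, stamp, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", image, fh)
    table = fh + 20 + opt_size  # the section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, table + i * 40)
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return {"timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc), "sections": sections}


def packing_indicators(pe: dict, entropy_threshold: float = 7.0) -> list:
    """Human-readable packing indicators; an empty list means nothing suspicious was seen."""
    findings = []
    for s in pe["sections"]:
        if s["name"] not in COMMON_SECTIONS:
            findings.append(f"{s['name']}: non-standard section name")
        if s["entropy"] > entropy_threshold:
            findings.append(f"{s['name']}: entropy {s['entropy']} suggests compressed or encrypted contents")
        if s["virtual_size"] > 2 * s["raw_size"]:
            findings.append(f"{s['name']}: virtual size {s['virtual_size']} far exceeds raw size "
                            f"{s['raw_size']} (room reserved for unpacked code)")
    return findings


def build_sample_pe(stamp: int, sections) -> bytes:
    """Constructed minimal PE image for the demo (no optional header); not one of the lab files."""
    header_len = 0x40 + 4 + 20 + 40 * len(sections)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew -> PE signature at 0x40
    file_header = struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, 0, 0x102)  # i386 EXE
    table, body = b"", b""
    for name, vsize, data in sections:
        rawptr = header_len + len(body)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000,
                             len(data), rawptr, 0, 0, 0, 0, 0x60000020)
        body += data
    return dos + b"PE\0\0" + file_header + table + body


# Timestamp taken from the answer to Question 2; the section contents are synthetic.
EXE_STAMP = int(datetime(2010, 12, 19, 16, 16, 19, tzinfo=timezone.utc).timestamp())
SAMPLE_PE = build_sample_pe(EXE_STAMP, [
    (b".text", 0x1000, bytes(range(16)) * 256),  # low-entropy "code"
    (b".rsrc", 0x200, b"\0" * 512),              # padding
    (b"UPX1", 0x8000, bytes(range(256)) * 16),   # packer-style: odd name, max entropy, vsize >> raw
])

if __name__ == "__main__":
    pe = parse_pe(SAMPLE_PE)
    print("compiled:", pe["timestamp"].strftime("%Y/%m/%d %a %H:%M:%S UTC"))
    for s in pe["sections"]:
        print(f"  {s['name']:<8} vsize={s['virtual_size']:#x} raw={s['raw_size']:#x} entropy={s['entropy']}")
    for finding in packing_indicators(pe):
        print("  !", finding)
```

Run against a real file with `parse_pe(open(path, "rb").read())`; a clean Visual C++ 6.0 build such as the lab files gives only standard section names and moderate entropy, which is the same conclusion PEiD reached above.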
Question 4
Do any imports hint at what this malware does? If so, which imports are they?
Answer:
Yes. Analyzing both the .exe and the .dll with the Dependencies x64 tool shows the imported functions, which are:
.exe Import Functions
These functions handle files in Windows programs. `CreateFileA` creates or opens a file with a given name and access rights. `MapViewOfFile` maps a file into memory so the program can read and modify it directly, and `UnmapViewOfFile` releases that mapping once the work is done. `FindFirstFileA` starts a search for files in a folder that match a pattern, and `FindNextFileA` continues that search for the remaining matches. Finally, `CopyFileA` copies a file from one location to another on disk. Together these imports let the program enumerate, read, and copy files.
.dll Import Functions
These are ordinary Windows API functions, but the combination is typical of malware. `Sleep` delays execution, which can serve to evade detection or to pace activity. `CreateProcessA` spawns new processes, for example to run commands or launch more malware. `CreateMutexA` and `OpenMutexA` ensure that only one instance of the malware runs at a time. `CloseHandle` releases handles when they are no longer needed. Together these imports let the malware run programs, avoid duplicate infections, and stay active on the compromised system.
Question 5
Are there any other files or host-based indicators that you could look for on infected systems?
Answer:
Examining the strings in the executable file (.exe), we find the path C:\windows\system32\kerne132.dll, a name that closely resembles kernel32.dll (a digit 1 replaces the letter l). This suggests that kerne132.dll is a malicious file disguising itself as the legitimate DLL. Searching for this file on infected systems is a good way to identify and mitigate the infection.
Question 6
What network-based indicators could be used to find this malware on infected machines?
Answer:
When we look at the strings inside Lab01-01.dll, we find an IP address. The malware tries to connect to this IP address, which serves as a network-based indicator.
To extract these strings we use the Sysinternals “Strings” tool. Download ‘SysinternalsSuite.zip’ from the official Sysinternals site and unzip it, then run the Strings tool (strings.exe) from the extracted folder against each file. To simplify access, you can add that folder’s path to your system’s PATH variable.
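The two indicators from Questions 5 and 6 (a look-alike system DLL name and a hard-coded IP address) can be pulled out automatically once the strings are extracted. The following Python script is an added example, not the book's or this write-up's tooling and not a replacement for Sysinternals Strings: it extracts ASCII and UTF-16LE strings the way Strings does, then flags Windows paths, syntactically valid IPv4 addresses, and DLL names within one edit of a genuine system DLL. It runs over a small constructed byte blob that contains the indicators named in the answers above; the short list of genuine DLL names is an assumption for the demo.

```python
import ipaddress
import re

# Genuine system DLL names that malware likes to imitate; a short constructed list for the demo.
SYSTEM_DLLS = ["kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "ws2_32.dll", "wininet.dll"]

IPV4_CANDIDATE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
WINDOWS_PATH = re.compile(r"[A-Za-z]:\\[^\s\"<>|]+")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs, then UTF-16LE runs, of at least min_len characters (like Strings)."""
    ascii_runs = [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    wide_runs = [m.group().decode("utf-16le")
                 for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return ascii_runs + wide_runs


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'kerne132.dll' is one substitution away from 'kernel32.dll'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_host_paths(strings: list) -> list:
    """Windows file paths embedded in the binary: candidate host-based indicators."""
    return [p for s in strings for p in WINDOWS_PATH.findall(s)]


def find_lookalike_dlls(strings: list, max_distance: int = 1) -> list:
    """(string, genuine name) pairs where a .dll file name is a near miss of a real system DLL."""
    hits = []
    for s in strings:
        base = re.split(r"[\\/]", s)[-1].lower()
        if not base.endswith(".dll") or base in SYSTEM_DLLS:
            continue  # not a DLL name, or the real thing
        for genuine in SYSTEM_DLLS:
            if edit_distance(base, genuine) <= max_distance:
                hits.append((s, genuine))
    return hits


def find_network_indicators(strings: list) -> list:
    """Dotted quads that are valid IPv4 addresses (rejects e.g. 999.1.1.1)."""
    hits = []
    for s in strings:
        for cand in IPV4_CANDIDATE.findall(s):
            try:
                ipaddress.IPv4Address(cand)
            except ValueError:
                continue
            hits.append(cand)
    return hits


# Constructed sample: printable strings separated by non-printable filler bytes.
SAMPLE_BLOB = b"\x00\x01\x02\x7f\x80\xff".join([
    b"MZ",                                   # shorter than min_len, so not reported
    b"CreateFileA",
    b"kernel32.dll",                         # the genuine DLL name, must not be flagged
    b"C:\\windows\\system32\\kerne132.dll",  # host indicator from Question 5
    b"exec",
    b"sleep",
    b"127.26.152.13",                        # network indicator from Question 6
    b"999.1.1.1",                            # looks like an address but is not one
    "hello".encode("utf-16le"),              # a wide string, to exercise the second pass
])

if __name__ == "__main__":
    found = extract_strings(SAMPLE_BLOB)
    print("paths:     ", find_host_paths(found))
    print("lookalikes:", find_lookalike_dlls(found))
    print("network:   ", find_network_indicators(found))
```

For a real sample, replace SAMPLE_BLOB with the file's bytes; the look-alike check is deliberately narrow (one edit from a known name) so that it reports kerne132.dll without flagging every third-party DLL the program loads.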
Question 7
What would you guess is the purpose of these files?
Answer:
Based on our analysis, the malware aims to create a backdoor for attackers by locating or duplicating kernel32.dll in C:\windows\system32\. The imports CreateProcess and Sleep are consistent with backdoor functionality: the string “exec” likely commands the malware to run a program via CreateProcess, while “sleep” tells it to pause. The malware also communicates with the IP address 127.26.152.13.
In conclusion, understanding malware behavior through thorough analysis is crucial for defending against evolving cyber threats. By dissecting its tactics, techniques, and procedures, we can strengthen our defenses and protect sensitive information from malicious actors. For more insights on cybersecurity and ongoing threat analysis, follow my 𝕏 (Twitter) @itsdanielpius. Stay informed, stay vigilant, and together, let’s safeguard our digital world.
Thanks for reading!!!