Dive into Practical Malware Analysis: Labs 1–2

Daniel Pius
5 min read · Aug 28, 2024


A single undetected malware infection can compromise an entire network. Explore the methods used to analyze and prevent these stealthy threats from causing havoc.

Hi everyone! Today I’ll be continuing with the lab solutions. Make sure to stay safe and set up your virtual environment. This lab uses the file “Lab01-02.exe” (password for the files: infected), which is available for download via this link: https://drive.google.com/drive/folders/17Qgdtsilp2PJA1Uwqxg_xhjTt3cRHGep?usp=drive_link

I will utilize the tools and techniques discussed in the chapter to collect information about the files and address the questions given.

Question 1

Upload the Lab01–02.exe file to http://www.VirusTotal.com/. Does it match
any existing antivirus definitions?

Answer:

VirusTotal is used to scan files and quickly identify potential malware by leveraging its database of known threats and multiple antivirus engines. After I uploaded the .exe file to VirusTotal, it showed that the file had first been flagged as malicious by 59 security vendors, in an analysis from 10 days earlier.

.exe analysis 10 days ago

I reanalyzed the file by clicking the button at the top right, and it was flagged as suspicious by 60 security vendors. Reanalysis is crucial as it helps identify new or updated threats that initial scans might miss.

.exe reanalyzed file

Question 2

Are there any indications that this file is packed or obfuscated? If so,
what are these indicators? If the file is packed, unpack it if possible.

Answer:

In my previous lab article, I used PEiD, but by employing Exeinfo PE, the tool referenced earlier, we can identify that the file is compressed with UPX and receive precise instructions on how to unpack it. Exeinfo PE provides a more thorough analysis and supports a broader range of packers and file types than PEiD, making it a more effective tool for examining executable files. You can download the Exeinfo PE tool here.

Lab01–02.exe

Exeinfo PE provides unpacking instructions for UPX files under the Lamer info → Help Hint → Unpack info section. By following these instructions, I will unpack the file, producing a new executable. You can download the UPX tool here.

To decompress this UPX-packed executable with the UPX command-line tool, run the following command (`-d` decompresses, `-o` names the output file): `.\upx -d -o Unpacked_Lab01-02.exe Lab01-02.exe`

Lab01–02.exe Unpacked

You can quickly observe that the size of the .exe file has increased from 3,072 bytes (3 KB) to 16,384 bytes (16 KB).
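The packing indicators Exeinfo PE reports can also be checked in a triage script. The following is an added example (not the author's code or a tool from the book): a standard-library PE section-table parser that flags the two classic UPX tells, `UPX0`/`UPX1` section names and a first section with raw size 0 but a large virtual size. The `build_sample` helper constructs a minimal fake PE header as stand-in input; for the real file you would pass `open("Lab01-02.exe", "rb").read()`.

```python
import struct

def pe_sections(data: bytes):
    """Parse the PE section table into [(name, virtual_size, raw_size), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsec, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    table = coff + 20 + opt_size                          # headers follow the optional header
    sections = []
    for i in range(nsec):
        off = table + 40 * i                              # IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, raw = struct.unpack_from("<I4xI", data, off + 8)   # skip VirtualAddress
        sections.append((name, vsize, raw))
    return sections

def packing_indicators(data: bytes):
    """Cheap triage heuristics for UPX packing, before opening Exeinfo PE or PEiD."""
    sections = pe_sections(data)
    names = [n for n, _, _ in sections]
    found = []
    if any(n.startswith("UPX") for n in names):
        found.append("UPX section names present: " + ", ".join(names))
    # UPX leaves the first section empty on disk (raw size 0) but large in memory:
    # the stub decompresses the original code into it at run time.
    if sections and sections[0][2] == 0 and sections[0][1] > 0:
        found.append(f"{sections[0][0]} has raw size 0 but virtual size {sections[0][1]:#x}")
    return found

def build_sample(specs):
    """Constructed test input: a minimal, non-runnable PE header image with the given
    (name, virtual_size, raw_size) sections; it stands in for Lab01-02.exe here."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew -> 0x40
    optional = b"\0" * 0xE0                                        # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, len(optional), 0x102)
    table = b"".join(
        struct.pack("<8sIIII", n, v, 0x1000 * (i + 1), r, 0x400 if r else 0) + b"\0" * 16
        for i, (n, v, r) in enumerate(specs))
    return dos + b"PE\0\0" + coff + optional + table

PACKED = build_sample([(b"UPX0", 0x3000, 0), (b"UPX1", 0x1000, 0xA00), (b".rsrc", 0x1000, 0x200)])
UNPACKED = build_sample([(b".text", 0x1000, 0x1000), (b".rdata", 0x800, 0x800), (b".data", 0x600, 0x200)])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED), ("unpacked", UNPACKED)):
        print(label, packing_indicators(blob) or "no packing indicators")
```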

Question 3

Do any imports hint at this program’s functionality? If so, which imports
are they and what do they tell you?

Answer:

After analyzing the packed and unpacked files using the Dependencies x64 tool, we can identify the various import functions present.

WININET.dll Functions in the Packed file
WININET.dll Functions in the Unpacked file

Malware’s Functionality

  • Initial Infection and Installation:
    The packed version likely uses obfuscation techniques to hide its true nature. It dynamically loads additional code or libraries and unpacks itself in memory. It might initially set up a basic execution environment and then proceed to install itself as a Windows service using `CreateServiceA`.
  • Persistence Mechanism:
    Once unpacked, the malware installs itself as a service using functions like `CreateServiceA`, `StartServiceCtrlDispatcherA`, and `OpenSCManagerA`. This allows it to start automatically with Windows and maintain persistence.
  • Background Operations:
    The use of multithreading (`CreateThread`) and timers (`CreateWaitableTimerA`, `SetWaitableTimer`) indicates that the malware performs background operations. It may schedule tasks, periodically check for commands from a remote server, or execute payloads at specific times.
  • Process Synchronization:
    Mutexes (`CreateMutexA`, `OpenMutexA`) are used to prevent multiple instances of the malware from running simultaneously. This helps avoid conflicts and ensures stable operation.
  • Network Activities:
    The malware opens network connections using `InternetOpenA` and `InternetOpenUrlA`, suggesting it can communicate with a command and control server, exfiltrate data, or download additional malicious payloads.
  • System Interaction:
    Functions like `SystemTimeToFileTime` and `GetModuleFileNameA` may be used for time stamping, logging, or managing files related to the malware’s operations.

The malware in `Lab01-02` is designed for:
- Evasion and Obfuscation: Use packing techniques to hide its code and avoid detection.
- Persistence: Install itself as a Windows service to ensure it runs automatically and remains persistent.
- Background Operations: Utilize multithreading and timed operations to perform tasks discreetly and efficiently.
- Network Communication: Connect to remote servers for command and control, data exfiltration, or additional payloads.
- Synchronization: Use mutexes to manage instances and ensure stable execution.

The combination of these features indicates that the malware is designed to be resilient, stealthy, and capable of performing a variety of malicious activities while maintaining a persistent presence on the infected system.

Question 4

What host- or network-based indicators could be used to identify this
malware on infected machines?

Answer:

PEiD is a popular tool for analyzing and inspecting Portable Executable (PE) files, such as .exe and .dll files, on Windows. It can also be used to view the strings embedded in these files. You can download the PEiD tool here.

To view strings in a PE file using PEiD, open the program, go to `File > Open` to load the PE file, and once the file is loaded, click the arrow beside the “First Bytes” column and navigate to the `Strings` section to see the embedded strings.

File strings using PEiD

From the strings, we can observe a network connection attempt to the URL http://www.malwareanalysisbook.com, which is a network-based indicator. The connection is attempted via Internet Explorer, and there is also a reference to a “Malservice”, which can serve as a host-based indicator.
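The same string-based indicator hunt can be scripted so it runs over many samples. The following is an added example, not code from the article or the book: a `strings`-style extractor that also recovers UTF-16LE (wide) strings, which PE files often carry and a plain ASCII scan misses, and then sorts hits into the network- and host-based buckets Question 4 asks for. `SAMPLE` is a constructed byte blob modelled on the strings reported above, not bytes from the real file; for the real file pass `open("Unpacked_Lab01-02.exe", "rb").read()`.

```python
import re

# Constructed sample: ASCII strings separated by NULs, then one UTF-16LE string.
SAMPLE = (b"MZ\x90\x00\x03\x00"
          + b"Internet Explorer\x00"
          + b"http://www.malwareanalysisbook.com\x00"
          + b"Malservice\x00\x00"
          + "constructed-wide".encode("utf-16le") + b"\x00\x00\xff\xfe")

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")            # 4+ printable ASCII bytes
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")     # 4+ printable UTF-16LE code units
URL_RE = re.compile(r"https?://[\w.-]+(?:/[^\s\"']*)?", re.I)
UA_RE = re.compile(r"Internet Explorer|Mozilla/", re.I)   # browser/user-agent strings
HOST_RE = re.compile(r"service|mutex", re.I)            # service and mutex names

def extract_strings(data: bytes):
    """Mimic `strings`: ASCII runs first, then wide (UTF-16LE) runs."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16le") for m in WIDE_RE.finditer(data)]
    return found

def classify_indicators(strings):
    """Split extracted strings into network-based and host-based indicator candidates."""
    indicators = {"network": [], "host": []}
    for s in strings:
        if URL_RE.search(s) or UA_RE.search(s):
            indicators["network"].append(s)
        elif HOST_RE.search(s):
            indicators["host"].append(s)
    return indicators

if __name__ == "__main__":
    for kind, hits in classify_indicators(extract_strings(SAMPLE)).items():
        print(f"{kind}: {hits}")
```

Anything the heuristics bucket is a candidate only; confirm it in the disassembly before publishing it as an IOC.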

For more insights on cybersecurity and ongoing threat analysis, follow my 𝕏 (Twitter) @itsdanielpius and Linkedin @itsdanielpius. Stay informed, stay vigilant, and together, let’s safeguard our digital world.

Thanks for reading!!!
