Practical Malware Analysis 1 - 1

[dax050]

Remember to setup your safe environment before digging into the labs.

This lab comes with two files Lab01–01.exe and Lab01–01.dll., I will use the tools and the basic static analysis technique that’ve been mentioned in the chapter to answer the questions.

Question 1​

Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?

Answer:​

Uploading the two files to virus total we see that the .exe file got flagged malicious by 54 security vendors and the .dll file got flagged by 44 out of 70 security vendors, so obviously those are malicious files.

.exe file

.dll file

Question 2​

When were these files compiled?

Answer:​

Using PEStudio we will know the answer by importing both files into it and we will find this information in compiler-stamp tab

.exe file

.dll file
So, we see that.
the .exe file was compiled at Sun Dec 19 16:16:19 2010
and the .dll file compiled at Sun Dec 19 16:16:38 2010

Question 3​

Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

Answer:​

No, there’s no indicators these files are packed or obfuscated, using Exeinfo PE we see that files are compiled with Microsoft Visual C++ version 6, and in the unpack info section it says that the files are not packed.

.exe file

.dll file
with viewing the strings of the executable file, we see a lot of strings

.exe file strings

Question 4​

Do any imports hint at what this malware does? If so, which imports are they?

Answer:​

Yes, by analyzing Lab01–01.exe with PEStudio we can see the following functions:

• CreateFileA
• FindNextFileA
• FindFirstFileA
• CopyFileA

and with the .dll file we see the following:

• kernel32.dll
• ws2_32.dll
• msvcrt.dll

ws2_32.dll import, is a network dll it most likely connects to a network or performs network-related tasks,
so maybe the malware connects to a network or Ip address.

.exe file

.dll file

Question 5​

Are there any other files or host-based indicators that you could look for on infected systems?

Answer:​

By viewing the strings of the executable file, we find the file C:\windows\system32\kerne132.dll , that looks too similar to kernel32.dll, so the file kerne132.dll is obviously malicious and try to disguise itself,
we will look for it on infected systems.

Question 6​

What network-based indicators could be used to find this malware on
infected machines?

Answer:​

by Examining the strings in Lab01–01.dll we find an Ip address, so we can use it as a network-based indicator and the malware tries to communicate with it.

Question 7​

What would you guess is the purpose of these files?

Answer:​

After all we obtained by the basic static analysis, I would guess that the purpose of the malware is to give the attacker backdoor to the machine, based on the imports we see that the executable file searches for C:\windows\system32\kerne132.dll file and if it doesn’t exist it tries to copy it. it also communicates with the Ip address we found 127.26.152.13.

Click to read more...