Hello everyone, today I will continue solving the labs. Remember to stay safe and set up your virtual environment first; at the end I will attach links to the tools I have used so you can dig into the labs yourselves.
As before, I will only use the techniques the book has covered so far and not go further.
This lab comes with only one file, Lab01–02.exe.
There are some questions we need to answer to understand what this file does:
- Upload the Lab01–02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
- Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
- Do any imports hint at this program's functionality? If so, which imports are they and what do they tell you?
- What host- or network-based indicators could be used to identify this malware on infected machines?
Question 1
Upload the Lab01–02.exe file to http://www.VirusTotal.com/. Does it match
any existing antivirus definitions?
Answer:
The purpose of this step is to find out whether the sample has already been identified and whether other analysts have published an analysis of it that you can compare against. Uploading it, we see that it matches 56/71 engines, so it is flagged as malicious.
Lab01–02.exe
Question 2
Are there any indications that this file is packed or obfuscated? If so,
what are these indicators? If the file is packed, unpack it if possible.
Answer:
Using Exeinfo PE, the tool I mentioned before, we see that the file is packed with UPX, and the tool even tells us how to unpack it.
Lab01–02.exe
Following those instructions, I unpack it and get a new file.
Lab01–02.exe Unpacked
We see that its size has become much bigger, which is what we expect: UPX compresses the original code and data, so the unpacked file is larger than the packed one. The unpacked file is the one we analyze from here on.
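Exeinfo PE recognizes the UPX signature for us, but the indicators it relies on can be checked by hand. The following Python script is an added example, not part of the original post or of the book: it parses the PE section table and flags the classic packing signs, namely known packer section names, a section with no raw data but a large virtual size (the region the unpacking stub fills at runtime) and high byte entropy (compressed or encrypted data). The bytes it runs on are constructed by build_pe() to mimic a UPX layout; they are not the lab file, and the PACKER_SECTIONS list is a small hand-picked set, not an exhaustive one.

```python
import math
import random
import struct
from collections import Counter

# Section names written by well-known packers (hand-picked, not exhaustive).
PACKER_SECTIONS = {b"UPX0", b"UPX1", b"UPX2", b".aspack", b".adata",
                   b".petite", b".MPRESS1", b".MPRESS2"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, 8.0 at most."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes):
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size            # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i                # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\x00")
        vsize, _vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append({"name": name, "vsize": vsize, "rsize": rsize,
                         "raw": pe[rptr:rptr + rsize]})
    return sections


def packing_indicators(pe: bytes):
    """Return human-readable reasons to suspect the file is packed (empty if none)."""
    findings = []
    for s in parse_sections(pe):
        name = s["name"].decode("latin-1")
        if s["name"] in PACKER_SECTIONS:
            findings.append(f"section {name} is a known packer section name")
        if s["rsize"] == 0 and s["vsize"] > 0:
            findings.append(f"section {name} has no raw data but {s['vsize']:#x} bytes "
                            "of virtual size (filled by the unpacking stub at runtime)")
        ent = shannon_entropy(s["raw"])
        if ent > 7.0:
            findings.append(f"section {name} has entropy {ent:.2f} (compressed or encrypted data)")
    return findings


def build_pe(sections):
    """Constructed minimal PE32 image for the demo: valid headers, no real code."""
    e_lfanew, opt_size = 0x40, 0xE0
    data_start = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)
    coff = b"PE\x00\x00" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)   # PE32 magic, rest zeroed
    headers, raw = b"", b""
    for name, vsize, payload in sections:
        rptr = data_start + len(raw) if payload else 0
        headers += name.ljust(8, b"\x00") + struct.pack("<IIIIIIHHI", vsize, 0x1000,
                                                         len(payload), rptr, 0, 0, 0, 0, 0)
        raw += payload
    return dos + coff + opt + headers + raw


# Constructed samples, not the lab binaries.
_rng = random.Random(1)
PACKED_SAMPLE = build_pe([
    (b"UPX0", 0x8000, b""),                         # empty on disk, large in memory
    (b"UPX1", 0x3000, _rng.randbytes(0x3000)),      # stands in for compressed data
    (b".rsrc", 0x1000, b"\x00" * 0x200),
])
CLEAN_SAMPLE = build_pe([
    (b".text", 0x1000, b"MOV EAX, EBX; RET\n" * 64),  # low-entropy stand-in for code
    (b".data", 0x1000, b"\x00" * 0x100),
])

if __name__ == "__main__":
    for label, sample in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, packing_indicators(sample) or ["no packing indicators"])
```

Run against a real sample by reading the file into bytes and calling packing_indicators() on it; a result of several findings, like the UPX0/UPX1 names plus an empty-on-disk section, is what Exeinfo PE is summarizing when it reports UPX.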
Question 3
Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
Answer:
We see the following libraries:
- ADVAPI32.DLL
- KERNEL32.DLL
- MSVCRT.DLL
- WININET.DLL
and the following functions, grouped by what they tell us:
- InternetOpenUrlA and InternetOpenA (WININET.DLL): the program opens an HTTP session and fetches a URL, so we should expect network traffic.
- CreateService, StartServiceCtrlDispatcher and OpenSCManagerA (ADVAPI32.DLL): it talks to the Service Control Manager to install itself as a service and to run as one, which is a persistence mechanism.
- SystemTimeToFileTime and SetWaitableTimer (KERNEL32.DLL): it computes a point in time and waits on a timer, so its activity is probably scheduled or delayed rather than immediate.
Question 4
What host- or network-based indicators could be used to identify this
malware on infected machines?
Answer:
After unpacking the file, many more strings appear, so let's look at them with BinText. Two of them stand out: "MalService", which given the CreateService import is most likely the name of the service the malware installs, and the URL "http://www.malwareanalysisbook.com", which it will connect to through the WININET functions. A service named MalService is therefore a host-based indicator, and requests to www.malwareanalysisbook.com are a network-based indicator.
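BinText does two things for us here: it scans the file for runs of printable ASCII and UTF-16LE characters, and we then read through the results for anything that looks like an indicator. The Python script below is an added example, not from the original post or the book, that does the same job so the triage can be repeated on any unpacked sample: extract_strings() finds both string encodings (the 4-character minimum is the usual default of strings tools), and indicators() picks out URLs and, as a deliberately crude heuristic, any string containing "service" as a candidate service name. SAMPLE is a constructed byte blob standing in for the unpacked Lab01-02.exe; it is not data from the real file.

```python
import re

MIN_LEN = 4  # minimum run length, the usual default of strings tools

# Printable ASCII runs, and UTF-16LE runs (printable ASCII byte followed by NUL).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/[^\s\"']*)?")


def extract_strings(blob: bytes):
    """Return (offset, encoding, text) for every ASCII and UTF-16LE run, sorted by offset."""
    found = []
    for m in ASCII_RE.finditer(blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in WIDE_RE.finditer(blob):
        found.append((m.start(), "unicode", m.group().decode("utf-16-le")))
    return sorted(found)


def indicators(blob: bytes):
    """Split the strings into candidate network indicators (URLs) and host indicators.

    The host heuristic is crude on purpose: any string mentioning "service" is a
    candidate service name and still needs an analyst to confirm it.
    """
    urls, hosts = set(), set()
    for _offset, _encoding, text in extract_strings(blob):
        urls.update(URL_RE.findall(text))
        if "service" in text.lower():
            hosts.add(text)
    return {"network": sorted(urls), "host": sorted(hosts)}


# Constructed blob standing in for the unpacked binary; not bytes from the lab file.
SAMPLE = (
    b"\x00\x01\x02MalService\x00\x90\x90"
    + "http://www.malwareanalysisbook.com".encode("utf-16-le") + b"\x00\x00"
    + b"kernel32.dll\x00"
)

if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE):
        print(f"{offset:#08x} {encoding:8} {text}")
    print(indicators(SAMPLE))
```

Note that the URL only shows up because the UTF-16LE pass is included; a plain ASCII-only strings run would miss wide strings entirely, which is one reason BinText shows both.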