Practical malware analysis 1 - 4 | General Hacking | Crax



Posted by dax050 (Member, joined Sep 23, 2023)
This is the last lab in the first chapter “BASIC STATIC TECHNIQUES”.

The lab file is Lab01–04.exe. Let’s analyze it and answer the following questions to see what it hides:
  1. Upload the Lab01–04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
  2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
  3. When was this program compiled?
  4. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
  5. What host- or network-based indicators could be used to identify this malware on infected machines?
  6. This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?
So, let’s start.

Question 1

Upload the Lab01–04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

Answer:

VirusTotal tells us that the file is detected by 59 out of 71 vendors.
[Screenshot: Lab01–04.exe on VirusTotal]

Question 2

Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

Answer:

Exeinfo PE reports that the file is not packed and that it was compiled with Microsoft Visual C++.

We also take a look at the strings and imports, and there are plenty of both (a packed file usually shows only a handful of each), so the file is clearly not packed or obfuscated.


Question 3

When was this program compiled?

Answer:

We could answer this question with PEStudio, but let’s try another tool.
In PEview we see that the compile date is 30/8/2019. This is fake, because the book was published in February 2012, so the timestamp in the PE header has been forged.
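For Questions 2 and 3, here is what PEview and Exeinfo PE are doing under the hood, as an added example written for this post (it is not code from the post or from the book). It reads the COFF TimeDateStamp from the PE header and checks it against the analysis date, and it reports the usual packing indicators from the section table: high Shannon entropy, packer-style section names, and sections that occupy memory but have no data on disk. The two sample executables are built inline and are not Lab01–04.exe; their timestamps mirror the dates mentioned above (30/8/2019 vs. a February 2012 analysis), and the "real" build date and section contents are assumptions.

```python
"""PE header triage in pure Python (added example; constructed samples, not Lab01-04.exe)."""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

SECTION_HEADER_SIZE = 40
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".themida", ".vmp0", ".vmp1"}


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~8.0 means compressed/encrypted data, plain code is usually 5-6.5."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF file header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, timestamp, _, _, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size  # the section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + i * SECTION_HEADER_SIZE)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": shannon_entropy(data[rawptr:rawptr + rawsize]),
        })
    return {"timestamp": timestamp, "sections": sections}


def timestamp_verdict(timestamp: int, analysis_time: datetime) -> str:
    """A compile date after the analysis date, or before Win32 existed, was forged or cleared."""
    if timestamp == 0:
        return "cleared"
    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)
    if compiled > analysis_time:
        return "future"
    if compiled.year < 1993:
        return "implausibly old"
    return "plausible"


def packing_indicators(parsed: dict) -> list[str]:
    hints = []
    for s in parsed["sections"]:
        if s["entropy"] > 7.0:
            hints.append(f"{s['name']}: entropy {s['entropy']:.2f} looks compressed or encrypted")
        if s["name"] in PACKER_SECTION_NAMES:
            hints.append(f"{s['name']}: section name used by a known packer")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hints.append(f"{s['name']}: no data on disk but {s['virtual_size']:#x} bytes in memory (unpacking target)")
    return hints


def triage(data: bytes, analysis_time: datetime) -> dict:
    parsed = parse_pe(data)
    compiled = datetime.fromtimestamp(parsed["timestamp"], tz=timezone.utc)
    return {
        "compiled": compiled.strftime("%Y-%m-%d %H:%M:%S UTC"),
        "timestamp_verdict": timestamp_verdict(parsed["timestamp"], analysis_time),
        "sections": [(s["name"], round(s["entropy"], 2)) for s in parsed["sections"]],
        "packing_hints": packing_indicators(parsed),
    }


def build_sample_pe(timestamp: int, sections: list[tuple[bytes, bytes, int]]) -> bytes:
    """Constructed minimal PE: DOS header, PE signature, COFF header, no optional header, sections."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)
    rawptr = 0x40 + 4 + 20 + SECTION_HEADER_SIZE * len(sections)
    table, raw = b"", b""
    for name, content, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000, len(content), rawptr, 0, 0, 0, 0, 0x60000020)
        raw += content
        rawptr += len(content)
    return dos + b"PE\0\0" + coff + table + raw


BOOK_PUBLISHED = datetime(2012, 2, 1, tzinfo=timezone.utc)                  # the post: book published February 2012
FORGED_STAMP = int(datetime(2019, 8, 30, tzinfo=timezone.utc).timestamp())  # the post: PEview shows 30/8/2019
REAL_STAMP = int(datetime(2011, 1, 1, tzinfo=timezone.utc).timestamp())     # assumed plausible build date


def lab_like_sample() -> bytes:
    """Unpacked layout (low-entropy code, readable strings) but a forged, future timestamp."""
    code = b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 256
    rdata = b"http://example.invalid/updater.exe\0\\system32\\example.exe\0"  # placeholder strings
    return build_sample_pe(FORGED_STAMP, [(b".text", code, len(code)), (b".rdata", rdata, len(rdata))])


def packed_like_sample() -> bytes:
    """UPX-style layout: an empty UPX0 filled at runtime and a high-entropy UPX1."""
    blob = bytes(range(256)) * 16  # uniform byte distribution -> entropy 8.0
    return build_sample_pe(REAL_STAMP, [(b"UPX0", b"", 0x8000), (b"UPX1", blob, len(blob))])


if __name__ == "__main__":
    for label, sample in (("lab-like", lab_like_sample()), ("packed-like", packed_like_sample())):
        print(label, triage(sample, BOOK_PUBLISHED))
```

The lab-like sample yields no packing hints but a "future" timestamp verdict, which is exactly the combination seen in this lab; the packed-like sample yields a plausible date but four packing hints. A future or zeroed timestamp is a reason to look for the real build date elsewhere (for example in an embedded resource, as in Question 6), not a reason to trust it.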


Question 4

Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

Answer:

There are functions like WriteFile, CreateFileA and MoveFileA, so I guess the file performs actions on the disk and on files.
There is also a function called WinExec, so the files that the exe creates and writes can then be executed.
[Screenshot: kernel32.dll imports]
We also see AdjustTokenPrivileges and LookupPrivilegeValueA, which may allow the exe to obtain higher privileges.
[Screenshot: advapi32.dll imports]

Question 5

What host- or network-based indicators could be used to identify this malware on infected machines?

Answer:

We open BinText to view the strings. There are a lot of them, including a function called URLDownloadToFile.

This function downloads a file from the Internet to a local file. So obviously the program downloads a file, but from where, and into which file does it put it?
Fortunately, other strings answer our questions. I found a URL that we will use as a network-based indicator, “http://practicalmalwareanalysis.com/updater.exe”,
and a path where the malware will put the downloaded file, “\system32\wupdmrgd.exe”, which serves as a host-based indicator.


Question 6

This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?

Answer:

Using Resource Hacker, we examine the resource and save it as a binary file.

In the extracted binary we get more information about the file: we can see more imports and the original compile time.
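A quick way to confirm that a resource saved from Resource Hacker is itself an executable, as an added example written for this post (not code from the post or the book): scan the blob for an MZ header whose e_lfanew points at a "PE\0\0" signature, then read that embedded file's own COFF timestamp so it can be compared with the (forged) one in the outer file. The resource blob, the decoy "MZ" bytes and the embedded build date are all constructed here.

```python
"""Find an embedded PE inside an extracted resource (added example; constructed blob)."""
import struct
from datetime import datetime, timezone


def find_embedded_pe(blob: bytes) -> list[dict]:
    """Return one record per valid PE header found anywhere inside blob."""
    hits = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            sig = pos + e_lfanew
            # a real e_lfanew is small and lands on "PE\0\0" with a full COFF header behind it
            if 0x40 <= e_lfanew < 0x1000 and blob[sig:sig + 4] == b"PE\0\0" and sig + 24 <= len(blob):
                _machine, nsections, stamp = struct.unpack_from("<HHI", blob, sig + 4)
                hits.append({
                    "offset": pos,
                    "e_lfanew": e_lfanew,
                    "sections": nsections,
                    "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
                })
        pos = blob.find(b"MZ", pos + 1)
    return hits


def carve(blob: bytes, hit: dict) -> bytes:
    """Everything from the MZ header to the end of the blob, which is enough for a dropped resource."""
    return blob[hit["offset"]:]


EMBEDDED_STAMP = int(datetime(2011, 1, 1, tzinfo=timezone.utc).timestamp())  # assumed "original" build date


def _tiny_pe(stamp: int) -> bytes:
    """Constructed minimal PE: DOS header, signature, COFF header, one blank section header."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0x0102)  # i386, 1 section
    return dos + b"PE\0\0" + coff + b"\0" * 40


# decoy "MZ" bytes first (no valid e_lfanew), then the real embedded executable, then padding
RESOURCE_BLOB = b"\0" * 7 + b"MZ" + b"decoy" + b"\0" * 24 + _tiny_pe(EMBEDDED_STAMP) + b"\xff" * 16


if __name__ == "__main__":
    for hit in find_embedded_pe(RESOURCE_BLOB):
        print(hit, len(carve(RESOURCE_BLOB, hit)), "bytes carved")
```

The decoy shows why checking for "MZ" alone is not enough: only the header whose e_lfanew actually lands on a PE signature is reported. The carved bytes can then be fed to the same header parsing used for the outer file to list its imports and compile time.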


We have finished solving the labs of the first chapter. I recommend you download the tools and try solving the labs yourselves.

The second chapter has no labs; it just teaches you how to set up your safe environment. It’s very important not to harm your personal machine, so be safe.