Let’s kick it off. The first chapter of PMA was an introduction to Basic Static Analysis. Although there’s a unique set of tools used in the book, I’d be improvising and testing other tools which might achieve the same purpose.
Tooling
I’ll be using the following tools/services for this chapter: [I’m diverting from the toolset used by the author… mainly because they’re outdated]
- PEStudio
- PEView
- PEID
- ExeInfoPE
- VirusTotal
Exercise 1
| Hash | Filename |
|---|---|
| BB7425B82141A1C0F7D60E5106676BB1 | Lab01-01.exe |
| 290934C61DE9176AD682FFDD65F0A669 | Lab01-01.dll |
Question Number 1: Upload the files to https://www.virustotal.com/ and view the reports. Does either file match any existing antivirus signatures?
Well, it’s been years since the first upload so we should expect some results.
As of writing, the PE executable file (.exe) matches 50 antivirus signatures. Conversely, the DLL file matches 41 antivirus signatures.
Question Number 2: When were these files compiled?
We can use PEStudio for this. However, I’ll stick to VirusTotal. Scroll down in the Details tab and look for the Compilation Timestamp.
LAB01-01.exe: 2010-12-19 16:16:19
LAB01-01.dll: 2010-12-19 16:16:38
That’s close.
Question Number 3: Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?
No, neither of the two appear to be packed or obfuscated. Although the PE files don’t import any libraries directly, we can still clearly see the imports in the strings. No strings appear to be obfuscated to thwart static analysis either.
Question Number 4: Do any imports hint at what this malware does? If so, which imports are they?
PE DLL:
Looking at the clear-text strings, we can see several libraries being mentioned. A few imports include:
- CreateMutex: Creation of a mutex on the host
- CreateProcess: Launch a process on the host
It also includes imports like WS2_32.dll which includes networking API calls. Since there’s an IP address amongst the strings too, it likely connects over the network by launching a process of itself.
PE EXE:
Imports include:
- CreateFile: Create a file on disk
- CopyFile: Copy a file
- FindNextFile/FindFirstFile: Used to traverse directories in search of files
This malware appears to be traversing directories and copying files to/from source/destination. Potentially used to exfiltrate data from the infected system.
Question Number 5: Are there any other files or host-based indicators that you could look for on infected systems?
So, if you review strings in the EXE file; there’s a kerne1_32.dll trying to masquerade as the legitimate kernel32.dll. Well, that’s one awesome indicator for Incident Responders to look for on other potentially compromised hosts.
Some low-hanging fruit: (not bound to be very fruitful though)
- Hashes
- Filenames
Question Number 6: What network-based indicators could be used to find this malware on infected machines?
From the DLL file, we can find an IP address:
- 127.26.152.13
Question Number 7: What would you guess is the purpose of these files?
The EXE file appears to be traversing directories and copying files. The DLL file appears to launch a process, create a mutex to mark an infected host, and establish connection to an IP address. The two are likely linked as the EXE file mentions the DLL file within itself. I’d say the EXE file is used to drop and kick the DLL into action which acts as a backdoor on the compromised system (since it ultimately allows the C2 to contact back).
Exercise 2
| Hash | Filename |
|---|---|
| 8363436878404DA0AE3E46991E355B83 | Lab01-02.exe |
Question Number 1: Upload the files to https://www.virustotal.com/ and view the reports. Does either file match any existing antivirus signatures?
As of writing, the PE executable file (.exe) matches 54 antivirus signatures.
Question Number 2: Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
Yes, the file appears to be packed as we open it in PEStudio. Reviewing the sections in the PE file, we can see typical UPX sections replacing standard .TEXT, .DATA or other PE sections. We can also deduce that from the differences in raw and virtual addresses of sections in the PE file i.e., the raw size has been reduced wherein the virtual size (once the PE file is imported into memory) is much higher in comparison.
Let’s unpack it using UPX:
upx -d Lab01-02.exe
Here’s the hash of the unpacked executable:
| Hash | Filename |
|---|---|
| 31E8A82E497058FF14049CF283B337EC51504819 | Lab01-02_unpacked.exe |
Question Number 3: Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
Notable imports from the PE include:
- CreateService: Create a service on the host
- OpenSCManager: Returns handle to the service control manager’s database which is in turn used by
CreateServicecalls - CreateThread: Launch a new thread in a process
- InternetOpen/InternetOpenUrl: Initialization of network functions and returning handles to URL (mentioned within the malware as well)
Question Number 4: What host- or network-based indicators could be used to identify this malware on infected machines?
Two indicators are quite noticeable. The URL, http[:]//www.malwareanalysisbook.com, and a potential service name, MalService.
Exercise 3
| Hash | Filename |
|---|---|
| 9C5C27494C28ED0B14853B346B113145 | Lab01-03.exe |
Question Number 1: Upload the files to https://www.virustotal.com/ and view the reports. Does either file match any existing antivirus signatures?
As of writing, the PE executable file (.exe) matches 59 antivirus signatures.
Question Number 2: Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
Let’s open up the PE in PEStudio again. It does appear to be packed as can be seen from the differences in raw and virtual sizes of the PE along with unknown/unrecognized section names.
If you were to review the strings from the PE, they don’t make much sense too. Only a few exceptions exist; LoadLibrary and GetProcAddress are not obfuscated which suggests the PE might be loading libraries on run-time.
Question Number 3: Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
LoadLibrary and GetProcAddress are the two imports which we can see in clear-text strings in the PE file. The malware will attempt to load libraries on run-time which is a solid anti-analysis technique. Unpacking the malware will give us more insights.
Question Number 4: What host- or network-based indicators could be used to identify this malware on infected machines?
Static analysis doesn’t reveal much about the PE. We’ll need to perform dynamic analysis to get an idea of the PE’s capabilities or unpacking the malware might give us more insights.
Exercise 4
| Hash | Filename |
|---|---|
| 625AC05FD47ADC3C63700C3B30DE79AB | Lab01-04.exe |
Question Number 1: Upload the files to https://www.virustotal.com/ and view the reports. Does either file match any existing antivirus signatures?
As of writing, the PE executable file (.exe) matches 62 antivirus signatures.
Question Number 2: Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
No, the PE file isn’t packed or obfuscated.
Question Number 3: When was this program compiled?
We used VirusTotal to answer the same question in the first exercise. Let’s actually open up the PE file in PEStudio and review the file-header to see if a compiler timestamp is available for this file.
Lab01-04.exe: Sat Aug 31 03:26:59 2019 [PEStudio adds in more detail than what’s actually available i.e., 0x5D69A2B3]
P.S: The book was released in 2014. This can’t be true, can it?
Question Number 4: Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
Yes, several imports suggest the malware can spawn processes, modify/create files, dynamically load resources and libraries, as well as identify/escalate privileges/permissions. [Mind you, my answers include strings/imports from the embedded resource as well]
Question Number 5: What host- or network-based indicators could be used to identify this malware on infected machines?
Host Indicators:
- updater.exe
- winup.exe
- \system32\wupdmgrd.exe
Network Indicators:
- hxxp://www.practicalmalwareanalysis.com/
Question Number 6: This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?
- Compiler Timestamp: Sun Feb 27 05:16:59 2011
- Potentially the correct timestamp and the source malware could be placed around the same timestamp
- Connects to the internet to acquire, updater.exe from the aforementioned URL