Wednesday, April 4, 2018

Practical Malware analysis tutorial - Part 1 - Basic Static analysis - Labs walkthrough

Lab Walkthroughs:
Lab 1-1:
  1. Upload Lab01-01.exe and Lab01-01.dll to VirusTotal. Both are identified as a Trojan/Win32 variant.
  2. The TimeDateStamp field of the File Header gives compile timestamps of 0x4D0E2FD3 (Sun Dec 19 21:46:19 2010) and 0x4D0E2FE6 (Sun Dec 19 21:46:38 2010) for the exe and the dll respectively.
  3. Nothing in the strings or the Import Directory suggests that either the exe or the dll is packed or obfuscated.
  4. The exe mainly imports file-related APIs, which suggests it searches for files. The DLL imports from WS2_32.dll, which indicates networking functionality.
  5. Looking at the strings of both samples, one host-based indicator is "C:\Windows\system32\kerne132.dll".
  6. Connections to the IP address 127.26.152.13 can be used as a network-based indicator.
  7. The likely purpose of these samples is to search for files and send them to a remote host.

Lab 1-2:
  1. The sample is identified as a Win32.Trojan.Downloader variant on VirusTotal.
  2. The Import Directory contains LoadLibrary, VirtualAlloc and GetProcAddress. This almost always means the code is packed, since these are the APIs a packer stub uses to unpack the code into memory and resolve its real imports. The sections are also named UPX0, UPX1 and UPX2, which indicates that the executable was packed with UPX. The file can be unpacked with the UPX utility.
  3. The imports CreateService and InternetOpenUrl indicate that the malware may create a service and connect to a URL.
  4. The presence of a service named MalService is a host-based indicator, and network traffic to http://www.malwareanalysisbook.com can be used to identify an infection.

Lab 1-3:
  1. VirusTotal detects the sample as a generic Windows trojan.
  2. The sample appears to be packed: it has very few imports and no meaningful strings. CFF Explorer identifies the packer as FSG.
  3. Only LoadLibrary and GetProcAddress are present in the imports, so little can be said about the functionality of the actual program without unpacking the sample.
  4. No host-based or network-based indicators can be determined.

Lab 1-4:
  1. VirusTotal detects this sample as a generic Windows downloader.
  2. The sample is not packed, as neither the Import Directory nor the strings are obfuscated.
  3. The compile timestamp is Sat Aug 31 03:56:59 2019.
  4. Imports such as FindResource, LoadResource, CreateProcess and OpenProcess indicate that the sample may load another executable from its resource section and execute it.
  5. The path \system32\wupdmgrd.exe and the URL http://www.practicalmalwareanalysis.com/updater.exe are host-based and network-based indicators respectively.
  6. The resource section contains another PE executable that downloads a file from the Internet.
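The checks used across these four labs (compile timestamp, section names, import count) can be scripted with nothing but the standard library. The following is an added example written for this post, not code from the book or its lab files: triage() reads the PE32 header fields that basic static analysis relies on and flags the packing hints seen in Labs 1-2 and 1-3, and build_sample() constructs a small fake PE32 (not a real binary) laid out like a UPX-packed file so the script runs offline; both names, and the PE32-only assumption, are this example's own.

```python
import struct
from datetime import datetime, timezone

def rva_to_off(secs, rva):  # secs entries: (name, vsize, va, rsize, raw_offset)
    for _, vsize, va, rsize, raw in secs:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError("RVA %#x maps to no section" % rva)

def triage(data):  # header-only triage of a PE32 image: compile time, sections, imports, packer hints
    pe = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt, (nsec, ts, opt_size) = pe + 24, struct.unpack_from("<2xHI8xH", data, pe + 4)  # COFF header
    secs = [struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i) for i in range(nsec)]
    names = [s[0].rstrip(b"\0").decode("ascii", "replace") for s in secs]
    imp_rva = struct.unpack_from("<I", data, opt + 104)[0]  # DataDirectory[1] (PE32 layout assumed)
    imports, off = {}, rva_to_off(secs, imp_rva) if imp_rva else None
    while off is not None:  # walk IMAGE_IMPORT_DESCRIPTORs up to the all-zero terminator
        oft, _, _, name_rva, ft = struct.unpack_from("<5I", data, off)
        if not name_rva:
            break
        noff, thunk, n = rva_to_off(secs, name_rva), rva_to_off(secs, oft or ft), 0
        while struct.unpack_from("<I", data, thunk + 4 * n)[0]:  # one thunk per imported function
            n += 1
        imports[data[noff:data.index(b"\0", noff)].decode()] = n
        off += 20
    hints = [h for flag, h in ((any(s.startswith("UPX") for s in names), "UPX section names: UPX-packed"),
                               (sum(imports.values()) <= 2, "almost no imports: likely packed")) if flag]
    return {"compiled_utc": datetime.fromtimestamp(ts, timezone.utc),
            "sections": names, "imports": imports, "hints": hints}

def build_sample(ts, sections, imports):
    """Constructed PE32 for this demo, not a real binary: the import table sits in the last section."""
    n, va, descs, tail = len(sections), 0x1000 * len(sections), b"", b""
    for dll, count in imports.items():  # imports maps DLL name -> number of (ordinal) imports
        name_rva = va + 20 * (len(imports) + 1) + len(tail)
        thunk, tail = name_rva + len(dll) + 1, tail + dll.encode() + b"\0"
        tail += struct.pack("<%dI" % (count + 1), *[0x80000000 | i for i in range(1, count + 1)], 0)
        descs += struct.pack("<5I", thunk, 0, 0, name_rva, thunk)
    blob = descs + b"\0" * 20 + tail
    hdr = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40) + b"PE\0\0"
    hdr += struct.pack("<HHIIIHH", 0x14C, n, ts, 0, 0, 224, 0x102) + struct.pack("<H", 0x10B).ljust(104, b"\0")
    hdr += struct.pack("<II", va, len(blob)).ljust(120, b"\0")  # DataDirectory[1] -> import table
    for i, s in enumerate(sections):
        hdr += struct.pack("<8sIIII", s.encode(), 0x200, 0x1000 * (i + 1), 0x200, 0x200 * (i + 1)).ljust(40, b"\0")
    return hdr.ljust(0x200, b"\0") + b"\0" * 0x200 * (n - 1) + blob.ljust(0x200, b"\0")

PACKED = build_sample(0x4D0E2FD3, ["UPX0", "UPX1", "UPX2"], {"KERNEL32.dll": 2})  # constructed UPX-style layout
```

Running triage(PACKED) reports the Lab 1-1 timestamp converted to UTC, the UPX section names and a single DLL with two imports, so both packer hints fire; the same call on a real file's bytes (open(path, "rb").read()) gives the same view that PEview and CFF Explorer show by hand.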
