Scribd
Upload
385 views9 pages

Practical Malware Analysis Lab Guide

The document provides details on analyzing various malware samples using shellcode_launcher.exe and IDA Pro. It discusses analyzing malware files that contain shellcode encoded and stored in different ways, shellcode that communicates over the network, drops and executes files, and provides a remote shell. The document also covers analyzing virtual function calls, determining if malware is compiled for x86 or x64, and how malware behaves differently on each platform.

Uploaded by

sonik sarungale
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd
385 views9 pages

Practical Malware Analysis Lab Guide

The document provides details on analyzing various malware samples using shellcode_launcher.exe and IDA Pro. It discusses analyzing malware files that contain shellcode encoded and stored in different ways, shellcode that communicates over the network, drops and executes files, and provides a remote shell. The document also covers analyzing virtual function calls, determining if malware is compiled for x86 or x64, and how malware behaves differently on each platform.

Uploaded by

sonik sarungale
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as DOCX, PDF, TXT or read online on Scribd

Malware Analysis Practical

Practical No 10

a. Analyze the file [Link] using shellcode_launcher.exe

i. How is the shellcode encoded?


- The shellcode is stored with an alphabetic encoding; each payload byte is stored in the low nibble
of two encoded bytes.

ii. Which functions does the shellcode manually import?


- The shellcode resolves the following functions:
 LoadLibraryA, GetSystemDirectoryA , TerminateProcess , GetCurrentProcess , WinExec ,
URLDownloadToFileA

iii. What network host does the shellcode communicate with?


- The shellcode downloads this URL:
[Link]

iv. What filesystem residue does the shellcode leave?


- The shellcode writes %SystemRoot%\System32\[Link] and executes it.

v. What does the shellcode do?


- The shellcode downloads a file from a URL stored within the encoded payload, writes it to disk,
and executes it.
b. The file [Link] contains a piece of shellcode that will be injected into
another process and run. Analyze thisfile.

i. What process is injected with the shellcode?


- The program process-injects the default web browser, Internet Explorer.

ii. Where is the shellcode located?


- The shellcode buffer is located at 0x407030.

iii. How is the shellcode encoded?


- The shellcode is XOR’ed with the byte 0xe7.

iv. Which functions does the shellcode manually import?


- The shellcode manually imports the following functions:
 LoadLibraryA, CreateProcessA , TerminateProcess , GetCurrentProcess , WSAStartup,
WSASocketA, connect

v. What network hosts does the shellcode communicatewith?


- The shellcode connects to IP [Link] on TCP port 13330.

vi. What does the shellcode do?


- The shellcode provides a remote shell ([Link]).
c. Analyze the file [Link]. If you get stuck and can’t find the shellcode, just
skip that part of the lab and analyze file Lab19-03_sc.bin using
shellcode_launcher.exe.

i. What exploit is used in this PDF?


- The PDF contains an example of CVE-2008-2992: buffer overflow related to Adobe Reader’s
[Link] JavaScript implementation.

ii. How is the shellcode encoded?


- The shellcode is encoded using JavaScript’s percent-encoding and is stored along with the
JavaScript in the PDF.

iii. Which functions does the shellcode manually import?


- The shellcode manually imports the following functions:
LoadLibraryA, CreateProcessA, TerminateProcess, GetCurrentProcess, GetTempPathA,
SetCurrentDirectoryA, CreateFileA, GetFileSize, SetFilePointer, ReadFile, WriteFile, CloseHandle,
GlobalAlloc, GlobalFree, ShellExecuteA.

iv. What filesystem residue does the shellcode leave?


- The shellcode creates the files %TEMP%\[Link] and %TEMP%\[Link].

v. What does the shellcode do?


- The shellcode extracts two files stored encoded within the malicious PDF and writes them to the
user’s %TEMP% directory. It executes the [Link] file and opens the [Link] document with the
default handler.
d. The purpose of this first lab is to demonstrate the usage of the thispointer.
Analyze the malware in [Link].

i. Does the function at 0x401040 take any parameters?


- The function at 0x401040 does not take any parameters, but it is passed a reference to an object in
ECX that represents the this pointer.

ii. Which URL is used in the call to URLDownloadToFile?


- The call to URLDownloadToFile uses [Link] as the
URL.

iii. What does this program do?


- This program downloads a file from a remote server and stores it as c:\[Link] on the
local system.
e. Analyze the malware In [Link].

i. What can you learn from the interesting strings in this program?
- The most interesting strings are [Link] and Home ftp client, which
indicate that this program may be FTP client software.

ii. What do the imports tell you about this program?


- The imports FindFirstFile and FindNextFile indicate that the program prob
ably searches through the victim’s filesystem. The imports InternetOpen,
InternetConnect, FtpSetCurrentDirectory, and FtpPutFile tell us that this mal
ware may upload files from the victim machine to a remote FTP server.

iii. What is the purpose of the object created at 0x4011D9? Does it have any virtual functions?
- The object created at 0x004011D9 represents a .doc file. It has one virtual function at offset
0x00401440, which uploads the file to a remote FTP server.

iv. Which functions could possibly be called by the call [edx]instruction at 0x401349?
- The virtual function call at 0x00401349 will call one of the virtual functions at 0x00401380,
0x00401440, or 0x00401370.

v. How could you easily set up the server that this malware expects in order to fully analyze the
malware without connecting it to the Internet?
- This malware connects to a remote FTP server using high-level API functions. We could download
and set up a local FTP server, and redirect DNS requests to that server in order to fully exercise this
malware.

vi. What is the purpose of this program?


- This program searches the victim’s hard drive and uploads all the files with a .doc or .pdf extension
to a remote FTP server.

vii. What is the purpose of implementing a virtual function call in this program?
- The purpose of implementing a virtual function call is to allow the code to execute different upload
functions for different file types.

f. Analyze the malware in [Link].

i. What can you learn from the interesting strings in this program?
- Several strings that look like error messages (Error sending Http post, Error sending Http get, Error
reading response, and so on) tell us that this program will be using HTTP GET and POST
commands. We also see HTML paths (/[Link], /[Link], and so on), which hint at the files that
this malware will attempt to open.

ii. What do the imports tell you about this program?


- Several WS2_32 imports tell us that this program will be communicating over the network. An
import to CreateProcess suggests that this program may launch another process.

iii. At 0x4036F0, there is a function call that takes the string Config error, followed a few
instructions later by a call to CxxThrowException. Does the function take any parameters
other than the string? Does the function return anything? What can you tell about this
function from the context in which it’s used?
- The function called at 0x4036F0 does not take any parameters other than the string, but ECX
contains the this pointer for the object. We know the object that contains the function is an exception
object because that object is later used as a parameter to the CxxThrowException functions. We can
tell from the context that the function at 0x4036F0 initializes an exception object, which stores a
string that describes what caused the exception.

iv. What do the six entries in the switch table at 0x4025C8 do?
- The six entries of the switch table implement six different backdoor commands: NOOP, sleep,
execute a program, download a file, upload a file, and survey the victim.

v. What is the purpose of this program?


- The program implements a backdoor that uses HTTP as the command channel and has the ability to
launch programs, download or upload a file, and collect information about the victim machine.

g. Analyze the code in [Link]

i. What happens when you run this program without any parameters?
- When you run the program without any parameters, it exits immediately.

ii. Depending on your version of IDA Pro, main may not be recognized automatically. How can
you identify the call to the main function?
- The main function is located at 0x00000001400010C0. You can spot the call to main by looking for
a function call that accepts an integer and two pointers as parameters.

iii. What is being stored on the stack in the instructions from 0x0000000140001150 to
0x0000000140001161?
- The string [Link] is stored on the stack.
iv. How can you get this program to run its payload without changing the filename of the
executable?
- To have this program run its payload without changing the filename of the executable, you can
patch the jump instruction at 0x0000000140001213 so that it is a NOP instead.

v. Which two strings are being compared by the call to strncmp at 0x0000000140001205?
- The name of the executable is being compared against the string [Link] by the call to strncmp at
0x0000000140001205.

vi. Does the function at 0x00000001400013C8 take any parameters?


- The function at 0x00000001400013C8 takes one parameter, which contains the socket created to
the remote host.

vii. How many arguments are passed to the call to CreateProcess at 0x0000000140001093?
How do you know?
- The call to CreateProcess takes 10 parameters. We can’t tell from the IDA Pro listing because we
can’t distinguish between things being stored on the stack and things being used in a function call,
but the function is documented in MSDN as always taking 10 parameters.

h. Analyze the malware found in [Link] on both x86 and x64 virtual
machines.

i. What is interesting about the malware’s resource sections?


- The malware contains the resource sections X64, X64DLL, and X86. Each of the resources
contains an embedded PE file.

ii. Is this malware compiled for x64 or x86?


- [Link] is compiled for a 32-bit system. This is shown in the PE header’s Characteristics
field, where the IMAGE_FILE_32BIT_MACHINE flag is set.

iii. How does the malware determine the type of environment in which it is running?
- The malware attempts to resolve and call IsWow64Process to determine if it is running on an x64
system.

iv. What does this malware do differently in an x64 environment versus an x86 environment?
- On an x86 machine, the malware drops the X86 resource to disk and injects it into [Link]. On
an x64 machine, the malware drops two files from the X64 and X64DLL resource sections to disk
and launches the executable as a 64-bit process.

v. Which files does the malware drop when running on an x86 machine? Where would you find
the file or files?
- On an x86 system, the malware drops [Link] into the Windows system directory, which will
typically be C:\Windows\System32\.

vi. Which files does the malware drop when running on an x64 machine? Where would you
find the file or files?
- On an x64 system, the malware drops [Link] and [Link] into the Windows system
directory, but because this is a 32-bit process running in WOW64, the directory is
C:\Windows\SysWOW64\.

vii. What type of process does the malware launch when run on an x64 system?
- On an x64 system, the malware launches [Link], which is a 64-bit process. You can see
this in the PE header, where the Characteristics field has the IMAGE_FILE_64BIT_MACHINE flag
set.

viii. What does the malware do?


- On both x64 and x86 systems, the malware performs DLL injection into [Link]. On an x64
system, it drops and runs a 64-bit binary to inject a 64-bit DLL into the 64-bit running [Link].
On an x86 system, it injects a 32-bit DLL into the 32-bit running [Link].

Common questions

Powered by AI

The program in Lab20-01.exe downloads a file from the specified URL http://www.practicalmalwareanalysis.com/cpp.html and stores it as c:\tempdownload.exe on the local system . This behavior indicates that the program's primary function is to act as a downloader, likely facilitating the installation of additional malicious payloads or updates by fetching them from an external server. The reliance on external resources signifies that the program is part of a broader attack framework designed to maintain and disseminate malware flexibly.

In Lab20-02.exe, virtual function calls are used to execute different upload functions for different file types, as demonstrated by the function call at 0x00401349 . This use of polymorphism enables the malware to dynamically choose which file handling and upload routines to execute based on the type of file it is processing, allowing for more flexible and efficient file operations in its data exfiltration process. This design choice reflects an adaptive and sophisticated approach to implementing varied functionality sizes.

The use of HTTP as a command channel in the backdoor allows malware to blend its traffic with normal web traffic, making detection more challenging . Such design complicates traditional network-based intrusion detection systems that differentiate between malicious and benign traffic based on protocol. It also enables remote control over internet-based infrastructure, facilitating command execution, data exfiltration, and system surveying. To mitigate these risks, more sophisticated behavioral analysis of network traffic and anomaly detection mechanisms are required to identify traffic patterns indicative of malware communication channels.

Analysts should consider the possible dual-payload strategy used by malware when adjusting for system architecture, as seen in Lab21-02.exe, which involves different actions for x86 and x64 environments . This includes maintaining access to both 32-bit and 64-bit virtual machines for testing, ensuring that analysis tools are capable of handling variations in file execution paths and behavior, and understanding how the presence of different resource sections might affect the malware's operational strategy. Analysts need to simulate both environments fully and utilize tooling that accurately depicts different execution contexts to uncover the full scope of the malware's capabilities. This requires robust systems for capturing and analyzing resource drops, memory injections, and process manipulations across varied architectures.

The shellcode in Lab19-02.exe communicates with IP address 192.168.200.2 on TCP port 13330 . This communication suggests that the malware authors intend to create a controlled environment for remote interactions, potentially for maintaining a backdoor into the system. Such communication patterns indicate the authors' desire for stealthy access and control, possibly to execute commands or exfiltrate data from the infected system.

The shellcode in Lab19-03.pdf extracts two files encoded within the malicious PDF, writes them to the user's %TEMP% directory as foo.exe and bar.pdf, executes foo.exe, and opens bar.pdf with the default handler . These tasks support the malware's objectives by propagating the execution of additional malicious payloads (foo.exe) and possibly presenting decoy content (bar.pdf) to divert user attention or imply legitimacy, enhancing the malware's persistence and deceit.

The shellcode in Lab19-01.bin is encoded using an alphabetic encoding method where each payload byte is stored in the low nibble of two encoded bytes . This encoding makes the shellcode less likely to be detected by basic signature-based detection systems since the raw payload bytes are obfuscated. Security systems that only search for known byte patterns would likely miss this type of encoding, requiring more advanced analysis techniques to identify the shellcode's presence and purpose.

When run without parameters, the program in Lab21-01.exe exits immediately . This behavior suggests the malware is designed to require specific inputs or conditions to activate its malicious payload, indicating an effort to avoid detection during casual inspections by relying on parameter-based execution. It likely aims to complicate static analysis and reverse engineering by researchers without the right invocation context.

The imports used by Lab20-02.exe, such as FindFirstFile, FindNextFile, InternetOpen, InternetConnect, FtpSetCurrentDirectory, and FtpPutFile, indicate that this malware may conduct searches through the victim's filesystem and upload files to a remote FTP server . This suggests that the malware's primary impact is exfiltrating data, specifically document files, from infected systems to locations controlled by the attackers. These capabilities underscore the potential for significant data breaches, affecting user privacy and organizational confidentiality.

The malware in Lab21-02.exe uses the IsWow64Process function to determine if it is running on an x64 system . Depending on the environment, it performs different actions: on an x86 machine, it drops the X86 resource as Lab21-02.dll and injects it into explorer.exe; on an x64 machine, it drops two files, Lab21-02x.dll and Lab21-02x.exe, from the X64 and X64DLL resources, launching the latter as a 64-bit process to perform DLL injection . These actions demonstrate how the malware adapts its payload and execution tactics based on the detected system architecture, optimizing its efficacy across different platforms.

You might also like