Table of contents

Lab 1-1
Lab 1-2
Lab 1-3
Lab 1-4

some tools to use

Radare2 framework

Lab 1-1

Questions:

  1. Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?
  2. When were these files compiled?
  3. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?
  4. Do any imports hint at what this malware does? If so, which imports are they?
  5. Are there any other files or host-based indicators that you could look for on infected systems?
  6. What network-based indicators could be used to find this malware on infected machines?
  7. What would you guess is the purpose of these files?

Answers:

1. VirusTotal signatures.

File name: Lab01-01.exe
Score: 36/66 
Last analysis:	2018-10-20 22:36:45 UTC
Community score:	-27
VirusTotal report

Detection results Name, Result AegisLab Trojan.Win32.Generic.4!c AhnLab-V3 Trojan/Win32.Agent.C957604 ALYac Trojan.Agent.16384SS Antiy-AVL Trojan/Win32.TSGeneric Avast Win32:Malware-gen AVG Win32:Malware-gen Avira HEUR/AGEN.1022518 CAT-QuickHeal Trojan.IGENERIC ClamAV Win.Malware.Agent-6342616-0 Cylance Unsafe Cyren W32/Trojan.CZAN-7287 Endgame malicious (high confidence) ESET-NOD32 a variant of Win32/Agent.WOM Fortinet W32/Agent.WOM!tr GData Win32.Trojan.Agent.RE19WZ Ikarus Trojan.Rogue K7AntiVirus Trojan ( 004b6b551 ) K7GW Trojan ( 004b6b551 ) Malwarebytes Trojan.SystemKiller MAX malware (ai score=98) McAfee RDN/Generic.grp McAfee-GW-Edition RDN/Generic.grp Microsoft Trojan:Win32/Aenjaris.CT!bit NANO-Antivirus Trojan.Win32.Generic.fhvmhd Palo Alto Networks generic.ml Qihoo-360 Win32/Trojan.8b5 Rising Trojan.Agent!8.B1E (CLOUD) Sophos ML heuristic Symantec Trojan.Gen.2 TheHacker Trojan/Agent.wom TrendMicro TROJ_GEN.R002C0CDH18 TrendMicro-HouseCall TROJ_GEN.R002C0CDH18 VBA32 Trojan.Tiggre Webroot W32.Malware.Gen Yandex Trojan.Agent!ibNK9H/HlPg Zillya Downloader.Amonetize.Win32.3112

Below the list of vendors which failed to identify

Ad-Aware Clean Alibaba Clean Arcabit Clean Avast Mobile Security Clean Babable Clean Baidu Clean BitDefender Clean Bkav Clean CMC Clean CrowdStrike Falcon Clean Cybereason Clean DrWeb Clean eGambit Clean Emsisoft Clean eScan Clean F-Prot Clean F-Secure Clean Jiangmin Clean Kaspersky Clean Kingsoft Clean Panda Clean SentinelOne Clean Sophos AV Clean SUPERAntiSpyware Clean TACHYON Clean Tencent Clean Trustlook Clean ViRobot Clean ZoneAlarm Clean Zoner Clean
File name: Lab01-01.dll Score: 29/66 Last analysis: 2018-10-23 00:38:22 UTC Community score: -139 VirusTotal report
Detection results Name, Result AegisLab Trojan.Win32.Generic.4!c ALYac Trojan.Agent.Waski Antiy-AVL Trojan/Win32.BTSGeneric Avast Win32:Malware-gen AVG Win32:Malware-gen Avira TR/Dldr.Waski.163840.1 CAT-QuickHeal Trojan.IGENERIC ClamAV Win.Malware.Agent-6369668-0 Cylance Unsafe Cyren W32/Trojan.PXBS-7022 Endgame malicious (high confidence) ESET-NOD32 a variant of Generik.TGEWDD Fortinet PossibleThreat GData Win32.Trojan.Agent.4L5OBS Ikarus Trojan.SuspectCRC MAX malware (ai score=96) McAfee GenericRXFO-RT!290934C61DE9 McAfee-GW-Edition GenericRXFO-RT!290934C61DE9 Microsoft Trojan:Win32/Occamy.C NANO-Antivirus Trojan.Win32.Waski.dtkvsp Qihoo-360 Win32/Trojan.54f Rising Trojan.Tilken!8.F605 (CLOUD) Symantec Trojan.Gen.2 TheHacker Trojan/Generik.TGEWDD TrendMicro TROJ_GEN.R002C0OER18 TrendMicro-HouseCall TROJ_GEN.R002C0OER18 Webroot W32.Gen.BT Yandex Trojan.Agent!l/HtSKjkET4 Zillya Adware.InstallCore.Win32.1036

Below the list of vendors which failed to identify

Ad-Aware Clean AhnLab-V3 Clean Alibaba Clean Arcabit Clean Avast Mobile Security Clean Babable Clean Baidu Clean BitDefender Clean Bkav Clean CMC Clean CrowdStrike Falcon Clean DrWeb Clean eGambit Clean Emsisoft Clean eScan Clean F-Prot Clean F-Secure Clean Jiangmin Clean K7AntiVirus Clean K7GW Clean Kaspersky Clean Kingsoft Clean Malwarebytes Clean Palo Alto Networks Clean Panda Clean SentinelOne Clean Sophos AV Clean Sophos ML Clean SUPERAntiSpyware Clean TACHYON Clean Tencent Clean TotalDefense Clean Trustlook Clean VBA32 Clean ViRobot Clean ZoneAlarm Clean Zoner Clean

2. When were these files compiled?

Read it manually -- refer to https://gist.github.com/bytefire/6696019

TODO

Not implemented yet;

Read with hexeditor

Read with python

Read with r2 types

The file "Lab01-01.dll" was compiled at Sun Dec 19 18:16:38 2010

$ rabin2 -I Lab01-01.dll 
arch     x86
baddr    0x10000000
binsz    163840
bintype  pe
bits     32
canary   false
retguard false
sanitiz  false
class    PE32
cmp.csum 0x000327be
compiled Sun Dec 19 18:16:38 2010
crypto   false
endian   little
havecode true
hdr.csum 0x00000000
linenum  true
lsyms    true
machine  i386
maxopsz  16
minopsz  1
nx       false
os       windows
overlay  false
pcalign  0
pic      false
relocs   false
signed   false
static   false
stripped true
subsys   Windows GUI
va       true
                

The file "Lab01-01.exe" was compiled at Sun Dec 19 18:16:19 2010

$ rabin2 -I Lab01-01.exe
arch     x86
baddr    0x400000
binsz    16384
bintype  pe
bits     32
canary   false
retguard false
sanitiz  false
class    PE32
cmp.csum 0x00007428
compiled Sun Dec 19 18:16:19 2010
crypto   false
endian   little
havecode true
hdr.csum 0x00000000
linenum  true
lsyms    true
machine  i386
maxopsz  16
minopsz  1
nx       false
os       windows
overlay  false
pcalign  0
pic      false
relocs   true
signed   false
static   false
stripped true
subsys   Windows CUI
va       true
                

3. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

Can't say for sure. Entropy is under 5 for .text section for both files. But only a few functions are imported.
$ rabin2 -K entropy -S Lab01-01.exe 
[Sections]
Nm Paddr       Size Vaddr      Memsz Perms Checksum          Name
00 0x00001000  4096 0x00401000  4096 -r-x entropy=4.45086464 .text
01 0x00002000  4096 0x00402000  4096 -r-- entropy=1.13245206 .rdata
02 0x00003000  4096 0x00403000  4096 -rw- entropy=0.43885401 .data
                    
or with r2
$ r2 Lab01-01.exe 
 -- Welcome back, lazy human!
[0x00401820]> iSentropy
[Sections]
Nm Paddr       Size Vaddr      Memsz Perms Checksum          Name
00 0x00001000  4096 0x00401000  4096 -r-x entropy=4.45086464 .text
01 0x00002000  4096 0x00402000  4096 -r-- entropy=1.13245206 .rdata
02 0x00003000  4096 0x00403000  4096 -rw- entropy=0.43885401 .data

[0x00401820]> 
TODO: add entropy graphsentropy

4. Do any imports hint at what this malware does? If so, which imports are they?

Imports for exe file:

$ rabin2 -i Lab01-01.exe 
[Imports]
Num  Vaddr       Bind      Type Name
   1 0x00402000    NONE    FUNC KERNEL32.dll_CloseHandle
   2 0x00402004    NONE    FUNC KERNEL32.dll_UnmapViewOfFile
   3 0x00402008    NONE    FUNC KERNEL32.dll_IsBadReadPtr
   4 0x0040200c    NONE    FUNC KERNEL32.dll_MapViewOfFile
   5 0x00402010    NONE    FUNC KERNEL32.dll_CreateFileMappingA
   6 0x00402014    NONE    FUNC KERNEL32.dll_CreateFileA
   7 0x00402018    NONE    FUNC KERNEL32.dll_FindClose
   8 0x0040201c    NONE    FUNC KERNEL32.dll_FindNextFileA
   9 0x00402020    NONE    FUNC KERNEL32.dll_FindFirstFileA
  10 0x00402024    NONE    FUNC KERNEL32.dll_CopyFileA
   1 0x0040202c    NONE    FUNC MSVCRT.dll_malloc
   2 0x00402030    NONE    FUNC MSVCRT.dll_exit
   3 0x00402034    NONE    FUNC MSVCRT.dll__exit
   4 0x00402038    NONE    FUNC MSVCRT.dll__XcptFilter
   5 0x0040203c    NONE    FUNC MSVCRT.dll___p___initenv
   6 0x00402040    NONE    FUNC MSVCRT.dll___getmainargs
   7 0x00402044    NONE    FUNC MSVCRT.dll__initterm
   8 0x00402048    NONE    FUNC MSVCRT.dll___setusermatherr
   9 0x0040204c    NONE    FUNC MSVCRT.dll__adjust_fdiv
  10 0x00402050    NONE    FUNC MSVCRT.dll___p__commode
  11 0x00402054    NONE    FUNC MSVCRT.dll___p__fmode
  12 0x00402058    NONE    FUNC MSVCRT.dll___set_app_type
  13 0x0040205c    NONE    FUNC MSVCRT.dll__except_handler3
  14 0x00402060    NONE    FUNC MSVCRT.dll__controlfp
  15 0x00402064    NONE    FUNC MSVCRT.dll__stricmp
                    
Basing on the imports I can assume that this sample opens directory, iterates over files and when found one -- copies it and\or maps it into the memory.

Imports for dll file:

$ rabin2 -i Lab01-01.dll 
[Imports]
Num  Vaddr       Bind      Type Name
   1 0x10002000    NONE    FUNC KERNEL32.dll_Sleep
   2 0x10002004    NONE    FUNC KERNEL32.dll_CreateProcessA
   3 0x10002008    NONE    FUNC KERNEL32.dll_CreateMutexA
   4 0x1000200c    NONE    FUNC KERNEL32.dll_OpenMutexA
   5 0x10002010    NONE    FUNC KERNEL32.dll_CloseHandle
  23 0x10002030    NONE    FUNC WS2_32.dll_socket
 115 0x10002034    NONE    FUNC WS2_32.dll_WSAStartup
  11 0x10002038    NONE    FUNC WS2_32.dll_inet_addr
   4 0x1000203c    NONE    FUNC WS2_32.dll_connect
  19 0x10002040    NONE    FUNC WS2_32.dll_send
  22 0x10002044    NONE    FUNC WS2_32.dll_shutdown
  16 0x10002048    NONE    FUNC WS2_32.dll_recv
   3 0x1000204c    NONE    FUNC WS2_32.dll_closesocket
 116 0x10002050    NONE    FUNC WS2_32.dll_WSACleanup
   9 0x10002054    NONE    FUNC WS2_32.dll_htons
   1 0x10002018    NONE    FUNC MSVCRT.dll__adjust_fdiv
   2 0x1000201c    NONE    FUNC MSVCRT.dll_malloc
   3 0x10002020    NONE    FUNC MSVCRT.dll__initterm
   4 0x10002024    NONE    FUNC MSVCRT.dll_free
   5 0x10002028    NONE    FUNC MSVCRT.dll_strncmp
                    

Basing on imports list this dll creates mutex, initializes Windows Sockets system and starts communication with a server.

Mutex Object Mutex on MSDN

A mutex object is a synchronization object whose state is set to signaled when it is not owned by any thread, and nonsignaled when it is owned. Only one thread at a time can own a mutex object, whose name comes from the fact that it is useful in coordinating mutually exclusive access to a shared resource. For example, to prevent two threads from writing to shared memory at the same time, each thread waits for ownership of a mutex object before executing the code that accesses the memory. After writing to the shared memory, the thread releases the mutex object.

5. Are there any other files or host-based indicators that you could look for on infected systems?

Malware sample (exe) copies dll file into location "C:\Windows\System32\Kerne132.dll".

6. What network-based indicators could be used to find this malware on infected machines?

Communication with ip addr:127.26.152.13 is the indicator. Verbs are:
hello, exec, sleep,

7. What would you guess is the purpose of these files?

The exe file will load and run dll file, which will communicate with server and execute commands.



Lab 1-2

Questions:

  1. Upload the file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
  2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
  3. Do any imports hint at this program's functionality? If so, which imports are they and what do they tell you?
  4. What host or network-based indicators could be used to find this malware on infected machines?

Answers:

1. VirusTotal signatures.

File name: Lab01-02.exe
Score: 41/67 
Last analysis:	2018-10-30 01:24:01 UTC
Community score:	-166
VirusTotal report

Detection results Name, Result AegisLab, Troj.W32.Gen.lsXA AhnLab-V3, Trojan/Win32.StartPage.C26214 ALYac, Trojan.Startpage.3072 Antiy-AVL, Trojan/Win32.SGeneric Avast, Win32:Malware-gen AVG, Win32:Malware-gen Avira, TR/Downloader.Gen Baidu, Win32.Trojan-Clicker.Agent.ad CAT-QuickHeal, Trojan.Dynamer!ac ClamAV, Win.Malware.Agent-6350563-0 CrowdStrike Falcon, malicious_confidence_100% (W) Cybereason, malicious.cbcb77 Cylance, Unsafe Cyren, W32/Trojan.UCOC-9169 DrWeb, Trojan.Click3.12740 Endgame, malicious (moderate confidence) ESET-NOD32, Win32/TrojanClicker.Agent.NVM Fortinet, W32/Agent.NVM!tr GData, Win32.Trojan.Agent.JV4OJM Ikarus, Trojan.Win32.TrojanClicker Jiangmin, Trojan.Generic.fxlq Kingsoft, Win32.Malware.Heur_Generic.A.(kcloud) MAX, malware (ai score=98) McAfee, Generic.ait McAfee-GW-Edition, Generic.ait Microsoft, Trojan:Win32/Dynamer!ac NANO-Antivirus, Trojan.Win32.RP.cwxtpf Palo Alto Networks, generic.ml Qihoo-360, HEUR/Malware.QVM11.Gen Rising, Trojan.Clicker-Agent!8.13 (CLOUD) Sophos AV, Mal/Generic-S Sophos ML, heuristic Symantec, Trojan.Gen.2 Tencent, Win32.Trojan.Downloader.Dyzr TheHacker, Posible_Worm32 TrendMicro, TROJ_GEN.R002C0CHI18 TrendMicro-HouseCall, TROJ_GEN.R002C0CHI18 VBA32, Trojan.Click Webroot, ??? Yandex, Trojan.CL.Agent!SYJ1YyE/ZV4 Zillya, Trojan.Agent.Win32.549706

Below the list of vendors which failed to identify

Ad-Aware, Clean Alibaba, Clean Arcabit, Clean Avast Mobile Security, Clean Babable, Clean BitDefender, Clean Bkav, Clean CMC, Clean eGambit, Clean Emsisoft, Clean eScan, Clean F-Prot, Clean F-Secure, Clean K7AntiVirus, Clean K7GW, Clean Kaspersky, Clean Malwarebytes, Clean Panda, Clean SentinelOne, Clean SUPERAntiSpyware, Clean TACHYON, Clean TotalDefense, Clean Trustlook, Clean ViRobot, Clean ZoneAlarm, Clean Zoner, Clean Symantec Mobile Insight, Unable to process file type

2. Are there any indicatoins thet this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

To answer that question we can look to the entropy level of sections. Let's use rabin2 tool again to calculate entropy:

$ rabin2 -K entropy -S Lab01-02.exe 
[Sections]
Nm Paddr       Size Vaddr      Memsz Perms Checksum          Name
00 0x00000400     0 0x00401000 16384 -rwx entropy=0.00000000 UPX0
01 0x00000400  1536 0x00405000  4096 -rwx entropy=7.06718080 UPX1
02 0x00000a00   512 0x00406000  4096 -rw- entropy=2.79780427 UPX2
		

As we can see from the ouptut there is section called UPX1 with entropy close to 7, and that's pretty hight: 7/8. We can suppose that this section is packed.

Also the name istelf is worth mentioning, because it points us to UPX packer, so let's unpack that sample.

For this purposes we will need upx tool.

Also, let's look into imports

$ rabin2 -i Lab01-02.exe 
[Imports]
Num  Vaddr       Bind      Type Name
1 0x00406064    NONE    FUNC KERNEL32.DLL_LoadLibraryA
2 0x00406068    NONE    FUNC KERNEL32.DLL_GetProcAddress
3 0x0040606c    NONE    FUNC KERNEL32.DLL_VirtualProtect
4 0x00406070    NONE    FUNC KERNEL32.DLL_VirtualAlloc
5 0x00406074    NONE    FUNC KERNEL32.DLL_VirtualFree
6 0x00406078    NONE    FUNC KERNEL32.DLL_ExitProcess
1 0x00406080    NONE    FUNC ADVAPI32.dll_CreateServiceA
1 0x00406088    NONE    FUNC MSVCRT.dll_exit
1 0x00406090    NONE    FUNC WININET.dll_InternetOpenA

Hmm.. Not a lot. Seems that indeed it's packed.

So upx man page says that we can look inside with help of -l flag. Let's do that.

$ upx -l Lab01-02.exe 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2017
UPX 3.94        Markus Oberhumer, Laszlo Molnar & John Reiser   May 12th 2017

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     16384 ->      3072   18.75%    win32/pe     Lab01-02.exe
        

Let's decompress it with -d flag

$ upx -d Lab01-02.exe -oLab01-02.decompressed.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2017
UPX 3.94        Markus Oberhumer, Laszlo Molnar & John Reiser   May 12th 2017

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     16384 <-      3072   18.75%    win32/pe     Lab01-02.decompressed.exe

Unpacked 1 file.
        

Now we can check what we've got:

$ file Lab01-02.decompressed.exe 
Lab01-02.decopressed.exe: PE32 executable (console) Intel 80386, for MS Windows
        

3. Do any imports hint at this program's functionality? If so, which imports are they and what do they tell you?

Let's take this decompressed file and look into the imports

Now import table looks way much more better

$ rabin2 -i Lab01-02.decompressed.exe 
[Imports]
Num  Vaddr       Bind      Type Name
   1 0x00402010    NONE    FUNC KERNEL32.DLL_SystemTimeToFileTime
   2 0x00402014    NONE    FUNC KERNEL32.DLL_GetModuleFileNameA
   3 0x00402018    NONE    FUNC KERNEL32.DLL_CreateWaitableTimerA
   4 0x0040201c    NONE    FUNC KERNEL32.DLL_ExitProcess
   5 0x00402020    NONE    FUNC KERNEL32.DLL_OpenMutexA
   6 0x00402024    NONE    FUNC KERNEL32.DLL_SetWaitableTimer
   7 0x00402028    NONE    FUNC KERNEL32.DLL_WaitForSingleObject
   8 0x0040202c    NONE    FUNC KERNEL32.DLL_CreateMutexA
   9 0x00402030    NONE    FUNC KERNEL32.DLL_CreateThread
   1 0x00402000    NONE    FUNC ADVAPI32.dll_CreateServiceA
   2 0x00402004    NONE    FUNC ADVAPI32.dll_StartServiceCtrlDispatcherA
   3 0x00402008    NONE    FUNC ADVAPI32.dll_OpenSCManagerA
   1 0x00402038    NONE    FUNC MSVCRT.dll__exit
   2 0x0040203c    NONE    FUNC MSVCRT.dll__XcptFilter
   3 0x00402040    NONE    FUNC MSVCRT.dll_exit
   4 0x00402044    NONE    FUNC MSVCRT.dll___p___initenv
   5 0x00402048    NONE    FUNC MSVCRT.dll___getmainargs
   6 0x0040204c    NONE    FUNC MSVCRT.dll__initterm
   7 0x00402050    NONE    FUNC MSVCRT.dll___setusermatherr
   8 0x00402054    NONE    FUNC MSVCRT.dll__adjust_fdiv
   9 0x00402058    NONE    FUNC MSVCRT.dll___p__commode
  10 0x0040205c    NONE    FUNC MSVCRT.dll___p__fmode
  11 0x00402060    NONE    FUNC MSVCRT.dll___set_app_type
  12 0x00402064    NONE    FUNC MSVCRT.dll__except_handler3
  13 0x00402068    NONE    FUNC MSVCRT.dll__controlfp
   1 0x00402070    NONE    FUNC WININET.dll_InternetOpenUrlA
   2 0x00402074    NONE    FUNC WININET.dll_InternetOpenA
                

From the imports table we can see that malware uses CreateService, for creating windows service, CreateMutex for, surprisingly, creating a mutex to check if malware already was run, and InternetOpenUrl for opening new connection with remote server.

4. What host- or network-based indicators could be used to identify this malware on infected machines?

Host-based indicators: Presences of service called MalService and mutex called HGL345.
Network-based: Communication with host http://www.malwareanalysisbook.com.


Lab 1-3

Questions:

  1. Upload the Lab01-03.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
  2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
  3. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
  4. What host- or network-based indicators could be used to identify this malware on infected machines?

Answers:

1. Upload the Lab01-03.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

File name: Lab01-03.exe
Score: 54/67
Last analysis:	2018-10-31 18:37:40 UTC
Community score:	-182
VirusTotal report
        
Detection results Name, Result 0 Ad-Aware, Packer.FSG.A 1 AegisLab, Trojan.Win32.Generic.4!c 2 ALYac, Packer.FSG.A 3 Antiy-AVL, Trojan/Win32.SGeneric 4 Arcabit, Packer.FSG.A 5 Avast, Win32:Malware-gen 6 AVG, Win32:Malware-gen 7 Avira, TR/Emoneg.4752 8 Baidu, Win32.Trojan-Clicker.Agent.z 9 BitDefender, Packer.FSG.A 10 CAT-QuickHeal, Trojan.Dynamer 11 CrowdStrike Falcon, malicious_confidence_100% (W) 12 Cybereason, malicious.94c28e 13 Cylance, Unsafe 14 Cyren, W32/SuspPack.DH.gen!Eldorado 15 DrWeb, Trojan.Click2.16518 16 Emsisoft, Packer.FSG.A (B) 17 Endgame, malicious (high confidence) 18 eScan, Packer.FSG.A 19 ESET-NOD32, Win32/TrojanClicker.Agent.NVN 20 F-Prot, W32/SuspPack.DH.gen!Eldorado 21 F-Secure, Packer.FSG.A 22 Fortinet, W32/Malware_fam.NB 23 GData, Packer.FSG.A 24 Ikarus, Trojan.Win32.Genome 25 Jiangmin, Trojan/Genome.bmbp 26 K7AntiVirus, Spyware ( 004ce65c1 ) 27 K7GW, Spyware ( 004ce65c1 ) 28 Kaspersky, Trojan.Win32.Agentb.bquu 29 Kingsoft, Win32.Troj.Genome.(kcloud) 30 Malwarebytes, Trojan.Agent.MWL 31 MAX, malware (ai score=100) 32 McAfee, RDN/Generic.dx!dfj 33 McAfee-GW-Edition, BehavesLike.Win32.Generic.xz 34 Microsoft, Trojan:Win32/Dynamer!ac 35 NANO-Antivirus, Trojan.Win32.Inor.getjo 36 Palo Alto Networks, generic.ml 37 Qihoo-360, Malware.Radar01.Gen 38 Rising, Trojan.Proxy.Win32.Small.gs (CLASSIC) 39 SentinelOne, static engine - malicious 40 Sophos AV, Mal/Packer 41 Sophos ML, heuristic 42 Symantec, Trojan.Gen.2 43 TACHYON, Trojan/W32.Small.4752.C 44 Tencent, Win32.Trojan.Agentb.Huzk 45 TheHacker, Trojan/Genome.ssrc 46 TrendMicro, TROJ_SPNR.30E214 47 TrendMicro-HouseCall, TROJ_SPNR.30E214 48 VBA32, Trojan.Tiggre 49 VIPRE, Trojan.Win32.Generic!BT 50 Webroot, W32.Genome.Ssrc 51 Yandex, Trojan.Genome!qjszR3auxbA 52 Zillya, Trojan.Genome.Win32.112441 53 ZoneAlarm, Trojan.Win32.Agentb.bquu

Below the list of vendors which failed to identify

54 AhnLab-V3, Clean 55 Alibaba, Clean 56 Avast Mobile Security, Clean 57 Babable, Clean 58 Bkav, Clean 59 ClamAV, Clean 60 CMC, Clean 61 eGambit, Clean 62 Panda, Clean 63 SUPERAntiSpyware, Clean 64 Trustlook, Clean 65 ViRobot, Clean 66 Zoner, Clean 67 Symantec Mobile Insight, Unable to process file type

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

Let's check it with rabin2 (make sure that you're using latest version):
$ rabin2 -v
rabin2 3.1.0-git 73 @ linux-x86-64 git.3.1.0-git
commit: 99641414fd9c936e8c082008317072e5fdbbc35c build: 2018-11-12__15:05:07
            
Here are the imports:
$ rabin2 -s Lab01-03.exe 
[Symbols]
Num Paddr      Vaddr      Bind     Type Size Name
001 0x00000f28 0x00405128   NONE   FUNC    0 imp.KERNEL32.dll_LoadLibraryA
002 0x00000f2c 0x0040512c   NONE   FUNC    0 imp.KERNEL32.dll_GetProcAddress
            
And sections:
$ rabin2 -S Lab01-03.exe 
[Sections]
Nm Paddr       Size Vaddr      Memsz Perms Name
00 0x00000000     0 0x00401000 12288 -rw- sect_0
01 0x00001000   652 0x00404000  4096 -rw- sect_1
02 0x00000e00   512 0x00405000  4096 -rw- sect_2
            
As we can see the sample imports only 2 functions: LoadLibrary and GetProcAddress -- too little for regular executable, so probably packed.
Also, there is no section .text or .data, so yeah, seems that sample is packed.
To make sure we can check the sample against YARA rule for packers from packers yara rules:
$ yara packer.yar Lab01-03.exe
packer.yar(9872): warning: $a0 is slowing down scanning
packer.yar(15986): warning: $a0 is slowing down scanning
FSGv10 Lab01-03.exe
FSGv100Engdulekxt Lab01-03.exe
FSGv110Engdulekxt Lab01-03.exe
            
As a result we can see that indeed this sample is packed with FSG packer.
To be honest, I spent a lot of time trying to find info about unpacking that file, looking throug the code with disassemblers and so on.
But turns out that that question isn't for improving your reversing skills, but for letting you understand that sometimes a sample could be tougher than you.

3. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

4. What host- or network-based indicators could be used to identify this malware on infected machines?

We can not answer this questions without dynamic analysis


Lab 1-4

Questions:

  1. Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
  2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
  3. When was this program compiled?
  4. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
  5. What host- or network-based indicators could be used to identify this malware on infected machines?
  6. This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?





Thanks to HK from MR group for motivation!