Table of contents

Lab 1-1
Lab 1-2
Lab 1-3
Lab 1-4

some tools to use

Radare2 framework

Lab 1-1

Questions:

  1. Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?
  2. When were these files compiled?
  3. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?
  4. Do any imports hint at what this malware does? If so, which imports are they?
  5. Are there any other files or host-based indicators that you could look for on infected systems?
  6. What network-based indicators could be used to find this malware on infected machines?
  7. What would you guess is the purpose of these files?

Answers:

1. VirusTotal signatures.

File name: Lab01-01.exe
Score: 36/66 
Last analysis:	2018-10-20 22:36:45 UTC
Community score:	-27
VirusTotal report

Detection results (Name, Result):

AegisLab, Trojan.Win32.Generic.4!c
AhnLab-V3, Trojan/Win32.Agent.C957604
ALYac, Trojan.Agent.16384SS
Antiy-AVL, Trojan/Win32.TSGeneric
Avast, Win32:Malware-gen
AVG, Win32:Malware-gen
Avira, HEUR/AGEN.1022518
CAT-QuickHeal, Trojan.IGENERIC
ClamAV, Win.Malware.Agent-6342616-0
Cylance, Unsafe
Cyren, W32/Trojan.CZAN-7287
Endgame, malicious (high confidence)
ESET-NOD32, a variant of Win32/Agent.WOM
Fortinet, W32/Agent.WOM!tr
GData, Win32.Trojan.Agent.RE19WZ
Ikarus, Trojan.Rogue
K7AntiVirus, Trojan ( 004b6b551 )
K7GW, Trojan ( 004b6b551 )
Malwarebytes, Trojan.SystemKiller
MAX, malware (ai score=98)
McAfee, RDN/Generic.grp
McAfee-GW-Edition, RDN/Generic.grp
Microsoft, Trojan:Win32/Aenjaris.CT!bit
NANO-Antivirus, Trojan.Win32.Generic.fhvmhd
Palo Alto Networks, generic.ml
Qihoo-360, Win32/Trojan.8b5
Rising, Trojan.Agent!8.B1E (CLOUD)
Sophos ML, heuristic
Symantec, Trojan.Gen.2
TheHacker, Trojan/Agent.wom
TrendMicro, TROJ_GEN.R002C0CDH18
TrendMicro-HouseCall, TROJ_GEN.R002C0CDH18
VBA32, Trojan.Tiggre
Webroot, W32.Malware.Gen
Yandex, Trojan.Agent!ibNK9H/HlPg
Zillya, Downloader.Amonetize.Win32.3112

Vendors that did not flag the file (all Clean):

Ad-Aware, Alibaba, Arcabit, Avast Mobile Security, Babable, Baidu, BitDefender, Bkav, CMC, CrowdStrike Falcon, Cybereason, DrWeb, eGambit, Emsisoft, eScan, F-Prot, F-Secure, Jiangmin, Kaspersky, Kingsoft, Panda, SentinelOne, Sophos AV, SUPERAntiSpyware, TACHYON, Tencent, Trustlook, ViRobot, ZoneAlarm, Zoner
File name: Lab01-01.dll
Score: 29/66
Last analysis:	2018-10-23 00:38:22 UTC
Community score:	-139
VirusTotal report

Detection results (Name, Result):

AegisLab, Trojan.Win32.Generic.4!c
ALYac, Trojan.Agent.Waski
Antiy-AVL, Trojan/Win32.BTSGeneric
Avast, Win32:Malware-gen
AVG, Win32:Malware-gen
Avira, TR/Dldr.Waski.163840.1
CAT-QuickHeal, Trojan.IGENERIC
ClamAV, Win.Malware.Agent-6369668-0
Cylance, Unsafe
Cyren, W32/Trojan.PXBS-7022
Endgame, malicious (high confidence)
ESET-NOD32, a variant of Generik.TGEWDD
Fortinet, PossibleThreat
GData, Win32.Trojan.Agent.4L5OBS
Ikarus, Trojan.SuspectCRC
MAX, malware (ai score=96)
McAfee, GenericRXFO-RT!290934C61DE9
McAfee-GW-Edition, GenericRXFO-RT!290934C61DE9
Microsoft, Trojan:Win32/Occamy.C
NANO-Antivirus, Trojan.Win32.Waski.dtkvsp
Qihoo-360, Win32/Trojan.54f
Rising, Trojan.Tilken!8.F605 (CLOUD)
Symantec, Trojan.Gen.2
TheHacker, Trojan/Generik.TGEWDD
TrendMicro, TROJ_GEN.R002C0OER18
TrendMicro-HouseCall, TROJ_GEN.R002C0OER18
Webroot, W32.Gen.BT
Yandex, Trojan.Agent!l/HtSKjkET4
Zillya, Adware.InstallCore.Win32.1036

Vendors that did not flag the file (all Clean):

Ad-Aware, AhnLab-V3, Alibaba, Arcabit, Avast Mobile Security, Babable, Baidu, BitDefender, Bkav, CMC, CrowdStrike Falcon, DrWeb, eGambit, Emsisoft, eScan, F-Prot, F-Secure, Jiangmin, K7AntiVirus, K7GW, Kaspersky, Kingsoft, Malwarebytes, Palo Alto Networks, Panda, SentinelOne, Sophos AV, Sophos ML, SUPERAntiSpyware, TACHYON, Tencent, TotalDefense, Trustlook, VBA32, ViRobot, ZoneAlarm, Zoner

2. When were these files compiled?

Read it manually -- refer to https://gist.github.com/bytefire/6696019

TODO (not implemented yet):

Read with a hex editor

Read with python

Read with r2 types

The file "Lab01-01.dll" was compiled on Sun Dec 19 18:16:38 2010:

$ rabin2 -I Lab01-01.dll 
arch     x86
baddr    0x10000000
binsz    163840
bintype  pe
bits     32
canary   false
retguard false
sanitiz  false
class    PE32
cmp.csum 0x000327be
compiled Sun Dec 19 18:16:38 2010
crypto   false
endian   little
havecode true
hdr.csum 0x00000000
linenum  true
lsyms    true
machine  i386
maxopsz  16
minopsz  1
nx       false
os       windows
overlay  false
pcalign  0
pic      false
relocs   false
signed   false
static   false
stripped true
subsys   Windows GUI
va       true

The file "Lab01-01.exe" was compiled on Sun Dec 19 18:16:19 2010:

$ rabin2 -I Lab01-01.exe
arch     x86
baddr    0x400000
binsz    16384
bintype  pe
bits     32
canary   false
retguard false
sanitiz  false
class    PE32
cmp.csum 0x00007428
compiled Sun Dec 19 18:16:19 2010
crypto   false
endian   little
havecode true
hdr.csum 0x00000000
linenum  true
lsyms    true
machine  i386
maxopsz  16
minopsz  1
nx       false
os       windows
overlay  false
pcalign  0
pic      false
relocs   true
signed   false
static   false
stripped true
subsys   Windows CUI
va       true

3. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

Hard to say for sure. The entropy of the .text section is under 5 for both files, but only a few functions are imported.

$ rabin2 -K entropy -S Lab01-01.exe 
[Sections]
Nm Paddr       Size Vaddr      Memsz Perms Checksum          Name
00 0x00001000  4096 0x00401000  4096 -r-x entropy=4.45086464 .text
01 0x00002000  4096 0x00402000  4096 -r-- entropy=1.13245206 .rdata
02 0x00003000  4096 0x00403000  4096 -rw- entropy=0.43885401 .data

Or with r2:

$ r2 Lab01-01.exe 
 -- Welcome back, lazy human!
[0x00401820]> iSentropy
[Sections]
Nm Paddr       Size Vaddr      Memsz Perms Checksum          Name
00 0x00001000  4096 0x00401000  4096 -r-x entropy=4.45086464 .text
01 0x00002000  4096 0x00402000  4096 -r-- entropy=1.13245206 .rdata
02 0x00003000  4096 0x00403000  4096 -rw- entropy=0.43885401 .data

[0x00401820]> 
TODO: add entropy graphs

4. Do any imports hint at what this malware does? If so, which imports are they?

Imports for exe file:

$ rabin2 -i Lab01-01.exe 
[Imports]
Num  Vaddr       Bind      Type Name
   1 0x00402000    NONE    FUNC KERNEL32.dll_CloseHandle
   2 0x00402004    NONE    FUNC KERNEL32.dll_UnmapViewOfFile
   3 0x00402008    NONE    FUNC KERNEL32.dll_IsBadReadPtr
   4 0x0040200c    NONE    FUNC KERNEL32.dll_MapViewOfFile
   5 0x00402010    NONE    FUNC KERNEL32.dll_CreateFileMappingA
   6 0x00402014    NONE    FUNC KERNEL32.dll_CreateFileA
   7 0x00402018    NONE    FUNC KERNEL32.dll_FindClose
   8 0x0040201c    NONE    FUNC KERNEL32.dll_FindNextFileA
   9 0x00402020    NONE    FUNC KERNEL32.dll_FindFirstFileA
  10 0x00402024    NONE    FUNC KERNEL32.dll_CopyFileA
   1 0x0040202c    NONE    FUNC MSVCRT.dll_malloc
   2 0x00402030    NONE    FUNC MSVCRT.dll_exit
   3 0x00402034    NONE    FUNC MSVCRT.dll__exit
   4 0x00402038    NONE    FUNC MSVCRT.dll__XcptFilter
   5 0x0040203c    NONE    FUNC MSVCRT.dll___p___initenv
   6 0x00402040    NONE    FUNC MSVCRT.dll___getmainargs
   7 0x00402044    NONE    FUNC MSVCRT.dll__initterm
   8 0x00402048    NONE    FUNC MSVCRT.dll___setusermatherr
   9 0x0040204c    NONE    FUNC MSVCRT.dll__adjust_fdiv
  10 0x00402050    NONE    FUNC MSVCRT.dll___p__commode
  11 0x00402054    NONE    FUNC MSVCRT.dll___p__fmode
  12 0x00402058    NONE    FUNC MSVCRT.dll___set_app_type
  13 0x0040205c    NONE    FUNC MSVCRT.dll__except_handler3
  14 0x00402060    NONE    FUNC MSVCRT.dll__controlfp
  15 0x00402064    NONE    FUNC MSVCRT.dll__stricmp

Based on the imports, we can assume that this sample opens a directory, iterates over its files and, when it finds one, copies it and/or maps it into memory.

Imports for dll file:

$ rabin2 -i Lab01-01.dll 
[Imports]
Num  Vaddr       Bind      Type Name
   1 0x10002000    NONE    FUNC KERNEL32.dll_Sleep
   2 0x10002004    NONE    FUNC KERNEL32.dll_CreateProcessA
   3 0x10002008    NONE    FUNC KERNEL32.dll_CreateMutexA
   4 0x1000200c    NONE    FUNC KERNEL32.dll_OpenMutexA
   5 0x10002010    NONE    FUNC KERNEL32.dll_CloseHandle
  23 0x10002030    NONE    FUNC WS2_32.dll_socket
 115 0x10002034    NONE    FUNC WS2_32.dll_WSAStartup
  11 0x10002038    NONE    FUNC WS2_32.dll_inet_addr
   4 0x1000203c    NONE    FUNC WS2_32.dll_connect
  19 0x10002040    NONE    FUNC WS2_32.dll_send
  22 0x10002044    NONE    FUNC WS2_32.dll_shutdown
  16 0x10002048    NONE    FUNC WS2_32.dll_recv
   3 0x1000204c    NONE    FUNC WS2_32.dll_closesocket
 116 0x10002050    NONE    FUNC WS2_32.dll_WSACleanup
   9 0x10002054    NONE    FUNC WS2_32.dll_htons
   1 0x10002018    NONE    FUNC MSVCRT.dll__adjust_fdiv
   2 0x1000201c    NONE    FUNC MSVCRT.dll_malloc
   3 0x10002020    NONE    FUNC MSVCRT.dll__initterm
   4 0x10002024    NONE    FUNC MSVCRT.dll_free
   5 0x10002028    NONE    FUNC MSVCRT.dll_strncmp

Based on the import list, this DLL creates a mutex, initializes the Windows Sockets subsystem and starts communicating with a server.

Mutex Object (Mutex on MSDN):

A mutex object is a synchronization object whose state is set to signaled when it is not owned by any thread, and nonsignaled when it is owned. Only one thread at a time can own a mutex object, whose name comes from the fact that it is useful in coordinating mutually exclusive access to a shared resource. For example, to prevent two threads from writing to shared memory at the same time, each thread waits for ownership of a mutex object before executing the code that accesses the memory. After writing to the shared memory, the thread releases the mutex object.

5. Are there any other files or host-based indicators that you could look for on infected systems?

The malware sample (exe) copies the DLL file to "C:\Windows\System32\Kerne132.dll" (note the digit 1 in place of the letter l, so that the name looks like the legitimate Kernel32.dll).
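The "Kerne132.dll" name above is a look-alike of the legitimate kernel32.dll, which makes it easy to overlook in a directory listing. The Python below is an added example, not part of the original write-up, showing how a defender can flag such look-alike names automatically; the homoglyph table, the list of known system DLLs and the sample listing are constructed assumptions, and on a real host the known list should come from a trusted inventory of the system directory.

```python
# Added example (not from the original write-up): flag look-alike system DLL
# names such as "Kerne132.dll" (digit 1 in place of the letter l).
import os

# Subset of genuine system module names (constructed; extend as needed).
KNOWN_SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "ws2_32.dll"}

# Characters that are commonly swapped for a visually similar one (assumption).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "5": "s"})


def normalize(name: str) -> str:
    """Lower-case the name and fold look-alike characters so that
    'Kerne132.dll' and 'kernel32.dll' compare equal."""
    return name.lower().translate(HOMOGLYPHS)


def find_lookalike_dlls(listing):
    """Return (suspicious_name, imitated_name) pairs found in `listing`.

    A name is suspicious when it is not itself a known system DLL but folds
    to one after homoglyph normalization.
    """
    known_by_folded = {normalize(k): k for k in KNOWN_SYSTEM_DLLS}
    hits = []
    for name in listing:
        if name.lower() in KNOWN_SYSTEM_DLLS:
            continue  # the genuine module
        folded = normalize(name)
        if folded in known_by_folded:
            hits.append((name, known_by_folded[folded]))
    return hits


def scan_directory(path: str):
    """Run the check over a real directory, e.g. C:\\Windows\\System32."""
    return find_lookalike_dlls(os.listdir(path))


# Constructed listing standing in for a System32 directory on an infected host.
SAMPLE_LISTING = ["kernel32.dll", "Kerne132.dll", "ntdll.dll", "user32.dll", "notepad.exe"]

if __name__ == "__main__":
    for bad, real in find_lookalike_dlls(SAMPLE_LISTING):
        print(f"suspicious: {bad} imitates {real}")
```

The check only catches substitutions listed in the homoglyph table; names that differ by an inserted or dropped character need an edit-distance comparison instead.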

6. What network-based indicators could be used to find this malware on infected machines?

Communication with the IP address 127.26.152.13 is the indicator. The command verbs are:
hello, exec, sleep.

7. What would you guess is the purpose of these files?

The exe file will load and run the DLL file, which will communicate with the server and execute commands.



Lab 1-2

Questions:

  1. Upload the file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
  2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
  3. Do any imports hint at this program's functionality? If so, which imports are they and what do they tell you?
  4. What host or network-based indicators could be used to find this malware on infected machines?

Answers:

1. VirusTotal signatures.

File name: Lab01-02.exe
Score: 41/67 
Last analysis:	2018-10-30 01:24:01 UTC
Community score:	-166
VirusTotal report

Detection results (Name, Result):

AegisLab, Troj.W32.Gen.lsXA
AhnLab-V3, Trojan/Win32.StartPage.C26214
ALYac, Trojan.Startpage.3072
Antiy-AVL, Trojan/Win32.SGeneric
Avast, Win32:Malware-gen
AVG, Win32:Malware-gen
Avira, TR/Downloader.Gen
Baidu, Win32.Trojan-Clicker.Agent.ad
CAT-QuickHeal, Trojan.Dynamer!ac
ClamAV, Win.Malware.Agent-6350563-0
CrowdStrike Falcon, malicious_confidence_100% (W)
Cybereason, malicious.cbcb77
Cylance, Unsafe
Cyren, W32/Trojan.UCOC-9169
DrWeb, Trojan.Click3.12740
Endgame, malicious (moderate confidence)
ESET-NOD32, Win32/TrojanClicker.Agent.NVM
Fortinet, W32/Agent.NVM!tr
GData, Win32.Trojan.Agent.JV4OJM
Ikarus, Trojan.Win32.TrojanClicker
Jiangmin, Trojan.Generic.fxlq
Kingsoft, Win32.Malware.Heur_Generic.A.(kcloud)
MAX, malware (ai score=98)
McAfee, Generic.ait
McAfee-GW-Edition, Generic.ait
Microsoft, Trojan:Win32/Dynamer!ac
NANO-Antivirus, Trojan.Win32.RP.cwxtpf
Palo Alto Networks, generic.ml
Qihoo-360, HEUR/Malware.QVM11.Gen
Rising, Trojan.Clicker-Agent!8.13 (CLOUD)
Sophos AV, Mal/Generic-S
Sophos ML, heuristic
Symantec, Trojan.Gen.2
Tencent, Win32.Trojan.Downloader.Dyzr
TheHacker, Posible_Worm32
TrendMicro, TROJ_GEN.R002C0CHI18
TrendMicro-HouseCall, TROJ_GEN.R002C0CHI18
VBA32, Trojan.Click
Webroot, ???
Yandex, Trojan.CL.Agent!SYJ1YyE/ZV4
Zillya, Trojan.Agent.Win32.549706

Vendors that did not flag the file:

Ad-Aware, Alibaba, Arcabit, Avast Mobile Security, Babable, BitDefender, Bkav, CMC, eGambit, Emsisoft, eScan, F-Prot, F-Secure, K7AntiVirus, K7GW, Kaspersky, Malwarebytes, Panda, SentinelOne, SUPERAntiSpyware, TACHYON, TotalDefense, Trustlook, ViRobot, ZoneAlarm, Zoner (all Clean); Symantec Mobile Insight: Unable to process file type

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

To answer that question we can look at the entropy level of the sections. Let's use the rabin2 tool again to calculate the entropy:

$ rabin2 -K entropy -S Lab01-02.exe 
[Sections]
Nm Paddr       Size Vaddr      Memsz Perms Checksum          Name
00 0x00000400     0 0x00401000 16384 -rwx entropy=0.00000000 UPX0
01 0x00000400  1536 0x00405000  4096 -rwx entropy=7.06718080 UPX1
02 0x00000a00   512 0x00406000  4096 -rw- entropy=2.79780427 UPX2

As we can see from the output, there is a section called UPX1 with an entropy close to 7, which is pretty high (the maximum is 8 bits per byte). We can suppose that this section is packed.
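The entropy reasoning used here and in Lab 1-1 can be automated. The Python below is an added example, not the author's code: it computes per-section Shannon entropy over constructed sample sections, applies a 7.0-bits-per-byte threshold together with a section-name check (both are assumed triage heuristics, not hard rules), and also parses the rows printed by rabin2 -K entropy -S above so the same threshold can be applied to the tool's own output.

```python
# Added example (not from the original write-up): per-section Shannon entropy
# and a packed/obfuscated triage heuristic. Thresholds, the list of "standard"
# section names and all sample data are constructed assumptions.
import math
import random
import re
from collections import Counter

PACKED_THRESHOLD = 7.0  # bits per byte; compressed/encrypted data sits near the 8.0 maximum
STANDARD_SECTION_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".bss"}


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((n / total) * math.log2(n / total) for n in Counter(data).values())


def assess_sections(sections):
    """sections: iterable of (name, bytes). Returns {name: (entropy, [reasons])}."""
    report = {}
    for name, data in sections:
        ent = shannon_entropy(data)
        reasons = []
        if ent >= PACKED_THRESHOLD:
            reasons.append(f"entropy {ent:.2f} >= {PACKED_THRESHOLD}")
        if name not in STANDARD_SECTION_NAMES:
            reasons.append(f"non-standard section name {name!r}")
        report[name] = (ent, reasons)
    return report


def looks_packed(sections) -> bool:
    """Packed if any section is high-entropy, or if no standard section name is present at all."""
    report = assess_sections(sections)
    high_entropy = any(ent >= PACKED_THRESHOLD for ent, _ in report.values())
    no_standard_names = not any(name in STANDARD_SECTION_NAMES for name in report)
    return high_entropy or no_standard_names


# The same threshold applied to rabin2's own rows ("rabin2 -K entropy -S <file>").
_RABIN2_ROW = re.compile(r"entropy=(?P<ent>[0-9.]+)\s+(?P<name>\S+)\s*$")


def parse_rabin2_entropy(text: str):
    """Parse rabin2 section rows into [(name, entropy)], skipping header lines."""
    rows = []
    for line in text.splitlines():
        m = _RABIN2_ROW.search(line)
        if m:
            rows.append((m.group("name"), float(m.group("ent"))))
    return rows


def flag_rabin2_output(text: str):
    """Names of sections that rabin2 reports at or above the threshold."""
    return [name for name, ent in parse_rabin2_entropy(text) if ent >= PACKED_THRESHOLD]


# --- constructed samples ----------------------------------------------------
_rng = random.Random(1337)
CODE_LIKE = b"\x55\x8b\xec\x83\xec\x10\x5d\xc3" * 512          # repetitive prologue/epilogue bytes
STRINGS_LIKE = b"KERNEL32.dll\0CloseHandle\0CreateFileA\0".ljust(4096, b"\0")
RANDOM_LIKE = bytes(_rng.getrandbits(8) for _ in range(4096))   # stand-in for compressed code

CLEAN_SAMPLE = [(".text", CODE_LIKE), (".rdata", STRINGS_LIKE), (".data", b"\0" * 4096)]
PACKED_SAMPLE = [("UPX0", b""), ("UPX1", RANDOM_LIKE), ("UPX2", STRINGS_LIKE[:512])]

# Rows as printed by rabin2 for Lab01-02.exe in the write-up above.
RABIN2_LAB01_02 = """\
[Sections]
Nm Paddr       Size Vaddr      Memsz Perms Checksum          Name
00 0x00000400     0 0x00401000 16384 -rwx entropy=0.00000000 UPX0
01 0x00000400  1536 0x00405000  4096 -rwx entropy=7.06718080 UPX1
02 0x00000a00   512 0x00406000  4096 -rw- entropy=2.79780427 UPX2
"""

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE)):
        print(label, "->", "packed" if looks_packed(sample) else "not packed")
        for name, (ent, reasons) in assess_sections(sample).items():
            print(f"  {name:<8} entropy={ent:.2f} {'; '.join(reasons)}")
    print("rabin2 flags:", flag_rabin2_output(RABIN2_LAB01_02))
```

A high-entropy section alone is not proof of packing (a .rsrc section holding a compressed image scores just as high), which is why the section name and the size of the import table are weighed alongside it.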

The name itself is also worth mentioning, because it points us to the UPX packer, so let's unpack the sample.

For this purpose we will need the upx tool.

Also, let's look at the imports:

$ rabin2 -i Lab01-02.exe 
[Imports]
Num  Vaddr       Bind      Type Name
1 0x00406064    NONE    FUNC KERNEL32.DLL_LoadLibraryA
2 0x00406068    NONE    FUNC KERNEL32.DLL_GetProcAddress
3 0x0040606c    NONE    FUNC KERNEL32.DLL_VirtualProtect
4 0x00406070    NONE    FUNC KERNEL32.DLL_VirtualAlloc
5 0x00406074    NONE    FUNC KERNEL32.DLL_VirtualFree
6 0x00406078    NONE    FUNC KERNEL32.DLL_ExitProcess
1 0x00406080    NONE    FUNC ADVAPI32.dll_CreateServiceA
1 0x00406088    NONE    FUNC MSVCRT.dll_exit
1 0x00406090    NONE    FUNC WININET.dll_InternetOpenA

Hmm... not a lot. It does seem to be packed.

The upx man page says we can look inside with the -l flag. Let's do that.

$ upx -l Lab01-02.exe 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2017
UPX 3.94        Markus Oberhumer, Laszlo Molnar & John Reiser   May 12th 2017

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     16384 ->      3072   18.75%    win32/pe     Lab01-02.exe

Let's decompress it with the -d flag:

$ upx -d Lab01-02.exe -oLab01-02.decompressed.exe
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2017
UPX 3.94        Markus Oberhumer, Laszlo Molnar & John Reiser   May 12th 2017

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
     16384 <-      3072   18.75%    win32/pe     Lab01-02.decompressed.exe

Unpacked 1 file.

Now we can check what we've got:

$ file Lab01-02.decompressed.exe 
Lab01-02.decompressed.exe: PE32 executable (console) Intel 80386, for MS Windows

3. Do any imports hint at this program's functionality? If so, which imports are they and what do they tell you?

Let's take the decompressed file and look at its imports. Now the import table looks much better:

$ rabin2 -i Lab01-02.decompressed.exe 
[Imports]
Num  Vaddr       Bind      Type Name
   1 0x00402010    NONE    FUNC KERNEL32.DLL_SystemTimeToFileTime
   2 0x00402014    NONE    FUNC KERNEL32.DLL_GetModuleFileNameA
   3 0x00402018    NONE    FUNC KERNEL32.DLL_CreateWaitableTimerA
   4 0x0040201c    NONE    FUNC KERNEL32.DLL_ExitProcess
   5 0x00402020    NONE    FUNC KERNEL32.DLL_OpenMutexA
   6 0x00402024    NONE    FUNC KERNEL32.DLL_SetWaitableTimer
   7 0x00402028    NONE    FUNC KERNEL32.DLL_WaitForSingleObject
   8 0x0040202c    NONE    FUNC KERNEL32.DLL_CreateMutexA
   9 0x00402030    NONE    FUNC KERNEL32.DLL_CreateThread
   1 0x00402000    NONE    FUNC ADVAPI32.dll_CreateServiceA
   2 0x00402004    NONE    FUNC ADVAPI32.dll_StartServiceCtrlDispatcherA
   3 0x00402008    NONE    FUNC ADVAPI32.dll_OpenSCManagerA
   1 0x00402038    NONE    FUNC MSVCRT.dll__exit
   2 0x0040203c    NONE    FUNC MSVCRT.dll__XcptFilter
   3 0x00402040    NONE    FUNC MSVCRT.dll_exit
   4 0x00402044    NONE    FUNC MSVCRT.dll___p___initenv
   5 0x00402048    NONE    FUNC MSVCRT.dll___getmainargs
   6 0x0040204c    NONE    FUNC MSVCRT.dll__initterm
   7 0x00402050    NONE    FUNC MSVCRT.dll___setusermatherr
   8 0x00402054    NONE    FUNC MSVCRT.dll__adjust_fdiv
   9 0x00402058    NONE    FUNC MSVCRT.dll___p__commode
  10 0x0040205c    NONE    FUNC MSVCRT.dll___p__fmode
  11 0x00402060    NONE    FUNC MSVCRT.dll___set_app_type
  12 0x00402064    NONE    FUNC MSVCRT.dll__except_handler3
  13 0x00402068    NONE    FUNC MSVCRT.dll__controlfp
   1 0x00402070    NONE    FUNC WININET.dll_InternetOpenUrlA
   2 0x00402074    NONE    FUNC WININET.dll_InternetOpenA

From the import table we can see that the malware uses CreateService to create a Windows service, CreateMutex for (surprisingly) creating a mutex to check whether the malware is already running, and InternetOpenUrl to open a connection to a remote server.

4. What host- or network-based indicators could be used to identify this malware on infected machines?

Host-based indicators: the presence of a service called MalService and a mutex called HGL345.
Network-based: communication with the host http://www.malwareanalysisbook.com.


Lab 1-3

Questions:

  1. Upload the Lab01-03.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
  2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
  3. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
  4. What host- or network-based indicators could be used to identify this malware on infected machines?

Answers:

1. Upload the Lab01-03.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

File name: Lab01-03.exe
Score: 54/67
Last analysis:	2018-10-31 18:37:40 UTC
Community score:	-182
VirusTotal report

Detection results (Name, Result):

Ad-Aware, Packer.FSG.A
AegisLab, Trojan.Win32.Generic.4!c
ALYac, Packer.FSG.A
Antiy-AVL, Trojan/Win32.SGeneric
Arcabit, Packer.FSG.A
Avast, Win32:Malware-gen
AVG, Win32:Malware-gen
Avira, TR/Emoneg.4752
Baidu, Win32.Trojan-Clicker.Agent.z
BitDefender, Packer.FSG.A
CAT-QuickHeal, Trojan.Dynamer
CrowdStrike Falcon, malicious_confidence_100% (W)
Cybereason, malicious.94c28e
Cylance, Unsafe
Cyren, W32/SuspPack.DH.gen!Eldorado
DrWeb, Trojan.Click2.16518
Emsisoft, Packer.FSG.A (B)
Endgame, malicious (high confidence)
eScan, Packer.FSG.A
ESET-NOD32, Win32/TrojanClicker.Agent.NVN
F-Prot, W32/SuspPack.DH.gen!Eldorado
F-Secure, Packer.FSG.A
Fortinet, W32/Malware_fam.NB
GData, Packer.FSG.A
Ikarus, Trojan.Win32.Genome
Jiangmin, Trojan/Genome.bmbp
K7AntiVirus, Spyware ( 004ce65c1 )
K7GW, Spyware ( 004ce65c1 )
Kaspersky, Trojan.Win32.Agentb.bquu
Kingsoft, Win32.Troj.Genome.(kcloud)
Malwarebytes, Trojan.Agent.MWL
MAX, malware (ai score=100)
McAfee, RDN/Generic.dx!dfj
McAfee-GW-Edition, BehavesLike.Win32.Generic.xz
Microsoft, Trojan:Win32/Dynamer!ac
NANO-Antivirus, Trojan.Win32.Inor.getjo
Palo Alto Networks, generic.ml
Qihoo-360, Malware.Radar01.Gen
Rising, Trojan.Proxy.Win32.Small.gs (CLASSIC)
SentinelOne, static engine - malicious
Sophos AV, Mal/Packer
Sophos ML, heuristic
Symantec, Trojan.Gen.2
TACHYON, Trojan/W32.Small.4752.C
Tencent, Win32.Trojan.Agentb.Huzk
TheHacker, Trojan/Genome.ssrc
TrendMicro, TROJ_SPNR.30E214
TrendMicro-HouseCall, TROJ_SPNR.30E214
VBA32, Trojan.Tiggre
VIPRE, Trojan.Win32.Generic!BT
Webroot, W32.Genome.Ssrc
Yandex, Trojan.Genome!qjszR3auxbA
Zillya, Trojan.Genome.Win32.112441
ZoneAlarm, Trojan.Win32.Agentb.bquu

Vendors that did not flag the file:

AhnLab-V3, Alibaba, Avast Mobile Security, Babable, Bkav, ClamAV, CMC, eGambit, Panda, SUPERAntiSpyware, Trustlook, ViRobot, Zoner (all Clean); Symantec Mobile Insight: Unable to process file type

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

Let's check it with rabin2 (make sure that you're using the latest version):

$ rabin2 -v
rabin2 3.1.0-git 73 @ linux-x86-64 git.3.1.0-git
commit: 99641414fd9c936e8c082008317072e5fdbbc35c build: 2018-11-12__15:05:07

Here are the imports:

$ rabin2 -s Lab01-03.exe 
[Symbols]
Num Paddr      Vaddr      Bind     Type Size Name
001 0x00000f28 0x00405128   NONE   FUNC    0 imp.KERNEL32.dll_LoadLibraryA
002 0x00000f2c 0x0040512c   NONE   FUNC    0 imp.KERNEL32.dll_GetProcAddress

And the sections:

$ rabin2 -S Lab01-03.exe 
[Sections]
Nm Paddr       Size Vaddr      Memsz Perms Name
00 0x00000000     0 0x00401000 12288 -rw- sect_0
01 0x00001000   652 0x00404000  4096 -rw- sect_1
02 0x00000e00   512 0x00405000  4096 -rw- sect_2

As we can see, the sample imports only 2 functions, LoadLibrary and GetProcAddress -- too few for a regular executable, so it is probably packed.
Also, there is no .text or .data section, so it does seem that the sample is packed.
To make sure, we can check the sample against the packer YARA rules (packer.yar):

$ yara packer.yar Lab01-03.exe
packer.yar(9872): warning: $a0 is slowing down scanning
packer.yar(15986): warning: $a0 is slowing down scanning
FSGv10 Lab01-03.exe
FSGv100Engdulekxt Lab01-03.exe
FSGv110Engdulekxt Lab01-03.exe

As a result we can see that this sample is indeed packed with the FSG packer.
To be honest, I spent a lot of time trying to find info about unpacking that file, looking through the code with disassemblers and so on.
But it turns out that that question isn't for improving your reversing skills, but for letting you understand that sometimes a sample could be tougher than you.

3. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

4. What host- or network-based indicators could be used to identify this malware on infected machines?

We cannot answer these questions without dynamic analysis.


Lab 1-4

Questions:

  1. Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
  2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
  3. When was this program compiled?
  4. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
  5. What host- or network-based indicators could be used to identify this malware on infected machines?
  6. This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?

Answers:

1. Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

File name: Lab01-04.exe
Score: 51/65 
Last analysis:	2018-10-20 22:36:45 UTC
Community score:	-173
VirusTotal report


Detection results (Name, Result):

Ad-Aware, Gen:Trojan.Heur.RP.cqW@aqIk5pji
AegisLab, Trojan.Win32.Generic.4!c
Antiy-AVL, Trojan[Downloader]/Win32.Unknown
Arcabit, Trojan.Heur.RP.E9A4ED
Avast, Win32:Malware-gen
AVG, Win32:Malware-gen
Avira, TR/Dropper.Gen
BitDefender, Gen:Trojan.Heur.RP.cqW@aqIk5pji
Bkav, W32.eHeur.Malware01
CAT-QuickHeal, TrojanDownloader.Small
ClamAV, Win.Trojan.Agent-375080
CrowdStrike Falcon, malicious_confidence_100% (W)
Cybereason, malicious.fd47ad
Cylance, Unsafe
Cyren, W32/GenBl.625AC05F!Olympus
DrWeb, Trojan.DownLoader5.60705
Emsisoft, Gen:Trojan.Heur.RP.cqW@aqIk5pji (B)
Endgame, malicious (high confidence)
eScan, Gen:Trojan.Heur.RP.cqW@aqIk5pji
F-Prot, W32/Heuristic-217!Eldorado
F-Secure, Gen:Trojan.Heur.RP.cqW@aqIk5pji
Fortinet, W32/Generic.AC.345C6F!tr
GData, Gen:Trojan.Heur.RP.cqW@aqIk5pji
Ikarus, Backdoor.Win32.SuspectCRC
Jiangmin, Trojan/Invader.cph
K7AntiVirus, Trojan-Downloader ( 000074d71 )
K7GW, Trojan-Downloader ( 000074d71 )
Kaspersky, HEUR:Trojan-Downloader.Win32.Generic
Kingsoft, Win32.Troj.Undef.(kcloud)
MAX, malware (ai score=100)
McAfee, GenericRXEW-DZ!625AC05FD47A
McAfee-GW-Edition, BehavesLike.Win32.Downloader.nz
Microsoft, TrojanDownloader:Win32/Small
NANO-Antivirus, Trojan.Win32.Kazy.cwxmfl
Palo Alto Networks, generic.ml
Qihoo-360, Win32/Trojan.67a
Rising, Downloader.Small!8.B41 (CLOUD)
SentinelOne, static engine - malicious
Sophos AV, Mal/DownLdr-AC
Sophos ML, heuristic
SUPERAntiSpyware, Trojan.Agent/Gen-Downloader
Symantec, Downloader
Tencent, Win32.Trojan-downloader.Generic.Wmja
TheHacker, Trojan/Downloader.small
TrendMicro, Mal_DLDER
VBA32, suspected of Trojan.Downloader.gen.h
ViRobot, Trojan.Win32.Z.Small.36864.AB
Webroot, W32.Trojan.Gen
Yandex, Trojan.DL.Small!io4/0V8aERQ
Zillya, Downloader.Small.Win32.47818
ZoneAlarm, HEUR:Trojan.Win32.Generic

Vendors that did not flag the file:

AhnLab-V3, Alibaba, ALYac, Avast Mobile Security, Babable, Baidu, CMC, ESET-NOD32, Malwarebytes, Panda, TACHYON, TrendMicro-HouseCall, Trustlook, Zoner (all Clean); Symantec Mobile Insight: Unable to process file type

Almost all antivirus engines detect this file as malicious (51/65, ~78% detection rate).

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

Let's update radare2 first:

$ r2 -v
radare2 3.1.0-git 172 @ linux-x86-64 git.3.1.0-git
commit: 507b1e1ca1b3e71ed4640b583e5a10b3b09ec858 build: 2018-11-20__12:14:49

And look at the imports and sections:

$ rabin2 -s Lab01-04.exe 
[Symbols]
Num Paddr      Vaddr      Bind     Type Size Name
001 0x00002010 0x00402010   NONE   FUNC    0 imp.KERNEL32.dll_GetProcAddress
002 0x00002014 0x00402014   NONE   FUNC    0 imp.KERNEL32.dll_LoadLibraryA
003 0x00002018 0x00402018   NONE   FUNC    0 imp.KERNEL32.dll_WinExec
004 0x0000201c 0x0040201c   NONE   FUNC    0 imp.KERNEL32.dll_WriteFile
005 0x00002020 0x00402020   NONE   FUNC    0 imp.KERNEL32.dll_CreateFileA
006 0x00002024 0x00402024   NONE   FUNC    0 imp.KERNEL32.dll_SizeofResource
007 0x00002028 0x00402028   NONE   FUNC    0 imp.KERNEL32.dll_CreateRemoteThread
008 0x0000202c 0x0040202c   NONE   FUNC    0 imp.KERNEL32.dll_FindResourceA
009 0x00002030 0x00402030   NONE   FUNC    0 imp.KERNEL32.dll_GetModuleHandleA
010 0x00002034 0x00402034   NONE   FUNC    0 imp.KERNEL32.dll_GetWindowsDirectoryA
011 0x00002038 0x00402038   NONE   FUNC    0 imp.KERNEL32.dll_MoveFileA
012 0x0000203c 0x0040203c   NONE   FUNC    0 imp.KERNEL32.dll_GetTempPathA
013 0x00002040 0x00402040   NONE   FUNC    0 imp.KERNEL32.dll_GetCurrentProcess
014 0x00002044 0x00402044   NONE   FUNC    0 imp.KERNEL32.dll_OpenProcess
015 0x00002048 0x00402048   NONE   FUNC    0 imp.KERNEL32.dll_CloseHandle
016 0x0000204c 0x0040204c   NONE   FUNC    0 imp.KERNEL32.dll_LoadResource
001 0x00002000 0x00402000   NONE   FUNC    0 imp.ADVAPI32.dll_OpenProcessToken
002 0x00002004 0x00402004   NONE   FUNC    0 imp.ADVAPI32.dll_LookupPrivilegeValueA
003 0x00002008 0x00402008   NONE   FUNC    0 imp.ADVAPI32.dll_AdjustTokenPrivileges
001 0x00002054 0x00402054   NONE   FUNC    0 imp.MSVCRT.dll__snprintf
002 0x00002058 0x00402058   NONE   FUNC    0 imp.MSVCRT.dll__exit
003 0x0000205c 0x0040205c   NONE   FUNC    0 imp.MSVCRT.dll__XcptFilter
004 0x00002060 0x00402060   NONE   FUNC    0 imp.MSVCRT.dll_exit
005 0x00002064 0x00402064   NONE   FUNC    0 imp.MSVCRT.dll___p___initenv
006 0x00002068 0x00402068   NONE   FUNC    0 imp.MSVCRT.dll___getmainargs
007 0x0000206c 0x0040206c   NONE   FUNC    0 imp.MSVCRT.dll__initterm
008 0x00002070 0x00402070   NONE   FUNC    0 imp.MSVCRT.dll___setusermatherr
009 0x00002074 0x00402074   NONE   FUNC    0 imp.MSVCRT.dll__adjust_fdiv
010 0x00002078 0x00402078   NONE   FUNC    0 imp.MSVCRT.dll___p__commode
011 0x0000207c 0x0040207c   NONE   FUNC    0 imp.MSVCRT.dll___p__fmode
012 0x00002080 0x00402080   NONE   FUNC    0 imp.MSVCRT.dll___set_app_type
013 0x00002084 0x00402084   NONE   FUNC    0 imp.MSVCRT.dll__except_handler3
014 0x00002088 0x00402088   NONE   FUNC    0 imp.MSVCRT.dll__controlfp
015 0x0000208c 0x0040208c   NONE   FUNC    0 imp.MSVCRT.dll__stricmp

$ rabin2 -S Lab01-04.exe 
[Sections]
Nm Paddr       Size Vaddr      Memsz Perms Name
00 0x00001000  4096 0x00401000  4096 -r-x .text
01 0x00002000  4096 0x00402000  4096 -r-- .rdata
02 0x00003000  4096 0x00403000  4096 -rw- .data
03 0x00004000 20480 0x00404000 20480 -r-- .rsrc

From that (standard section names and a full import table) we can say that the sample is not packed or obfuscated.

3. When was this program compiled?

Let's check the compilation time:

$ rabin2 -I Lab01-04.exe | ag compiled
compiled Sat Aug 31 01:26:59 2019

Here ag is a great tool called the Silver Searcher (a grep-like code search tool).
Note that this date lies after the VirusTotal analysis date above (2018-10-20), so the timestamp cannot be genuine: it was either tampered with or produced by a build machine with a wrong clock, and either way it cannot be trusted.

4. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

Here is the list of interesting functions:

GetProcAddress        
LoadLibraryA
WinExec
WriteFile
CreateFileA
CreateRemoteThread
FindResourceA
GetModuleHandleA
GetWindowsDirectoryA
MoveFileA
GetCurrentProcess
OpenProcess
LoadResource
OpenProcessToken

So we can assume that this malware injects code into a remote process (OpenProcess/CreateRemoteThread), works with files in the Windows directory (read/write), and can also launch new processes via WinExec.
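The import-to-capability reasoning applied by hand for Lab 1-1, Lab 1-2 and this lab can be expressed as a small triage script. The Python below is an added example, not the author's code: it parses the last column of rabin2 -i/-s rows, groups the imported functions by an assumed capability table (a triage aid, not proof of behaviour), and implements the "only LoadLibraryA/GetProcAddress" packing hint from Lab 1-3; the sample rows are copied from the rabin2 outputs shown above.

```python
# Added example (not from the original write-up): parse rabin2 import/symbol
# rows and map imported functions to coarse capabilities. The capability table
# and the "few imports" rule are triage assumptions.
import re
from collections import OrderedDict

# Last column of a rabin2 -i ("KERNEL32.dll_CloseHandle") or -s ("imp.KERNEL32.dll_CloseHandle") row.
_IMPORT_RE = re.compile(r"^(?:imp\.)?(?P<dll>\S+?\.dll)_(?P<func>\S+)$", re.IGNORECASE)

# Windows APIs grouped by what their presence suggests.
CAPABILITIES = OrderedDict([
    ("dynamic-resolution", {"LoadLibraryA", "GetProcAddress"}),
    ("network", {"WSAStartup", "socket", "connect", "send", "recv", "InternetOpenA", "InternetOpenUrlA"}),
    ("process-creation", {"CreateProcessA", "WinExec"}),
    ("code-injection", {"OpenProcess", "CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"}),
    ("file-enumeration", {"FindFirstFileA", "FindNextFileA"}),
    ("file-io", {"CreateFileA", "WriteFile", "CopyFileA", "MoveFileA", "MapViewOfFile"}),
    ("service-persistence", {"CreateServiceA", "OpenSCManagerA", "StartServiceCtrlDispatcherA"}),
    ("token-privileges", {"OpenProcessToken", "LookupPrivilegeValueA", "AdjustTokenPrivileges"}),
    ("single-instance-mutex", {"CreateMutexA", "OpenMutexA"}),
    ("embedded-resource", {"FindResourceA", "LoadResource", "SizeofResource"}),
])


def parse_rabin2_imports(text: str):
    """Return [(dll, function)] from rabin2 -i or -s output; header lines are skipped."""
    found = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        m = _IMPORT_RE.match(tokens[-1])
        if m:
            found.append((m.group("dll"), m.group("func")))
    return found


def triage_imports(text: str):
    """Map capability -> sorted list of imported functions that suggest it."""
    funcs = {func for _, func in parse_rabin2_imports(text)}
    return {cap: sorted(funcs & names) for cap, names in CAPABILITIES.items() if funcs & names}


def few_imports_hint(text: str, limit: int = 10) -> bool:
    """Lab 1-3 style packing hint: a tiny import table consisting of little more than
    LoadLibraryA/GetProcAddress (the unpacking stub resolves the rest at run time)."""
    funcs = {func for _, func in parse_rabin2_imports(text)}
    return len(funcs) < limit and {"LoadLibraryA", "GetProcAddress"} <= funcs


# Constructed inputs: rows copied from the rabin2 output shown in the write-up.
LAB01_04_SYMBOLS = """\
[Symbols]
Num Paddr      Vaddr      Bind     Type Size Name
001 0x00002010 0x00402010   NONE   FUNC    0 imp.KERNEL32.dll_GetProcAddress
002 0x00002014 0x00402014   NONE   FUNC    0 imp.KERNEL32.dll_LoadLibraryA
003 0x00002018 0x00402018   NONE   FUNC    0 imp.KERNEL32.dll_WinExec
004 0x0000201c 0x0040201c   NONE   FUNC    0 imp.KERNEL32.dll_WriteFile
005 0x00002020 0x00402020   NONE   FUNC    0 imp.KERNEL32.dll_CreateFileA
007 0x00002028 0x00402028   NONE   FUNC    0 imp.KERNEL32.dll_CreateRemoteThread
008 0x0000202c 0x0040202c   NONE   FUNC    0 imp.KERNEL32.dll_FindResourceA
011 0x00002038 0x00402038   NONE   FUNC    0 imp.KERNEL32.dll_MoveFileA
014 0x00002044 0x00402044   NONE   FUNC    0 imp.KERNEL32.dll_OpenProcess
016 0x0000204c 0x0040204c   NONE   FUNC    0 imp.KERNEL32.dll_LoadResource
003 0x00002008 0x00402008   NONE   FUNC    0 imp.ADVAPI32.dll_AdjustTokenPrivileges
001 0x00002054 0x00402054   NONE   FUNC    0 imp.MSVCRT.dll__snprintf
"""

LAB01_03_SYMBOLS = """\
[Symbols]
Num Paddr      Vaddr      Bind     Type Size Name
001 0x00000f28 0x00405128   NONE   FUNC    0 imp.KERNEL32.dll_LoadLibraryA
002 0x00000f2c 0x0040512c   NONE   FUNC    0 imp.KERNEL32.dll_GetProcAddress
"""

if __name__ == "__main__":
    for cap, funcs in triage_imports(LAB01_04_SYMBOLS).items():
        print(f"{cap:<22} {', '.join(funcs)}")
    print("Lab01-03 few-imports hint:", few_imports_hint(LAB01_03_SYMBOLS))
```

Feed it the raw output of rabin2 -i or rabin2 -s; the regex splits the DLL name from the function at the first underscore after ".dll", so C runtime names with leading underscores (such as _snprintf) survive intact.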

5. What host- or network-based indicators could be used to identify this malware on infected machines?

Presence of the string http://www.practicalmalwareanalysis.com/updater.exe.

6. This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?

The resource is a PE executable file. It is that embedded file that contains the string http://www.practicalmalwareanalysis.com/updater.exe.

The hash is: bb1252dab9f573d7517083925db5fc6d8496afb56928cc848ad108c27542c448
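Lab 1-1 left "read with python" as a TODO, and this lab shows a compile time that is later than the VirusTotal scan plus a resource holding a second PE file. The Python below is an added example (not part of the write-up) that reads the COFF TimeDateStamp directly from the PE headers, checks it against the date the sample was observed, and carves embedded PE headers and URL strings out of a resource blob. The minimal PE bytes and the resource blob are constructed, and the timestamps are interpreted as UTC (rabin2 may render them in local time); the function names are my own.

```python
# Added example (not from the original write-up): PE TimeDateStamp parsing,
# a plausibility check against the observation date, and carving of embedded
# PE headers / URL strings from a resource blob. All sample bytes are constructed.
import re
import struct
from datetime import datetime, timezone

MZ = b"MZ"
PE_SIG = b"PE\0\0"
_URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def pe_timestamp(data: bytes, base: int = 0) -> int:
    """COFF TimeDateStamp of the PE image that starts at `base` in `data`.

    e_lfanew (DWORD at base+0x3c) points to 'PE\\0\\0'; the 20-byte COFF header
    follows, with TimeDateStamp at offset 4 after Machine and NumberOfSections.
    Raises ValueError on malformed or truncated headers.
    """
    if len(data) < base + 0x40 or data[base:base + 2] != MZ:
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, base + 0x3c)[0]
    pe = base + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(data):
        raise ValueError("e_lfanew out of range")
    if data[pe:pe + 4] != PE_SIG:
        raise ValueError("no PE signature")
    _machine, _nsections, timestamp = struct.unpack_from("<HHI", data, pe + 4)
    return timestamp


def format_timestamp(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def timestamp_is_plausible(ts: int, observed_on: datetime) -> bool:
    """A compile time after the sample was first observed cannot be genuine."""
    return datetime.fromtimestamp(ts, tz=timezone.utc) <= observed_on


def find_embedded_pe(blob: bytes):
    """[(offset, timestamp)] for every valid MZ/PE header pair inside `blob`."""
    hits = []
    off = blob.find(MZ)
    while off != -1:
        try:
            hits.append((off, pe_timestamp(blob, off)))
        except ValueError:
            pass  # a stray 'MZ' byte pair, not a header
        off = blob.find(MZ, off + 1)
    return hits


def find_urls(blob: bytes):
    """Printable http(s) URLs embedded in the blob."""
    return [m.group().decode("ascii") for m in _URL_RE.finditer(blob)]


def build_minimal_pe(timestamp: int) -> bytes:
    """Constructed stand-in: DOS header, PE signature and a COFF header with no sections."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3c, 0x40)  # e_lfanew: PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x2102)
    return bytes(dos) + PE_SIG + coff


def _utc(*ymdhms) -> int:
    return int(datetime(*ymdhms, tzinfo=timezone.utc).timestamp())


# Constructed data: the two compile times reported by rabin2 above, read as UTC.
LAB01_01_DLL_STAMP = _utc(2010, 12, 19, 18, 16, 38)
LAB01_04_STAMP = _utc(2019, 8, 31, 1, 26, 59)
VT_ANALYSIS_DATE = datetime(2018, 10, 20, 22, 36, 45, tzinfo=timezone.utc)

SAMPLE_PE = build_minimal_pe(LAB01_01_DLL_STAMP)
# A fake resource: padding, the sample PE at offset 0x100, then a URL string.
RESOURCE_BLOB = (b"\0" * 0x100 + SAMPLE_PE
                 + b"http://www.practicalmalwareanalysis.com/updater.exe\0" + b"\xff" * 32)

if __name__ == "__main__":
    print("sample PE compiled", format_timestamp(pe_timestamp(SAMPLE_PE)))
    for ts in (LAB01_01_DLL_STAMP, LAB01_04_STAMP):
        print(format_timestamp(ts), "plausible:", timestamp_is_plausible(ts, VT_ANALYSIS_DATE))
    for off, ts in find_embedded_pe(RESOURCE_BLOB):
        print(f"embedded PE at 0x{off:x}, compiled {format_timestamp(ts)}")
    print("urls:", find_urls(RESOURCE_BLOB))
```

On a real sample, read the file (or the resource extracted with Resource Hacker) into `blob` and pass it to find_embedded_pe and find_urls; the bounds checks in pe_timestamp are what keep a stray "MZ" inside arbitrary data from being reported as a header.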







Thanks to HK from MR group for motivation!