Practical Malware Analysis — Chapter 6 Labs

Practical Malware Analysis is a book introducing fundamental and advance analysis of malware both statically and dynamically. Today, we work through the Practical Malware Analysis exercises in Chapter 6 — Recognising C Code Constructs in Assembly Language. This chapter if you haven’t guessed is for helping understand what is going on within functions, subroutines, etc. in Assembly Language.

You can download the labs here.

Lab 6–1

In this lab, you will analyze the malware found in the file Lab06–01.exe.

Firstly, let’s do a quick analysis of this executable using basic techniques.

If we use PE Explorer, we can see two DLLs in the Import Viewer, WININET.dll and KERNEL32.dll. One function of particular interest is ‘InternetGetConnectedState’.

Still using PE Explorer, viewing in the disassembly mode, we can view some of the key strings (note, running strings.exe is probably a better approach):

This gives an indication the executable uses heap capabilities. From an initial guess, I reckon the executable checks if there is an internet connection.

However, if we run ApateDNS, no DNS requests are detected from this malware…

Questions:

1. What is the major code construct found in the only subroutine called by main?

Let’s open IDA Pro. Firstly, if you’re running this in Windows 10, then the sub routine will not show as ‘main’. It’s clear however that the main function is the first subroutine, sub_401000.

InternetGetConnectedState retrieves the connected state of the local system. This is accompanied by an LDPWORD ‘lpdwFlags’ (pointer to a variable that receives the connection description) and DWORD ‘dwReserved’ (reserved parameter which must be 0).

Following the C structure, we see that this has an if statement, because of the conditional jump jz to loc_40102B else to sub_40105F (connection successful).

This is further confirmed in graphical view, where you can see both outcomes still end with the loc_40103A process return. In a nutshell, this checks for an internet connection and returns the result to main.

2. What is the subroutine located at 0x40105F?

This sub is called in both outcomes of the if statement in the main function.

The executable likely prints the result following the check of InternetGetConnectionState — C language uses the printf function.

3. What is the purpose of this program?

The purpose is to simply check the internet connection of the endpoint it is running on and printf the status.

Lab 6–2

Analyze the malware found in the file Lab06–02.exe.

Dependency Walker shows that there are two DLL imports; KERNEL32.DLL and WININET.DLL. WININET not mentioned beforehand, is a module containing different internet functions, used to share functions for various applications. As we can see in the image below the following functions are shown:

We get that same ‘InternetGetConnectedState’ again. This time also initiating WININET functions (InternetOpenA) to an application and opening a resource specified by an FTP or HTTP URL (InternetOpenUrlA), followed by reading data from the handle (InternetReadFile).

Using the strings.exe function now, we can analyse the associated strings with this executable.

The strings results, indicates that they make use of the heap, multithreading and console capabilities. Console implementation is possible here to an adversary’s device, since WININET.dll we know is a module for internet functions.

Other functions listed outside of this image are:

  • GetEnvironmentStrings
  • GetFileType
  • WriteFile
  • Error
  • Error 1.1: No Internet
  • Success: Internet Connection
  • Error 2.3: Fail to get command
  • Error 2.2: Fail to ReadFile
  • Error 2.1: Fail to OpenUrl
  • http://www.practicalmalwareanalysis.com/cc.htm
  • Internet Explorer 7.5/pma
  • Success: Parsed command is %c

If one didn’t know any better, they’d guess the executable checks the internet connection (similar to Lab 6–1), send a DNS request to the URL listed above, using HTTP Internet Explorer User-Agent to read and download a file on that URL from parsing some specific text from that page.

Furthermore, if we run the executable, it prints out ‘Success: Internet Connection’ — indicating there that same printf function, similar to what was seen in Lab 6–1.

DNS requests have been detected using ApateDNS to www.praticalmalwareanalysis.com:

Questions:

  1. What operation does the first subroutine called by main perform?

Looking at the Main subroutine at Memory Address 00401000, we see the function follows the same logic as Lab 6–1.

Checking the computer is connected to the Internet using ‘internetGetConnectedState’ function.

2. What is the subroutine located at 0x40117F?

Looking at 0x40117F, we can quickly see this is the same as the Printf function in Lab 6–1:

3. What does the second subroutine called by main do?

The second subroutine called by main is at Memory Address 00401040. This is effectively an array using the InternetOpenAand InternetOpenURLA functions as seen before to http://www.practicalmalwareanalysis.com/htm using the Internet Explorer 7.5/pma user agent.

This has a conditional jump using the jnz function jumping to subroutine loc_40109D if the URL was successfully open. Looking at this function (see below) we can see a call to the InternetReadFIle function used to download resources from HINTERNET handle returned by the InternetOpenURL function.

If the file is successfully read, then then the first 200h or 0x200 bytes (NumberOfBytesToRead) are read using the InterNetReadFile call. This is then compared after being saved into EAX with 0 using JNZ which will then jump to subroutine 4010E5 if buffer was read successfully.

4. What type of code construct is used in this subroutine?

The URL http://www.practicalmalwareanalysis.com/cc.htm found uses the common abbreviation of HTML, htm which is used by earlier operating systems and file systems, such as DOS and the limitations imposed by FAT data structure, limited file extensions to three letters.

We can further determine this by the code construct within the Array.

Converting the values to text provides ‘<! — ‘ finding what is contained in subroutine 0x401115.

5. Are there any network-based indicators for this program?

Two network-based indicators were found:

6. What is the purpose of this malware?

We see that if subroutine 401040 reads the HTML comment and returns true to main, subroutine 40115C will execute and print “Success: Parsed comman is %c\n”, meaning that the HTML comment that was read will be passed as a command. Once successfully parsed, it will sleep for 0EA60h or 60 seconds.

This executable checks the host has an internet connection. If an Internet connection is present, the program will open a handle to the website http://practicalmalwareanalysis.com/cc.htm and read a comment, that will be parsed as a command to the program. If this comment is parsed successfully, then the program will sleep for a minute.

Lab 6–3

In this lab, we’ll analyze the malware found in the file Lab06–03.exe

Using PE Explorer, we can have a look at the section headers, where we see the size of the Virtual and Raw Size are similar so this executable is not packed.

Looking at the Import Viewer (still in PE Explorer), we can see there are three Imported DLLs:

KERNEL32.DLL and WININET.DLL were seen in the previous labs, however ADVAPI32.DLL was not seen. ADVAPI32.DLL is the Advanced API services library which is a utility that is designed to support APIs including registry and security calls. These are responsible for restarting and shutting down the system, Windows registry, managing user accounts and starting and stopping and creating Windows Services. The two functions are for the following:

  • RegSetValueExA — Sets the data and type of a specified value under a registry key
  • RegOpenKeyExA — Opens the specified registry key

Using Strings.exe, we immediately see the following string:

This is an indication the program is a portable executable. Further analysis we see similar strings to Lab 6–2, with heap and multithread capabilities:

Looking further down, we see the commands that match to the registry functions observed beforehand:

It seems parsing is done again and the use of an executable ‘cc.exe’. run in the ‘C:\Temp’ directory. We also see the registry key ‘Software\Microsoft\Windows\CurrentVersion\Run’.

Other interesting strings of interest found included (but not limited to):

  • Sleep
  • DeleteFileA
  • CopyFileA
  • CreateDirectoryA
  • InternetGetConnectedState

Running the malware, we unfortunately see no results using Process Hacker or Regshot relating to our previous finds.

Using FakeNet, we can see that there are HTTP requests to IP 192.0.2.123 from the domain www.practicalmalwareanalysis.com.

This behaviour is very similar to what we saw with Lab 6–2.

Questions

1. Compare the calls in main to Lab 6–2’s main method. What is the new function called from main?

Looking at the Main function in IDA Pro, we can see that this follows the same ‘if’ logic as Lab 6–2, calling the ‘InternetGetConnectedState’ function.

This follows the same logic up until the new Subroutine sub_401130. This uses the CopyFileA function, which was determined by the ‘lpExistingFileName’ parameter (see below image).

We can see this function follows a switch statement, once the filename has been read:

These are easier to be read in text mode, but in summary all functions jump to Loc_4011EE after the following:

  • Loc_40115A — Calls CreateDirectoryA with path C:\\
  • Loc_40116C — Calls CopyFileA for C:\\Temp\\cc.exe
  • Loc_40117F — Calls DeleteFileA
  • Loc_40118C — Calls RegOpenKeyExA for using the Software\Microsoft\Windows\CurrentVersion\Run directory and setting the ValueName as ‘Malware’ using RegSetValueExA call to store the data in C:\\Temp\\cc.exe
  • Loc_4011D4 — Calls Sleep which is performed for 186A0h or 100 seconds in decimal

The malware seems to be setting a registry value which runs the malware each time the computer starts up, a persistence mechanism. Once the registry key is installed, this malware will activate.

Following on from this, we see the lpExistingFileName being called at loc_40123C, after the successful Parsing Command message:

Here we can see the call for Sleep function is used for 60 seconds. Furthermore the Printf function is seen below at sub_401271:

2. What parameters does this new function take?

The function sub_401130, takes two parameters; the lpExistingFileName and arg_0.

3. What major code construct does this function contain?

As mentioned before, we observed a switch statement with a jump table.

4. What can this function do?

As mentioned before:

  • Loc_40115A — Calls CreateDirectoryA with path C:\\
  • Loc_40116C — Calls CopyFileA for C:\\Temp\\cc.exe
  • Loc_40117F — Calls DeleteFileA
  • Loc_40118C — Calls RegOpenKeyExA for using the Software\Microsoft\Windows\CurrentVersion\Run directory and setting the ValueName as ‘Malware’ using RegSetValueExA call to store the data in C:\\Temp\\cc.exe
  • Loc_4011D4 — Calls Sleep which is performed for 186A0h or 100 seconds in decimal

5. Are there any host-based indicators for this malware?

  • The registry key Software\Microsoft\Windows\CurrentVersion\Run\
  • The program cc.exe located in C:\\Temp

6. What is the purpose of this malware?

To check for an internet connection and download a command. The malware will then parse this command, and if its running for the first time it will create and set a registry key, which then is re-run on start-up. This malware allows the owner to create or delete files, and create directories.

LAB 6–4

In this lab, we’ll analyze the malware found in the file Lab06–04.exe.

Using Dependency Walker, we see the same imports being used as Lab 6–3; KERNEL32.DLL, WININET.DLL, ADVAPI32.DLL:

We can also see in PE Explorer that the Virtual Size and Raw Size are similar, confirming this executable is not packed:

Opening up now Strings.exe, we see the same strings again for heap and multithread capabilities.

Strings of particular interest are shown below:

Here we see similar indicator from Lab 6–3 but this time the user agent is over HTTP Internet Explorer 7.5/pma%d instead of ‘pma.

We also see strings such as:

  • Sleep
  • DeleteFileA
  • CopyFileA
  • CreateDirectoryA
  • InternetGetConnectedState
  • RegSetValueExA
  • RegOpenKeyExA
  • WriteFile

When running the malware, we also see a DNS request using ApateDNS:

Using FakeNet, we also see a request to www.practicalmalwareanalysis.com over port HTTP with header GET /cc.htm, using the User-Agent found on strings.

Questions

1. What is the difference between the calls made from the main method in Labs 6–3 and 6–4?

Looking at the main function, we can immediately see that lab 6–4 calls sub_4012B5 which is the printf function whereas lab 6–3 calls sub_401271.

Looking at the Parsing commands and comparing this to Lab 6–3, we can see that a for loop is being performed in Lab 6–4. The var_C is looking for a for loop code construct. If it is greater than or equal to 0x5A0 (1440), the loop will end. Otherwise, loc_401281 will execute. The process repeats for 1440 minutes, which is 24 hours.

We can also see differences in the sub process performing the HTTP request and reading of the file — sub_401040.

Here we can see that arg_0 is a new global variable compared with Lab 6–3. Arg_0 is pushed on the stack along with a string “Internet Explorer 7.5/pma%d” and a destination. We also see that sub_4012E6 is called which creates the string and stores it in the destination buffer, szAgent. This is then passed onto InternetOpenA. This means each time the function is called, the User-Agent will change.

2. What new code construct has been added to main?

As seen above, this is the for loop.

3. What is the difference between this lab’s parse HTML function and those of the previous labs?

The function sub_401040 takes the parameter and calls sub_4012E6 with ‘Internet Explorer 7.50/pma%d’, where ‘d’ is number of minutes running.

4. How long will this program run? (Assume that it is connected to the Internet.)

1440 minutes (24 hours).

5. Are there any new network-based indicators for this malware?

  • Internet Explorer 7.50/pma%d — New User-Agent

6. What is the purpose of this malware?

The program checks for an internet connection. If there’s a connection present, the program will use the User-Agent (which is unique each time) to attempt to download a web page which monitors the number of minutes the program has run. This is otherwise similar to Lab 6–3, except the program will run for 24 hours before terminating.

And that wraps this up. As always, stay safe!

--

--

Digital Forensics, Incident Response and Threat Hunting things.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store