Seeping through cracks in Security

BLOG

Security & Reverse Engineering

Practical Malware Analysis - Lab 11-1

Lab 11 Set up:

While the executables in Practical Malware Analysis are considered safe, best practice will be used for the environment. This means the virtual machines will be ran without a network connection. The malware used in this lab can be found here: https://practicalmalwareanalysis.com/labs/

Virtual Machine Specifications:

  • Windows XP Service Pack 3 (32 Bit) - Ran windows updates
  • 20 GB HDD
  • 2GB Ram

Malware Analyzed

  • Lab 11 - 1: Lab11-01.exe

The labs in Practical Malware Analysis were developed for study on Windows XP. All analysis will be performed on the lab VM.


Lab 11-1

Checking for Obfuscation

Loading the executeable into PEiD, it was found to not be packed. This means there was not attempts to obfuscate the strings / code within the program as seen in the image to the right.

This means the next step would be to run Strings to see what can be learned about the program.

 
 PEiD Results (Not Packed)

PEiD Results (Not Packed)


Strings Analysis

As seen below in the screenshots Strings 1-3, Strings was run on Lab11-1.exe. Looking at the results of the scan, it was seen that several interesting strings were included in the executable that may hint at its functions.

In Strings 1, it can be seen that there are strings relating to the manipulation of processes and libraries. This includes: ExitProcess, GetProcAddress, GetSystemDirectory, GetModuleFileNamew, among others.

Also, strings relating to possible registry usage were found. RegCloseKey, RegSetValueExW, RegCreateKeyW show that it is possible the malware will change registry values.

Strings 2 shows more strings relating to possible credential manipulation. There are a long list of Wlx* functions that support this.

Strings 3, as well as seen in the other two screen shots, contains more Wlx functions and GinaDLL. In the book, it was mentioned that the GINA (Graphical Identification and Authentication Interception) is a commonly abused technique malware uses to intercept user credentials (p. 235).

Overall, based on the strings found in the executable, it is likely we're dealing with malware that will seek to steal the users credentials.

 


IDA Analysis

After opening the executable in IDA Pro, the strings found in the previous section were further analyzed. Two functions are immediately recognized in the "Main" subroutine as seen in the images to the right. It was also seen that "msgina.dll" is used as its offset is loaded to the register.
 

 

Persistence

As seen in Persistence, the function "RegSetValueExA" is used after pushing data relating to GinaDLL. This appears to be setting up a registry value to ensure that the GinaDLL is running. The subroutine pushed the hKey value to the registry using the RegSetValueExA then compares that the persistence is set.

Saving Data

Again looking at the main function, right after "GetHandleNameA" is called, sub-routine 401080 is called and following this deeper resulted in more strings and function being found to hint at what the malware is doing.

As seen in Subroutine Part 1 to the left, the subroutine begins to set variables and appears to seek information about the resource. The function "FindResourceA" is called as seen in Subroutine Part 1.

In Subroutine Part 2, it can be see that after the resource is found, it becomes loaded and then locked using "LoadResourceA" and "LockResourceA". Space is then allocated using "VirtualAlloc".

Finally, seen in Subroutine Part 3, data is moved and the offset of msgina2.dll is pushed. Then a call to "_fopen" is made before it appears data on the File and Size are pushed. The function "_fwrite" is called then after more data is processes, "_fclose" is called.

Overall, it appears the malware is gathering some information before writing a file. This file is saved as "msgina32.dll", which further supports the suspicion of the strings ran previously that the malware is likely a Gina listener. This msgina32.dll likely consists of mostly the legitimate "msgina.dll", however modified for malicious purpose.


Dynamic Analysis

New File

After running the Lab11-1.exe, a new file "msgina32.dll" was created in the same folder as the lab examples. This was expected after the static analysis. Remember, msgina32.dll is not legitimate while msgina.dll is.

ProcessMonitor.JPG

IDA Analysis of "MSgina32.dll"

When opening msgina32.dll in IDA Pro and looking through the functions and strings, a string formatting was found as seen in "dll Analysis 1". It shows that a string is being written and formatted. The variable name of "aUnSDmSPWOlds" Hints at it being an old password. This is then pushed to Subroutine 10001570.

Looking at dll Analysis 2, it is seen that subroutine 10001570 is opening a file "msutil32.sys" and then writing the strings to it. The strings "_wstrttime" and "_wstrdate" hint that the date and time are being recorded. Finally, the string is copied using the "_printf" function and the file is saved.

Overall, from this its is gathered that the malware is recording the user's credentials and saving them to a file. 

 

Registry Changes

Using RegShot, at total of 96 registry changes were made once Lab11-1.exe was ran. Of these, one of the most notable was found while running Process Monitor during the running of the malware and then filtering for "Lab11-1.exe"

As seen below, Lab11-1.exe opened and changed the registry keys to ensure that the msgina.dll that it created will run on start up when Winlogon is run.

ProcessMonitor.JPG

On Restart

Since it was seen that the file should be persistent after a restart, the machine was restarted and checked to see if the malware was running in the background or if any logging was taking place.

When restarting the machine however, the malware did not log a file "msutil32.sys". At the time of writing, it is not known why the malware didn't work as intended. Running the malware as system admin was attempted.


Lab 11-1 Conclusion

In summary, the malware Lab11-1.exe resulted in the creation of a file "msgina32.dll" as well as made changes to the registry to ensure that the dll file would run on start up of the machine.

The dll was disguised as a legitimate windows Gina Listener and used the legitimate version of msgina.dll's functions to write the user's login credentials to a file disguised as a windows driver.

When a user logs out of the system, the credentials are logged to the file.


PMALogo

Chapter 11 Lab

Practical Malware Analysis

Guiding Questions

The following questions from the text were used to guide the malware analysis as well as to provide some context clues as to where to start.

Lab 11-1

  1. What does the malware drop to disk?
  2. How does the malware achieve persistence?
  3. How does the malware steal user credentials?
  4. What does the malware do with stolen credentials?
  5. How can you use this malware to get user credentials from your test environment?