Seeping through cracks in Security

BLOG

Security & Reverse Engineering

Practical Malware Analysis - Lab 12 - 1

Lab 12-1 Setup:


While the executables in Practical Malware Analysis are considered safe, best practice will be used for the environment. This means the virtual machines will be ran without a network connection. The malware used in this lab can be found here: https://practicalmalwareanalysis.com/labs/

Virtual Machine Specifications:

  • Windows XP Service Pack 3 (32 Bit) - Ran windows updates
  • 20 GB HDD
  • 2GB Ram

Malware Analyzed

  • Lab12-01.exe
  • Lab12-01.dll

The labs in Practical Malware Analysis were developed for study on Windows XP. All analysis will be performed on the lab VM

PMAImage.jpg

Basic Static Analysis


PEiD Analysis

Output of PEiD on Lab12-01.exe

Running the executable file through PEiD shows that the Entropy was a 4.34. The output of the program can be seen in the image to the right.

The scan also showed that the file was likely not packed. This allows it to be assumed that the malware is not encoded or obfuscated in anyway and that a strings analysis would be a suitable next step.

 

Strings Analysis

Since there is both Lab12-01.dll & and Lab12-01.exe, it can be assumed that the .exe file will manipulate the system files to either swap or call the .dll. It is likely some form of DLL Injection is possible. The results of strings strings output for Lab12-01.exe and Lab12-01.dll can be seen by clicking the images below.

Strings analysis of Lab12-01.exe

Looking through the output of running strings64.exe on Lab12-01.exe yields some clues as to what may happen when the malware is run. The presence of strings CreateRemoteThread, OpenProcess, LoadLibraryA, VirtualAllocEx, and WriteProcessMemory (As seen in Lab12-01.exe Part 1 & 2) hint that DLL injection is likely. These functions are commonly used by malware to inject a malicious DLL file into a legitimate host.

Looking for what other clues strings may provide brings attention to a few .DLL files found in the output. Included are kernel32.dll, Lab12-01.dll, psapi.dll, user32.dll, and KERNEL32.dll. Since Lab12-01.dll is seen, odds are the Lab12.01.exe will call this .dll and inject it into a legitimate program or disguise / replace it with another one in seen in the strings output. KERNEL32.dll and kernel32.dll are both seen, as well as psapi.dll.

Doing a bit of research shows that psapi.dll is an api used for obtaining more information about processes and drivers. More information can be found on Microsoft's website.

Finally, the string explorer.exe can be seen. This could be a hint at which process is going to be targeted since the previous strings hint at the use of process injection. Overall, it is likely based on the strings that Lab12-01.dll will be injected into explorer.exe.

Strings analysis of Lab12-01.dll

Focusing on the strings found in Lab12-01.dll, date and time functions and strings are present. This could hint at the use of a schedule or saved event. Sleep is also found hinting at the possibilities of looped functions. Functions within the .dll also include several functions similar to those seen in the lab12-01.exe that may hint at DLL injection (such as LoadLibraryA, CreateThread). There are also functions for writing to file, getting file types, and strings relating to environment manipulation.

Finally, there are strings containing "Press OK to Reboot" and "Practical Malware Analysis %d". What this is used for is not 100% clear yet. However it is possible that that .dll may trick the user into rebooting.

 

Advanced Static Analysis (IDA)


Disassembling Lab12-01.exe

After loading Lab12-01.exe into IDA Pro, the main function (Seen Above) loads and confirms a few suspicions raised from the strings analysis. From the main function, first it can be seen that ProcName and LibFileName are both pushed with the values "EnumProcessModules" and "psapi.dll" respectively. As mentioned in the strings analysis, psapi.dll is a Microsoft library that assists in providing information on processes. With these values pushed to the stack, LoadLibraryA is then called.

Immediately after, GetProcAddress is called. It appears this is allowing the malware to gather information about the process its launched. It then searches for the current directory using GetCurrentDirectoryA, and then calls lstrcatA before pushing Lab12-01.dll. This sequence of commands appears to be using psapi.dll to find information on processes before calling Lab12-01.dll.

Following the graphical view in IDA Downwards, another set of instructions provides more clues. VirtualAllocEx is called and then WriteProcessMemory is called and then "kernel32.dll" is pushed. After, GetModleHandleA is called and "LoadLibraryA" is pushed. After, GetProcessAddress and CreateRemoteThread are called.

Searching for the string "explorer.exe" yields a function where OpenProcess is called in sub401000 and then further down, "explorer.exe" is pushed before then handle is later closed. Based on these actions with the previous searches for information about processes, it is likely that explorer.exe is being injected with the Lab12-01.dll.

Disassembling Lab 12-01.dll

Seen above are two of the results of searching for the strings found in the Lab12.01.dll file. In the first image, when searching for the string "Press OK to Reboot" a subroutine was found that created a text box. This was later seen to be a loop as seen in the second image. When the user closes the box, the malicious dll simply creates another text box.

Conclusion

Overall, Lab12-01.exe injects Lab12-01.dll into explorer.exe. After, the Lab12-01.dll spawns endless text boxes prompting the user to shutdown.

Dynamic Analysis


Upon loading the malware in Windows XP, all the malware seemed to do was create a popup box that said "Press OK to reboot". If the box was closed, another one would open and the counter in the top right hand corner would increment. Pressing OK did not do anything. Attempting to run the program a few different times resulted in it sometimes crashing or simply disappearing.

As seen below, the message box was a simple pop-up. However, when opening task manager, it can be seen that the Practical Malware Analysis has a application running. There is no icon and it uses little memory. When looking into the processes list, it can be seen that there is no actual process for this application. This is because as suspected in the static analysis, the processes injected itself into explorer.exe.

Conclusion


Overall the malware uses process injection in order to hide a .dll file in a running process and execute code. While this particular malware sample was just annoying, it demonstrates how malware may be able to hide or not appear to be running as a process.

Comparing the Application list in task manager showed that there was something running, and trying to close it was futile. If the user tried to close it using processes, they would not be able to find it running.