Practical Malware Analysis - LAB01

Basic Static Analysis:

Let's jump into the labs of the PMA (Practical Malware Analysis). You can revise you basic concepts about the malware analysis from blog. Outdated tools were used in the book So, I'll be using some latest tools which provides us the same results. Labs can be downloaded from PMA Labs.

Tools:

Following tools are used throughout the Lab-01.

  • PEStudio
  • DIE (Detect it easy)
  • Virus Total
  • upx

Lab-01:

Binary Name: Lab01-01.dll
Question1: Upload the files to http://www.VirusTotal.com/ and view the reports. Does 
either file match any existing antivirus signatures?
Ans: Open the file the file in PEStudio.exe to find out the hash of file.

Figure 1

As you can see in Figure 1 hashes are highlighted. Use any one of hash or click on the URL to find match for any existing antivirus signatures. You can also take help from PEStudio.exe to collect the virus total information as shown in the following figure. There are 40 antivirus detected this file as malicious.

Figure 2


Question2: When were these files compiled?
Ans: This information can be extracted from Virustotal as well as using the PEStudio.exe. Compiled time of binary is 'Sun Dec 19 21:16:38 2010'.

Figure 3


Question3:Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?
Ans: You can easily identify the packed binary using the entropy. If entropy is greater than 5 it means that file is obfuscated or packed. Following figure shows the entropy is less than 5 so binary is not packed/obfuscated.

Figure 4

Question4:Do any imports hint at what this malware does? If so, which imports are they?
Ans: Strings of binary as well as import/exports help us to answer this question. You can see in the following figure.
  • CreateMutex: Create the mutex on the host.
  • OpenMutex: Open the mutex on the host.
  • CreateProcess: Launch the process on the host.
  • WS2_32.dll: Dll is used to establish the network connection.

Figure 5
Question5:Are there any other files or host-based indicators that you could look for on infected systems?
Ans: Filename or hashes can be used to look for infected systems. Yara rule is the best tool to sweep on the host. In later blogs we'll learn about the Yara rules.

Question6:What network-based indicators could be used to find this malware on infected machines?
Ans: We can easily identify the IP address in strings for the network based IOC.

Figure 6

Question7:What would you guess is the purpose of these files?
Ans: The DLL file appears to launch a process, create a mutex to mark an infected host, and establish connection to an IP address (might be the address of C2).

Lab02: 

Binary Name:  Lab01-02.exe
I would not attach the screenshots to keep the blog short. You can follow the steps of Lab01 to get an idea from where you can extract the relevant information.

Question1:Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
Ans: There are 55 antivirus who marked this binary as malicious.

Question2: Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
Ans: Yes, the binary is packed as the entropy is greater than 5. 

Figure 7

You can also use the die.exe to understand the packing algorithm. 

Figure 8

In order to unpack the binary we'll use upx.exe. Open the cmd.exe with admin privileges. Use the following command to unpack the binary.

Command: upx.exe -d [FileName] -o [NewFileName]


Question3: Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
Ans: Binary include the following imports
  • CreateService: Create the new service on the host.
  • InternetOpen: Initializes an application's use of the Win32 Internet functions.
  • VirtualAlloc: Reserve the virtual address for the binary.
  • GetProcAddress: To retrieve the memory address of the binary.
Question4:What host- or network-based indicators could be used to identify this malware on infected machines?
Ans: From strings it can be easily guessable. network base IOC is 'http[:]//www.walwareanalysisbook[.]com' but it is in junks.


Lab03 & Lab04:
Leaving these labs for you guys to practice. Feel free to back to us for any query.
You can also watch the demonstration videos on our YouTube channel. LearnwithUzair



Comments

Post a Comment

Popular posts from this blog

Analyzing Spear Phishing Email

Image
Phishing is the technique of fraudulent attempt by the attacker to obtain sensitive and confidential information i.e. Credentials, PII information, credit card, bank details. It can also be targeted attack to focus on the specific organization of individual. The attacker often tailors an email to speak directory to targeted user. There are many types of phishing as follow. I wouldn't explain the types. You can read Here . In this article you'll learn how to analyze the sophisticated phishing email. So, Let's start the case study to explain.  Spearphising :  Spearphising is the technique in which attacker aims at one person and lures him/her into providing confidential data. Attacker compile the email according to the specific user. The email would consist some of the target's email, username, designation.  Case Study: User receive the spearphising email containing the PDF attachment with double extension. Email body contains the unprofessional statement "Kindly m
Read more

Cyber Threat Intel

Image
What is Cyber Threat Intel? Threat intel is the information about the threats. Cyber threat intel is used to better understand, predict and adopt to the behavior of malicious actors. It plays an important role in preventing the zero-day attacks. " Threat information that has been aggregated, transformed, analyzed, interpreted, or enriched to provide the necessary context for decision-making processes " (NIST). Threat Intel life Cycle: Intelligence lifecycle is the process of developing raw information into finished intelligence for policymaker to use in decision making and action. CTI Life Cycle Planning and Direction Planning and direction helps in setting up the goals for the threat intel program. Priorities and requirements are defined in this phase. Collection: Collection means gathering of data to produce the finished intelligence. Data includes logs(Firewall, IPS/IDS, Endpoints), threat feeds and OSINT(reports, social media, public forums). Collection Types of Collectio
Read more

Practical Malware Analysis (Introductory)

Hi folks, just started the series on PMA (Practical Malware Analysis) . Being an analyst i would recommend to gain expertise on "Malware Analysis". This blog help us to quick recap the concepts of malware as well as from analysis perspective. We'll start from basic and proceed towards advance level. Introduction: Malware refers to "Malicious Binary" which is instructive by the threat actors (called as "Hackers" ) to achieve their motives. Motives can be vary like it could be data stealing, damage/destroy organization systems. Viruses Worms Trojan Spyware Adware Ransomware Aforementioned names are the malware types which is collectively called "Malware". Let's jump into the main topic of this blog without going into the details. Malware Analysis: Malware analysis is the process of understanding the working flow/behavior/malicious activity of malware. The results of the malware analysis help the analysts to detect and prevent the threats.
Read more