Practical Malware Analysis - LAB01
Basic Static Analysis:
Let's jump into the labs of the PMA (Practical Malware Analysis). You can revise you basic concepts about the malware analysis from blog. Outdated tools were used in the book So, I'll be using some latest tools which provides us the same results. Labs can be downloaded from PMA Labs.
Tools:
Following tools are used throughout the Lab-01.
- PEStudio
- DIE (Detect it easy)
- Virus Total
- upx
Lab-01:
Binary Name: Lab01-01.dll
Question1: Upload the files to http://www.VirusTotal.com/ and view the reports. Does
either file match any existing antivirus signatures?
Ans: Open the file the file in PEStudio.exe to find out the hash of file.
Figure 1 |
As you can see in Figure 1 hashes are highlighted. Use any one of hash or click on the URL to find match for any existing antivirus signatures. You can also take help from PEStudio.exe to collect the virus total information as shown in the following figure. There are 40 antivirus detected this file as malicious.
Figure 2 |
Question2: When were these files compiled?
Ans: This information can be extracted from Virustotal as well as using the PEStudio.exe. Compiled time of binary is 'Sun Dec 19 21:16:38 2010'.
Figure 3 |
Question3:Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?
Ans: You can easily identify the packed binary using the entropy. If entropy is greater than 5 it means that file is obfuscated or packed. Following figure shows the entropy is less than 5 so binary is not packed/obfuscated.
Figure 4 |
Question4:Do any imports hint at what this malware does? If so, which imports are they?
Ans: Strings of binary as well as import/exports help us to answer this question. You can see in the following figure.
- CreateMutex: Create the mutex on the host.
- OpenMutex: Open the mutex on the host.
- CreateProcess: Launch the process on the host.
- WS2_32.dll: Dll is used to establish the network connection.
Figure 5 |
Question5:Are there any other files or host-based indicators that you could look for on infected systems?
Ans: Filename or hashes can be used to look for infected systems. Yara rule is the best tool to sweep on the host. In later blogs we'll learn about the Yara rules.
Question6:What network-based indicators could be used to find this malware on infected machines?
Ans: We can easily identify the IP address in strings for the network based IOC.
Figure 6 |
Question7:What would you guess is the purpose of these files?
Ans: The DLL file appears to launch a process, create a mutex to mark an infected host, and establish connection to an IP address (might be the address of C2).
Lab02:
Binary Name: Lab01-02.exe
I would not attach the screenshots to keep the blog short. You can follow the steps of Lab01 to get an idea from where you can extract the relevant information.
Question1:Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
Ans: There are 55 antivirus who marked this binary as malicious.
Question2: Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
Ans: Yes, the binary is packed as the entropy is greater than 5.
Figure 7 |
You can also use the die.exe to understand the packing algorithm.
Command: upx.exe -d [FileName] -o [NewFileName]
Question3: Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
Ans: Binary include the following imports
- CreateService: Create the new service on the host.
- InternetOpen: Initializes an application's use of the Win32 Internet functions.
- VirtualAlloc: Reserve the virtual address for the binary.
- GetProcAddress: To retrieve the memory address of the binary.
Question4:What host- or network-based indicators could be used to identify this malware on infected machines?
Ans: From strings it can be easily guessable. network base IOC is 'http[:]//www.walwareanalysisbook[.]com' but it is in junks.
Lab03 & Lab04:
Leaving these labs for you guys to practice. Feel free to back to us for any query.
You can also watch the demonstration videos on our YouTube channel. LearnwithUzair
Comments
Post a Comment