Lab 6-2

Analyze the malware found in the file Lab06-02.exe.

Questions

  1. What operation does the first subroutine called by main perform?
    • It checks whether the Internet connection is up
  2. What is the subroutine located at 0x40117F?
    • printf
  3. What does the second subroutine called by main do?
    • It downloads the cc.htm file
    • Yes, but it also parses an HTML comment in the downloaded file (<!-- opens a comment)
  4. What type of code construct is used in this subroutine?
    • switch case?
  5. Are there any network-based indicators for this program?
    • Well, I've used FakeNet and I've discovered that it connects to the URL
    • Furthermore, the wininet imports and the URL and User-Agent strings found statically point to network activity
  6. What is the purpose of this malware?
    • Check whether the Internet connection is up; if it is, download cc.htm, parse the HTML comment in it and print the single command character it carries

But first, a static analysis with PEStudio!

  1. The file is not packed; PEiD shows nothing
    • the sections look normal
  2. Libraries: it imports wininet, so it probably performs some kind of network activity
  3. Imports:
    • GetCurrentProcess: probably to inspect its own process
    • the GetEnvironment* functions: to read the environment/arguments
    • WriteFile: obviously
    • InternetOpenA/InternetCloseHandle/InternetReadFile/InternetGetConnectedState: all Internet-related operations, so perhaps it downloads something from the Internet
    • Sleep
  4. Strings: the same names as the imports, plus http://www.practicalmalwareanalysis.com/cc.htm
    • "Success: Parsed command is %c": probably used by a reverse shell
    • other error messages, related to the Internet, files and so on
    • "Internet Explorer 7.5/pma": probably a User-Agent string

Perhaps the malware could:

  1. Check whether there is an Internet connection or not
  2. Check whether multiple instances are running and, if so, quit (to ensure only one runs at a time)
  3. Download the file from http://www.practicalmalwareanalysis.com/cc.htm
  4. Act as a remote shell that can execute commands

Let’s see if this is true:

  • With FakeNet running, by executing the malware I find out that it prints "connection up"
  • With FakeNet running, I discover that the exe hijacks svchost.exe and requests the cc.htm file with the User-Agent Internet Explorer 7.5/pma
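The two network-based indicators that fall out of the strings and the FakeNet run (the User-Agent "Internet Explorer 7.5/pma" and the URL http://www.practicalmalwareanalysis.com/cc.htm) are easy to turn into a detection. The script below is an added example written for these notes, not code from the lab or the book: it parses a constructed proxy-style log (the log lines, hosts and format are made up here) and flags each request that matches either indicator. No Internet Explorer 7.5 was ever released and the "/pma" suffix is specific to this sample, so a User-Agent match alone is a strong hit; the URL match is weaker on its own because the same host serves other lab samples.

```python
import re

# Network-based indicators recovered from the strings and the FakeNet run.
IOC_USER_AGENT = "Internet Explorer 7.5/pma"
IOC_URL = "http://www.practicalmalwareanalysis.com/cc.htm"

# Constructed sample log in a simple "src method url "user-agent"" shape.
# These lines are invented for the example, not captured from the lab.
SAMPLE_LOG = """\
10.0.0.5 GET http://www.practicalmalwareanalysis.com/cc.htm "Internet Explorer 7.5/pma"
10.0.0.7 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
10.0.0.5 GET http://www.practicalmalwareanalysis.com/ "Internet Explorer 7.5/pma"
10.0.0.9 GET http://www.practicalmalwareanalysis.com/cc.htm "Mozilla/5.0"
this line is not in the expected format
"""

# One regex for the assumed log layout; lines that do not match are skipped.
LINE_RE = re.compile(r'^(?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def parse_line(line):
    """Split one log line into its fields, or return None if it is malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def match_indicators(log_text):
    """Return one hit per log line that matches the User-Agent and/or the URL IOC.

    Each hit records the source address, the URL and which indicators fired,
    so the analyst can tell a strong (user-agent) hit from a weak (url-only) one.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["ua"] == IOC_USER_AGENT:
            reasons.append("user-agent")
        if rec["url"] == IOC_URL:
            reasons.append("url")
        if reasons:
            hits.append({"src": rec["src"], "url": rec["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in match_indicators(SAMPLE_LOG):
        print(f'{hit["src"]} -> {hit["url"]} [{", ".join(hit["reasons"])}]')
```

Exact string comparison is used on purpose: a substring match on "Internet Explorer" would fire on legitimate browsers, while the full "Internet Explorer 7.5/pma" value does not occur outside this sample.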

By using IDA:

  • it first checks the connection
  • it downloads the cc.htm file
  • it reads the cc.htm file, checks for the HTML comment opener (<!--) and prints the fifth character, the one right after it
  • if a command is found, it prints "Success: Parsed command is" followed by that character
  • it sleeps for 60 seconds
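To make the "comment parser" concrete, here is a Python re-implementation of the check described above, written as an added example for these notes (it is not the sample's code and is not a decompilation): the downloaded page must begin with the four bytes "<!--", and the fifth byte is the command. The helper craft_cc_page is an assumption of mine about how an analyst would feed the success path, for example by serving the crafted body as cc.htm from a local fake web server; the sample page contents are constructed, not taken from the real URL. The sample's own error messages on the failure path are not reproduced, only the outcome (no command).

```python
COMMENT_PREFIX = b"<!--"
CMD_OFFSET = len(COMMENT_PREFIX)  # index 4, i.e. the fifth byte of the page


def parse_command(page: bytes):
    """Return the one-character command carried by a cc.htm body, or None.

    Mirrors the logic recovered in IDA: the page must start with the HTML
    comment opener and the byte right after it is the command. A comment
    that appears later in the page, or a page shorter than five bytes,
    yields no command (the sample takes its error path in that case).
    """
    if len(page) <= CMD_OFFSET:
        return None
    if page[:CMD_OFFSET] != COMMENT_PREFIX:
        return None
    return chr(page[CMD_OFFSET])


def craft_cc_page(command: str) -> bytes:
    """Build a cc.htm body that satisfies parse_command for a chosen command.

    Assumed analyst helper: serve the result from a local fake web server
    so the sample's success path ("Success: Parsed command is %c") is hit
    under instrumentation instead of the real C&C page.
    """
    if len(command) != 1 or not command.isascii():
        raise ValueError("command must be exactly one ASCII character")
    return COMMENT_PREFIX + command.encode("ascii") + b" -->\n<html><body></body></html>\n"


# Constructed page bodies covering the success path and the ways the check fails.
SAMPLE_PAGES = {
    "comment-first": b"<!--A -->\n<html><body>Nothing to see</body></html>",
    "no-comment": b"<html><body>Nothing to see</body></html>",
    "comment-later": b"<html><!--A --></html>",
    "too-short": b"<!--",
}


if __name__ == "__main__":
    for name, body in SAMPLE_PAGES.items():
        print(f"{name:14s} -> {parse_command(body)!r}")
    print("crafted       ->", parse_command(craft_cc_page("Z")))
```

Note that nothing after the fifth byte matters to the check, which is why the real page can look like an ordinary HTML file to anyone who opens it in a browser: the command hides inside a comment that the browser never renders.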

What I got wrong: I saw "Command", therefore I thought it was a reverse shell. It is not. Furthermore, I didn't recognize the HTML parser at first sight.