Lab 6-3

In this lab, we’ll analyze the malware found in the file Lab06-03.exe.

Questions

  1. Compare the calls in main to Lab 6-2’s main method. What is the new function called from main?
    • 401130
  2. What parameters does this new function take?
    • character, filepath (buffer)
  3. What major code construct does this function contain?
    • switch?
  4. What can this function do?
    • execute a specific operation based on the character after the HTML comment
  5. Are there any host-based indicators for this malware?
    • same as before, + register things
  6. What is the purpose of this malware?
    • executing the attacker’s will: the command placed in the attacker’s webpage right after the HTML comment marker

But first a static analysis with PEStudio!

  1. File is not packed, PEiD won’t show anything
    • sections are ok
  2. Libraries:
    • it has wininet, so probably performs some kind of network activity
    • it has advapi32, so probably installs some reg keys
  3. Imports:
    • GetCurrentProcess: probably to check itself
    • GetEnvironment* functions: check the arguments
    • WriteFile: duh
    • InternetOpen/InternetClose/InternetRead/InternetGetConnected: all operations related to Internet, perhaps it downloads something from the internet
    • Sleep
  4. Strings: same as the imports + http://www.practicalmalwareanalysis.com/cc.htm
    • Success: Parsed command is %c: probably used a reverse shell
    • Other error messages, related to internet, files and so on
    • Internet Explorer 7.5/pma probably a user agent
    • C:\Temp\cc.exe: it probably copies itself here
    • Software\Microsoft\Windows\CurrentVersion\Run: persistence mechanism

Perhaps the malware could:

  1. Check if there is internet connection or not
  2. Download file from http://www.practicalmalwareanalysis.com/cc.htm
  3. Perform an action depending on the letter
  4. Sleep for 60 seconds
  5. Close itself

By using IDA:

  • it first checks the connection
  • it downloads the cc file
  • it reads the cc file, skips the comment syntax and prints the fifth character
  • if a letter is passed, then it says “parsed command is whatever”
  • we now have a switch case:
    • a: create a directory with pathname C:\Temp
    • b: copy the file from its current location to C:\Temp\cc.exe
    • c: delete the file C:\Temp\cc.exe
    • d: create a new registry value called “Malware” under “Software\Microsoft\Windows\CurrentVersion\Run”, with “C:\Temp\cc.exe” as the executable
      • it also checks whether everything succeeded; if not, it prints an error message
    • default: sleep 100 seconds
    • if not a valid character, it prints “not a valid command provided”
  • it sleeps for 100 seconds
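To make the parsing step concrete for triage, here is an added Python helper (my own code, not the lab’s binary or the book’s solution) that reproduces only the command-extraction logic described above: it takes the body of a fetched cc.htm, checks for the leading `<!--` marker, pulls the fifth character, and reports which switch branch the sample would take. It assumes, as the notes say, that the comment marker sits at the very start of the page; the sample pages below are constructed, not real captures, and nothing here performs the actions (no directory, file or registry change).

```python
"""Triage helper for Lab06-03: map a captured cc.htm to the switch branch the
sample would take. Added example, not the lab's own code."""

from typing import Optional

COMMENT_MARKER = "<!--"

# Branches as described in the IDA walkthrough above (character -> behaviour).
ACTIONS = {
    "a": "create directory C:\\Temp",
    "b": "copy own executable to C:\\Temp\\cc.exe",
    "c": "delete C:\\Temp\\cc.exe",
    "d": "set Run value 'Malware' -> C:\\Temp\\cc.exe (persistence)",
}
INVALID = "not a valid command provided"


def parse_command(page: str) -> Optional[str]:
    """Return the command character: the byte right after a leading '<!--'
    (the fifth character of the page). Returns None when the page does not
    start with the marker or is too short to carry a command (assumed
    behaviour: the notes only say the fifth character is printed)."""
    if not page.startswith(COMMENT_MARKER):
        return None
    if len(page) <= len(COMMENT_MARKER):
        return None
    return page[len(COMMENT_MARKER)]


def describe(page: str) -> str:
    """Human-readable triage line mirroring the 'Parsed command is %c' string."""
    cmd = parse_command(page)
    if cmd is None:
        return "no command: page does not begin with '<!--'"
    return f"Parsed command is {cmd}: {ACTIONS.get(cmd, INVALID)}"


# Constructed sample pages (not real captures of cc.htm).
SAMPLES = {
    "persist": "<!--d--><html><body>hello</body></html>",
    "mkdir": "<!--a-->",
    "unknown": "<!--z-->",
    "plain": "<html><body>no marker here</body></html>",
    "truncated": "<!--",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:10s} {describe(body)}")
```

Run it against the saved page from a sandbox capture (or the samples above) to confirm which branch a given response would trigger before letting the sample run; the `d` branch is the one that leaves the Run-key indicator listed under host-based indicators.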