Lab 6-4

In this lab, we’ll analyze the malware found in the file Lab06-04.exe.

Questions

  1. What is the difference between the calls made from the main method in Labs 6-3 and 6-4? No big differences, except for addresses

  2. What new code construct has been added to main? For loop

  3. What is the difference between this lab’s parse HTML function and those of the previous labs? The user agent now takes a new parameter, an integer, which is included in the request

  4. How long will this program run? (Assume that it is connected to the Internet.) 24 hours

  5. Are there any new network-based indicators for this malware?
    • a check whether the Internet connection is up
    • the string http://www.practicalmalwareanalysis.com/cc.htm
    • WININET
  6. What is the purpose of this malware? Executing the will of the original malware’s author.

But first a static analysis with PEStudio!

  1. The file is not packed; PEiD shows nothing
    • sections look fine
  2. Libraries:
    • it has wininet, so probably performs some kind of network activity
    • it has advapi32, so probably installs some reg keys
  3. Imports:
    • GetCurrentProcess: probably used to check itself
    • GetEnvironment* functions: check the arguments
    • WriteFile: duh
    • InternetOpen/InternetClose/InternetRead/InternetGetConnected: all Internet-related operations; perhaps it downloads something from the Internet
    • Sleep
  4. Strings: same as the imports + http://www.practicalmalwareanalysis.com/cc.htm
    • Success: Parsed command is %c: probably used by a reverse shell
    • other error messages, related to the Internet, files and so on
    • Internet Explorer 7.5/pma: probably a user agent
    • C:\Temp\cc.exe: it probably copies itself here
    • Software\Microsoft\Windows\CurrentVersion\Run: persistence mechanism
    • VC20XC00U: maybe it could be useful later

Perhaps the malware could:

  1. Check whether there is an Internet connection
  2. Download a file from http://www.practicalmalwareanalysis.com/cc.htm
  3. Perform an action depending on the letter (5 possible actions)
  4. Close itself

By using IDA:

  • it first checks the connection. If there’s no Internet, it exits. If there is:
    • it repeats the following 1440 times, so 1 command every minute (over 24 hours)
      • composes the user agent string with a number passed as argument
      • downloads the cc file
      • reads the cc file, ignores the comment syntax and prints the fifth character
      • if a letter is passed, it says “parsed command is whatever”
      • we now have a switch case:
        • a: create a directory with pathname C:\Temp
        • b: copy a file from a specific location to C:\Temp\cc.exe
        • c: delete the file C:\Temp\cc.exe
        • d: create a new registry key called “Malware” under “Software\Microsoft\Windows\CurrentVersion\Run”, with “C:\Temp\cc.exe” as the executable
          • it also checks whether each step succeeded; if not, it prints an error message
        • default: sleep 100 seconds
        • if not a valid character, it prints “not a valid command provided”
      • it sleeps for 60 seconds
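To turn the behaviour above (and the network indicators from question 5) into something a defender can run, here is an added Python example that is not part of the original write-up or of the lab sample. It does two things: it extracts the command letter from a cc.htm-style body the way the analysis describes (the letter is read as the fifth character of the HTML comment, i.e. the byte right after `<!--`, which is an assumption based on the “fifth character” remark), maps it to the actions listed in the switch-case, and it scans constructed proxy log lines for the beaconing pattern: the `Internet Explorer 7.5/pma<counter>` user agent with a counter that increments by one at roughly 60-second intervals toward cc.htm. The log format, the sample body and the IP addresses are all constructed for the example.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample cc.htm body (not the real page). The command letter is
# the character immediately after the comment opener "<!--".
SAMPLE_CC_HTM = "<html><body><!--d--></body></html>"

# Actions exactly as enumerated in the write-up's switch-case analysis.
COMMANDS = {
    "a": "create directory C:\\Temp",
    "b": "copy file to C:\\Temp\\cc.exe",
    "c": "delete C:\\Temp\\cc.exe",
    "d": "create Run key 'Malware' pointing at C:\\Temp\\cc.exe",
}


def parse_command(body: str) -> Optional[str]:
    """Return the command letter from a cc.htm body, or None if no comment is present.
    Assumption: the letter is the fifth character of the comment, i.e. right after '<!--'."""
    idx = body.find("<!--")
    if idx == -1 or idx + 4 >= len(body):
        return None
    return body[idx + 4]


def describe_command(letter: Optional[str]) -> str:
    """Human-readable meaning of a parsed command letter, mirroring the sample's messages."""
    if letter is None:
        return "no command found"
    return COMMANDS.get(letter, "not a valid command provided")


# Constructed proxy log: "<iso timestamp> <client ip> <url> \"<user agent>\""
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 http://www.practicalmalwareanalysis.com/cc.htm "Internet Explorer 7.5/pma0"
2024-01-01T10:01:00 10.0.0.5 http://www.practicalmalwareanalysis.com/cc.htm "Internet Explorer 7.5/pma1"
2024-01-01T10:02:01 10.0.0.5 http://www.practicalmalwareanalysis.com/cc.htm "Internet Explorer 7.5/pma2"
2024-01-01T10:02:30 10.0.0.7 http://example.com/index.html "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')
# User agent string from the lab, followed by the per-iteration counter.
UA_RE = re.compile(r"^Internet Explorer 7\.5/pma(\d+)$")
CC_URL = "http://www.practicalmalwareanalysis.com/cc.htm"


def detect_pma_beacons(log_text: str, max_gap_s: float = 90.0) -> Dict[str, int]:
    """Count consecutive beacon pairs per source IP.

    A pair counts when both requests go to cc.htm, carry the pma user agent,
    the counter increases by exactly one, and the gap is within max_gap_s
    (the sample sleeps 60 seconds between iterations).
    """
    events: Dict[str, List[Tuple[datetime, int]]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["url"] != CC_URL:
            continue
        ua = UA_RE.match(m["ua"])
        if ua is None:
            continue
        events.setdefault(m["src"], []).append(
            (datetime.fromisoformat(m["ts"]), int(ua.group(1)))
        )

    alerts: Dict[str, int] = {}
    for src, evs in events.items():
        evs.sort()
        pairs = 0
        for (t0, n0), (t1, n1) in zip(evs, evs[1:]):
            gap = (t1 - t0).total_seconds()
            if n1 == n0 + 1 and 0 < gap <= max_gap_s:
                pairs += 1
        if pairs:
            alerts[src] = pairs
    return alerts


if __name__ == "__main__":
    letter = parse_command(SAMPLE_CC_HTM)
    print(f"parsed command {letter!r}: {describe_command(letter)}")
    for src, pairs in detect_pma_beacons(SAMPLE_LOG).items():
        print(f"{src}: {pairs} consecutive pma beacon(s) to cc.htm")
```

The counter check is what makes this more useful than a plain string match on the user agent: because the sample passes the loop index into the request, a host that is genuinely running the loop produces a strictly increasing sequence at about one request per minute, which is hard to confuse with a single stray request containing the same string.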