Lab 7-1

Analyze the malware found in the file Lab07-01.exe.

Questions

  1. How does this program ensure that it continues running (achieves persistence) when the computer is restarted?
    • it installs an autostart service
  2. Why does this program use a mutex?
    • to ensure that only one instance is executing in memory at a time
  3. What is a good host-based signature to use for detecting this program?
    • the service
  4. What is a good network-based signature for detecting this malware?
    • the URL
  5. What is the purpose of this program?
    • to DDoS the URL once the year 2100 arrives
  6. When will this program finish executing?
    • never

But first a static analysis with PEStudio!

  1. The file is not packed; PEiD shows nothing
    • the sections look normal
  2. Libraries:
    • it imports wininet, so it probably performs some kind of network activity
    • it imports advapi32, so it probably installs some registry keys
  3. Imports:
    • GetCurrentProcess: probably to inspect itself
    • the GetEnvironment* functions: to check the arguments
    • WriteFile: writes to a file, obviously
    • InternetOpenA/InternetOpenUrlA: all operations related to the Internet; perhaps it downloads something from the Internet
    • Sleep
    • StartServiceCtrlDispatcherA: used to achieve persistence by managing services
    • CreateMutexA: used to ensure that only one instance is running
    • LoadLibraryA: possibly used to load an external library. It is very common in packed malware, but this sample is not packed.
  4. Strings: the same as the imports, plus http://www.malwareanalysisbook.com/
    • other error messages related to the Internet, files and so on
    • MalService and Malservice: persistence is achieved by creating a service, so these could be the interesting names for the service
    • VC20XC00U: may be useful later
    • HGL345: a name for something, maybe the mutex?
    • Internet Explorer 8.0: a user agent
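The strings above are exactly what the host-based (question 3) and network-based (question 4) signatures are built from. The following script is an added example, not part of the lab or the book: it pulls printable ASCII and UTF-16LE strings out of a byte blob the way `strings` would, then checks the blob for the service name, the mutex name, the URL, the user agent and the suspicious imports noted above. The `SAMPLE` bytes are constructed to resemble the relevant parts of Lab07-01.exe; they are not the real file, and the indicator lists are just the values from these notes.

```python
"""Scan a binary blob for the host- and network-based indicators noted above.

Added example (not from the lab or the book). SAMPLE below is a constructed
stand-in for the relevant bytes of Lab07-01.exe, not the real file.
"""
import re

# Indicators taken from the strings/imports section of the notes.
HOST_INDICATORS = {
    "service_name": [b"MalService", b"Malservice"],
    "mutex_name": [b"HGL345"],
}
NETWORK_INDICATORS = {
    "url": [b"http://www.malwareanalysisbook.com/"],
    "user_agent": [b"Internet Explorer 8.0"],
}
SUSPICIOUS_IMPORTS = [b"CreateMutexA", b"StartServiceCtrlDispatcherA",
                      b"InternetOpenUrlA", b"InternetOpenA"]

# Runs of 4+ printable ASCII bytes, and 4+ printable chars in UTF-16LE
# (each printable byte followed by a NUL), the two forms `strings` reports.
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return the printable ASCII and UTF-16LE strings in data, in file order."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16le")) for m in WIDE_RE.finditer(data)]
    return [s for _, s in sorted(found) if len(s) >= min_len]


def match_indicators(data: bytes) -> dict:
    """Map each indicator category to the indicator strings present in data."""
    hits = {}
    for category, needles in list(HOST_INDICATORS.items()) + list(NETWORK_INDICATORS.items()):
        present = [n.decode() for n in needles if n in data]
        if present:
            hits[category] = present
    imports = [i.decode() for i in SUSPICIOUS_IMPORTS if i in data]
    if imports:
        hits["imports"] = imports
    return hits


# Constructed stand-in for the sample's bytes (NOT the real Lab07-01.exe):
# a fake header, an import-name area, the strings from the notes, and one
# UTF-16LE string to show the wide-string path.
SAMPLE = (b"MZ\x90\x00" + b"\x00" * 16
          + b"CreateMutexA\x00StartServiceCtrlDispatcherA\x00"
          + b"InternetOpenUrlA\x00InternetOpenA\x00"
          + b"HGL345\x00MalService\x00Malservice\x00"
          + b"http://www.malwareanalysisbook.com/\x00Internet Explorer 8.0\x00"
          + b"VC20XC00U\x00\x00"
          + "Wide Text".encode("utf-16le") + b"\x00\x00")

if __name__ == "__main__":
    for s in extract_strings(SAMPLE):
        print(s)
    print(match_indicators(SAMPLE))
```

Run it against a real file by replacing `SAMPLE` with `open(path, "rb").read()`. The service and mutex names answer question 3 (look for them in the service list and in the process's handle table), and the URL plus the user agent answer question 4 (look for them in proxy or IDS logs).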

Perhaps the malware could:

  1. Establish persistence by creating a malicious service
  2. Check that only one instance is executing; if not, exit
  3. Copy itself (?)
  4. Download and run something from http://www.malwareanalysisbook.com/
  5. Exit

With IDA:

  • in the main function it creates a new service called malwareservice, achieving persistence
  • then it calls sub_401040, which checks that only one instance of the malware is running by creating a mutex named HGL345; if not, it exits
  • then it creates a service named malwareservice
  • then it waits for the same date in the year 2100
  • then it sleeps for one year, so that it will act once 2100 has arrived
    • when it is 2100, it creates 20 threads that run forever; in the subroutine StartAddress each one requests the page at malwareanalysisbook.com
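The two behaviours found in IDA, the service install and the 20 threads hammering one URL, are what a defender would alert on. The following is an added example, not part of the lab or the book: it checks constructed host events for an install of a service with one of the names from the notes (using the usual Event ID 7045 "service was installed" record, flattened to key=value text for the example), and checks constructed proxy log lines for a single source making more than a threshold of requests per minute to malwareanalysisbook.com, flagging whether the "Internet Explorer 8.0" user agent was seen. The log lines, the IP addresses, the image path and the threshold of 50 requests per minute are all assumptions made for the example.

```python
"""Detect the behaviours the IDA walk-through describes: the service install
(host side) and a flood of requests to one URL from one host (network side).

Added example, not from the lab or the book. All log lines are constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime

SERVICE_NAMES = {"MalService", "Malservice"}      # names from the strings section
TARGET_HOST = "www.malwareanalysisbook.com"         # URL from the strings section
MALWARE_UA = "Internet Explorer 8.0"                # user agent from the strings section
RATE_THRESHOLD = 50   # requests per source per minute; assumed tuning value

# Constructed host events: 7045 = "a service was installed in the system",
# 7036 = a service state change. Paths and names are made up for the example.
HOST_EVENTS = [
    "EventID=7045 ServiceName=Spooler ImagePath=C:\\Windows\\System32\\spoolsv.exe",
    "EventID=7045 ServiceName=MalService ImagePath=C:\\Users\\lab\\Lab07-01.exe",
    "EventID=7036 ServiceName=MalService State=running",
]


def parse_kv(line: str) -> dict:
    """Split a 'key=value key=value' event line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def service_install_alerts(events) -> list:
    """Return (service name, image path) for each install of a known bad service name."""
    alerts = []
    for line in events:
        rec = parse_kv(line)
        if rec.get("EventID") == "7045" and rec.get("ServiceName") in SERVICE_NAMES:
            alerts.append((rec["ServiceName"], rec.get("ImagePath", "")))
    return alerts


def build_proxy_log() -> list:
    """Constructed proxy log (tab-separated: timestamp, source, URL, user agent).

    10.0.0.5 floods the URL with the malware's user agent, as the 20 threads
    would; 10.0.0.9 visits it three times with an ordinary browser.
    """
    lines = []
    for i in range(60):
        lines.append(f"2024-05-01T12:00:{i:02d}\t10.0.0.5\thttp://{TARGET_HOST}/\t{MALWARE_UA}")
    for i in range(3):
        lines.append(f"2024-05-01T12:0{i}:10\t10.0.0.9\thttp://{TARGET_HOST}/\tMozilla/5.0")
    return lines


def flood_alerts(lines, threshold: int = RATE_THRESHOLD) -> list:
    """Return (source, minute, count, malware_ua_seen) for every source that made
    more than `threshold` requests to TARGET_HOST within one minute."""
    per_minute = Counter()
    ua_seen = defaultdict(set)
    for line in lines:
        ts, src, url, ua = line.split("\t")
        if TARGET_HOST not in url:
            continue
        minute = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H:%M")
        per_minute[(src, minute)] += 1
        ua_seen[src].add(ua)
    return [(src, minute, n, MALWARE_UA in ua_seen[src])
            for (src, minute), n in sorted(per_minute.items()) if n > threshold]


if __name__ == "__main__":
    print("service installs:", service_install_alerts(HOST_EVENTS))
    print("floods:", flood_alerts(build_proxy_log()))
```

The rate check matters more than the user agent alone: a single visit to the URL with that user agent is a weak indicator, while tens of requests per minute from one host to one page, sustained indefinitely, is the DDoS behaviour the 20 threads produce and is what the network signature should key on.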