Lab 7-3
For this lab, we obtained the malicious executable, Lab07-03.exe, and DLL, Lab07-03.dll, prior to executing. This is important to note because the malware might change once it runs. Both files were found in the same directory on the victim machine. If you run the program, you should ensure that both files are in the same directory on the analysis machine. A visible IP string beginning with 127 (a loopback address) connects to the local machine. (In the real version of this malware, this address connects to a remote machine, but we’ve set it to connect to localhost to protect you.)
WARNING This lab may cause considerable damage to your computer and may be difficult to remove once installed. Do not run this file without a virtual machine with a snapshot taken prior to execution.
This lab may be a bit more challenging than previous ones. You’ll need to use a combination of static and dynamic methods, and focus on the big picture in order to avoid getting bogged down by the details.
Questions
- How does this program achieve persistence to ensure that it continues running when the computer is restarted?
- What are two good host-based signatures for this malware?
- What is the purpose of this program?
- How could you remove this malware once it is installed?
But first, a static analysis with PEStudio!
- The file is not packed; PEiD shows nothing
- Sections look OK
- Libraries:
  - msvcrt: C runtime library functions of various kinds
  - kernel32: create/modify functions
- Imports:
  - CopyFile
  - CloseFile
  - Create/Map/UnmapViewOfFile: deal with memory allocation (file mapping)
  - malloc
- Strings:
  - kerne132.dll
  - kernel32.dll
  - Kernel32.
  - C:\*
  - C:\windows\system32\kerne132.dll
  - Lab07-03.dll
  - C:\Windows\System32\Kernel32.dll
  - WARNING_THIS_WILL_DESTROY_YOUR_MACHINE
In the DLL:
- Libraries:
  - WS2_32.dll ⇒ network sockets
  - KERNEL32.dll ⇒ mutex
  - MSVCRT.dll ⇒ memory management
- Imports:
  - CreateMutex / OpenMutex
- Strings:
  - SADFHUHF
  - exec
  - sleep
  - CreateProcess
  - 127.26.152.13
Perhaps the malware could:
- Instantiate persistence by creating a bad service (?)
- Check all files on the hard disk, and rename only kernel32 to kerne132
- Check with a mutex called SADFHUHF that it is running only once; if not, exit
- Instantiate a socket to 127.26.152.13
- Listen for commands through a reverse shell
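As an added example, not part of the lab files or of these notes, here is a small disk-side check for the two artifacts the strings above suggest: executables whose bytes reference the typosquatted kerne132.dll name, and the dropped copy at System32\kerne132.dll. It also shows the length-preserving rename back to kernel32.dll; the sample files it scans are constructed in a scratch directory, and the mutex name cannot be found on disk.

```python
import os
import re
import tempfile
from pathlib import Path

# Signature strings taken from the notes above. Note the digit '1' in place of
# 'l' in the DLL name; the mutex is listed only for reference (runtime artifact).
SUSPECT_DLL = "kerne132.dll"
SUSPECT_MUTEX = "SADFHUHF"

# Case-insensitive ASCII match, since the strings list both lower- and mixed-case
# spellings of the DLL name.
_DLL_RE = re.compile(re.escape(SUSPECT_DLL).encode("ascii"), re.IGNORECASE)

def file_references_kerne132(path):
    """True if the file's raw bytes contain the typosquatted DLL name."""
    with open(path, "rb") as fh:
        return _DLL_RE.search(fh.read()) is not None

def scan_tree(root):
    """Walk a directory tree and list files that reference kerne132.dll."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                if file_references_kerne132(p):
                    hits.append(p)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
    return sorted(hits)

def dropped_dll_present(system32=r"C:\Windows\System32"):
    """Second host-based signature: the copied DLL under System32."""
    return os.path.exists(os.path.join(system32, SUSPECT_DLL))

def patch_import_name(data):
    """Revert kerne132.dll -> kernel32.dll in a byte string, keeping the
    original length (and case) so an import-table entry stays valid."""
    def fix(m):
        s = m.group(0)
        return s[:5] + (b"L" if s[:5].isupper() else b"l") + s[6:]
    return _DLL_RE.sub(fix, data)

def demo():
    """Run the checks over constructed sample files in a scratch directory."""
    root = tempfile.mkdtemp(prefix="lab7_3_")
    Path(root, "infected.exe").write_bytes(b"MZ\x90\x00 ... Kerne132.dll\x00")
    Path(root, "clean.exe").write_bytes(b"MZ\x90\x00 ... kernel32.dll\x00")
    Path(root, SUSPECT_DLL).write_bytes(b"MZ constructed dropped copy")
    hits = [os.path.basename(h) for h in scan_tree(root)]
    return {"hits": hits, "dropped": dropped_dll_present(root)}
```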
By using IDA:
- In the main function, if the program is called without the WARNING_THIS… argument, it exits.
- Then it calls sub_401040, which checks that only one instance of the malware is running by creating a mutex named HGL345; if the mutex already exists, it exits.
- Then it creates a service named malwareservice.
- Then it waits for the same date in 2100.
- Then it sleeps for one year at a time, so that once 2100 arrives it will do its work.
- If it is 2100, it creates 20 threads in an infinite loop; each thread runs the subroutine StartAddress, which requests the page malwareanalysisbook.com.