Basic Static Analysis Techniques
- Fingerprint
- strings
- Portable Executable (PE) header format
- Dynamically Linked Functions with Dependency Walker
- PE File Headers and Sections
- Viewing the Resource Section with Resource Hacker
All lab resources: https://github.com/RPISEC/Malware
Lab 1-1
- Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?
MD5 4280aac55c1d3c327a6c00f0f0085677
SHA-1 e006036ff66277bda3e811b260a6441aec64dc73
SHA-256 84b7967aad00e982842045e7b9744af0a457d46bba70456e5f99e7eb9cd783c7
Vhash 083046551d151az1e15fz23z15z87z
Authentihash c0928c684fad6bb79f9af6383dadaf946ecf69bb13ea15845b21d38130ca8573
Imphash 959711e93a68941639fd8b7fba3ca28f
Rich PE header hash 149f7b871ebdd37754cb4ab48ec05b74
SSDEEP 96:UHAda4xt6WvkZq2yPJbKrApZyRKONWwdxbpMSnaXpMSD+H57PtboynFj8M:utbjQwMPK1buxueQ57P1oynKM
TLSH T116F1B407CD4304F3E29C0DF116C7CABA4BBA4567329269FFDF62CCE0A8A1215B496658
File type Win32 EXE
Magic PE32 executable for MS Windows (GUI) Intel 80386 32-bit
TrID Win32 Executable MS Visual C++ (generic) (44.6%)
     Microsoft Visual C++ compiled executable (generic) (23.6%)
     Win32 Dynamic Link Library (generic) (9.4%)
     Win16 NE executable (generic) (7.2%)
     Win32 Executable (generic) (6.4%)
File size 8.00 KB (8192 bytes)
PEiD packer Microsoft Visual C++
- When were these files compiled?
Creation Time 2009-05-14 17:12:41 UTC
- Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?
No
- Do any imports hint at what this malware does? If so, which imports are they?
a. ShellExecuteExA - Can be used to launch shellcode or other malicious programs
b. Socket API - Makes a network connection to the attacker
c. File API - Reads, modifies or encrypts files
- Are there any other files or host-based indicators that you could look for on infected systems?
a. URL: http://www.ueopen.com/test.html
b. *(SY)# - Network signature, possibly used as a remote shell prompt
c. CMD.exe - Creates a CMD.exe process on the victim's machine
- What network-based indicators could be used to find this malware on infected machines?
Connects to http://www.ueopen.com/test.html and creates a reverse shell or downloads malware.
- What would you guess is the purpose of these files?
a. Creating a backdoor on the victim's machine that offers the attacker a reverse shell
Lab 1-2
- Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
- Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
- What host- or network-based indicators could be used to identify this malware on infected machines?
It creates a service on the victim's machine and opens the URL http://www.malwareanalysisbook.com.
The service is created with the name Malservice.
However, the service cannot run normally; it fails with error 1067.
Lab 1-3
- Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
- Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
Packed with FSG; we can unpack it with the techniques we have learned so far.
- What host- or network-based indicators could be used to identify this malware on infected machines?
We can only get the imported functions with IDA Pro for now; we can't get any information about host- or network-based indicators.
Lab 1-4
- Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
Not packed.
- When was this program compiled?
- Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
We load the binary into Resource Hacker; there is an embedded executable file in it.
The program runs as follows:
First, it checks its privileges.
Second, the malware writes the resource from itself into a new file and executes the new file automatically.
- What host- or network-based indicators could be used to identify this malware on infected machines?
wupdmgr.exe
winup.exe
- This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?
We copy the resource and save it as lab1-04-binary.exe; we find the URL in it.
It likely downloads and executes a file.