Use the tools introduced in the lecture to answer the following questions about the files Lab01-01.exe and Lab01-01.dll.
1. When were each of the files compiled?
Hint – use PEView to examine IMAGE_NT_HEADERS -> IMAGE_FILE_HEADER
Open each file in PEview
For each file, navigate to IMAGE_NT_HEADERS > IMAGE_FILE_HEADER > Time Date Stamp. This field tells us the compile time.
Both files were compiled on December 19, 2010, within 1 minute of each other.
This confirms our suspicions that these files are part of the same package. In fact, a compile time that close strongly suggests that these files were created at the same time by the same author. We know that the files are related because of the compile times and where they were found. It’s likely that the .exe will use or install the .dll, because DLLs cannot run on their own.
2. Are there indications that these files have been packed or obfuscated?
Hint – use PEiD to check if a packer was used.
Open the .exe file in PEiD.
PEiD labels this as unpacked code compiled with Microsoft Visual C++, which tells us that these files are not packed.
Using PEview we can see that both files have small but reasonable numbers of imports from various DLLs, and well-formed sections with appropriate sizes. We can check the imports in PEview by navigating to SECTION .rdata -> IMPORT Address Table.
The fact that the files have few imports tells us that they are likely small programs.
Notice that the DLL file has no exports, which is abnormal, but not indicative of the file being packed.
We conclude that there are no indications that either file is packed or obfuscated.
3. Examine the imports of each file. Do the imported functions indicate anything about what these files do? Which imports do you think are indicative of the functionality of the files and why.
Hint – use Dependency Walker to examine which functions are imported by the .exe or .dll. You can also use the MSDN website to look up more information about the function names and what they do https://msdn.microsoft.com. Alternatively, you might find it easier to just google “MSDN X” where X is the function name.
The interesting imports from Lab01-01.exe are FindFirstFile, FindNextFile, and CopyFile. These imports tell us that the program searches the filesystem and copies files. The most interesting imports from Lab01-01.dll are CreateProcess and Sleep. We also see that this file imports functions from WS2_32.dll, which provides network functionality.
We look in more detail at the files’ imports and strings beginning with the .exe. All of the imports from msvcrt.dll are functions that are included in nearly every executable as part of the wrapper code added by the compiler.
When we look at the imports from kernel32.dll, we see functions for opening and manipulating files, as well as the functions FindFirstFile and FindNextFile. These functions tell us that the malware searches through the filesystem, and that it can open and modify files. We can’t be sure what the program is searching for, but when we analyse the program using strings.exe we find the string ‘.exe’, which suggests that it is searching for executables on the victim’s system.
Next, we look at the imports and strings for Lab01-01.dll, which imports functions from WS2_32.dll. Because these functions are imported from WS2_32.dll by ordinal, we don’t know which functions are being imported.
We also see two interesting functions imported from kernel32.dll: CreateProcess and Sleep, which are commonly used by backdoors. These functions are particularly interesting to us in combination with the strings exec and sleep. The exec string is probably sent over the network to command the backdoor to run a program with CreateProcess. The sleep string is probably used to command the backdoor program to sleep.
4. In Lab01-01.exe are there any indicators of files on the host computer that could also be infected i.e. are there any host based indicators?
Hint – use PEVIEW to examine the strings in SECTION .data, or use strings.exe. Is there anything suspicious about the .dll strings mentioned here?
Using strings.exe we can see the string kerne132.dll, with the number 1 instead of the letter l, which is meant to look like the system file kernel32.dll. This file could be used as a host based indicator to confirm the presence of this malware on our system.
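As an added example (not part of the lab answers), a small check that flags DLL names which only match a system DLL after digit/letter lookalikes are normalised, which is the trick behind kerne132.dll. The system DLL list and the strings.exe-style sample output are constructed for the example.

```python
import re

# Assumption for the example: the system DLLs a lookalike name is most likely to imitate
SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "ws2_32.dll", "msvcrt.dll"}
# Characters that pass for each other in most fonts: digit one / lowercase L, digit zero / letter o
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})
DLL_RE = re.compile(r"[A-Za-z0-9_\-]+\.dll", re.IGNORECASE)

def lookalike_dlls(strings) -> list:
    """Return (name_seen, dll_imitated) pairs for every DLL name in the strings output
    that is not a system DLL as written but becomes one once lookalike characters are
    normalised (kerne132.dll -> kernel32.dll). Names that already match are left alone."""
    hits = []
    for line in strings:
        for name in DLL_RE.findall(line):
            seen = name.lower()
            normalised = seen.translate(HOMOGLYPHS)
            if seen not in SYSTEM_DLLS and normalised in SYSTEM_DLLS:
                hits.append((name, normalised))
    return hits

# Constructed sample of strings.exe-style output, not the lab file's real listing
SAMPLE_STRINGS = [
    "KERNEL32.dll", "kerne132.dll", "C:\\windows\\system32\\kerne132.dll",
    "Lab01-01.dll", "WS2_32.dll", ".exe",
]
```

Running lookalike_dlls(SAMPLE_STRINGS) flags the two kerne132.dll occurrences and nothing else; a full path is matched by the bare file name, so the system32 copy is reported as well.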
5. Are there any network-based indicators that could be used to identify these files on infected machines?
Hint – use PEVIEW/strings to check for strings related to network activity e.g. web or IP addresses.
When we use strings.exe to get the strings in the .dll, we can see that the .dll file contains a reference to the IP address 127.26.152.13, which would be a good network-based indicator for use in identifying this malware.
Examine the file Lab01-03.exe.
a. Are there any indications that this file was packed?
Hint – check the difference between the Virtual Size and Size of Raw Data using PEView. What does this tell us?
When we open the file in PEview, we see several indications that the file is packed.
The first indication that this file might be packed is that the file sections have no names. For example, we can’t see sections with the names .text, .rdata or .data.
Next, we see that the first section (the first IMAGE_SECTION_HEADER in the list) has a virtual size of 0x3000, but a raw data size of 0. A large difference between the raw size and virtual size, such as this, is an indication of packing.
Finally, we run PEiD to confirm. PEiD identifies the packer as FSG 1.0 -> dulek/xt.
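As an added example covering question 1 (the Time Date Stamp) and question a above (Virtual Size against Size of Raw Data), a header-only PE reader in Python that pulls the same two facts out of a file that PEview shows, and applies the sheet's packing checks. This is not the lab's code; the sample images, their timestamp and their section layouts are constructed inside the block to mirror the lab's observations.

```python
import struct
from datetime import datetime, timezone

def parse_pe(data: bytes) -> dict:
    """Read IMAGE_FILE_HEADER.TimeDateStamp and the section table from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # file offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    # IMAGE_FILE_HEADER (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sections, off = [], e_lfanew + 24 + opt_size              # first IMAGE_SECTION_HEADER
    for _ in range(nsections):
        name, vsize, _, rawsize = struct.unpack_from("<8sIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize})
        off += 40                                              # sizeof(IMAGE_SECTION_HEADER)
    return {"compiled": datetime.fromtimestamp(stamp, tz=timezone.utc), "sections": sections}

def compile_time(data: bytes) -> str:
    """The value PEview shows as Time Date Stamp, rendered as a UTC string."""
    return parse_pe(data)["compiled"].strftime("%Y-%m-%d %H:%M:%S UTC")

def packing_indicators(data: bytes) -> list:
    """The sheet's two checks: nameless sections, and VirtualSize far above SizeOfRawData
    (space the unpacker fills at run time). .data normally has a small gap, so only a large one counts."""
    hits = []
    for i, s in enumerate(parse_pe(data)["sections"]):
        if not s["name"]:
            hits.append(f"section {i} has no name")
        gap = s["virtual_size"] - s["raw_size"]
        if s["virtual_size"] and (s["raw_size"] == 0 or gap > max(0x1000, s["raw_size"])):
            hits.append(f"section {i}: VirtualSize {s['virtual_size']:#x} vs SizeOfRawData {s['raw_size']:#x}")
    return hits

def build_sample_pe(stamp: int, sections) -> bytes:
    """Constructed header-only image: DOS header, PE signature, file header with no
    optional header, then one 40-byte IMAGE_SECTION_HEADER per (name, vsize, rawsize)."""
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))    # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), stamp, 0, 0, 0, 0x102)
    for name, vsize, rawsize in sections:
        img += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, rawsize, 0x400, 0, 0, 0, 0, 0x60000020)
    return bytes(img)

SAMPLE_STAMP = int(datetime(2010, 12, 19, 16, 16, 19, tzinfo=timezone.utc).timestamp())  # constructed
UNPACKED = build_sample_pe(SAMPLE_STAMP, [(b".text", 0x1F00, 0x2000), (b".rdata", 0x800, 0xA00), (b".data", 0x600, 0x200)])
PACKED = build_sample_pe(SAMPLE_STAMP, [(b"", 0x3000, 0), (b"", 0x2000, 0x1600)])  # mirrors Lab01-03's first section
```

Calling compile_time(UNPACKED) and packing_indicators(PACKED) reproduces the two observations above: a December 19, 2010 timestamp, and a nameless first section with VirtualSize 0x3000 but no raw data.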
b. What are the file imports?
To confirm that the file is packed, we search for the imports, but there doesn’t seem to be an import table. In a normal .exe file we would expect the import address table to be found in PEView under SECTION .rdata -> IMPORT Address Table.
An executable file without an import table is extremely rare, and its absence tells us that we should try another tool, because PEview is having trouble processing this file.
We open the file with Dependency Walker, and see that it does have an import table, but it imports only two functions: LoadLibraryA and GetProcAddress. These can be seen as the only functions imported from KERNEL32.dll. Packed files often import only these two functions, which further indicates that this file is packed.
Examine the file Lab01-04.exe in order to answer the following questions:
a. Are there any indicators that this file is packed?
There are no indications this file is packed. We can use PEview to examine the Import Address Table, where we see the file imports many functions from different DLLs. We can also examine the file using PEiD where we see the file has been compiled using Microsoft Visual C++ 6.0. We can’t find any evidence that the file has been packed.
b. When was this file compiled, and what does this indicate?
We can find the compile time by examining the file header using PEView.
In PEView navigate to IMAGE_NT_HEADERS -> IMAGE_FILE_HEADER -> Time Date Stamp.
According to the time date stamp in the file header, this program was compiled in August 2019. We can’t draw any conclusions from this, but we should remember that compile times can be faked.
c. What are the file imports? What do they tell about its functionality?
We can examine the file imports using PEView or DependencyWalker.
In PEView navigate to SECTION .rdata -> IMPORT Address Table.
The imports from advapi32.dll, such as OpenProcessToken, LookupPrivilegeValueA, and AdjustTokenPrivileges indicate that the program is doing something with permissions. We can assume that it tries to access protected files using special permissions. You should look up these functions in MSDN to understand what they are doing.
The imports from Kernel32.dll, such as WinExec, CreateFile and WriteFile, tell us that the program writes a file to disk and then executes it. There are also imports for reading information from the resource section of the file, such as LoadResource, FindResource, and SizeOfResource.
d. Are there any host-based indicators that could be used to identify this malware?
We can use strings.exe to examine the strings of this program. The string \system32\wupdmgr.exe indicates that this program could create or modify a file at that location.
e. Are there any indicators of network activity?
We can use strings.exe to examine the strings of this program. The string www.malwareanalysisbook.com/updater.exe probably indicates where additional malware is stored, ready for download.