
Analyze the malware found in the file Lab06-01.exe using basic static analysis tools.
1. What are this malware’s imports and strings?
Hint – use PEView to examine SECTION.rdata -> IMPORT Address Table
To find the .exe file’s imports we do the following:


Open the file Lab06-01.exe in PEView.
Navigate to SECTION.rdata -> IMPORT Address Table
To find the strings we run the Lab06-01.exe file through the strings.exe program. We can save the list of strings to a file for later analysis.
Looking at the list of imports in PEView, together with the strings gives us clues about what this malware executable is doing.
We can see the list of functions imported from KERNEL32.dll and WININET.dll. The function InternetGetConnectedState, imported from WININET.dll, is interesting. MSDN tells us the Windows Internet (WinINet) API enables applications to interact with HTTP protocols to access Internet resources. Using MSDN, we learn that the InternetGetConnectedState function checks the status of the Internet connection for the local system, returning 1 if there is a connection and 0 if not.
The strings “Error 1.1: No Internet” and “Success: Internet Connection” also hint that this program may check for an active Internet connection on the system.
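The following is an added example (not part of the lab hand-out or of strings.exe) showing what strings.exe does to a file: it scans the bytes for runs of printable characters in both ASCII and UTF-16LE, and then filters the list for the network-related hints we looked for above. The SAMPLE bytes are constructed to stand in for Lab06-01.exe; they are not taken from the real file.

```python
import re

# Constructed stand-in for the bytes of Lab06-01.exe (not the real file):
# a PE header fragment, import names, two ASCII strings and one UTF-16LE
# string, separated by the kind of junk strings.exe has to skip over.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + b"InternetGetConnectedState\x00"
    + b"WININET.dll\x00\x00"
    + b"Error 1.1: No Internet\x00\x00"
    + "Success: Internet Connection".encode("utf-16-le") + b"\x00\x00"
    + b"\x07\x1f\x7f"
)

# Hints an analyst scans the string list for; "wininet" catches the DLL name.
NETWORK_HINTS = ("internet", "wininet", "http", "url", "socket", "connect")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (encoding, text) pairs for every run of at least min_len
    printable characters, first in ASCII and then in UTF-16LE, as strings.exe does."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append(("ascii", m.group().decode("ascii")))
    # UTF-16LE text in a PE looks like: printable byte, NUL, printable byte, NUL, ...
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append(("utf-16le", m.group().decode("utf-16-le")))
    return found


def network_related(strings) -> list:
    """Keep only the strings that hint at network activity, whatever the encoding."""
    return [text for _, text in strings
            if any(hint in text.lower() for hint in NETWORK_HINTS)]


if __name__ == "__main__":
    found = extract_strings(SAMPLE)
    for enc, text in found:
        print(f"{enc:8} {text}")
    print("network-related:", network_related(found))
```

Note that a UTF-16LE string is invisible to a plain ASCII scan, which is why the Sysinternals strings.exe scans for both encodings by default.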

We will now analyse the malware in Lab06-02.exe using basic dynamic analysis. This will involve using both host-based and network-based tools. Because this malware attempts to access resources on the network, we will set up a virtual network to allow the malware to run. Firstly we will set everything up, then we will analyse all the host-based events, and finally we will analyse all the network-based events.
Analysing the malware found in file Lab06-02.exe using basic host-based dynamic tools
1. Run strings.exe to see if there are any network-based signatures.
Answer – From the output of strings.exe we can see two main network-based indicators. The first is the HTTP User-Agent: Internet Explorer 7.5/pma
The second is the URL: http://www.practicalmalwareanalysis.com/cc.htm
There are also several additional strings that may indicate network activity, such as:
Error 2.3: Fail to get command
Error 2.2: Fail to ReadFile
Error 2.1: Fail to OpenUrl
Success: Parsed command is %c
We will now set up the dynamic analysis tools needed for the rest of this practical.
1. Run Process Monitor
Clear out all existing events and create a filter for Process Name is Lab06-02.exe
2. Start Process Explorer
3. Run apateDNS.exe.
In the DNS Reply IP textbox enter 192.168.117.169 and click on the Start Server button
4. Start the MW-Ubuntu virtual machine.
This will take a moment to boot into the command line. The username is ‘labuser’ and the password is ‘malware’
5. In the Ubuntu virtual machine command line type sudo inetsim and enter the password malware
6. On the Windows machine, set up network traffic logging using Wireshark. When Wireshark starts, double click on ‘Local Area Connection’
7. Run the malware file Lab06-02.exe

2. Examine the Lab06-02.exe process in Process Explorer. What do you notice? Hint – Does it create any mutants? Has it loaded any DLLs?
In process explorer you can choose to view either Handles / DLLs
View -> Lower Pane View -> DLLs
View -> Lower Pane View -> Handles
Selecting Handles, we can see that the exe creates two mutants (aka mutexes)
\Sessions\1\BaseNamedObjects\ZonesCacheCounterMutex
\Sessions\1\BaseNamedObjects\ZonesLockedCacheCounterMutex
Note – Using process explorer, we can see the list of DLLs actually loaded into memory by this process. When doing basic static analysis, where we don’t actually run the program, we can only see the list of DLLs that may potentially be loaded. Examining the list of DLLs we see a long list of common DLLs, and we note that Lab06-02 loads functions from wininet.dll which is associated with internet access.
You can use MSDN to find more information on each DLL and each function. The easiest way to do this is by googling for “MSDN name-of-function”
3. Use Process Monitor to look for additional information
Hint – Set up three filters: one on Process Name is Lab06-02.exe and two more on
Operation is RegSetValue and Operation is WriteFile
4. Check to see whether the malware has made any changes to the registry. Hint – use Regshot
Answer to parts 3 & 4
When we filter using “Operation is RegSetValue” we can see a large number of registry entries have been accessed, with many related to internet access.
When we filter using “Operation is WriteFile” we can see that the malware writes to a temporary file in the ‘/Temporary Internet Files/’ directory.
Using Regshot, we take the first shot before running the Lab06-02.exe file and the second shot after running Lab06-02.exe. We can see that a small number of changes were made, mainly related to internet access.

Analyze the malware found in file Lab06-02.exe using network-based dynamic tools. Note that the Lab06-02.exe will close after some time, but you can restart it again as many times as needed.
1. Run the malware Lab06-02.exe and check if there were any DNS requests Hint – Use ApateDNS
2. Review the network traffic generated by the malware Hint – Use Wireshark
Answer – In the ApateDNS log we can see a DNS request for the URL www.practicalmalwareanalysis.com
This tells us that a resource at this URL is being requested by the malware; however, we can’t know its true significance unless we analyse the assembly code of the exe
Answer – Wireshark gives us another way to look at the packets sent to/from the machine
In Wireshark we can initially see a TCP 3-way handshake (SYN, SYN-ACK, ACK), then we can see an HTTP packet. What’s happening here is that Lab06-02.exe is establishing a TCP connection with a server. The HTTP packet contains the request for the www.practicalmalwareanalysis.com page. We can then see another HTTP packet when the server sends back an HTML page. This is the boiler-plate page returned by inetsim.
If we look closely at the second HTTP packet we can see an HTML comment. This corresponds to the message ‘Success: Parsed command is a’ printed by the malware. We can see that the malware takes an action based on this HTML comment.
3. Check to see whether the malware attempts to make any HTTP or TCP connections.
Hint – Use Netcat on the Ubuntu Virtual Machine
If inetsim is running you can stop it by pressing ctrl-c
Listen on port 80 using netcat by typing sudo nc -l -p 80
Enter the password malware
In Windows run Lab06-02.exe and monitor its requests using netcat on Ubuntu
Answer – After running Lab06-02.exe, we can see the following HTTP request in netcat
GET /cc.htm HTTP/1.1
User-Agent: Internet Explorer 7.5/pma
Host: www.practicalmalwareanalysis.com
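As an added example (not part of the lab hand-out), the following script does by hand what we did by eye in netcat and Wireshark: it parses the captured request, rebuilds the requested URL, checks it against the User-Agent and URL indicators found with strings.exe, and pulls the HTML comments out of the server’s reply, since that comment is what the malware reports as its parsed command. The REQUEST text is the one shown above; the RESPONSE is constructed and its comment text is made up, not inetsim’s real page.

```python
import re

# Constructed capture: the request the lab sees in netcat, plus a constructed
# inetsim-style reply; the comment text is made up, not inetsim's real page.
REQUEST = (
    "GET /cc.htm HTTP/1.1\r\n"
    "User-Agent: Internet Explorer 7.5/pma\r\n"
    "Host: www.practicalmalwareanalysis.com\r\n"
    "\r\n"
)
RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>INetSim default page<!-- sample command --></body></html>\n"
)

# Indicators taken from the strings.exe output earlier in this practical.
INDICATORS = {
    "user-agent": "Internet Explorer 7.5/pma",
    "url": "http://www.practicalmalwareanalysis.com/cc.htm",
}


def parse_http(raw: str) -> dict:
    """Split an HTTP message into its start line, lower-cased headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"start": lines[0].split(" ", 2), "headers": headers, "body": body}


def match_request(raw: str):
    """Rebuild the requested URL and report which known indicators it matches."""
    req = parse_http(raw)
    method, path, _version = req["start"]
    url = "http://" + req["headers"].get("host", "") + path
    hits = []
    if req["headers"].get("user-agent") == INDICATORS["user-agent"]:
        hits.append("user-agent")
    if url == INDICATORS["url"]:
        hits.append("url")
    return method, url, hits


def html_comments(raw: str) -> list:
    """Return every HTML comment in a response body, the channel the lab shows."""
    body = parse_http(raw)["body"]
    return [c.strip() for c in re.findall(r"<!--(.*?)-->", body, re.S)]


if __name__ == "__main__":
    print(match_request(REQUEST))
    print(html_comments(RESPONSE))
```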

Notes on Tools
PEView – View the headers and contents of a PE file (.exe or .dll)
Process Monitor (procmon) – Records events generated by all programs, such as accessing the registry or filesystem
Process Explorer – A free tool provided by Microsoft used for dynamic analysis. Process Explorer monitors every running process and shows the handles and DLLs loaded by each process. This differs from PEView because we can see the resources that are actually loaded at this time.
Inetsim – used on the Ubuntu machine to pretend to be a webserver. For example, if a piece of malware requests a JPEG from a website to continue its operation, INetSim will respond with a properly formatted JPEG. It records all requests to a log file.
– We can check the address of our Ubuntu machine using ifconfig
– We can’t run netcat and inetsim at the same time, because both listen on port 80
– We can run them one after the other
– The same information can be obtained from the inetsim log
apateDNS – A pretend DNS server, used for spoofing DNS requests on a local machine. It responds to DNS requests with an IP address you specify. This lets us spoof the IP address for any URLs requested by the malware and force the malware to connect to our own server, so we can capture its requests and analyse them.
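The following is an added example (not part of the lab hand-out or of ApateDNS) showing what ApateDNS does on the wire: it parses the question in a DNS query and builds a reply whose A record points at the DNS Reply IP entered above, whatever name was asked for. build_query constructs the client’s packet so the example runs offline; a real listener would receive that packet on UDP port 53.

```python
import socket
import struct

SPOOF_IP = "192.168.117.169"   # the DNS Reply IP entered in ApateDNS above


def encode_name(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label, ending in a 0 byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """A query for an A record, as a client resolver would send it (constructed)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def parse_question(packet: bytes):
    """Return (txid, qname, qtype, offset just past the question section)."""
    txid = struct.unpack("!H", packet[:2])[0]
    pos, labels = 12, []                      # the question starts after the 12-byte header
    while packet[pos] != 0:
        n = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    pos += 1                                  # skip the terminating 0 byte
    qtype = struct.unpack("!H", packet[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype, pos + 4


def spoof_reply(query: bytes, ip: str = SPOOF_IP) -> bytes:
    """Answer any A query with `ip`, which is what ApateDNS does for every name."""
    txid, _qname, qtype, end = parse_question(query)
    if qtype != 1:                            # only A records are spoofed in this example
        return b""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR, RD, RA, 1 answer
    answer = (b"\xc0\x0c"                     # compression pointer to the name at offset 12
              + struct.pack("!HHIH", 1, 1, 60, 4)   # A, IN, TTL 60 s, RDLENGTH 4
              + socket.inet_aton(ip))
    return header + query[12:end] + answer    # echo the question, then the answer


if __name__ == "__main__":
    q = build_query("www.practicalmalwareanalysis.com")
    r = spoof_reply(q)
    print(parse_question(r)[1], "->", socket.inet_ntoa(r[-4:]))
```

The logged name is exactly what the lab reads from the ApateDNS window; the malware then connects to the spoofed address, which is why inetsim or netcat must be listening there.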
