Analyze the malware found in the file Lab03-02.dll using basic dynamic analysis tools.

Questions and Short Answers

  1. How can you get this malware to install itself?

    A: To install the malware as a service, run the malware’s exported installA function via rundll32.exe with rundll32.exe Lab03-02.dll,installA.

  2. How would you get this malware to run after installation?

    A: To run the malware, start the service it installs using the net command net start IPRIP.

  3. How can you find the process under which this malware is running?

    A: Use Process Explorer to determine which process is running the service. Since the malware will be running within one of the svchost.exe files on the system, hover over each one until you see the service name, or search for Lab03-02.dll using the Find DLL feature of Process Explorer.

  4. Which filters could you set in order to use procmon to glean information?

    A: In procmon you can filter on the PID you found using Process Explorer.

  5. What are the malware’s host-based indicators?

    A: By default, the malware installs as the service IPRIP with a display name of Intranet Network Awareness (INA+) and description of “Depends INA+, Collects and stores network configuration and location information, and notifies applications when this information changes.” It installs itself for persistence in the registry at HKLM\SYSTEM\CurrentControlSet\Services\IPRIP Parameters\ServiceDll: %CurrentDirectory%\Lab03-02.dll. If you rename Lab03-02.dll to something else, such as malware.dll, then it writes malware.dll into the registry key, instead of using the name Lab03-02.dll.

  6. Are there any useful network-based signatures for this malware?

    A: The malware resolves the domain name practicalmalwareanalysis.com and connects to that host over port 80 using what appears to be HTTP. It does a GET request for serve.html and uses the User-Agent %ComputerName% Windows XP 6.11.

Detailed Analysis

We begin with basic static analysis by looking at the PE file structure and strings. Figure 3-5L shows that this DLL has five exports, as listed from \({\color{red}1}\) and below. The export ServiceMain suggests that this malware needs to be installed as a service in order to run properly.

Figure 3-5L: PEview of Lab03-02.dll exports

The following listing shows the malware’s interesting imported functions in bold.

These include service-manipulation functions, such as CreateService, and registry-manipulation functions, such as RegSetValueEx. Imported networking functions, such as HttpSendRequest, suggest that the malware uses HTTP.

Next, we examine the strings, as shown in the following listing.

We see several interesting strings, including registry locations, a domain name, unique strings like IPRIP and serve.html, and a variety of encoded strings. Basic dynamic techniques may show us how these strings and imports are used.

The results of our basic static analysis techniques lead us to believe that this malware needs to be installed as a service using the exported function installA. We’ll use that function to attempt to install this malware, but before we do that, we’ll launch Regshot to take a baseline snapshot of the registry and use Process Explorer to monitor the processes running on the system. After setting up Regshot and Process Explorer, we install the malware using rundll32.exe, as follows:

C:\>rundll32.exe Lab03-02.dll,installA

注:win7中无法复现,使用Windows XP可成功复现。

After installing the malware, we use Process Explorer to confirm that it has terminated by making sure that rundll32.exe is no longer in the process listing. Next, we take a second snapshot with Regshot to see if the malware installed itself in the registry.
The edited Regshot results are shown in the following listing.

The Keys added section shows that the malware installed itself as the service IPRIP at \({\color{red}1}\). Since the malware is a DLL, it depends on an executable to launch it. In fact, we see at \({\color{red}2}\) that the ImagePath is set to svchost.exe, which means that the malware will be launched inside an svchost.exe process. The rest of the information, such as the DisplayName and Description at \({\color{red}3}\) and \({\color{red}4}\), creates a unique fingerprint that can be used to identify the malicious service.

If we examine the strings closely, we see SOFTWARE\Microsoft\Windows NT CurrentVersion\SvcHost and a message "You specify service name not in Svchost// netsvcs, must be one of following". If we follow our hunch and examine the \SvcHost\netsvcs registry key, we can see other potential service names we might use, like 6to4 AppMgmt. Running Lab03-02.dll,installA 6to4 will install this malware under the 6to4 service instead of the IPRIP service, as in the previous listing.

After installing the malware as a service, we could launch it, but first we’ll set up the rest of our basic dynamic tools. We run procmon (after clearing out all events); start Process Explorer; and set up a virtual network, including ApateDNS and Netcat listening on port 80 (since we see HTTP in the strings listing).

Since this malware is installed as the IPRIP service, we can start it using the net command in Windows, as follows:

C:\>net start IPRIP
The Intranet Network Awareness (INA+) service is starting.
The Intranet Network Awareness (INA+) service was started successfully.

The fact that the display name (INA+) matches the information found in the registry tells us that our malicious service has started.

注:上图按 Enter 键前,记得ApateDNS软件点击Start Server。

Next, we open Process Explorer and attempt to find the process in which the malware is running by selecting Find -> Find Handle or DLL to open the dialog shown in Figure 3-6L. We enter Lab03-02.dll and click Search. As shown in the figure, the result tells us that Lab03-02.dll is loaded by svchost.exe with the PID 1044. (The specific PID may differ on your system.)

Figure 3-6L: Searching for a DLL in Process Explorer

In Process Explorer, we select View -> Lower Pane View -> DLLs and choose the svchost.exe running with PID 1044. Figure 3-7L shows the result. The display name Intranet Network Awareness (INA+) shown at \({\color{red}1}\) confirms that the malware is running in svchost.exe, which is further confirmed when we see at \({\color{red}2}\) that Lab03-02.dll is loaded.

Figure 3-7L: Examining service malware in Process Explorer

Next, we turn our attention to our network analysis tools. First, we check ApateDNS to see if the malware performed any DNS requests. The output shows a request for practicalmalwareanalysis.com, which matches the strings listing shown earlier.

NOTE

It takes 60 seconds after starting the service to see any network traffic (the program does a Sleep(60000) before attempting network access). If the networking connection fails for any reason (for example, you forgot to set up ApateDNS), it waits 10 minutes before attempting to connect again.

双击 ApateDNS 的 Capture Window 窗口的 Domain Requested 相应条目,显示 DNS Hex View,如下:

最后 ApateDNS 点击 Stop Server,在服务器端,快捷键 control + c 结束服务器,查看生成的日志文件 report.3385.txt 如下:

We complete our network analysis by examining the Netcat results, as follows:

书中的结果是如下:

We see that the malware performs an HTTP GET request over port 80 (we were listening over port 80 with Netcat since we saw HTTP in the string listing). We run this test several times, and the data appears to be consistent across runs.

We can create a couple of network signatures from this data. Because the malware consistently does a GET request for serve.html, we can use that GET request as a network signature. The malware also uses the User-Agent MalwareAnalysis2 Windows XP 6.11. MalwareAnalysis2 is our malware analysis virtual machine’s name (so this portion of the User-Agent will be different on your machine). The second part of the User-Agent (Windows XP 6.11) is consistent and can be used as a network signature.

Preference

恶意代码分析实战 Lab 3-2 习题笔记

Lab 3-2的更多相关文章

  1. MIT 6.828 JOS学习笔记18. Lab 3.2 Part B: Page Faults, Breakpoints Exceptions, and System Calls

    现在你的操作系统内核已经具备一定的异常处理能力了,在这部分实验中,我们将会进一步完善它,使它能够处理不同类型的中断/异常. Handling Page Fault 缺页中断是一个非常重要的中断,因为我 ...

  2. MIT 6.828 JOS学习笔记17. Lab 3.1 Part A User Environments

    Introduction 在这个实验中,我们将实现操作系统的一些基本功能,来实现用户环境下的进程的正常运行.你将会加强JOS内核的功能,为它增添一些重要的数据结构,用来记录用户进程环境的一些信息:创建 ...

  3. MIT 6.828 JOS学习笔记16. Lab 2.2

    Part 3 Kernel Address Space JOS把32位线性地址虚拟空间划分成两个部分.其中用户环境(进程运行环境)通常占据低地址的那部分,叫用户地址空间.而操作系统内核总是占据高地址的 ...

  4. MIT 6.828 JOS学习笔记15. Lab 2.1

    Lab 2: Memory Management lab2中多出来的几个文件: inc/memlayout.h kern/pmap.c kern/pmap.h kern/kclock.h kern/k ...

  5. MIT 6.828 JOS学习笔记10. Lab 1 Part 3: The kernel

    Lab 1 Part 3: The kernel 现在我们将开始具体讨论一下JOS内核了.就像boot loader一样,内核开始的时候也是一些汇编语句,用于设置一些东西,来保证C语言的程序能够正确的 ...

  6. MIT 6.828 JOS学习笔记7. Lab 1 Part 2.2: The Boot Loader

    Lab 1 Part 2 The Boot Loader Loading the Kernel 我们现在可以进一步的讨论一下boot loader中的C语言的部分,即boot/main.c.但是在我们 ...

  7. python opencv 利用Lab空间把春天的场景改为秋天

    前一段时间实现了Reinhard颜色迁移算法,感觉挺有意思的,然后在代码上随意做了一些更改,有了一些发现,把Lab通道的a通道值改为127左右,可以将绿色改为黄色,而对其他颜色的改动非常小,因此可以将 ...

  8. Acadia Lab 228 + Lab 222

    又是一对串烧实验,布好线后非常方便就可以一起完成. 连线方案一模一样: Lab 228 数码管骰子 核心代码如下: def loop() : global cnt global btn_read,se ...

  9. Acadia Lab 203 + Lab 231

    在做完 Lab 6 之后,惊觉选做实验缺口很大,于是遍历了一遍夏任务,找到了一条最省力的路线. 做完 Lab 6 的连线不用拆,可以接下来做以下两个实验: Lab 203 网络时钟 核心代码如下: v ...

  10. GJM : 【技术干货】给The Lab Renderer for Unity中地形添加阴影

    感谢您的阅读.喜欢的.有用的就请大哥大嫂们高抬贵手"推荐一下"吧!你的精神支持是博主强大的写作动力以及转载收藏动力.欢迎转载! 版权声明:本文原创发表于 [请点击连接前往] ,未经 ...

随机推荐

  1. Python中的对象行为与特殊方法(二)类型检查与抽象基类

    类型检查 创建类的实例时,该实例的类型为类本身: class Foo(object): pass f = Foo() 要测试实例是否属于某个类,可以使用type()内置函数: >>> ...

  2. QML手动连接信号槽【Connections】

    1.使用Connections import QtQuick 2.6 import QtQuick.Window 2.2 import QtQuick.Controls 1.4 Window { vi ...

  3. ImageView控件有关问题

    了解了一下ImageView控件,这个控件本身及其属性倒没有什么特别之处.只是在看<第一行代码>时,郭大神写到创建drawable-xhdpi文件有些问题,首先先说drawable和mip ...

  4. php的pear编程: phpDocumentor的使用?

    pfc: php基础类库: pecl: php扩展公共库 pear: php extension and application repository. php的扩展和应用库 phar: ['fa:] ...

  5. 百度搜索引擎取真实地址-python代码

    代码 def parseBaidu(keyword, pagenum): keywordsBaseURL = 'https://www.baidu.com/s?wd=' + str(quote(key ...

  6. vue中find函数

    let obj = this.role.find(v => v.code === res.company.role)循环 data对象中的role数组 ,每个数组元素用v代替,code为他的键, ...

  7. ETCD原理

    etcd:从应用场景到实现原理的全方位解读 从etcd的架构开始,深入到源码中解析etcd 1 架构 从etcd的架构图中我们可以看到,etcd主要分为四个部分. HTTP Server: 用于处理用 ...

  8. JAVA之经典算法

    package Set.Java.algorithm; import java.util.Scanner; public class algorithm { /** * [程序1] 题目:古典问题:有 ...

  9. 【Selenium2】【Jenkins】

    1. 下载Tomcat ,Windows7 环境,http://tomcat.apache.org/  我下载的是版本8 2. 下载Jenkins,Windows7 环境,http://jenkins ...

  10. Node内核基本自带模块fs 文件的读写

    在node的内核中存在一些内置的模块 这些是最基本的服务端所必要的 1:node全局环境:global类似于浏览器端的window 2:文件读取模块:fs fs模块同时提供了异步和同步的方法. 'us ...