Lab 1-4

Analyze the file Lab01-04.exe.

Questions and Short Answers

1. Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

   A: As of this writing, 16 of 43 antivirus engines identify this as malicious code that downloads and/or drops additional malware onto a system.

   

   注：在写这篇博客时的数据是 69 反病毒引擎里面 54 个是反病毒签名。

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

   A: There are no indications that the file is packed or obfuscated.

3. When was this program compiled?

   A: According to the file header, this program was compiled in August 2019. Clearly, the compile time is faked, and we can’t determine when the file was compiled.

   • PEview 查看的结果如下：

     

     本该在箭头处显示，却为空。（应该是我的软件版本自身的问题，因为要打开 IMAGE_FILE_HEADER 时，会弹出警告：可能会出现有些条目不能显示。）

     

   • 在 VT（http://www.VirusTotal.com/）中查看的结果如下：

     

4. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

   A: The imports from advapi32.dll indicate that the program is doing something with permissions. The imports from WinExec and WriteFile, along with the results from VirusTotal.com, tell us that the program writes a file to disk and then executes it. There are also imports for reading information from the resource section of the file.

   

   AdjustTokenPrivileges function

   LookupPrivilegeValueA function

   

5. What host- or network-based indicators could be used to identify this malware on infected machines?

   A: The string \system32\wupdmgr.exe indicates that this program could create or modify a file at that location. The string www.malwareanalysisbook.com/ updater.exe probably indicates where additional malware is stored, ready for download.

   

   注：利用 IDA -> View -> Opensubviews -> Strings 没有找到要查找的线索。但是书中的方法可以找到。

   

   注：翻译版书1.3 查找字符串（英文版书，Part 1: Basic Analysis -> Finding Strings）

   步骤：

   1. 下载Strings（英文原版书提供的链接好使，翻译版失效。）
   2. cmd -> 进入下载的strings.exe可执行文件所在文件夹 -> 使用 strings 命令查看

6. This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?

   A: The resource section contains another PE executable. Use Resource Hacker to save the resource as binary data, and then analyze the binary file as you would analyze any executable. The executable in the resource section is a downloader program that downloads additional malware.

Detailed Analysis

For the Lab01-04.exe file, the results from VirusTotal.com suggest a program related to a downloader. PEview gives no indication that the file is packed or obfuscated.

注：在写这篇博客时的数据是 68 反病毒引擎里面 56 个是反病毒签名。分析结果显示很大部分的引擎显示这很可能是一个木马下载后门软件。

The imports from advapi32.dll tell us that program does something with permissions, and we can assume that it tries to access protected files using special permissions. The imports from kernel32.dll tell us that the program loads data from the resource section (LoadResource, FindResource, and SizeOfResource), writes a file to disk (CreateFile and WriteFile), and executes a file on the disk (WinExec). We can also guess that the program writes files to the system directory because of the calls to GetWindowsDirectory.

AdjustTokenPrivileges说明这个函数可以通过令牌的方式确保只运行一个进程在系统中；

LookupPrigilegeValueA说明这个程序可以去查找用户的登录信息等系统敏感信息。

KERNEL32.DLL导入了CreateFileA和MoveFileA这个函数，说明它可以创建一个文件和移动一个文件；

还有CreateRemoteThread说明这个函数会在一个远程进程(Remote Process)里面创建一个自己的远程线程(Remote Thread)来运行恶意代码；

还有FindResourceA、LoadResource和SizeofResourse这个函数，说明它在查找资源节的内容；

GetCurrentProcess和OpenProcess这个是获得想要获得进程的文件描述符，也是为了操作远程的进程；

值得注意的是GetTempPathA这个函数，这说明这恶意代码可能会使用Temp目录。

WinExec说明这个程序可以运行另一个程序代码。

Examining the strings, we see www.malwareanalysisbok.com/updater.exe, which is probably the location that holds the malicious code for download. We also see the string \system32\wupdmgr.exe, which, in combination with the call to GetWindowsDirectory, suggests that a file in C:\Windows\System32 wupdmgr.exe is created or edited by this malware.

We now know with some confidence that this malicious file downloads new malware. We know where it downloads the malware from, and we can guess where it stores the downloaded malware. The only thing that’s odd is that the program doesn’t appear to access any network functions.

The most interesting part of this malware is the resource section. When we open this malware in Resource Hacker, we see one resource. Resource Hacker identifies the type of the resource as binary, meaning arbitrary binary data, and when we look at the data, most of it is meaningless. But notice the string !This program cannot be run in DOS mode. This string is the error message included in the DOS header at the beginning of all PE files. We can therefore conclude that this resource is an additional executable file stored in the resource section of Lab01-04.exe. This is a fairly common technique used in malware.

注：Resource Hacker

To continue analyzing this file with Resource Hacker, we click Action -> Save resource as binary file. After saving the resource, we open the file in PEview to analyze the file embedded within it. Looking at the imports, we see that the embedded file is the one that accesses the network functions. It calls URLDownloadToFile, a function commonly used by malicious downloaders. It also calls WinExec, which probably executes the downloaded file.

注：未经过 Resource Hacker 处理，使用 PEview 没有看到 URLDownloadToFileA 函数，urlmon.dll 库也没有显示。

Preference

恶意代码分析实战 Lab 1-4习题笔记