Practical Malware Analysis Lab 1-1

This lab uses the files Lab01-01.exe and Lab01-01.dll. Use the tools and techniques described in the chapter to gain information about the files and answer the questions below.

1) Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?

We can see that Lab01-01.exe was first submitted to VirusTotal on 2012-02-16 07:31:54 and has had a 40/66 detection rate since then:

File name: Lab01-01_exe

SHA256: 58898bd42c5bd3bf9b1389f0eee5b39cd59180e8370eb9ea838a0b327bd6fe47


File Lab01-01.dll was first submitted to VirusTotal on 2011-07-04 19:57:48 and has had a 28/65 detection rate since then:

File name: Lab01-01.dll

SHA256: f50e42c8dfaab649bde0398867e930b86c2a599e8db83b8260393082268f2dba


2) When were these files compiled?

Lab01-01.exe: Sun Dec 19 16:16:19 2010


Lab01-01.dll: Sun Dec 19 16:16:38 2010


3) Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

No, there’s no indication that either of these files is packed or obfuscated: PEiD didn’t report any packer, and both files have a reasonable number of strings and imports.

4) Do any imports hint at what this malware does? If so, which imports are they?

  • Lab01-01.exe:

    FindFirstFileA and FindNextFileA indicate that this malware might be searching for files.

    CreateFileA suggests that this malware might create files.

    CopyFileA suggests that this malware might copy files.

  • Lab01-01.dll:

    CreateProcessA indicates that this malware will probably create a process.

    The malware imports functions from WS2_32.dll such as socket, connect, send, recv, and closesocket, which suggests that it might communicate with a server.

    Also, the Sleep import might indicate that the malware waits for some time before carrying out any malicious activity.

5) Are there any other files or host-based indicators that you could look for on infected systems?

Lab01-01.exe:

This file contains the string C:\windows\system32\kerne123.dll. This is probably an attempt to disguise the DLL as the legitimate kernel32.dll.

Lab01-01.dll:

There are no indicators.
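As an added example (not part of the original writeup), the two static checks behind questions 2 and 5 in Python: reading the COFF TimeDateStamp that PEview displays, and flagging strings that imitate a well-known DLL name the way kerne123.dll imitates kernel32.dll. The PE bytes and the KNOWN_DLLS list are constructed for the demo and are assumptions, not data from the lab files.

```python
import re
import struct
from datetime import datetime, timezone

# Assumed short list of Windows DLLs that malware commonly imitates (extend as needed).
KNOWN_DLLS = ("kernel32.dll", "ntdll.dll", "user32.dll", "ws2_32.dll", "advapi32.dll")

def coff_timestamp(data: bytes) -> datetime:
    """Return the COFF header TimeDateStamp as an aware UTC datetime (what PEview displays)."""
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # DOS header field: offset of "PE\0\0"
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # COFF header layout after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute and adjacent swap cost 1 each."""
    d = [[i + j if i == 0 or j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped pair, e.g. "23" vs "32"
    return d[len(a)][len(b)]

def lookalike_dlls(data: bytes, max_dist: int = 2) -> list:
    """List (token, known) pairs where a .dll name in the strings is close to, but not, a known DLL."""
    hits = []
    for run in re.findall(rb"[ -~]{5,}", data):  # printable ASCII runs, like strings.exe output
        for token in re.findall(r"[A-Za-z0-9_.]+\.dll", run.decode("ascii"), flags=re.I):
            for known in KNOWN_DLLS:
                if token.lower() != known and osa_distance(token.lower(), known) <= max_dist:
                    hits.append((token, known))
    return hits

def build_sample_pe(stamp: int, tail: bytes = b"") -> bytes:
    """Constructed minimal MZ/PE skeleton for testing; it is not the lab binary."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header directly after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 3, stamp, 0, 0, 0xE0, 0x102)  # i386, 3 sections, stamp
    return bytes(dos) + b"PE\0\0" + coff + tail

# 1292775379 is 2010-12-19 16:16:19 UTC, the Lab01-01.exe compile time reported in this writeup.
SAMPLE = build_sample_pe(1292775379, b"\0C:\\windows\\system32\\kerne123.dll\0")
```

Running `coff_timestamp(SAMPLE)` and `lookalike_dlls(SAMPLE)` reproduces the compile time from question 2 and flags kerne123.dll against kernel32.dll; the same functions work on real file bytes read from disk.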

6) What network-based indicators could be used to find this malware on infected machines?

Lab01-01.exe:

There are no indicators.

Lab01-01.dll:

There’s a string containing an IP address: 127.26.152.13

7) What would you guess is the purpose of these files?

Lab01-01.exe:

The purpose is to run the DLL.

Lab01-01.dll:

Probably a backdoor.