Lab 1-4

Analyze the file Lab01-04.exe.

1) Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

File name: Lab01-04.exe

SHA256: 0fa1498340fca6c562cfa389ad3e93395f44c72fd128d7ba08579a69aaf3b126

[VirusTotal results screenshot]

2) Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

No. PEiD identifies the compiler as Microsoft Visual C++ 6.0. The file also has a reasonable number of imports and a large number of readable strings, neither of which is typical of a packed or obfuscated binary.

3) When was this program compiled?

The compile timestamp is Fri Aug 30 23:26:59 2019, a date in the future at the time of analysis, so this field was clearly forged.

4) Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?

This malware will possibly write a file to disk and execute it (WriteFile, CreateFileA, MoveFileA, GetTempPathA and WinExec). There are also imports suggesting that the file will look for something in its resource section (FindResourceA, LoadResource).

5) What host- or network-based indicators could be used to identify this malware on infected machines?

Looking for host-based indicators in the strings we can see “\system32\wupdmgrd.exe”, hinting that the malware possibly creates or modifies this file. Regarding network-based indicators, we can see “http://www.practicalmalwareanalysis.com/updater.exe”, possibly a file downloaded by the malware.

6) This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?

Looking at Resource Hacker we can see that the resource is an executable file.

[Resource Hacker screenshot]

Uploading it to VirusTotal we obtain the following result:

Filename: test

SHA256: 819b2db1876d85846811799664d512b2f1af13e329f5debe60926c3b03424745

[VirusTotal results screenshot]

This file has two particularly interesting imports: URLDownloadToFileA hints at downloader behavior and WinExec suggests that the downloaded file may be executed once the download completes. Looking at the strings we once again observe “http://practicalmalwareanalysis.com/updater.exe” and “\system32\wupdmgrd.exe”.
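The three static checks used in questions 3, 5 and 6 (reading the PE compile timestamp, pulling host and network indicators out of the strings, and locating an executable embedded in the resource data) can all be scripted. The following is an added example written for this write-up, not code from the book or the lab; it builds its own constructed sample, a minimal PE stub nested inside another one, using the strings quoted on this page, and the "analysis date" and the UTC interpretation of the timestamp are assumptions. The API-name check is a string heuristic, not a parse of the import directory.

```python
import re
import struct
from datetime import datetime, timezone

# --- Constructed sample (not bytes from Lab01-04.exe) --------------------------
# A minimal PE stub: DOS header, "PE\0\0" signature, COFF file header, then a
# string area. Two stubs are nested to imitate an executable stored in a resource.
def build_pe_stub(timestamp: int, strings: bytes) -> bytes:
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: signature follows the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 3, timestamp, 0, 0, 224, 0x102)
    return bytes(dos) + b"PE\0\0" + coff + strings

# Timestamp reported on the page, interpreted as UTC (assumption).
FORGED_TS = int(datetime(2019, 8, 30, 23, 26, 59, tzinfo=timezone.utc).timestamp())
# Hypothetical date on which the sample was analysed.
ANALYSIS_EPOCH = int(datetime(2012, 1, 1, tzinfo=timezone.utc).timestamp())

INNER = build_pe_stub(FORGED_TS, b"\0URLDownloadToFileA\0WinExec\0"
                      b"http://practicalmalwareanalysis.com/updater.exe\0")
OUTER = build_pe_stub(FORGED_TS, b"\0FindResourceA\0LoadResource\0WinExec\0"
                      b"\\system32\\wupdmgrd.exe\0"
                      b"http://www.practicalmalwareanalysis.com/updater.exe\0") + b"\0" * 16
SAMPLE = OUTER + INNER            # the "resource" (inner executable) starts at len(OUTER)
EMBEDDED_OFFSET = len(OUTER)

# --- PE header checks -----------------------------------------------------------
def pe_signature_offset(data: bytes, base: int = 0) -> int:
    """Offset of the 'PE\\0\\0' signature for an image starting at data[base:], or -1."""
    if data[base:base + 2] != b"MZ" or base + 0x40 > len(data):
        return -1
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    sig = base + e_lfanew
    # Signature plus the 20-byte COFF header must fit inside the buffer.
    if e_lfanew < 0x40 or sig + 24 > len(data) or data[sig:sig + 4] != b"PE\0\0":
        return -1
    return sig

def read_compile_timestamp(data: bytes, base: int = 0) -> int:
    sig = pe_signature_offset(data, base)
    if sig < 0:
        raise ValueError("no valid PE header at offset %d" % base)
    # TimeDateStamp is 4 bytes into the COFF header, which follows the 4-byte signature.
    return struct.unpack_from("<I", data, sig + 8)[0]

def assess_timestamp(ts: int, analysis_epoch: int) -> str:
    if ts == 0:
        return "zeroed"        # stripped by the linker or by the author
    if ts > analysis_epoch:
        return "future"        # cannot be genuine: "compiled" after we obtained the sample
    return "plausible"

def find_pe_headers(data: bytes) -> list:
    """Every offset holding an 'MZ' whose e_lfanew points at a real PE signature."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pe_signature_offset(data, pos) >= 0:
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

# --- Indicator extraction from strings ------------------------------------------
STRING_RE = re.compile(rb"[\x20-\x7e]{5,}")            # same idea as the `strings` tool
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
PATH_RE = re.compile(rb"(?:[A-Za-z]:)?\\[\x21-\x7e]*\.(?:exe|dll|sys)", re.IGNORECASE)
API_NAMES = {b"URLDownloadToFileA", b"WinExec", b"FindResourceA", b"LoadResource",
             b"WriteFile", b"CreateFileA", b"MoveFileA", b"GetTempPathA"}

def extract_strings(data: bytes) -> list:
    return [m.group() for m in STRING_RE.finditer(data)]

def classify_indicators(data: bytes) -> dict:
    strings = extract_strings(data)
    return {
        "network": sorted({s.decode() for s in strings if URL_RE.fullmatch(s)}),
        "host": sorted({s.decode() for s in strings if PATH_RE.fullmatch(s)}),
        "apis": sorted(s.decode() for s in set(strings) & API_NAMES),
    }

if __name__ == "__main__":
    ts = read_compile_timestamp(SAMPLE)
    print("compile time:", datetime.fromtimestamp(ts, tz=timezone.utc),
          "->", assess_timestamp(ts, ANALYSIS_EPOCH))
    print("outer file:", classify_indicators(SAMPLE[:EMBEDDED_OFFSET]))
    for off in find_pe_headers(SAMPLE):
        if off:  # offset 0 is the container itself; anything else is embedded
            print("embedded PE at offset", off, "->", classify_indicators(SAMPLE[off:]))
```

Carving the embedded file is then just `SAMPLE[off:]` written to disk for a second round of the same checks, which is what the VirusTotal upload of the extracted resource does manually above. On a real sample the `find_pe_headers` scan will also flag the container's own header at offset 0, so only non-zero hits are treated as embedded executables.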
