In my leisure time I like reading the book Practical Malware Analysis, and I thought of sharing my analysis of the practical sections. You can find detailed answers in the book as well.
- Lab01-01.dll – https://virustotal.com/en/file/f50e42c8dfaab649bde0398867e930b86c2a599e8db83b8260393082268f2dba/analysis/
- Lab01-01.exe – https://virustotal.com/en/file/58898bd42c5bd3bf9b1389f0eee5b39cd59180e8370eb9ea838a0b327bd6fe47/analysis/
Lab01-01.dll Analysis
If we have a look at the “Lab01-01.dll” file’s imports we can see that it uses network functions from “ws2_32.dll”. We can suspect that this file is responsible for network communication with the attacker.
But if we have a look at the exports section we see nothing, which is strange.
In the DLLMain we can see a “CommandLine” parameter, which suggests this DLL takes a parameter from the attacker.
The DLL creates a mutex named “SADFHUHF” to prevent multiple instances.
It creates a new connection to “127.26.152.13” on port 80, the attacker’s host.
We can see that it sends the text “hello” to the attacker to notify that the system is infected.
If this malware receives the command “sleep” it sleeps for 393216 milliseconds.
If the malware receives “exec” it executes a program using the CreateProcess API. “exec PathOfProgram” would be the string from the attacker, and the “PathOfProgram”, i.e. the “CommandLine”, is pushed to the CreateProcess API.
Lab01-01.exe Analysis
We can see this string passed as an argument. This has been done on purpose, because if we accidentally open this file we will get infected. Without this parameter the malware won’t execute.
WARNING_THIS_WILL_DESTROY_YOUR_MACHINE
At the start we can see that the malware opens “kernel32.dll” for reading and uses APIs such as “CreateFileMapping” and “MapViewOfFile”; it also reads “Lab01-01.dll”.
After a lot of logic we can see that “Lab01-01.dll” is copied as “kerne132.dll” to the “C:\windows\system32\” directory. Notice the “1” instead of the “l”.
At a high level, without going into every detail of the code, the malware copies all the functions of “kernel32.dll” into the export table of “Lab01-01.dll” and copies the result into the system32 directory as “kerne132.dll”, which acts as a DLL forwarder: it forwards the functions to the real “kernel32.dll”.
After that we can see that “C:\*”, a wildcard, is passed to the function 004011E0.
If we check the function 004011E0 we can see calls to the “FindFirstFile” and “FindNextFile” APIs.
The function has a lot of logic in it. Basically it searches the whole “C:\” file system for “.exe” files.
Once it finds an exe it passes it to another function, 004010A0. We again see “CreateFile”, “CreateFileMapping” and “MapViewOfFile”, which map the exe into memory.
Next the malware searches for the string “kernel32.dll” in the import directory of the exe and replaces it with “kerne132.dll”. Here “REPNE SCAS BYTE PTR ES:[EDI]” is equivalent to a strlen and “REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]” is equivalent to a memcpy operation.
This is all the malware does to the system. Let’s have a look at the outcome. Once you run this malware you can see the files it accesses; it looks for *.exe files.
After infection, if we have a look at a sample .exe on the system we can see that if the application had an entry for “kernel32.dll” in its import directory it has been changed to “kerne132.dll”.
If we have a look at the newly created “kerne132.dll” in the system32 directory we can see that it now has new forwarded exports, which forward to the original “kernel32.dll”. The malware does not change the original system DLL.
In conclusion, this malware changes every exe’s “kernel32.dll” entry in the import directory to “kerne132.dll”, a malicious DLL that acts as a forwarder to the original “kernel32.dll” system DLL and so provides the same functionality. Each time the malicious DLL is loaded its DLLMain is called, allowing the attacker to run commands on the system.
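The infection leaves two artifacts a defender can look for: the look-alike “kerne132.dll” in system32, and executables whose import directory now names it instead of “kernel32.dll”. The script below is an added example written for this post, not code from the book or from the lab sample. It parses the import directory of a PE file directly (DOS header, PE header, data directory entry 1, section table for RVA-to-offset translation, then the IMAGE_IMPORT_DESCRIPTOR array), flags any imported DLL name that is one character away from a well-known system DLL, and walks a directory tree doing the same for every .exe. The list of known system DLLs and the build_test_pe fixture, which constructs a minimal PE32 containing only an import table so the script can be run offline, are my assumptions and not anything from the lab.

```python
import os
import struct

# Well-known system DLLs to compare against; a constructed list for this example, extend as needed.
KNOWN_SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "ws2_32.dll"}


def _rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x lies outside every section" % rva)


def imported_dlls(data):
    """Return the DLL names listed in a PE file's import directory (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]      # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    # Data directories start at +96 in a PE32 optional header, +112 in PE32+; imports are entry 1.
    dd_off = opt_off + (96 if magic == 0x10B else 112) + 8
    imp_rva = struct.unpack_from("<I", data, dd_off)[0]
    sections = []
    for i in range(nsec):
        hdr = opt_off + opt_size + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    if imp_rva == 0:
        return []
    names = []
    off = _rva_to_offset(imp_rva, sections)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:            # all-zero terminator
            break
        noff = _rva_to_offset(name_rva, sections)
        names.append(data[noff:data.index(b"\0", noff)].decode("ascii", "replace"))
        off += 20
    return names


def suspicious_imports(dll_names):
    """Flag imported DLL names that differ from a well-known system DLL by exactly one character,
    e.g. kerne132.dll (digit one) versus kernel32.dll (letter ell)."""
    hits = []
    for name in dll_names:
        low = name.lower()
        if low in KNOWN_SYSTEM_DLLS:
            continue
        for known in KNOWN_SYSTEM_DLLS:
            if len(known) == len(low) and sum(a != b for a, b in zip(known, low)) == 1:
                hits.append((name, known))
    return hits


def scan_tree(root):
    """Walk a directory tree and report every .exe whose import directory names a look-alike DLL."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as f:
                    hits = suspicious_imports(imported_dlls(f.read()))
            except (OSError, ValueError, struct.error):
                continue  # unreadable or malformed PE: skip it rather than abort the scan
            if hits:
                findings[path] = hits
    return findings


def build_test_pe(dll_names):
    """Construct a minimal PE32 image whose only content is an import directory naming dll_names.
    This is a test fixture (assumed layout, one .idata section), not a runnable executable."""
    sec_rva, sec_raw = 0x1000, 0x200
    desc_size = 20 * (len(dll_names) + 1)                        # descriptors plus terminator
    names_blob, name_rvas = b"", []
    for d in dll_names:
        name_rvas.append(sec_rva + desc_size + len(names_blob))
        names_blob += d.encode("ascii") + b"\0"
    descs = b"".join(struct.pack("<IIIII", 0, 0, 0, rva, 0) for rva in name_rvas) + b"\0" * 20
    section = descs + names_blob
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16)  # PE32, 16 data dirs
    dirs = [(0, 0)] * 16
    dirs[1] = (sec_rva, desc_size)                                # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sec_hdr = b".idata\0\0" + struct.pack("<IIII", len(section), sec_rva, len(section), sec_raw) + b"\0" * 16
    return (dos + coff + opt + sec_hdr).ljust(sec_raw, b"\0") + section


if __name__ == "__main__":
    sample = build_test_pe(["kerne132.dll", "ws2_32.dll"])        # constructed "infected" sample
    print(imported_dlls(sample))                                  # ['kerne132.dll', 'ws2_32.dll']
    print(suspicious_imports(imported_dlls(sample)))              # [('kerne132.dll', 'kernel32.dll')]
```

On a real system you would call scan_tree on the drive root the lab searched, and separately check whether system32 actually contains a “kerne132.dll”; a clean machine has no such file, so its presence alone is a strong indicator. The parser deliberately reads the import directory from the file bytes instead of trusting a loaded image, so it also works on a mounted offline disk.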
Malware analysis is fun, learned a lot of things 🙂