Lab01-01 Analysis

In my leisure time I like reading the book Practical Malware Analysis and I thought of sharing my analysis in the practical sections. You can find detailed answers in the book as well.

Lab01-01.dll Analysis

If we look at the imports of the “Lab01-01.dll” file we can see that it uses network functions from “ws2_32.dll”, so we can suspect that this file handles the network communication with the attacker.

[Image: imports-of-dll]

But if we look at the exports section we see nothing at all, which is strange for a DLL.

[Image: no-exports-dll]

In DllMain we can see a ‘CommandLine’ parameter, which suggests that this DLL takes a command from the attacker.

[Image: dll-main]

The DLL creates a mutex named “SADFHUHF” to prevent multiple instances.

[Image: mutex]

It then creates a new connection to “127.26.152.13” on port 80, the attacker’s address.

[Image: remote-ip]

We can see that it sends the text “hello” to the attacker to signal that the system is infected.

[Image: hello]

If the malware receives the command “sleep” it sleeps for 393216 milliseconds.

[Image: sleep]

If the malware receives ‘exec’ it executes a program using the CreateProcess API. The string sent by the attacker has the form ‘exec PathOfProgram’, and the ‘PathOfProgram’ part (the ‘CommandLine’) is pushed to CreateProcess.

Lab01-01.exe Analysis

We can see this string passed as an argument. This was done on purpose: without this parameter the malware will not run, so we do not get infected by accidentally opening the file.

WARNING_THIS_WILL_DESTROY_YOUR_MACHINE

[Image: warning]

At the start we can see that the malware opens “kernel32.dll” for reading, using APIs such as ‘CreateFileMapping’ and ‘MapViewOfFile’, and it also reads “Lab01-01.dll”.

[Image: createfileolly]

After a lot of logic we can see that “Lab01-01.dll” is copied to the “C:\windows\system32\” directory as “kerne132.dll”. Notice the ‘1’ instead of the ‘l’.

[Image: copy]

At a high level, without going into every detail of the code, the malware copies all the exported function names of “kernel32.dll” into the export table of “Lab01-01.dll” and writes the result to the system32 directory as “kerne132.dll”. This file acts as a DLL forwarder: each of its exports forwards to the real “kernel32.dll”.

After that we can see the wildcard “C:\*” passed to the function at 004011E0.

[Image: c]

In the function at 004011E0 we can see calls to the ‘FindFirstFile’ and ‘FindNextFile’ APIs.

[Image: findfilea]

The function contains a lot of logic, but basically it searches the whole “C:\” file system for files ending in “.exe”.

[Image: compare-exe]

Once it finds an exe it passes the path to another function, 004010A0. Again we see ‘CreateFile’, ‘CreateFileMapping’ and ‘MapViewOfFile’, which map the exe into memory.

[Image: createfileolly]

Next the malware searches for the string “kernel32.dll” in the import directory of the exe and replaces it with “kerne132.dll”. Here ‘REPNE SCAS BYTE PTR ES:[EDI]’ is equivalent to a strlen and ‘REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]’ is equivalent to a memcpy.

[Image: replace-kernel]

This is all the malware does to the system. Let’s have a look at the outcome. Once the malware runs you can see the files it accesses: it is looking for *.exe files.

[Image: accessing-exes]

After infection, if we look at a sample .exe on the system we can see that, if the application had an entry for ‘kernel32.dll’ in its import directory, it has been changed to ‘kerne132.dll’.

[Image: import-changed]

If we look at the newly created ‘kerne132.dll’ in the system32 directory we can see that it now has forwarded exports pointing to the original ‘kernel32.dll’. The malware does not modify the original system DLL.

[Image: new-exports-in-132]

In conclusion, this malware changes the ‘kernel32.dll’ entry in the import directory of every exe to ‘kerne132.dll’, a malicious DLL that forwards to the original ‘kernel32.dll’ system DLL and so provides the same functionality. Each time an infected program loads the malicious DLL its DllMain runs, allowing the attacker to run commands on the system.
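A practical way to check a host's executables for this infection is to read the DLL names straight out of each file's import directory and flag the look-alike name. The following is an added example, not code from the book or this post: a small dependency-free PE import parser, plus a constructed minimal PE builder that exists only so the check can be exercised offline (the name “kerne132.dll” comes from the analysis above; everything else is assumed).

```python
import struct

IMPOSTOR = "kerne132.dll"  # look-alike name the lab sample writes over "kernel32.dll"

def _rva_to_offset(rva, sections):
    # sections: (VirtualAddress, SizeOfRawData, PointerToRawData) per section header
    for va, raw_size, raw_ptr in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError("RVA %#x lies outside every section" % rva)

def imported_dlls(pe):
    # Walk the IMAGE_IMPORT_DESCRIPTOR array and return the referenced DLL names in order.
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, opt_size = struct.unpack_from("<H", pe, coff + 2)[0], struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)        # data directory start: PE32 / PE32+
    imp_rva = struct.unpack_from("<I", pe, dd + 8)[0]  # entry 1 = import directory RVA
    sections = [struct.unpack_from("<III", pe, opt + opt_size + i * 40 + 12) for i in range(nsec)]
    names, desc = [], _rva_to_offset(imp_rva, sections) if imp_rva else None
    while desc is not None:
        name_rva = struct.unpack_from("<I", pe, desc + 12)[0]  # IMAGE_IMPORT_DESCRIPTOR.Name
        if name_rva == 0:                                     # all-zero descriptor ends the list
            break
        off = _rva_to_offset(name_rva, sections)
        names.append(pe[off:pe.index(b"\0", off)].decode("ascii", "replace"))
        desc += 20
    return names

def find_impostor_imports(pe):
    # Import entries that name the forwarder DLL instead of the real kernel32.dll.
    return [n for n in imported_dlls(pe) if n.lower() == IMPOSTOR]

def build_sample_pe(dll_names):
    # Constructed minimal PE32: one .idata section at RVA 0x1000 / file offset 0x200, for offline tests.
    ndesc, blob, rvas = len(dll_names) + 1, b"", []
    for n in dll_names:
        rvas.append(0x1000 + ndesc * 20 + len(blob))
        blob += n.encode() + b"\0"
    sec = b"".join(struct.pack("<IIIII", 0, 0, 0, r, 0) for r in rvas) + b"\0" * 20 + blob
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                   # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    datadir = b"\0" * 8 + struct.pack("<II", 0x1000, ndesc * 20) + b"\0" * 112
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16) + datadir
    sechdr = b".idata\0\0" + struct.pack("<IIII", len(sec), 0x1000, len(sec), 0x200) + b"\0" * 16
    return (dos + coff + opt + sechdr).ljust(0x200, b"\0") + sec
```

On a real host you would call `find_impostor_imports(open(path, "rb").read())` over every .exe found, and a non-empty result for a file that should import kernel32.dll is the infection marker.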

Malware analysis is fun, learned a lot of things 🙂
