In my leisure time I like reading the book Practical Malware Analysis, and I thought of sharing my analysis of the practical sections. You can find detailed answers in the book as well.
- Lab01-01.dll – https://virustotal.com/en/file/f50e42c8dfaab649bde0398867e930b86c2a599e8db83b8260393082268f2dba/analysis/
- Lab01-01.exe – https://virustotal.com/en/file/58898bd42c5bd3bf9b1389f0eee5b39cd59180e8370eb9ea838a0b327bd6fe47/analysis/
If we have a look at the imports of “Lab01-01.dll” we can see that it uses network functions from “ws2_32.dll”, so we can suspect that this file is responsible for the network communication with the attacker.
If the malware receives ‘exec’ it executes a program using the CreateProcess API. The attacker sends a string of the form ‘exec PathOfProgram’, and the ‘PathOfProgram’ part (the ‘CommandLine’) is pushed as the argument to CreateProcess.
Turning to “Lab01-01.exe”, the first thing it does is check that a particular string was passed as a command-line argument (the sample compares its first argument with ‘WARNING_THIS_WILL_DESTROY_YOUR_MACHINE’). This is done on purpose: if we accidentally double-click the file we will not get infected, because without this argument the malware does not run its payload.
After the argument check we can see that the malware opens “kernel32.dll” for reading, using APIs such as ‘CreateFile’, ‘CreateFileMapping’ and ‘MapViewOfFile’, and maps “Lab01-01.dll” into memory the same way.
After a lot of logic we can see that “Lab01-01.dll” is copied to the “C:\windows\system32\” directory as “kerne132.dll”. Notice the digit ‘1’ in place of the letter ‘l’, which makes the name easy to mistake for the real kernel32.dll in a process or module listing.
At a high level, without going into every detail of the code, the malware takes all of the exported functions of “kernel32.dll” and builds them into the export table of the copy of “Lab01-01.dll” that it drops into system32 as “kerne132.dll”. The copy therefore acts as a DLL forwarder: every function an infected program imports from it is forwarded to the real “kernel32.dll”, so the program keeps working normally.
After that we can see a wildcard path, “C:\*”, being passed to the function at 004011E0.
If we check the function at 004011E0 we can see calls to the ‘FindFirstFile’ and ‘FindNextFile’ APIs.
The function contains quite a bit of logic, but basically it searches the whole “C:\” file system for “.exe” files.
Once it finds an exe it passes it to another function, 004010A0. There we again see ‘CreateFile’, ‘CreateFileMapping’ and ‘MapViewOfFile’, which map the exe into memory.
Next the malware searches the import directory of the exe for the string “kernel32.dll” and overwrites it with “kerne132.dll”. Both names are exactly 12 characters long, so the overwrite can be done in place and nothing else in the file has to move. In the disassembly, ‘REPNE SCAS BYTE PTR ES:[EDI]’ is the inlined equivalent of a strlen and ‘REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]’ is the inlined equivalent of a memcpy.
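To make the import-directory step concrete, here is an added example (my own code, not the book's and not the lab sample's) that walks a PE's import directory, replays the in-place ‘kernel32.dll’ → ‘kerne132.dll’ overwrite on an in-memory image, and then does the check a responder would actually want: flag any import whose DLL name becomes a known system DLL once digit-for-letter look-alikes are undone. The minimal PE it builds for itself, the case-insensitive match on the import name, the known-DLL list and the 1→l / 0→o substitution set are all assumptions of this example; none of them are taken from the sample.

```python
import struct
from pathlib import Path

# Layout of the constructed test PE (an assumption of this example, not the lab
# sample): headers in the first 0x200 bytes, one section ".idata" whose raw data
# at file offset 0x200 is mapped at RVA 0x1000 and holds the import directory.
IDATA_RVA = 0x1000
IDATA_RAW = 0x200


def build_test_pe(dlls=(b"kernel32.dll", b"user32.dll")):
    """Build a minimal PE32 whose import directory names the given DLLs."""
    descs, names = [], b""
    str_rva = IDATA_RVA + 20 * (len(dlls) + 1)       # name strings follow the descriptors
    thunk_rva = IDATA_RVA + 0x100                     # one shared, all-zero thunk entry
    for dll in dlls:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        descs.append(struct.pack("<IIIII", thunk_rva, 0, 0, str_rva + len(names), thunk_rva))
        names += dll + b"\0"
    descs.append(b"\0" * 20)                          # all-zero descriptor terminates the list
    idata = (b"".join(descs) + names).ljust(0x200, b"\0")

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)  # i386, one section
    opt = bytearray(224)                                            # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)                           # Magic = PE32
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)      # ImageBase, Section/FileAlignment
    struct.pack_into("<II", opt, 56, 0x2000, IDATA_RAW)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, IDATA_RVA, 20 * (len(dlls) + 1))  # data dir 1 = imports
    sect = b".idata".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", 0x200, IDATA_RVA, 0x200, IDATA_RAW, 0, 0, 0, 0, 0xC0000040)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sect).ljust(IDATA_RAW, b"\0")
    return bytearray(headers + idata)


def _cstring(data, off):
    return bytes(data[off:data.index(b"\0", off)])


def _rva_to_offset(sections, rva):
    for va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def import_names(data):
    """Walk the import directory; return [(dll_name, file_offset_of_that_name)]."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    dirs = 96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112  # PE32 / PE32+
    if struct.unpack_from("<I", data, opt + dirs - 4)[0] < 2:
        return []
    imp_rva = struct.unpack_from("<I", data, opt + dirs + 8)[0]            # directory entry 1
    if imp_rva == 0:
        return []
    sections = []
    for i in range(nsect):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, raw, rawsize))
    found, off = [], _rva_to_offset(sections, imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if not (oft or name_rva or ft):
            break
        name_off = _rva_to_offset(sections, name_rva)
        found.append((_cstring(data, name_off), name_off))
        off += 20
    return found


def patch_kernel32_imports(data, evil=b"kerne132.dll"):
    """Replay the infection step on a bytearray image: overwrite every import name
    equal to kernel32.dll with kerne132.dll. Both are 12 bytes, so the write is in
    place and no RVA has to change. Case-insensitive matching is this example's
    assumption, not something verified against the sample. Returns the patch count."""
    if len(evil) != len(b"kernel32.dll"):
        raise ValueError("replacement must keep the string length")
    patched = 0
    for name, off in import_names(data):
        if name.lower() == b"kernel32.dll":
            data[off:off + len(evil)] = evil
            patched += 1
    return patched


KNOWN_DLLS = {b"kernel32.dll", b"user32.dll", b"ntdll.dll", b"advapi32.dll", b"ws2_32.dll"}
HOMOGLYPHS = bytes.maketrans(b"10", b"lo")   # digit look-alikes this example undoes (assumption)


def suspicious_imports(data):
    """Detection: import names that are not a known system DLL but become one once
    the look-alike digits are undone, e.g. kerne132.dll -> kernel32.dll."""
    hits = []
    for name, _ in import_names(data):
        low = name.lower()
        if low not in KNOWN_DLLS and low.translate(HOMOGLYPHS) in KNOWN_DLLS:
            hits.append(low)
    return hits


def scan_tree(root):
    """Map each .exe under root that has homoglyph-tampered imports to the offending names."""
    report = {}
    for path in Path(root).rglob("*.exe"):
        try:
            hits = suspicious_imports(bytearray(path.read_bytes()))
        except (ValueError, IndexError, struct.error):
            continue                                   # not a parsable PE, skip it
        if hits:
            report[str(path)] = hits
    return report
```

Running `patch_kernel32_imports` on the constructed image and then `suspicious_imports` on the result gives `[b'kerne132.dll']`, which is exactly the indicator to hunt for on a suspected host; `scan_tree("C:\\")` applies the same check to every .exe the malware could have reached. A production scanner would also cross-check against the file's digital signature or a known-good hash, since a homoglyph list can never be complete.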
That is all the malware does to the system. Let’s have a look at the outcome. Once you run the malware (with the required argument) you can watch the files it accesses as it searches for *.exe files.
After infection, if we have a look at a sample .exe on the system, we can see that where the application had an entry for ‘kernel32.dll’ in its import directory, it has been changed to ‘kerne132.dll’.
If we have a look at the newly created ‘kerne132.dll’ in the system32 directory, we can see that it now has forwarded exports pointing at the original ‘kernel32.dll’. The malware does not modify the original system DLL.
In conclusion, this malware changes the ‘kernel32.dll’ entry in the import directory of every exe it finds to ‘kerne132.dll’, a malicious DLL that acts as a forwarder to the original ‘kernel32.dll’ system DLL and so provides the same functionality. Every time an infected program starts, the loader loads the malicious DLL and calls its DllMain, and that is what gives the attacker the ability to run commands on the system through the ‘exec’ backdoor described above.
Malware analysis is fun; I learned a lot of things 🙂