Lab01-01 Analysis

In my leisure time I like reading the book Practical Malware Analysis and I thought of sharing my analysis of the practical sections. You can find detailed answers in the book as well.

  • Lab01-01.dll
  • Lab01-01.exe

Lab01-01.dll Analysis

If we have a look at the “Lab01-01.dll” file’s imports we can see that it uses network functions from “ws2_32.dll”. We can suspect that this file is responsible for network communication with the attacker.

But if we have a look at the exports section we see nothing, which is strange: a DLL normally exists to export functions for other programs to call, so a DLL with no exports must do its work from DllMain alone.

In DllMain we can see a ‘CommandLine’ parameter, which suggests that this DLL takes a command line from the attacker.

The DLL creates a mutex named “SADFHUHF” to prevent multiple instances from running at the same time.

It then connects to “” on port 80, the attacker’s host.

We can see that it sends the text “hello” to the attacker to signal that the system is infected.

If the malware receives the command “sleep” it sleeps for 393216 milliseconds (0x60000, roughly six and a half minutes).

If the malware receives ‘exec’ it executes a program with the CreateProcess API. The attacker sends a string of the form ‘exec PathOfProgram’, and the ‘PathOfProgram’ part, the ‘CommandLine’, is what gets pushed to CreateProcess.

Lab01-01.exe Analysis

We can see this string passed as an argument. This has been done on purpose: if we accidentally open this file we will get infected, so without this parameter the malware won’t execute.



At the start we can see that the malware opens “kernel32.dll” for reading and maps it with APIs such as ‘CreateFileMapping’ and ‘MapViewOfFile’; it reads “Lab01-01.dll” the same way.


After a lot of logic we can see that “Lab01-01.dll” is copied to the “C:\windows\system32\” directory as “kerne132.dll”. Notice the ‘1’ (digit one) in place of the ‘l’ (lowercase L); in most fonts the two names look identical.


At a high level, without going into every detail of the code, the malware builds an export table for “Lab01-01.dll” that lists all the exported functions of “kernel32.dll”, each as a forwarder entry pointing at the real “kernel32.dll”, and writes the result into the system32 directory as “kerne132.dll”. The file therefore acts as a DLL forwarder: any program that loads it still gets the genuine kernel32 functions, while the malicious DllMain runs as the DLL is loaded.

After that we can see that “C:\*”, a wildcard, is passed to the function at 004011E0.


If we check the function at 004011E0 we can see calls to the ‘FindFirstFile’ and ‘FindNextFile’ APIs.


The function contains a lot of logic, but basically it walks the whole “C:\” file system looking for “.exe” files.


Once it finds an exe it passes it to another function, 004010A0. Here we again see ‘CreateFile’, ‘CreateFileMapping’ and ‘MapViewOfFile’, which map the exe into memory so that it can be modified in place.


Next the malware searches for the string “kernel32.dll” in the import directory of the mapped exe and replaces it with “kerne132.dll”. Because both names are exactly 12 characters, the overwrite fits in place and nothing else in the file has to move. In this code ‘REPNE SCAS BYTE PTR ES:[EDI]’ is equivalent to a strlen and ‘REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]’ is equivalent to a memcpy.


That is everything the malware does to the system. Let’s have a look at the outcome. Once you run this malware you can see from the files it accesses that it enumerates the disk looking for *.exe files.


After infection, if we have a look at a sample .exe on the system, we can see that if the application had an entry for ‘kernel32.dll’ in its import directory it has been changed to ‘kerne132.dll’.


If we have a look at the newly created ‘kerne132.dll’ in the system32 directory you can see that it now has forwarded exports, each pointing to the corresponding function in the original ‘kernel32.dll’. The malware does not change the original system DLL.


In conclusion, this malware changes the ‘kernel32.dll’ entry in the import directory of every exe it finds on the C: drive to ‘kerne132.dll’, a malicious DLL that acts as a forwarder to the original ‘kernel32.dll’ system DLL and so provides the same functionality. Every time an infected program starts, the loader loads the malicious DLL and runs its DllMain, which gives the attacker a way to run commands on the system. The file “C:\windows\system32\kerne132.dll” and the mutex “SADFHUHF” are the host-based indicators to hunt for.
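To make the import-table tampering and its detection concrete, here is an added Python example; it is not code from the book or from this blog post. It builds a constructed header-only PE32 file (no real code in it), walks the IMAGE_IMPORT_DESCRIPTOR table exactly as a triage script would, performs the same same-length in-place rename of “kernel32.dll” to “kerne132.dll” that the lab does on the constructed data, and then flags the result. The look-alike check goes a little beyond the lab by normalising digit-for-letter swaps (‘1’ for ‘l’, ‘0’ for ‘o’) against a small, assumed list of system DLL names, so it would also catch variants of the same trick.

```python
import struct

# Added example, not the lab's own code: a minimal PE import-directory walker
# that flags look-alike system DLL names such as "kerne132.dll".
SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "ws2_32.dll"}  # assumed list
CONFUSABLES = str.maketrans({"1": "l", "0": "o"})  # digits that mimic letters in a filename


def _cstring(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii", "replace")


def _import_name_offsets(data):
    """Return [(file_offset, dll_name)] for every IMAGE_IMPORT_DESCRIPTOR in the file."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # SizeOfOptionalHeader
    opt = pe + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)             # data directories, PE32 vs PE32+
    imp_rva = struct.unpack_from("<I", data, dirs + 8)[0]    # directory entry 1 = imports
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, opt + opt_size + i * 40 + 8)
        sections.append((va, max(vsize, raw_size), raw_ptr))

    def rva2off(rva):
        for va, size, raw_ptr in sections:
            if va <= rva < va + size:
                return rva - va + raw_ptr
        raise ValueError("RVA %#x not inside any section" % rva)

    out = []
    if imp_rva == 0:
        return out
    off = rva2off(imp_rva)
    while any(struct.unpack_from("<IIIII", data, off)):      # an all-zero descriptor ends the table
        name_off = rva2off(struct.unpack_from("<I", data, off + 12)[0])  # Name field
        out.append((name_off, _cstring(data, name_off)))
        off += 20
    return out


def imported_dlls(data):
    return [name for _, name in _import_name_offsets(data)]


def lookalike_target(name):
    """Return the system DLL this import name mimics, or None if it looks clean."""
    low = name.lower()
    if low in SYSTEM_DLLS:
        return None
    norm = low.translate(CONFUSABLES)
    return norm if norm in SYSTEM_DLLS else None


def scan_pe(data):
    """IOC check: [(imported_name, mimicked_dll)] for every suspicious import."""
    hits = [(n, lookalike_target(n)) for n in imported_dlls(data)]
    return [(n, t) for n, t in hits if t]


def rename_import(data, old, new):
    """Reproduce the lab's trick on test data: overwrite the DLL name string in place.
    Old and new must be the same length, which is why 'l' -> '1' needs no other change."""
    assert len(old) == len(new)
    buf = bytearray(data)
    for off, name in _import_name_offsets(data):
        if name.lower() == old:
            buf[off:off + len(new)] = new.encode()
    return bytes(buf)


def build_sample_pe(dll_names):
    """Construct a header-only PE32 file (constructed test data, no code) whose import
    directory names `dll_names`: one .idata section at RVA 0x1000 / file offset 0x200."""
    sec_va, sec_raw = 0x1000, 0x200
    descs_len = 20 * (len(dll_names) + 1)                     # descriptors + terminator
    names, name_rvas = bytearray(), []
    for n in dll_names:
        name_rvas.append(sec_va + descs_len + len(names))
        names += n.encode() + b"\x00"
    thunk_rva = sec_va + descs_len + len(names)               # one zero dword = empty thunk list
    descs = b"".join(struct.pack("<IIIII", thunk_rva, 0, 0, r, thunk_rva) for r in name_rvas)
    section = descs + b"\x00" * 20 + bytes(names) + b"\x00" * 4
    raw_size = (len(section) + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # i386, one section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, alignments
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8, sec_va, descs_len)   # import directory entry
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata\0\0", len(section), sec_va,
                          raw_size, sec_raw, 0, 0, 0, 0, 0x40000040)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sec_hdr).ljust(sec_raw, b"\x00")
    return headers + section.ljust(raw_size, b"\x00")


if __name__ == "__main__":
    clean = build_sample_pe(["kernel32.dll", "ws2_32.dll"])
    infected = rename_import(clean, "kernel32.dll", "kerne132.dll")
    print("clean   :", imported_dlls(clean), scan_pe(clean))
    print("infected:", imported_dlls(infected), scan_pe(infected))
```

Pointing scan_pe at real files on an infected disk is the same loop the malware runs in reverse: walk the drive, map each exe, read the import names. The file length does not change after rename_import, which is the reason the lab can patch binaries with a bare memcpy instead of rebuilding the import table.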

Malware analysis is fun, learned a lot of things 🙂
