Skip to content

Latest commit

 

History

History
111 lines (69 loc) · 2.7 KB

lab-01-1.md

File metadata and controls

111 lines (69 loc) · 2.7 KB

This post is part of the series of Practical Malware Analysis Exercises.

1) VirusTotal Detections?

Lab01-01.dll

Only one detection, by Commtouch.

  • MD5: 290934c61de9176ad682ffdd65f0a669
  • SHA256: f50e42c8dfaab649bde0398867e930b86c2a599e8db83b8260393082268f2dba
  • File name: Lab01-01.dll
  • Detection ratio: 1 / 47
  • Analysis date: 2013-11-11 23:33:30 UTC ( 1 day, 6 hours ago )

Lab01-01.exe

No detections.

  • MD5: bb7425b82141a1c0f7d60e5106676bb1
  • SHA256: 58898bd42c5bd3bf9b1389f0eee5b39cd59180e8370eb9ea838a0b327bd6fe47
  • File name: Mal01-01.exe
  • Detection ratio: 0 / 47
  • Analysis date: 2013-11-12 12:44:14 UTC ( 17 hours, 39 minutes ago )

2) Compilation Date?

  • Lab01-01.dll:    2010/12/19
  • Lab01-01.exe:    2010/12/19

3) Packed/Obfuscated?

  • Lab01-01.dll:    No indication
  • Lab01-01.exe:    No indication

4) Import Hints?

Imports suggest that the program searches for and copies files, creates processes, and operates over a network. Need more information beyond imports to determine what it does over the network.

Lab01-01.dll

KERNEL32.dll

  • CreateMutexA()
  • CreateProcessA()
  • Sleep()

MSVCRT.dll

  • strncmp()

WS2_32.dll

  • All of these were imported by ordinal

Lab01-01.exe

KERNEL32.dll

  • CopyFileA
  • FindFirstFileA()
  • FindNextFileA()

5) Host Based Indicators?

  1. Existence of kerne132.dll with a 1 instead of an l
  2. The stringWARNING_THIS_WILL_DESTROY_YOUR_MACHINE
  3. The string 127.26.152.13
  4. The strings exec," sleep," hello (commands?)

Lab01-01.dll strings:

000000026018   000010026018      0   sleep
000000026020   000010026020      0   hello
000000026028   000010026028      0   127.26.152.13
000000026038   000010026038      0   SADFHUHF

Lab01-01.exe strings:

000000003010   000000403010      0   kerne132.dll
000000003020   000000403020      0   kernel32.dll
00000000304C   00000040304C      0   C:\windows\system32\kerne132.dll
000000003070   000000403070      0   Kernel32.
00000000307C   00000040307C      0   Lab01-01.dll
00000000308C   00000040308C      0   C:\Windows\System32\Kernel32.dll
000000003010   000000403010      0   kerne132.dll
000000003020   000000403020      0   kernel32.dll
0000000030B0   0000004030B0      0   WARNING_THIS_WILL_DESTROY_YOUR_MACHINE

6) Network Based Indicators?

Communication with 127.26.152.13.

7) Suggested Purpose?

Copies a network enabled DLL to kerne132.dll." Backdoor that calls home to 127.26.152.13, allowing execution of commands hello," sleep," and exec." Attacker can tell the program to sleep, or execute commands on the infected system.