/PractialMalwareAnalysis-labs

I will use this repo to track my progress with the labs in the book.

Practical Malware Analysis Lab Notes

Lab 1-1

Use Lab01-01.exe and Lab01-01.dll for this exercise

  1. Upload the files to VirusTotal.com. Do the files have any existing AV signatures?

Yes.

  2. When were these files compiled?

Lab01-01.exe: 12/19/2019 Sun 16:16:19 UTC

Lab01-01.dll: 12/19/2019 Sun 16:16:38 UTC

Both can be found in PEview under IMAGE_NT_HEADERS --> IMAGE_FILE_HEADER --> Time Date Stamp.

  3. Are there any indicators that any of these files are packed or obfuscated? If so, what are these indicators?

Lab01-01.exe: According to PEiD, it is not packed. The section sizes (virtual vs. raw) are not too far apart.

Lab01-01.dll: According to PEiD, it is not packed. The section sizes are not too far apart either.

Both files have very few imports, but that makes sense given the sizes of the files.

  4. Do any imports hint at what this malware does? If so, which imports are they?

Lab01-01.exe: It imports kernel32.dll, which is highly privileged and unsafe. The string kerne132.dll (notice the typo) and imports such as CopyFileA and FindFirstFileA indicate that it interacts with the filesystem in some way.

Lab01-01.dll: Imports ws2_32.dll, which suggests low-level network interaction via sockets. There is a hard-coded IP address string, 127.26.152.13. It also allows the main .exe to create new processes.

  5. Are there any other files or host-based indicators that you could look for on infected systems?

Any connections to the IP 127.26.152.13; look for kerne132.dll on the system.

  6. What network-based indicators could be used to find this malware on infected systems?

Any connections to the IP 127.26.152.13.

  7. What would you guess is the purpose of these files?

Data exfiltration/backdoor.

Lab 1-2

Work with Lab01-02.exe

  1. Upload the file to Virus Total. What are the results?

Identified as malware.

  2. Are there any indicators that the file is packed or obfuscated? Unpack it if possible.

Very possibly packed, probably with UPX (according to PEiD, PE Detective, and Detect-It-Easy).

Unpacking it via UPX seems to work.

  3. Do any of the imports hint at this program's functionality? If so, which imports are they and what do they tell you?

wininet.dll suggests high-level network interaction (e.g. FTP). ADVAPI32.dll shows that the program is able to create and manage services (CreateServiceA), possibly as a means of persistence.

Gets file names via the GetModuleFileName function.

References the URL http://malwareanalysisbook, in addition to the wininet.dll function InternetOpenUrl.

  4. What host- or network-based indicators could be used to identify this malware on infected machines?

Network activity, possibly HTTP, from the binary. The creation of a bogus service with the name MalService. Opening Internet Explorer 8.0 with the aforementioned URL.

Lab 1-3

Work with Lab01-03.exe

  1. Upload the file to Virus Total. What do you see?

Yep, definitely malware.

  2. Are there any indicators that the file is packed or obfuscated? Unpack it if possible.

Very likely packed, but this time it is definitely not UPX. Very few imports: only LoadLibraryA and GetProcAddress, which is a major indicator that a packer is involved.

  3. Do any of the imports hint at this program's functionality? If so, which imports are they and what do they tell you?

The imports don't tell me anything, except that it is a packed binary.

  4. What host- or network-based indicators could be used to identify this malware on infected machines?

Very hard to tell without further (i.e. dynamic) analysis.

Lab 1-4

Work with Lab01-04.exe

  1. Upload to VirusTotal. What do the results show?

Oh no, it's malware.

  2. Are there any indicators that the file is packed or obfuscated? Unpack it if possible.

PEiD says it's not packed. No big difference between virtual size and raw data size.
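Everything PEview and PEiD were used for above (the compile timestamp in Lab 1-1, the virtual-size vs. raw-size comparison in Labs 1-1 and 1-4, and the "only LoadLibraryA and GetProcAddress" import table in Lab 1-3) comes straight from the PE headers, and reading them yourself makes the indicators concrete. The script below is an example added to these notes; it is not code from the book and it does not touch the lab binaries. It parses the DOS/NT headers, the section table and the import directory with only the standard library and reports the packing indicators. The two images it analyses are built in-script by build_sample_pe from made-up data (the timestamp, the UPX1 section name, the import lists), and the thresholds (virtual size more than 2x the raw size, at most 4 distinct imports) and the PACKER_SECTION_PREFIXES list are my own assumptions, not figures from the book.

```python
"""PE static triage with the standard library only: compile timestamp, section-size disparity,
packer section names and a minimal import table. Example added to these lab notes (not book code)."""
import struct
from datetime import datetime, timezone

PACKER_SECTION_PREFIXES = ("UPX",)   # assumption: extend with other packers' section names

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_pe(data):
    """Return compile time, section table and imports of a PE32/PE32+ image (bytes)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER (20 bytes)
    _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                       # IMAGE_OPTIONAL_HEADER
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    # DataDirectory starts at optional-header offset 96 (PE32) / 112 (PE32+); entry 1 = imports
    imp_rva = struct.unpack_from("<I", data, opt + (112 if pe32plus else 96) + 8)[0]
    sections = []
    for i in range(nsec):                               # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "virtual_size": vsize,
                         "rva": va, "raw_size": rawsize, "raw_ptr": rawptr})

    def rva_to_off(rva):                                # map an RVA to a file offset via the section table
        for s in sections:
            if s["rva"] <= rva < s["rva"] + max(s["virtual_size"], s["raw_size"]):
                return rva - s["rva"] + s["raw_ptr"]
        raise ValueError(f"RVA {rva:#x} is not inside any section")

    imports, off = {}, (rva_to_off(imp_rva) if imp_rva else None)
    width, ord_flag, fmt = (8, 1 << 63, "<Q") if pe32plus else (4, 1 << 31, "<I")
    while off is not None:                              # walk the IMAGE_IMPORT_DESCRIPTOR array
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0:
            break
        funcs, thunk = [], rva_to_off(oft or ft)
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:   # walk the thunk array
            funcs.append(f"#{entry & 0xFFFF}" if entry & ord_flag else _cstr(data, rva_to_off(entry) + 2))
            thunk += width
        imports[_cstr(data, rva_to_off(name_rva))] = funcs
        off += 20
    return {"compiled": datetime.fromtimestamp(stamp, timezone.utc), "sections": sections, "imports": imports}

def triage(data):
    """Apply the packing indicators from the notes; the 2x and 4-import thresholds are my own."""
    info, findings = parse_pe(data), []
    for s in info["sections"]:
        if s["name"].upper().startswith(PACKER_SECTION_PREFIXES):
            findings.append(f"section {s['name']!r} carries a known packer name")
        if s["raw_size"] == 0 or s["virtual_size"] > 2 * s["raw_size"]:   # filled in at run time
            findings.append(f"section {s['name']!r}: virtual {s['virtual_size']:#x} vs raw {s['raw_size']:#x}")
    names = {f for funcs in info["imports"].values() for f in funcs}
    if len(names) <= 4 and names & {"LoadLibraryA", "GetProcAddress"}:
        findings.append("import table is little more than LoadLibraryA/GetProcAddress (packer stub)")
    info["findings"], info["likely_packed"] = findings, bool(findings)
    return info

def build_sample_pe(imports, timestamp, virtual_size, section_name=b".text"):
    """Construct a minimal PE32 image with one section holding an import table (sample input only)."""
    sec_rva, sec_raw = 0x1000, 0x200
    dlls = list(imports.items())
    blob, thunks = bytearray((len(dlls) + 1) * 20), []   # descriptors + null terminator
    for _, funcs in dlls:
        thunks.append(len(blob))
        blob += bytes((len(funcs) + 1) * 4)             # thunk array + null terminator
    for i, (dll, funcs) in enumerate(dlls):
        name_rel = len(blob)
        blob += dll + b"\0"
        for j, func in enumerate(funcs):
            struct.pack_into("<I", blob, thunks[i] + 4 * j, sec_rva + len(blob))
            blob += b"\0\0" + func + b"\0"              # IMAGE_IMPORT_BY_NAME: hint, name
        struct.pack_into("<IIIII", blob, 20 * i, sec_rva + thunks[i], 0, 0, sec_rva + name_rel, sec_rva + thunks[i])
    raw = bytes(blob).ljust(-(-len(blob) // sec_raw) * sec_raw, b"\0")
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, sec_rva, len(blob))   # DataDirectory[1] = import table
    sec = struct.pack("<8sIIIIIIHHI", section_name.ljust(8, b"\0"), virtual_size, sec_rva,
                      len(raw), sec_raw, 0, 0, 0, 0, 0x60000020)
    return bytes((dos + b"PE\0\0" + file_hdr + opt + sec).ljust(sec_raw, b"\0") + raw)

# Constructed samples: an unpacked-looking image, and a UPX-like stub with a bloated section
CLEAN_SAMPLE = build_sample_pe({b"KERNEL32.dll": [b"CopyFileA", b"FindFirstFileA", b"CreateFileA",
                                                  b"CloseHandle", b"WriteFile"],
                                b"WS2_32.dll": [b"socket", b"connect"]}, 1576772179, 0x200)
PACKED_SAMPLE = build_sample_pe({b"KERNEL32.dll": [b"LoadLibraryA", b"GetProcAddress"]}, 1576772179, 0x40000, b"UPX1")

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_SAMPLE), ("packed", PACKED_SAMPLE)):
        r = triage(sample)
        print(label, r["compiled"].isoformat(), r["imports"], r["findings"], sep="\n  ")
```

Run it against a real file with triage(open(path, "rb").read()). The raw_size == 0 branch is deliberate: UPX-style packers commonly give the section that gets unpacked into at run time a raw size of zero, which a plain ratio check would either miss or divide by.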

  3. When was this program compiled?

Pretty recently... but considering when the book was published, the compile timestamp has been spoofed.

  4. Do any of the imports hint at this program's functionality? If so, which imports are they and what do they tell you?

It loads other DLLs at run time, given the presence of GetProcAddress and LoadLibraryA. It moves files with MoveFileA. FindResourceA indicates that it might pull from the .rsrc section. urlmon.dll looks interesting.

  5. What host- or network-based indicators could be used to identify this malware on infected machines?

A strings output shows the URL http://www.practicalmalwareanalysis.com/updater.exe

It downloads a fake "updater" and pretends to be winup.exe/wupdmgr.exe, hence the use of the temporary folder.
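Several of the indicators above came from a strings listing: the hard-coded IP 127.26.152.13 and the typo-squatted kerne132.dll in Lab 1-1, and the updater.exe URL in Lab 1-4. The script below is an example added to these notes (not code from the book or from the lab binaries) that automates that step: it extracts ASCII and UTF-16LE strings, validates IPv4 candidates, picks out URLs, and flags DLL names that differ from a legitimate system DLL by a single character. The SAMPLE blob is constructed in the script from the strings quoted in these notes plus a few decoys (an out-of-range 999.1.2.3 and a version-like 1.0.2); SYSTEM_DLLS is a short allow-list I chose, not an exhaustive one.

```python
"""Strings-based indicator triage: pull ASCII and UTF-16LE strings out of a file and sort them into
network indicators (IPv4, URLs) and host indicators (DLL names, look-alikes of system DLLs).
Example added to these lab notes; not code from the book or from the lab binaries."""
import re

# Assumption: a short allow-list of legitimate Windows DLL names to compare against
SYSTEM_DLLS = ("kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll", "ws2_32.dll", "wininet.dll", "urlmon.dll")
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")                # printable ASCII, 4+ chars (like `strings`)
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")         # UTF-16LE runs, which `strings` misses by default
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
URL = re.compile(r"^(?:https?|ftp)://\S+$", re.IGNORECASE)

def extract_strings(data):
    """Return printable runs in file order: ASCII first, then UTF-16LE ("wide") strings."""
    ascii_strs = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    wide_strs = [m.group().decode("utf-16le") for m in WIDE_RUN.finditer(data)]
    return ascii_strs + wide_strs

def is_ipv4(s):
    """Dotted-quad check that also rejects out-of-range octets such as 999.1.2.3."""
    return bool(IPV4.match(s)) and all(int(octet) <= 255 for octet in s.split("."))

def lookalike_of(name):
    """Return the system DLL that `name` mimics by a single substituted character (kerne132 vs kernel32)."""
    low = name.lower()
    for dll in SYSTEM_DLLS:
        if len(dll) == len(low) and dll != low and sum(a != b for a, b in zip(dll, low)) == 1:
            return dll
    return None

def classify(strings):
    """Bucket strings into indicator types; everything else (API names, junk) is dropped."""
    out = {"ipv4": [], "url": [], "dll": [], "dll_lookalike": []}
    for s in strings:
        if is_ipv4(s):
            out["ipv4"].append(s)
        elif URL.match(s):
            out["url"].append(s)
        elif s.lower().endswith(".dll"):
            target = lookalike_of(s)
            if target:
                out["dll_lookalike"].append(f"{s} (mimics {target})")
            else:
                out["dll"].append(s)
    return out

def indicators(data):
    """Full pipeline: raw bytes in, indicator buckets out."""
    return classify(extract_strings(data))

# Constructed sample blob standing in for a binary: ASCII strings with single-NUL terminators,
# then a UTF-16LE URL separated by a double NUL so the wide-string scan starts cleanly.
SAMPLE = (b"MZ\x90\x00\x03\x00" + b"kernel32.dll\x00CopyFileA\x00FindFirstFileA\x00kerne132.dll\x00"
          + b"127.26.152.13\x00999.1.2.3\x001.0.2\x00ws2_32.dll\x00\x00"
          + "http://www.practicalmalwareanalysis.com/updater.exe".encode("utf-16le") + b"\x00\x00")

if __name__ == "__main__":
    for kind, values in indicators(SAMPLE).items():
        print(f"{kind:14} {values}")
```

The wide-string pass matters for Windows samples because URLs and service names are often stored as UTF-16LE, where a plain strings run only shows isolated letters; the single-character comparison is intentionally narrow so that genuine DLL names (ws2_32.dll next to user32.dll, for instance) are not reported as look-alikes.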