My Journey so far with Malware
Over the past week I have fallen in love with malware and have started reading this awesome book by Michael Sikorski and Andrew Honig.
First I decided to cover a significant part of the theory and only then take up the labs. But I usually have college classes during the day and don't get time except on weekends. So today I decided I'm gonna pull off an all-nighter and walk through one of the labs. In this article I will cover Lab 5-1, in which we dissect a .dll malware sample using IDA Pro.
Binary samples are available here.
Analyze the malware found in the file Lab05–01.dll using only IDA Pro. The
goal of this lab is to give you hands-on experience with IDA Pro. If you’ve
already worked with IDA Pro, you may choose to ignore these questions and
focus on reverse-engineering the malware.
1. What is the address of dllMain?
DllMain is an optional entry-point function of a dynamic-link library (DLL). When the system starts or terminates a process or thread, it calls the entry-point function of each loaded DLL using the first thread of the process.
We use the Functions window's Quick Filter and search for the keyword 'Main', which gives us the DllMain function.
We can see that DllMain is at 0x1000CF30, in the .text section.
2. Use the Imports window to browse to gethostbyname. Where is the import located?
The gethostbyname function imported from the WS2_32 library retrieves host information corresponding to a hostname from a host database.
The import is located at the address 0x100163CC in the .idata section.
3. How many functions call gethostbyname?
To get the cross-references to gethostbyname we select the function and press Ctrl+X.
We have 9 calls to gethostbyname after filtering duplicate call entries differing in type.
4. Focusing on the call to gethostbyname located at 0x10001757, can you figure out which DNS request will be made?
The DNS request made will be:
pics.praticalmalwareanalysis.com
If we look at the instruction at 0x1000174E, it loads eax with the address of the string "[THIS IS RDO]pics.praticalmalwareanalysis.com", which sits in memory at 0x10019040.
The next instruction adds 13 to that character pointer, so it now points at the actual domain string, pics.praticalmalwareanalysis.com.
5. How many local variables has IDA Pro recognized for the subroutine at 0x10001656?
Since the stack grows towards lower memory addresses, local variables sit below the frame base, so we count all the variables IDA lists with a negative offset.
23 local variables.
6. How many parameters has IDA Pro recognized for the subroutine at 0x10001656?
Only 1, the single entry with a positive offset.
7. Use the Strings window to locate the string "\cmd.exe /c" in the disassembly. Where is it located?
The given string is located at 0x10095B34 in the xdoors_d section.
8. What is happening in the area of code that references \cmd.exe /c?
The command "cmd.exe /c [Command]" runs the given command in a command shell and then terminates the shell.
The CommandLine variable is used to create a process, with the Destination string appended to it. This means the attacker wants to connect to the host and send commands that are executed in cmd.exe, leading to remote command execution.
The call to the recv function suggests that the host is waiting for commands from the attacker machine.
9. In the same area, at 0x100101C8, it looks like dword_1008E5C4 is a global variable that helps decide which path to take. How does the malware set dword_1008E5C4? (Hint: Use dword_1008E5C4’s cross-references.)
Following the MSDN Win32 API documentation (link here), we see that the global variable dword_1008E5C4 is set by the function at 0x10003695.
There, VersionInformation.dwPlatformId is compared to 2 (VER_PLATFORM_WIN32_NT); if equal, the global variable is set to 1.
This implies the OS must be one of Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, Windows XP, or Windows 2000.
10. A few hundred lines into the subroutine at 0x1000FF58, a series of comparisons use memcmp to compare strings. What happens if the string comparison to robotwork is successful (when memcmp returns 0)?
The function at 0x100052A2 is executed when the string comparison to robotwork is successful.
The registry key "SOFTWARE\Microsoft\Windows\CurrentVersion" is opened.
The registry value "WorkTime" is queried. If it is found, the result is sent to the attacker machine via the send function; otherwise the registry value "WorkTimes" is queried and sent via the same function.
Finally, RegCloseKey closes the handle to the registry key.
To summarize, the registry values "SOFTWARE\Microsoft\Windows\CurrentVersion\WorkTime" and "SOFTWARE\Microsoft\Windows\CurrentVersion\WorkTimes" are queried and the results (integer values) are sent over the network via the send function.
11. What does the export PSLIST do?
First PSLIST checks that the OS platform ID is VER_PLATFORM_WIN32_NT and then that the Windows version is at least Windows XP.
Next it checks whether a string argument 'Str' was passed, using strlen(Str) != 0. The Str argument is expected to be a process name.
If the 'Str' argument is present:
The function takes a snapshot of the specified process, as well as the heaps, modules and threads used by it, via CreateToolhelp32Snapshot, and sends the process ID, process name and all other information about the process obtained with Process32First() on the host machine to the attacker via the send function.
Now suppose the 'Str' argument is not present:
It again takes a snapshot of all running processes and sends the process information out over the network.
12. Use the graph mode to graph the cross-references from sub_10004E79.
Which API functions could be called by entering this function? Based on
the API functions alone, what could you rename this function?
We use the "Xrefs from" graph option on sub_10004E79 and get:
The functions GetSystemDefaultLangID, Send Data and others are called, which suggests that the function retrieves the system's default language and sends this information across the network.
Renamed to: SendSystemLanguage
13. How many Windows API functions does DLLMain call directly? How many at a depth of 2?
Using the graph feature "User xrefs chart" we can see which functions are called directly by DllMain.
The functions strncpy, strnicmp, strlen and CreateThread are called directly, whereas at a depth of 2 various other functions are called.
14. At 0x10001358, there is a call to Sleep (an API function that takes one parameter containing the number of milliseconds to sleep). Looking backward through the code, how long will the program sleep if this code executes?
Initially eax points to the string "[This is CTI]30" in memory. Then 13 (0xD) is added to it, which makes it point to "30". The atoi function converts that string to an integer, which is then multiplied by 1000. So eax now contains 30000, which is passed to the Sleep function as a number of milliseconds. Thus the program will sleep for 30 seconds.
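Questions 4 and 14 show the same convention: a configuration string carries a 13-byte bracketed tag ("[This is RDO]", "[This is CTI]") and the code skips past it with pointer + 13 before using the payload. The following Python is an added example, not code from the book or the lab, that reproduces that handling on constructed copies of the two strings quoted above. It also reimplements C's atoi semantics (leading whitespace, optional sign, digits until the first non-digit, 0 if none), since that is what determines the Sleep value if the payload is ever malformed; the tag format check is an assumption added here, the binary itself does no validation.

```python
TAG_LEN = 13  # length of the "[This is XXX]" prefix seen in both lab strings

def atoi(text):
    """C-style atoi: skip leading whitespace, accept an optional sign, then
    consume decimal digits until the first non-digit. Returns 0 if no digits."""
    i = 0
    while i < len(text) and text[i] in " \t\n\r\v\f":
        i += 1
    sign = 1
    if i < len(text) and text[i] in "+-":
        sign = -1 if text[i] == "-" else 1
        i += 1
    start = i
    while i < len(text) and "0" <= text[i] <= "9":
        i += 1
    return sign * int(text[start:i]) if i > start else 0

def strip_tag(s):
    """Split '[This is XXX]payload' into (tag, payload), mirroring the
    `add eax, 0Dh` that moves the pointer past the tag. The bracket check is
    an added sanity check (assumption), so a string without the tag fails
    loudly instead of silently dropping its first 13 characters."""
    if len(s) < TAG_LEN or s[0] != "[" or s[TAG_LEN - 1] != "]":
        raise ValueError("missing 13-byte bracketed tag: %r" % s)
    return s[1:TAG_LEN - 1], s[TAG_LEN:]

def dns_name(s):
    """Question 4: the hostname handed to gethostbyname is the payload."""
    return strip_tag(s)[1]

def sleep_ms(s):
    """Question 14: skip the tag, atoi the payload, multiply by 1000."""
    return atoi(strip_tag(s)[1]) * 1000

# Constructed sample strings, copied from the disassembly quoted above.
RDO_STRING = "[This is RDO]pics.praticalmalwareanalysis.com"
CTI_STRING = "[This is CTI]30"

if __name__ == "__main__":
    print(dns_name(RDO_STRING))                  # pics.praticalmalwareanalysis.com
    print(sleep_ms(CTI_STRING), "ms")            # 30000 ms
```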
15. At 0x10001701 is a call to socket. What are the three parameters?
The socket function creates a socket that is bound to a specific transport service provider. According to the MSDN documentation, its syntax is:
SOCKET WSAAPI socket( int af,int type,int protocol );
Navigating to 0x10001701 we see three parameters pushed onto the stack.
- af → 2 (AF_INET), i.e. the IPv4 address family
- type → 1 (SOCK_STREAM)
- protocol → 6 (IPPROTO_TCP)
16. Using the MSDN page for socket and the named symbolic constants functionality in IDA Pro, can you make the parameters more meaningful? What are the parameters after you apply changes?
17. Search for usage of the in instruction (opcode 0xED). This instruction is used with a magic string "VMXh" to perform VMware detection. Is that in use in this malware? Using the cross-references to the function that executes the in instruction, is there further evidence of VMware detection?
We searched for the byte sequence 'ED' and came across this:
Opening up the subroutine, we find interesting code related to 'VMXh', i.e. VMware detection.
If we check the cross-references to sub_10006196, we see that three export functions, InstallRT, InstallSA and InstallSB, call this VMware detection function. We see that the 'VMXh' magic value is moved into EAX, so indeed, this malware uses VMware detection.
18. Jump your cursor to 0x1001D988. What do you find?
We see a bunch of gibberish characters.
19. If you have the IDA Python plug-in installed (included with the commercial version of IDA Pro), run Lab05-01.py, an IDA Pro Python script provided with the malware for this book. (Make sure the cursor is at 0x1001D988.) What happens after you run the script?
After the script is run we are able to view some legible words.
20. With the cursor in the same location, how do you turn this data into a single ASCII string?
By pressing the 'A' key.
21. Open the script with a text editor. How does it work?
    sea = ScreenEA()                  # address under the cursor (0x1001D988 here)
    for i in range(0x00, 0x50):       # walk the next 80 bytes
        b = Byte(sea + i)             # read one byte from the IDA database
        decoded_byte = b ^ 0x55       # XOR it with the single-byte key 0x55
        PatchByte(sea + i, decoded_byte)  # write the result back into the database
ScreenEA() gets the segment's starting address, but the author says that it grabs the location of the cursor :)
Next it goes through 80 bytes and XORs each byte of the string with 0x55. Finally it calls PatchByte, which modifies what we see in IDA but does not modify the file on disk.
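The same decode loop can be run outside IDA on any byte buffer, which is handy when the key is unknown and you want to try candidates without patching the database. The Python below is an added example, not the book's script: it XORs the first 0x50 bytes with a key exactly as the script does, encodes a constructed sample string with 0x55 (XOR is its own inverse, so encoding and decoding are the same operation), decodes it back, and brute-forces the single-byte key by keeping only candidates whose output is printable ASCII. The sample text, the padding and the printable-output heuristic are assumptions of this example.

```python
KEY = 0x55      # key used by Lab05-01.py
LENGTH = 0x50   # number of bytes the script patches

def xor_bytes(data, key=KEY, length=LENGTH):
    """Same loop as the IDA script, applied to a bytes object instead of the
    database: XOR the first `length` bytes with `key`, leave the rest untouched."""
    out = bytearray(data)
    for i in range(min(length, len(out))):
        out[i] ^= key
    return bytes(out)

# Constructed sample: plaintext padded with NULs to 0x50 bytes, then encoded
# with the same key, standing in for the gibberish seen at 0x1001D988.
PLAINTEXT = b"constructed sample text for the xor decoder demo"
ENCODED = xor_bytes(PLAINTEXT.ljust(LENGTH, b"\x00"))

def decoded_text(encoded=ENCODED, key=KEY):
    """Decode and strip the NUL padding, giving the single ASCII string
    that pressing 'A' in IDA would display after the patch."""
    return xor_bytes(encoded, key).rstrip(b"\x00").decode("ascii")

def looks_like_text(buf):
    """Heuristic (assumption): every byte is NUL or printable ASCII."""
    return all(b == 0 or 0x20 <= b < 0x7F for b in buf)

def recover_key(encoded):
    """Brute-force the single-byte key: try all 256 values and return those
    whose output passes the printable heuristic. Short, letter-only inputs
    can leave more than one candidate, so the analyst still eyeballs them."""
    return [k for k in range(256) if looks_like_text(xor_bytes(encoded, k))]

if __name__ == "__main__":
    print(decoded_text())
    print("candidate keys:", [hex(k) for k in recover_key(ENCODED)])
```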
You just read frostbite. Hope you enjoyed it.