Practical Malware Analysis Lab 1-1

1. VirusTotal.com did not detect any exisiting antivirus signatures in the DLL or the EXE. I imagine that is because these are custom made files for this book, and not something that has been detected ‘in the wild.’

2. I am using a Kali machine, and had some trouble unpacking the lab files. I successfully unpacked from .7z to .exe, but something in Kali’s GUI can’t deal with self extracting .exes and the files that were extracted were all 0 bytes. This post helped me. I also needed to use the CLI version of PEView called pev. By running the command

readpe -A Lab01-01.dll

I was able to pick out the date/time stamp of December 19, 2010 at 16:16:19 UTC for the EXE file and December 19, 2010 at 16:16:38 for the DLL file. It is likely not a Delphi program based on this date. The two files were effectively created at the same time. (Unless the writer faked the compile times.)

3. I ran the command

pestr Lab01-01.dll

to view strings. Both the DLL file and EXE file contain a reasonable number of strings. Running the command

pepack Lab01-01.dll

for the EXE and DLL returned that the packer for both files was Microsoft Visual C++. I’m not sure that really counts as a packer/obfuscator. Based on the results of these commands, I don’t see any evidence of packing or obfuscation.

4. To look at the imports, I used command

readpe -i Lab01-01.dll

The DLL file imported processes from Kernel32.dll that indicate the program can open and manipulate processes (CreateProcessA.) It also imports the sleep function, which probably means the program’s execution is capable of being suspended. There are functions (listed by ordinal) that are from WS2_32.dll, which although not named, probably indicate the program has some degree of network functionality. The EXE file can create files (CreateFileA) and copy files (CopyFileA.) It can search through directories (FindNextFileA, FindFirstFileA).

5. I found two strings in the EXE that are noteworthy:

pestr Lab01-01.dll

WARNING_THIS_WILL_DESTROY_YOUR_MACHINE (duh), kerne132.dll, and C:\windows\system32\kerne132.dll. This erroneous spelling of kernel could be used to find the program in other locations. It probably was written like this to appear innocuous.

6. The DLL file has the IP address 127.26.152.13 appear as a string. It could be the origin or destination of some type of communication.

7. My best guess is some type of backdoor access. It gets into the machine, and opens up communication with an unintended party. Whether the intention is for reconnaissance or for remote file execution, I don’t know.

Leave a comment

Your email address will not be published.