MA assignment 4

The document analyzes various malicious Windows programs, detailing their persistence mechanisms, use of mutexes, detection signatures, and purposes. It highlights specific malware behaviors, such as creating services for persistence, using hardcoded mutex names, and executing denial-of-service attacks. The analysis also discusses challenges in removing such malware due to their ability to infect executable files and modify system components.

RAGHU ENGINEERING COLLEGE
Autonomous
(Approved by AICTE, New Delhi, Accredited by NBA (CIV, ECE, MECH, CSE), NAAC with ‘A+’ grade
& Permanently Affiliated to JNTU-GV Vizianagaram)
Dakamarri, Bheemunipatnam Mandal, Visakhapatnam Dist. – 531 162 (A.P.)

Lab- 4 (7-1)
Analysing Malicious Windows Programs

Q1. How does this program ensure that it continues running (achieves persistence) when the computer is restarted?

By examining the main function of this program, we can see a reference to the service name ‘MalService’, a call that
starts the Service Control Dispatcher with sub_401040 as the service control function, and an associated call to a subroutine.

Within this subroutine we can see references to opening the Service Control Manager (SC Manager) and evidence
of a service being created, which is what provides persistence across reboots.
Pg 1 22981A4615

Q2. Why does this program use a mutex?

The program uses a mutex to ensure that only one instance of it is running at any one time. It first attempts to open
a handle to the mutex ‘HGL345’; if this succeeds, an instance is already running and the program terminates. If not, it
creates a mutex with this name.

Q3. What is a good host-based signature to use for detecting this program?

This program can be detected by checking a host for the hardcoded mutex ‘HGL345’ or for any service with the
hardcoded name ‘MalService’.

Q4. What is a good network-based signature for detecting this malware?

By examining the looping function of this program, we can see that it uses the User Agent “Internet Explorer 8.0” and
communicates with the URL http://www.malwareanalysisbook.com. Both are network-based indicators that can be
used to identify execution of this program.
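As an added example (not part of the original lab report), the following Python script turns the host- and network-based indicators from Q3 and Q4 into detection logic: it parses a few constructed proxy-log lines and flags requests whose User-Agent is the hardcoded string or whose destination host is www.malwareanalysisbook.com, and it compares a host's mutex and service inventory against ‘HGL345’ and ‘MalService’. The log format, the sample lines and the function names are assumptions made for this example.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Indicators taken from the analysis of the program above.
MUTEX_NAME = "HGL345"            # kernel object names are compared case-sensitively
SERVICE_NAME = "MalService"      # service names are matched case-insensitively by the SCM
USER_AGENT = "Internet Explorer 8.0"
C2_HOST = "www.malwareanalysisbook.com"

# Constructed proxy-log format (an assumption for this example, not a real product's format):
#   <timestamp> <client-ip> <method> <url> <status> "<user-agent>"
LOG_LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: one matching both indicators, one benign request from a
# genuine IE 8 user agent, one matching only the bare user agent, and one malformed line.
SAMPLE_LOG = [
    '2024-03-12T10:01:22Z 10.0.0.5 GET http://www.malwareanalysisbook.com/ 200 "Internet Explorer 8.0"',
    '2024-03-12T10:01:23Z 10.0.0.7 GET http://www.example.org/index.html 200 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"',
    '2024-03-12T10:01:24Z 10.0.0.9 GET http://cdn.example.net/a.js 304 "Internet Explorer 8.0"',
    'garbage line that does not parse',
]


def parse_line(line: str) -> dict | None:
    """Split one log line into fields; return None for lines that do not match the format."""
    m = LOG_LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["host"] = (urlsplit(rec["url"]).hostname or "").lower()
    return rec


def detect_network(lines: list[str]) -> list[dict]:
    """Flag requests whose User-Agent or destination host matches the indicators."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        # Exact match on purpose: a real IE 8 request starts with "Mozilla/4.0 (compatible; MSIE 8.0",
        # so the literal "Internet Explorer 8.0" only appears because the malware hardcodes it.
        if rec["ua"] == USER_AGENT:
            reasons.append("user-agent")
        if rec["host"] == C2_HOST:
            reasons.append("host")
        if reasons:
            hits.append({"client": rec["client"], "url": rec["url"], "reasons": reasons})
    return hits


def match_host_artifacts(mutexes: list[str], services: list[str]) -> list[str]:
    """Compare a host's mutex and service inventory against the host-based indicators."""
    hits = []
    if MUTEX_NAME in mutexes:                                   # case-sensitive, like the kernel
        hits.append(f"mutex:{MUTEX_NAME}")
    if any(s.lower() == SERVICE_NAME.lower() for s in services):  # case-insensitive, like the SCM
        hits.append(f"service:{SERVICE_NAME}")
    return hits


if __name__ == "__main__":
    for hit in detect_network(SAMPLE_LOG):
        print(hit)
    print(match_host_artifacts(["HGL345", "Global\\SomeOther"], ["Spooler", "malservice"]))
```

Matching the User-Agent exactly is the point: a genuine Internet Explorer 8 request identifies itself as “Mozilla/4.0 (compatible; MSIE 8.0; …)”, so the bare string “Internet Explorer 8.0” is itself the anomaly, and pairing it with the destination host keeps a single hit on either indicator from being dismissed as coincidence.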

Q5. What is the purpose of this program?

By examining the program’s execution after it creates the service for persistence, we can see that it sets up a timer that checks
for the year 2100 (834h), i.e. midnight on January 1st 2100. At that time it creates 20 (14h) threads, each of which
executes the subroutine pointed to by ‘StartAddress’.

This routine attempts to open the URL http://www.malwareanalysisbook.com, which leads us to believe that this is some sort
of Denial of Service (DoS) program; when multiple machines are set up this way, the result is a DDoS against
http://www.malwareanalysisbook.com.

Q6. When will this program finish executing?

Looking back at the looping function mentioned previously, it contains no compare statement: the loop ends in an unconditional
jump that runs the routine again. Based on this, the program will never finish executing.

Lab- 4 (7-2)
(Analyze the malware found in the file Lab07-02.exe)

Q1. How does this program achieve persistence?

When examining the program, we can’t see any evidence of persistence being created. The program shows no
evidence or strings relating to creation of common persistence mechanisms such as run keys, scheduled tasks,
services, or startup files.

Q2. What is the purpose of this program?

The program calls OleInitialize, which initialises the COM library, so we can infer that it goes on to use a COM object.

By viewing further we can see that it does indeed create an object, which is then handed the string
http://www.malwareanalysisbook.com/ad.html to act on.

Based on this we can assume that it initialises a COM object (likely Internet Explorer) and uses it to open a URL ending in
ad.html, which suggests that it is associated with an advertisement. Running the executable confirms that this
assumption is correct.

Q3. When will this program finish executing?

The program finishes executing after it is run and the webpage has been opened. It’s likely that this is part of adware which has been
dropped on a user’s machine, potentially as part of further bundled software or malware.

Lab- 4 (7-3)
(Analyze the malware found in the files Lab07-03.exe and Lab07-03.dll)

Q1. How does this program achieve persistence to ensure that it continues running when the computer is restarted?

When examining the program and the associated DLL we once again cannot see any obvious evidence of persistence;
however, there are some elements that raise suspicion. First, the program references the DLL supplied
with it (Lab07-03.dll), in addition to the well-known Windows DLL kernel32.dll.

By examining the rest of the application, we can see a reference to a similar, yet different, DLL name, kerne132.dll, and a
reference to the supplied Lab07-03.dll being copied to a file with this name in C:\Windows\System32, before we see a
reference to subdirectories within C:\.

Looking inside the call to sub_4011E0, we can see a statement indicating that files within C:\* (the path passed to the
function) are being checked.

At this point a lot of comparisons and jump statements occur; however, these are of no interest to our analysis. Searching
further within this function, we can see a comparison that checks whether a file is a .exe, and if it is not, a jump occurs.

Based on this we can infer that the file system at C:\ is being recursively checked for .exe files, and that something occurs when
one is found. By checking the function sub_4010A0, which runs if the jump is not taken, we can gather
what occurs when an executable file is found. Three key calls we find are CreateFile, CreateFileMapping, and MapViewOfFile.

Based on this we can infer that when an executable file is located, it is mapped into memory so that it can be modified by this
program. Looking further, we can see that it compares kernel32.dll to a location within the executable; if
it isn’t found, it jumps and repeats the process. Where it is found, it copies the value referenced by dword_403010
over the top of it.

By converting this value to an ASCII string using ‘A’ or Edit > Strings > ASCII, we can see that it translates to something more legible.

With this we can infer that the program searches recursively within C:\ for executables and, when they’re found, opens
them and modifies them directly in memory to replace any instance of kernel32.dll with kerne132.dll; this is its persistence mechanism.
Based on this we can infer that the program is a type of file infector and uses the copied kerne132.dll (Lab07-03.dll) for its main
payload. A brief look into Lab07-03.dll confirms that it has some form of C2 function and is likely a malicious implant used
in tandem with this executable.

Q2. What are two good host-based signatures for this malware?

Two good host-based signatures for this malware are the presence of kerne132.dll on disk and the presence of the mutex
‘SADFHUHF’, which can be found within Lab07-03.dll.

Q3. What is the purpose of this program?

From what we’ve gathered in question 1, we can conclude that this program is a file infector that infects executables on the
system so that they load a malicious remote access trojan, which connects back to the IP 127.26.152[.]13. By examining Lab07-03.dll, we
can conclude that this trojan accepts either the command sleep or the command exec, the latter being used to start a process of interest.

Q4. How could you remove this malware once it is installed?

Because the malware infects every executable on disk, it is very difficult to remove. You could remove the malicious
kerne132.dll from disk; however, it is likely to be in use by every process and therefore cannot be deleted. Further, if it is
removed during dead-box analysis, the system will likely crash when booting, because the variant of kernel32.dll that the infected
executables now reference is no longer present. To remediate, you could modify kerne132.dll to be the legitimate kernel32.dll, or even change the malware’s
actions and recompile it so that it instead modifies all executables to point to the legitimate kernel32.dll instead of kerne132.dll. As
a last resort, it may be easier to rebuild the system or restore from backup.
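As an added example (not the lab’s own code) covering the infection mechanism from Q1, the on-disk host-based signature from Q2 and the remediation discussed in Q4, the following Python scanner walks a directory tree the way the infector does, reports every .exe that references kerne132.dll, and can patch the name back to kernel32.dll in place. It assumes the infector changes only the single character described above (so both names stay 12 bytes long and no offset in the file moves); the sample files it builds in a temporary directory are constructed stand-ins containing just the import-name bytes, not real PE images, and the function names are my own.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# The infector overwrites the import name "kernel32.dll" with "kerne132.dll" (letter l -> digit 1).
# Both names are 12 bytes, so the patch, and its reversal here, never shifts any offset in the file.
INFECTED_RE = re.compile(rb"kerne132\.dll", re.IGNORECASE)


def find_infections(data: bytes) -> list[int]:
    """Return the file offsets of every occurrence of the rogue DLL name."""
    return [m.start() for m in INFECTED_RE.finditer(data)]


def repair_image(data: bytes) -> tuple[bytes, int]:
    """Put the letter 'l' back in place of the digit '1', preserving the name's original casing."""
    buf = bytearray(data)
    offsets = find_infections(data)
    for off in offsets:
        # "kerne132": index 5 is the digit; index 4 tells us whether the name was written upper-case.
        buf[off + 5] = ord("L") if buf[off + 4] == ord("E") else ord("l")
    return bytes(buf), len(offsets)


def scan_tree(root: Path, fix: bool = False) -> dict[str, int]:
    """Walk root recursively, as the infector does, and report .exe files that reference kerne132.dll.

    With fix=True the infected files are rewritten in place; the return value still lists what
    was found so the caller can log it. Non-.exe files are skipped, matching the infector's own filter."""
    found: dict[str, int] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() != ".exe":
            continue
        data = path.read_bytes()
        hits = find_infections(data)
        if not hits:
            continue
        found[path.relative_to(root).as_posix()] = len(hits)
        if fix:
            path.write_bytes(repair_image(data)[0])
    return found


def build_sample_tree() -> Path:
    """Constructed stand-ins for executables: only the import-name bytes matter to this scanner."""
    root = Path(tempfile.mkdtemp(prefix="lab07_03_sample_"))
    (root / "sub").mkdir()
    (root / "clean.exe").write_bytes(b"MZ\x90\x00...\x00KERNEL32.dll\x00CreateFileA\x00")
    (root / "sub" / "infected.exe").write_bytes(b"MZ\x90\x00...\x00kerne132.dll\x00CreateFileA\x00")
    (root / "sub" / "notes.txt").write_bytes(b"kerne132.dll is mentioned here, but this is not an executable")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    print("before:  ", scan_tree(sample))
    print("repaired:", scan_tree(sample, fix=True))
    print("after:   ", scan_tree(sample))
```

Repairing the executables is the first step of the remediation path described above: only once no file references kerne132.dll any more can the rogue DLL in System32 be removed without the boot failure the answer warns about. A production tool should parse the PE import directory rather than scanning raw bytes, both to avoid false hits on the string elsewhere in a file and to confirm that the name actually sits in the import table.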
