Skip to content

Latest commit

 

History

History
100 lines (69 loc) · 2.63 KB

lab-01-4.md

File metadata and controls

100 lines (69 loc) · 2.63 KB

This post is part of the series of Practical Malware Analysis Exercises.

1) VirusTotal Detections?

**Lab01-04.exe **

  • MD5: 625ac05fd47adc3c63700c3b30de79ab
  • SHA256: 0fa1498340fca6c562cfa389ad3e93395f44c72fd128d7ba08579a69aaf3b126
  • File name: Lab01-04.exe
  • Detection ratio: 38 / 47
  • Analysis date:  2013-11-12 06:07:53 UTC ( 1 day, 1 hour ago )

2) Packed/Obfuscated?

Yes.

PEiD: Armadillo v1.71

3) Compile Date?

The executable's compile date is in the future, but the resource's compile date gave it away.

Executable: 2019-08-30 22:26:59 Resource: 2011-02-27 00:16:59

4) Import Hints?

Manipulates process privileges, creates files and threads, loads resources and modules. Likely extracts the resource and loads it.

ADVAPI32.dll

  • AdjustTokenPrivileges
  • LookupPrivilegeValueA
  • OpenProcessToken

KERNEL32.dll

  • CreateRemoteThread
  • MoveFileA
  • SizeofResource
  • LoadResource
  • GetModuleHandleA
  • OpenProcess
  • GetWindowsDirectoryA
  • WriteFile
  • GetCurrentProcess
  • CreateFileA
  • GetProcAddress
  • FindResourceA
  • LoadLibraryA
  • WinExec

5) Host/Network Based Indicators?

  1. URL: http://www.practicalmalwareanalysis.com/updater.exe
  2. File: C:\WINDOWS\system32\wupdmgrd.exe
  3. File: C:\WINDOWS\system32\wupdmgrd.exe
  4. File: winup.exe

Strings:

000000003010   000000403010      0   winlogon.exe
000000003020   000000403020      0   <not real>
00000000302C   00000040302C      0   SeDebugPrivilege
000000003040   000000403040      0   sfc_os.dll
00000000304C   00000040304C      0   \system32\wupdmgr.exe
000000003078   000000403078      0   EnumProcessModules
00000000308C   00000040308C      0   psapi.dll
000000003098   000000403098      0   GetModuleBaseNameA
0000000030AC   0000004030AC      0   psapi.dll
0000000030B8   0000004030B8      0   EnumProcesses
0000000030C8   0000004030C8      0   psapi.dll
0000000030D4   0000004030D4      0   \system32\wupdmgr.exe
0000000030F4   0000004030F4      0   \winup.exe
000000007070   000000407070      0   \winup.exe
000000007084   000000407084      0   \system32\wupdmgrd.exe
0000000070A4   0000004070A4      0   http://www.practicalmalwareanalysis.com/updater.exe

Could download http://www.practicalmalwareanalysis.com/updater.exe and analyze that.

6) Resources?

The resource is an executable. Found the same strings used. The imports suggest it downloads and runs additional executables.

Imports:

  • KERNEL32.WinExec
  • URLMON.URLDownloadToFileA