lab-03-2.md

This post is part of the series of Practical Malware Analysis Exercises.

1) How can it be installed?

Found the export Install in the DLL. Ran the following command:

rundll32.exe Lab03-02.dll, Install

Ran RegShot before and after, then compared. The results show that a service named IPRIP was added, specifically the new registry key HKLM\SYSTEM\ControlSet001\Services\IPRIP.

----------------------------------
Keys added: 7
----------------------------------
HKLM\SYSTEM\ControlSet001\Services\IPRIP
HKLM\SYSTEM\ControlSet001\Services\IPRIP\Parameters
HKLM\SYSTEM\ControlSet001\Services\IPRIP\Security
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Security
HKU\S-1-5-21-1957994488-1708537768-839522115-1003\Software\Sysinternals\PsService

----------------------------------
Values added: 22
----------------------------------
HKLM\SYSTEM\ControlSet001\Services\IPRIP\Type: 0x00000020
HKLM\SYSTEM\ControlSet001\Services\IPRIP\Start: 0x00000002
HKLM\SYSTEM\ControlSet001\Services\IPRIP\ErrorControl: 0x00000001
HKLM\SYSTEM\ControlSet001\Services\IPRIP\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"
HKLM\SYSTEM\ControlSet001\Services\IPRIP\DisplayName: "Intranet Network Awareness (INA+)"
HKLM\SYSTEM\ControlSet001\Services\IPRIP\ObjectName: "LocalSystem"
HKLM\SYSTEM\ControlSet001\Services\IPRIP\Description: "Depends INA+, Collects and stores network configuration and location information, and notifies applications when this information changes."
HKLM\SYSTEM\ControlSet001\Services\IPRIP\DependOnService:  52 70 63 53 73 00 00
HKLM\SYSTEM\ControlSet001\Services\IPRIP\Parameters\ServiceDll: "C:\Documents and Settings\user\Desktop\go\Lab03-02.dll"
HKLM\SYSTEM\ControlSet001\Services\IPRIP\Security\Security:  01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Type: 0x00000020
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Start: 0x00000002
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\ErrorControl: 0x00000001
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\ImagePath: "%SystemRoot%\System32\svchost.exe -k netsvcs"
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\DisplayName: "Intranet Network Awareness (INA+)"
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\ObjectName: "LocalSystem"
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Description: "Depends INA+, Collects and stores network configuration and location information, and notifies applications when this information changes."
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\DependOnService:  52 70 63 53 73 00 00
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Parameters\ServiceDll: "C:\Documents and Settings\user\Desktop\go\Lab03-02.dll"
HKLM\SYSTEM\CurrentControlSet\Services\IPRIP\Security\Security:  01 00 14 80 90 00 00 00 9C 00 00 00 14 00 00 00 30 00 00 00 02 00 1C 00 01 00 00 00 02 80 14 00 FF 01 0F 00 01 01 00 00 00 00 00 01 00 00 00 00 02 00 60 00 04 00 00 00 00 00 14 00 FD 01 02 00 01 01 00 00 00 00 00 05 12 00 00 00 00 00 18 00 FF 01 0F 00 01 02 00 00 00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 8D 01 02 00 01 01 00 00 00 00 00 05 0B 00 00 00 00 00 18 00 FD 01 02 00 01 02 00 00 00 00 00 05 20 00 00 00 23 02 00 00 01 01 00 00 00 00 00 05 12 00 00 00 01 01 00 00 00 00 00 05 12 00 00 00

Verified that the service was installed using psservice:

psservice query IPRIP

SERVICE_NAME: IPRIP
DISPLAY_NAME: Intranet Network Awareness (INA+)
Depends INA+, Collects and stores network configuration and location information, and notifies applications when this information changes.
        TYPE              : 20 WIN32_SHARE_PROCESS
        STATE             : 1  STOPPED
                               (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE   : 1077 (0x435)
        SERVICE_EXIT_CODE : 0  (0x0)
        CHECKPOINT        : 0x0
        WAIT_HINT         : 0 ms

2) How would it be run after installation?

Started the service with the following command:

net start IPRIP

    The Intranet Network Awareness (INA+) service is starting.
    The Intranet Network Awareness (INA+) service was started successfully.

3) How can the process be found?

Had Process Explorer running when the service started. Searched for the string Lab03 in Process Explorer, and came up with the process svchost.exe (PID:1056). This instance of svchost.exe is also hosting other services, as evidenced by hovering over the process in Process Explorer.

4) Filters for ProcMon?

Created a Process Monitor filter using the PID (1056) found in Process Explorer.

5) Host based indicators?

1. The DLL itself.
2. The IPRIP service (and associated registry keys).

6) Network based indicators?

1. DNS queries for practicalmalwareanalysis.com
2. HTTP GET requests to practicalmalwareanalysis.com/serve.html
3. HTTP request with user agent that includes the stringWindows XP 6.11
4. Packets to 80/tcp that match the periodic transmissions' unchanging payload bytes.

The service sends a DNS requests for practicalmalwareanalysis.com.

Service sends a single HTTP GET request for /serve.html. The user agent was the system's hostname followed byWindows XP 6.11," a hardcoded string in the binary. Inetsim responds with default HTML response.

Service then sends some small (54-62 byte) packets to 80/tcp, of what look like random data. Each packet is only slightly different, and always in the same location. Custom protocol?

The service does this at regular intervals. Identifying itself to a botnet as a zombie?