Skip to content

Latest commit

 

History

History
43 lines (26 loc) · 1.04 KB

lab-07-3.md

File metadata and controls

43 lines (26 loc) · 1.04 KB

This post is part of the series of Practical Malware Analysis Exercises.

1) How does this program ensure persistence?

Hijacking the import table of all executables on the system, forcing them to load a malicious DLL whenever run.

2) Host indicators?

  • File: kerne132.dll
  • Mutex: SADFHUHF

3) Purpose of the program?

Backdoor for running programs on the command line.

The EXE:

  1. Copies DLL to bogus kerne132.dll.
  2. Goes through file system looking for .exe files.
  3. Loads exe file into RAM.
  4. Looks at PE headers, and import tables for kernel32.dll
  5. Overwrites kernel32.dll with kerne132.dll in import table.

The DLL:

  1. DLL checks mutex: SADFHUHF
  2. DLL creates socket: 127.26.152.13:80/tcp
  3. DLL tries to connect to server and send hello command.
  4. DLL gets sleep, exec, or q command.
  • sleep sleep 6 min
  • exec create process
  • q quit

4) How could this program be removed?

Good luck. Wipe/reinstall, or write an "undo" program.