lab-09-2.md

This post is part of the series of Practical Malware Analysis Exercises.

This one has a reverse backdoor that starts an invisible console, and attaches a connected socket to stdin, stdout and stderr. Attacker just has to run netcat on the remote host, wait for connections, and has a console waiting. To protect itself, the malware verifies its filename and XOR decodes the URL.

1) What strings are statically in the binary?

Nothing obvious. Just DLL and function names.

2) What happens when binary is run?

Creates a bidirectional backdoor out of cmd.exe and a socket.

• No registry changes.
• No references to argc or argv. No command line parameters.
  1. Verifies name=ocl.exe
  2. Decodes a URL with predefined XOR array.
  3. DNS query of domain practicalmalwareanalysis.com
  4. gethostbyname returns hostent structure. IP address can be found at hostent+0x1C (28 bytes in).
  5. Tries to connect to practicalmalwareanalysis.com:9999/tcp

3) How can malicious payload be deployed?

Rename file to ocl.exe.

4) What is happening at 401133?

Assigns a character array, one byte at a time: 1qaz2wsz3edc

5) What arguments are being passed to 401089?

1. arg1 = A scrambled source string, 1qaz2wsz3edc
2. arg2 = An array of 32 integers.

6) What domain name does this malware use?

www.practicalmalwareanalysis.com

7) What coding routine is being used to obfuscate the domain name?

XOR against predefined 32 byte array with wrapping (modulo).

for( c=0; c<32; c++)
  result[c] = xor_byte[c] XOR src_byte[c%str_len]

8) What significance is the CreateProcessA call at 40106E?

Starts an instance of cmd.exe with the connected socket as standard input/output/error.