Книга: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Назад: Lab 1-3 Solutions
Дальше: Lab 3-1 Solutions

For the Lab01-04.exe file, the results from VirusTotal.com suggest a program related to a downloader. PEview gives no indication that the file is packed or obfuscated.

The imports from advapi32.dll tell us that program does something with permissions, and we can assume that it tries to access protected files using special permissions. The imports from kernel32.dll tell us that the program loads data from the resource section (LoadResource, FindResource, and SizeOfResource), writes a file to disk (CreateFile and WriteFile), and executes a file on the disk (WinExec). We can also guess that the program writes files to the system directory because of the calls to GetWindowsDirectory.

Examining the strings, we see www.malwareanalysisbok.com/updater.exe, which is probably the location that holds the malicious code for download. We also see the string \system32\wupdmgr.exe, which, in combination with the call to GetWindowsDirectory, suggests that a file in C:\Windows\System32\wupdmgr.exe is created or edited by this malware.

We now know with some confidence that this malicious file downloads new malware. We know where it downloads the malware from, and we can guess where it stores the downloaded malware. The only thing that’s odd is that the program doesn’t appear to access any network functions.

The most interesting part of this malware is the resource section. When we open this malware in Resource Hacker, we see one resource. Resource Hacker identifies the type of the resource as binary, meaning arbitrary binary data, and when we look at the data, most of it is meaningless. But notice the string !This program cannot be run in DOS mode. This string is the error message included in the DOS header at the beginning of all PE files. We can therefore conclude that this resource is an additional executable file stored in the resource section of Lab01-04.exe. This is a fairly common technique used in malware.

To continue analyzing this file with Resource Hacker, we click Action ▸ Save resource as binary file. After saving the resource, we open the file in PEview to analyze the file embedded within it. Looking at the imports, we see that the embedded file is the one that accesses the network functions. It calls URLDownloadToFile, a function commonly used by malicious downloaders. It also calls WinExec, which probably executes the downloaded file.

Назад: Lab 1-3 Solutions
Дальше: Lab 3-1 Solutions

sss
sss