Book: Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software
Previous: Lab 6-2 Solutions
Next: Lab 6-4 Solutions

  • The function at 0x401271 is printf. The function at 0x401130 is new to this lab.

  • The new function takes two parameters. The first is the command character parsed from the HTML comment, and the second is the program name argv[0], the standard main parameter.

  • The new function contains a switch statement with a jump table.

  • The new function can print error messages, delete a file, create a directory, set a registry value, copy a file, or sleep for 100 seconds.

  • The registry key Software\Microsoft\Windows\CurrentVersion\Run\Malware and the file location C:\Temp\cc.exe can both be host-based indicators.

  • The program first checks for an active Internet connection. If no Internet connection is found, the program terminates. Otherwise, the program will attempt to download a web page containing an embedded HTML comment beginning with <!--. The first character of the comment is parsed and used in a switch statement to determine which action to take on the local system, including whether to delete a file, create a directory, set a registry run key, copy a file, or sleep for 100 seconds.

    Error 3.2: Not a valid command provided
    Error 3.1: Could not set Registry value
    Malware
    Software\Microsoft\Windows\CurrentVersion\Run
    C:\Temp\cc.exe
    C:\Temp

    These error messages suggest that the program may be able to modify the registry. Software\Microsoft\Windows\CurrentVersion\Run is a common autorun location in the registry. C:\Temp\cc.exe is a directory and filename that may be useful as a host-based indicator.

    Looking at the imports, we see several new Windows API functions not found in , as shown in .

    DeleteFileA
    CopyFileA
    CreateDirectoryA
    RegOpenKeyExA
    RegSetValueExA

    The first three imports are self-explanatory. The RegOpenKeyExA function is typically used with RegSetValueExA to insert information into the registry, usually when the malware sets itself or another program to start on system boot for the sake of persistence. (We discuss the Windows registry in depth in .)

    Next, we perform dynamic analysis, but find that it isn’t very fruitful (not surprising based on what we discovered in ). We could connect the malware directly to the Internet or use INetSim to serve web pages to the malware, but we wouldn’t know what to put in the HTML comment. Therefore, we need to perform more in-depth analysis by looking at the disassembly.

    Finally, we load the executable into IDA Pro. The main method looks nearly identical to the one from , except there is an extra call to 0x401130. The calls to 0x401000 (check Internet connection) and 0x401040 (download web page and parse HTML comment) are identical to those in .

    Next, we examine the parameters passed to 0x401130. It looks like argv and var_8 are pushed onto the stack before the call. In this case, argv is Argv[0], a reference to a string containing the current program’s name, Lab06-03.exe. Examining the disassembly, we see that var_8 is set to AL at 0x40122D. Remember that EAX is the return value from the previous function call, and that AL is contained within EAX. In this case, the previous function call is from the start of the function.


    We see six possible paths through the code, including five cases and the default. The “jump above 4” instruction takes us down the default path; otherwise, the jump table causes an execution path of the a through e branches. When you see a graph like the one in the figure (a single box going to many different boxes), you should suspect a switch statement. You can confirm that suspicion by looking at the code logic and jump table.

    to gain a strong understanding of how the overall program operates.

    We now know that the program checks for an active Internet connection using the if construct. If there is no valid Internet connection, the program terminates. Otherwise, the program attempts to download a web page that contains an embedded HTML comment starting with <!--. The next character is parsed from this comment and used in a switch statement to determine which action to take on the local system: delete a file, create a directory, set a registry run key, copy a file, or sleep for 100 seconds.
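    The comment parsing and the jump-table switch described above, modelled in C as an added illustration (this is not the book's or the lab binary's code). The first character after "<!--" becomes a zero-based index, and the single unsigned "jump above 4" check routes anything outside a..e to the default error path. Which letter maps to which action is an assumption taken from the order in which the page lists the actions; the handlers here only return labels and perform no action on the host.

```c
#include <stdio.h>
#include <string.h>

/* The five actions the page attributes to the switch cases, plus the default
 * (error message) path of the function at 0x401130. */
enum action { ACT_DELETE_FILE, ACT_CREATE_DIR, ACT_SET_RUN_KEY,
              ACT_COPY_FILE, ACT_SLEEP_100S, ACT_DEFAULT_ERROR };

static const char *action_name(enum action a)
{
    switch (a) {
    case ACT_DELETE_FILE: return "delete a file";
    case ACT_CREATE_DIR:  return "create a directory";
    case ACT_SET_RUN_KEY: return "set registry run key";
    case ACT_COPY_FILE:   return "copy a file";
    case ACT_SLEEP_100S:  return "sleep for 100 seconds";
    default:              return "Error 3.2: Not a valid command provided";
    }
}

/* Model of the compiled switch: index = cmd - 'a'; "jump above 4" -> default;
 * otherwise jmp [jump_table + index*4]. Letter-to-action order is an ASSUMPTION
 * taken from the order in which the page lists the actions. */
enum action dispatch_command(char cmd)
{
    static const enum action jump_table[5] = { ACT_DELETE_FILE, ACT_CREATE_DIR,
        ACT_SET_RUN_KEY, ACT_COPY_FILE, ACT_SLEEP_100S };
    /* Unsigned arithmetic: a char below 'a' wraps to a huge index, so one
     * unsigned compare (ja) rejects both ends of the range. */
    unsigned int index = (unsigned int)((unsigned char)cmd - 'a');
    if (index > 4)
        return ACT_DEFAULT_ERROR;
    return jump_table[index];
}

/* Return the character immediately following the first "<!--" in a page body,
 * or 0 if the body contains no HTML comment. */
char parse_html_command(const char *page_body)
{
    const char *p = strstr(page_body, "<!--");
    return p ? p[4] : 0;
}

int main(void)
{
    /* Constructed sample page body, not captured traffic. */
    const char *body = "<html><body><!--c-->hello</body></html>";
    char cmd = parse_html_command(body);
    printf("command '%c' -> %s\n", cmd, action_name(dispatch_command(cmd)));
    return 0;
}
```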


    © RuTLib.com 2015-2018