Practical Malware Analysis - Lab 5 ================================== | Utilizing IDA Pro | Analyze the malware found in the file Lab05-01.dll using only IDA Pro. The goal of this lab is to give you hands-on experience with IDA Pro. If you’ve already worked with IDA Pro, you may choose to ignore these questions and focus on reverse-engineering the malware. Lab 5-1 ------- **Q1: What is the address of DllMain?** When i loaded the dll into IDA Pro i was directed to the DllMain at address ``1000D02E`` .. image:: q1.png We can also search for the DllMain in Functions window .. image:: q11.png **Q2: Use the Imports window to browse to gethostbyname. Where is the import located?** Viewing the Imports window then searching for gethostbyname we find it referenced at address ``100163CC`` .. image:: q2.png **Q3: How many functions call gethostbyname?** Using Xref (by pressing ``x`` on its idata address ). It was called 9 times with 5 times from unique methods .. image:: q3.png **Q4: Focusing on the call to gethostbyname located at 0x10001757, can you figure out which DNS request will be made?** Pressing g to jump to ``0x10001757`` scrolling up we find the argument to the call pushed is the EAX Which Contains Data String reference address added with 0x0D which is 13 in decimal .. image:: q4.png Going to the reference address by clicking twice on it and pressing U to undefine data then going up 13 places and pressing A to redefine at that offset +13 We get ``pics.praticalmalwareanalysis.com`` .. image:: q44.png **Q5: How many local variables has IDA Pro recognized for the subroutine at 0x10001656?** Jumping to same address we find 24 variable .. image:: q5.png **Q6: How many parameters has IDA Pro recognized for the subroutine at 0x10001656?** Arguments passed to subroutine are referenced by positive value (with respect to ebp) and local variable negative values we notice only lpThreadParameter is the only parameter **Q7: Use the Strings window to locate the string \cmd.exe /c in the disassembly. Where is it located?** At ``100101D0`` .. image:: q6.png **Q8: What is happening in the area of code that references \cmd.exe /c?** scrolling up we find string reference at ``1001009D`` "hi master" going to that offset we find "remote shell" which sounds like a C&C session what this area of code opens .. image:: q9.png .. image:: q8.png **Q9: In the same area, at 0x100101C8, it looks like dword_1008E5C4 is a global variable that helps decide which path to take. How does the malware set dword_1008E5C4? (Hint: Use dword_1008E5C4’s cross-references.)** Going to dword_1008E5C4 offset by double clicking .. image:: q99.png Pressing x to see the places where it was referenced to see how it was set. Going to the most likely place it was set in ``mov dword_1008E5C4,eax`` .. image:: q999.png Noticed that a function is called then the return (EAX) is passed to the global variable dword_1008E5C4 .. image:: q9999.png Going into the function. It begins with initializing the stack then allocating space on the stack (for variables and other data) Then initializing the structure VersionInformation to be passed (its pointer) into GetVersionEXA, setting eax to zero , then comparing dwPlatformId if equal to 2 and setting 1 (True) or 0 (False) to al register the result register then returning The Function in overall checks the OS is ``Win32NT`` and acts on it .. image:: q99999.png **Q10: A few hundred lines into the subroutine at 0x1000FF58, a series of comparisons use memcmp to compare strings. What happens if the string comparison to robotwork is successful (when memcmp returns 0)?** Going to the address using jump (g) then search for text memcmp .. image:: q10.png When memcmp is successful and EAX is 0 , ``Test eax,eax`` sets Zero flag to 1, and JNZ jumps if zero flag is 0, so no jump .. image:: q102.png We go into next instruction the flow should take is ``call sub_100052A2`` going into that routine .. image:: q105.png First in the start of function it takes parameter of type socket and sets variables ida named it buffer and data looks like it will send data over the network need to watch the network traffic .. image:: q107.png It's trying to open registery ``SOFTWARE\\Microsoft\\Windows\\CurrentVersion`` if it opens it ,RegOpenKeyEXA sets eax to 0 if successful and the flow jumps to (JZ) ``loc_10005309`` .. image:: q106.png at ``10005322`` it is querying registery worktime which may be sent over the network **Q11: What does the export PSLIST do?** Going to exports windows, double clicking PSLIST to see its code .. image:: q111.png First it sets global vaiable ``dword_1008E5BC`` to 1 then calls the function ``sub_100036C3`` going into that function .. image:: q112.png | It check the OS is WIN32NT | and ``cmp majorversion , 5`` ``jb short loc_100036FA`` | It will jump to specified location if version of OS is less than 5 (if CF is set) | if it passes all checks it returns 1 | Then in pslist the flow checks if the returned value is 0 or 1 .. image:: q113.png If it's 1 the flow goes on to the next piece which checks Str variable isnot null or empty .. image:: q114.png | if null or empty strlen returns (sets EAX) 0 which set ZF to 1 the JNZ jump is not taken (taken if ZF not set ) | if the Str variable is non-zero it will call ``1000664C`` | if Str is zero or null it will call ``10006518`` .. image:: q115.png In ``1000664C`` We can see it call CreateToolHelp32Snapshot which ``Takes a snapshot of the specified processes, as well as the heaps, modules, and threads used by these processes.`` Creates a structure ``PROCESSENTRY32`` puts the snapshot into it .. image:: q116.png In the loop, it checks if the name of the process (pe.szExeFile) matches a specified string (Str) If checks to gathers information about that process from the snapshot .. image:: q117.png It sends those information to the network .. image:: q118.png Going over that other branch if Str is zero or null ``10006518`` .. image:: q119.png Seems like its the same but without sending any data over the network **Q12: Use the graph mode to graph the cross-references from sub_10004E79. Which API functions could be called by entering this function? Based on the API functions alone, what could you rename this function?** View -> Graph -> XRef From .. image:: q12.png Sounds like it get the langauge identifier from ``GetSystemLanguageID`` then sets it to some buffer with ``sprintf`` to send it over the network with ``sub_100038EE`` , we could name this function send_languageId **Q13: How many Windows API functions does DllMain call directly? How many at a depth of 2?** For direct calls setting depth at 1 .. image:: q13.png We see 4 WIN API calls .. image:: q131.png At depth 2 A lot **Q14: At 0x10001358, there is a call to Sleep (an API function that takes one parameter containing the number of milliseconds to sleep). Looking backward through the code, how long will the program sleep if this code executes?** First offset 10019020 ([This is CTI]30) is moved to eax ,then add with 0x0D which is 13 in decimal which sets eax to offset starting with string data 30 Then converted to int then multiplied with 1000 decimal and passed to sleep It sleep for 30 seconds .. image:: q14.png **Q15: At 0x10001701 is a call to socket. What are the three parameters?** The three parameters pushed to the stack before the call; protocol,type,af (6,1,2) .. image:: q15.png **Q16: Using the MSDN page for socket and the named symbolic constants functionality in IDA Pro, can you make the parameters more meaningful? What are the parameters after you apply changes?** Using .. _target MSDN page:https://learn.microsoft.com/en-us/windows/win32/api/winsock2/nf-winsock2-socket .. image:: q16.png .. image:: q161.png .. image:: q162.png We rename the parameters with right click -> Symbolic constant -> Use Symbolic constant .. image:: q163.png **Q17: Search for usage of the in instruction (opcode 0xED). This instruction is used with a magic string VMXh to perform VMware detection. Is that in use in this malware? Using the cross-references to the function that executes the in instruction, is there further evidence of VMware detection?** ALT +b for search byte then set all occurences .. image:: q17.png going into sub_10006196, we see there is a compare with hex when converted to ASCII it get string VMXh .. image:: q18.png There are 3 functions that references this functions, which they cancel install if VM detected .. image:: q172.png **Q18: Jump your cursor to 0x1001D988. What do you find?** Data of characters .. image:: q181.png **Q19: If you have the IDA Python plug-in installed (included with the commercial version of IDA Pro), run Lab05-01.py, an IDA Pro Python script provided with the malware for this book. (Make sure the cursor is at 0x1001D988.) What happens after you run the script?** Can't run the files the python file is outdated but it XORs the data with 0x55 **Q20: With the cursor in the same location, how do you turn this data into a single ASCII string?** By pressing a (to change default formatting alt + a) **Q21: Open the script with a text editor. How does it work?** Xors data from current selected in screen to 0x50 loop with 0x55 .. image:: q21.png