Practical No 10
i. What can you learn from the interesting strings in this program?
- The most interesting strings are ftp.practicalmalwareanalysis.com and Home ftp client, which
indicate that this program may be FTP client software.
iii. What is the purpose of the object created at 0x4011D9? Does it have any virtual functions?
- The object created at 0x004011D9 represents a .doc file. It has one virtual function at offset
0x00401440, which uploads the file to a remote FTP server.
iv. Which functions could possibly be called by the call [edx] instruction at 0x401349?
- The virtual function call at 0x00401349 will call one of the virtual functions at 0x00401380,
0x00401440, or 0x00401370.
v. How could you easily set up the server that this malware expects in order to fully analyze the
malware without connecting it to the Internet?
- This malware connects to a remote FTP server using high-level API functions. We could download
and set up a local FTP server, and redirect DNS requests to that server in order to fully exercise this
malware.
vii. What is the purpose of implementing a virtual function call in this program?
- The purpose of implementing a virtual function call is to allow the code to execute different upload
functions for different file types.
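To make the dispatch described above concrete, here is an added illustration (not code from the lab binary): a base class with a single virtual upload slot and two derived classes, so the same call through the base pointer lands in a different function depending on the object's runtime type. The names RemoteFile, DocFile, PdfFile and upload are assumptions for this example.

```cpp
#include <cstring>
#include <string>

// Added illustration, not code from the lab binary. One virtual function in
// the base class gives each object a vtable with a single slot, which is what
// a "mov edx,[ecx]; call [edx]" sequence reads at run time.
struct RemoteFile {
    virtual std::string upload() = 0;   // the slot that call [edx] resolves
};

struct DocFile : RemoteFile {
    std::string upload() override { return "doc-uploader"; }
};

struct PdfFile : RemoteFile {
    std::string upload() override { return "pdf-uploader"; }
};

static bool ends_with(const std::string& s, const char* suffix) {
    size_t n = std::strlen(suffix);
    return s.size() >= n && s.compare(s.size() - n, n, suffix) == 0;
}

// Picks an object by file extension and dispatches through the base pointer.
// The static listing only shows an indirect call; the target depends on the
// object's type, which is why several candidate functions are possible.
std::string upload_by_type(const std::string& name) {
    DocFile doc;
    PdfFile pdf;
    RemoteFile* f = nullptr;
    if (ends_with(name, ".doc")) f = &doc;
    else if (ends_with(name, ".pdf")) f = &pdf;
    if (!f) return "unsupported";
    return f->upload();
}

// Reads the hidden vtable pointer at offset 0 of each object: two objects of
// the same class share a vtable, objects of different classes do not.
bool vtables_differ() {
    DocFile a, b;
    PdfFile c;
    void* va; void* vb; void* vc;
    std::memcpy(&va, &a, sizeof va);
    std::memcpy(&vb, &b, sizeof vb);
    std::memcpy(&vc, &c, sizeof vc);
    return va == vb && va != vc;
}
```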
i. What can you learn from the interesting strings in this program?
- Several strings that look like error messages (Error sending Http post, Error sending Http get, Error
reading response, and so on) tell us that this program will be using HTTP GET and POST
commands. We also see HTML paths (/srv.html, /put.html, and so on), which hint at the files that
this malware will attempt to open.
iii. At 0x4036F0, there is a function call that takes the string Config error, followed a few
instructions later by a call to CxxThrowException. Does the function take any parameters
other than the string? Does the function return anything? What can you tell about this
function from the context in which it’s used?
- The function called at 0x4036F0 does not take any parameters other than the string, but ECX
contains the this pointer for the object. We know the object that contains the function is an exception
object because that object is later used as a parameter to the CxxThrowException function. We can
tell from the context that the function at 0x4036F0 initializes an exception object, which stores a
string that describes what caused the exception.
iv. What do the six entries in the switch table at 0x4025C8 do?
- The six entries of the switch table implement six different backdoor commands: NOOP, sleep,
execute a program, download a file, upload a file, and survey the victim.
i. What happens when you run this program without any parameters?
- When you run the program without any parameters, it exits immediately.
ii. Depending on your version of IDA Pro, main may not be recognized automatically. How can
you identify the call to the main function?
- The main function is located at 0x00000001400010C0. You can spot the call to main by looking for
a function call that accepts an integer and two pointers as parameters.
iii. What is being stored on the stack in the instructions from 0x0000000140001150 to
0x0000000140001161?
- The string ocl.exe is stored on the stack.
iv. How can you get this program to run its payload without changing the filename of the
executable?
- To have this program run its payload without changing the filename of the executable, you can
patch the jump instruction at 0x0000000140001213 so that it is a NOP instead.
v. Which two strings are being compared by the call to strncmp at 0x0000000140001205?
- The name of the executable is being compared against the string jzm.exe by the call to strncmp at
0x0000000140001205.
vii. How many arguments are passed to the call to CreateProcess at 0x0000000140001093?
How do you know?
- The call to CreateProcess takes 10 parameters. We can’t tell from the IDA Pro listing because we
can’t distinguish between things being stored on the stack and things being used in a function call,
but the function is documented in MSDN as always taking 10 parameters.
h. Analyze the malware found in Lab21-02.exe on both x86 and x64 virtual machines.
iii. How does the malware determine the type of environment in which it is running?
- The malware attempts to resolve and call IsWow64Process to determine if it is running on an x64
system.
iv. What does this malware do differently in an x64 environment versus an x86 environment?
- On an x86 machine, the malware drops the X86 resource to disk and injects it into explorer.exe. On
an x64 machine, the malware drops two files from the X64 and X64DLL resource sections to disk
and launches the executable as a 64-bit process.
v. Which files does the malware drop when running on an x86 machine? Where would you find
the file or files?
- On an x86 system, the malware drops Lab21-02.dll into the Windows system directory, which will
typically be C:\Windows\System32\.
vi. Which files does the malware drop when running on an x64 machine? Where would you
find the file or files?
- On an x64 system, the malware drops Lab21-02x.dll and Lab21-02x.exe into the Windows system
directory, but because this is a 32-bit process running in WOW64, the directory is
C:\Windows\SysWOW64\.
vii. What type of process does the malware launch when run on an x64 system?
- On an x64 system, the malware launches Lab21-02x.exe, which is a 64-bit process. You can see
this in the PE header, where the Characteristics field has the IMAGE_FILE_64BIT_MACHINE flag
set.
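As an added example (not code from the lab binaries), the following parser reads the COFF file header of a PE image and reports whether it targets x64, reading both the Machine field and the Characteristics flags so the header fields discussed above can be inspected directly. The constants are the winnt.h values; the sample image built in sample_pe is constructed for this example, not taken from Lab21-02x.exe.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <vector>

// Added example, not code from the lab binaries. Constants are the winnt.h
// values; the sample image below is constructed for this example.
constexpr uint16_t IMAGE_FILE_MACHINE_I386 = 0x014c;
constexpr uint16_t IMAGE_FILE_MACHINE_AMD64 = 0x8664;
constexpr uint16_t IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020;
constexpr uint16_t IMAGE_FILE_32BIT_MACHINE = 0x0100;

struct CoffHeader {
    bool valid;               // false if the MZ/PE signatures are missing
    uint16_t machine;         // IMAGE_FILE_HEADER.Machine
    uint16_t characteristics; // IMAGE_FILE_HEADER.Characteristics
};

static uint16_t rd16(const std::vector<uint8_t>& b, size_t off) {
    return static_cast<uint16_t>(b[off] | (b[off + 1] << 8));
}
static uint32_t rd32(const std::vector<uint8_t>& b, size_t off) {
    return rd16(b, off) | (static_cast<uint32_t>(rd16(b, off + 2)) << 16);
}

CoffHeader parse_coff(const std::vector<uint8_t>& img) {
    CoffHeader h{false, 0, 0};
    if (img.size() < 0x40 || img[0] != 'M' || img[1] != 'Z') return h; // e_magic
    uint32_t pe = rd32(img, 0x3c);                                     // e_lfanew
    if (pe > img.size() - 24 || std::memcmp(&img[pe], "PE\0\0", 4) != 0) return h;
    h.machine = rd16(img, pe + 4);           // first field after "PE\0\0"
    h.characteristics = rd16(img, pe + 22);  // last field of the 20-byte header
    h.valid = true;
    return h;
}

bool is_64bit_image(const std::vector<uint8_t>& img) {
    CoffHeader h = parse_coff(img);
    return h.valid && h.machine == IMAGE_FILE_MACHINE_AMD64;
}

// Constructed sample: MZ stub with e_lfanew = 0x40, PE signature, then a
// 20-byte COFF header carrying the given Machine and Characteristics.
std::vector<uint8_t> sample_pe(uint16_t machine, uint16_t characteristics) {
    std::vector<uint8_t> img(0x40 + 4 + 20, 0);
    img[0] = 'M'; img[1] = 'Z'; img[0x3c] = 0x40;
    std::memcpy(&img[0x40], "PE\0\0", 4);
    img[0x44] = static_cast<uint8_t>(machine & 0xff); img[0x45] = static_cast<uint8_t>(machine >> 8);
    img[0x56] = static_cast<uint8_t>(characteristics & 0xff); img[0x57] = static_cast<uint8_t>(characteristics >> 8);
    return img;
}
```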