Scribd Logo
Upload

Welcome to Scribd!

  • Malware Analysis Practical Shellcode Lab

    Uploaded by

    sonik sarungale
    37 views9 pages

    Original Title

    Shelllock Inspection

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    37 views9 pages

    Malware Analysis Practical Shellcode Lab

    Uploaded by

    sonik sarungale

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 9

    Malware Analysis Practical

    Practical No 10

    a. Analyze the file Lab19-01.bin using shellcode_launcher.exe

    i. How is the shellcode encoded?


    - The shellcode is stored with an alphabetic encoding; each payload byte is stored in the low nibble
    of two encoded bytes.

    ii. Which functions does the shellcode manually import?


    - The shellcode resolves the following functions:
     LoadLibraryA, GetSystemDirectoryA , TerminateProcess , GetCurrentProcess , WinExec ,
    URLDownloadToFileA

    iii. What network host does the shellcode communicate with?


    - The shellcode downloads this URL:
    http://www.practicalmalwareanalysis.com/shellcode/annoy_user.exe

    iv. What filesystem residue does the shellcode leave?


    - The shellcode writes %SystemRoot%\System32\1.exe and executes it.

    v. What does the shellcode do?


    - The shellcode downloads a file from a URL stored within the encoded payload, writes it to disk,
    and executes it.
    b. The file Lab19-02.exe contains a piece of shellcode that will be injected into
    another process and run. Analyze thisfile.

    i. What process is injected with the shellcode?


    - The program process-injects the default web browser, Internet Explorer.

    ii. Where is the shellcode located?


    - The shellcode buffer is located at 0x407030.

    iii. How is the shellcode encoded?


    - The shellcode is XOR’ed with the byte 0xe7.

    iv. Which functions does the shellcode manually import?


    - The shellcode manually imports the following functions:
     LoadLibraryA, CreateProcessA , TerminateProcess , GetCurrentProcess , WSAStartup,
    WSASocketA, connect

    v. What network hosts does the shellcode communicatewith?


    - The shellcode connects to IP 192.168.200.2 on TCP port 13330.

    vi. What does the shellcode do?


    - The shellcode provides a remote shell (cmd.exe).
    c. Analyze the file Lab19-03.pdf. If you get stuck and can’t find the shellcode, just
    skip that part of the lab and analyze file Lab19-03_sc.bin using
    shellcode_launcher.exe.

    i. What exploit is used in this PDF?


    - The PDF contains an example of CVE-2008-2992: buffer overflow related to Adobe Reader’s
    util.printf JavaScript implementation.

    ii. How is the shellcode encoded?


    - The shellcode is encoded using JavaScript’s percent-encoding and is stored along with the
    JavaScript in the PDF.

    iii. Which functions does the shellcode manually import?


    - The shellcode manually imports the following functions:
    LoadLibraryA, CreateProcessA, TerminateProcess, GetCurrentProcess, GetTempPathA,
    SetCurrentDirectoryA, CreateFileA, GetFileSize, SetFilePointer, ReadFile, WriteFile, CloseHandle,
    GlobalAlloc, GlobalFree, ShellExecuteA.

    iv. What filesystem residue does the shellcode leave?


    - The shellcode creates the files %TEMP%\foo.exe and %TEMP%\bar.pdf.

    v. What does the shellcode do?


    - The shellcode extracts two files stored encoded within the malicious PDF and writes them to the
    user’s %TEMP% directory. It executes the foo.exe file and opens the bar.pdf document with the
    default handler.
    d. The purpose of this first lab is to demonstrate the usage of the thispointer.
    Analyze the malware in Lab20-01.exe.

    i. Does the function at 0x401040 take any parameters?


    - The function at 0x401040 does not take any parameters, but it is passed a reference to an object in
    ECX that represents the this pointer.

    ii. Which URL is used in the call to URLDownloadToFile?


    - The call to URLDownloadToFile uses http://www.practicalmalwareanalysis.com/cpp.html as the
    URL.

    iii. What does this program do?


    - This program downloads a file from a remote server and stores it as c:\tempdownload.exe on the
    local system.
    e. Analyze the malware In Lab20-02.exe.

    i. What can you learn from the interesting strings in this program?
    - The most interesting strings are ftp.practicalmalwareanalysis.com and Home ftp client, which
    indicate that this program may be FTP client software.

    ii. What do the imports tell you about this program?


    - The imports FindFirstFile and FindNextFile indicate that the program prob
    ably searches through the victim’s filesystem. The imports InternetOpen,
    InternetConnect, FtpSetCurrentDirectory, and FtpPutFile tell us that this mal
    ware may upload files from the victim machine to a remote FTP server.

    iii. What is the purpose of the object created at 0x4011D9? Does it have any virtual functions?
    - The object created at 0x004011D9 represents a .doc file. It has one virtual function at offset
    0x00401440, which uploads the file to a remote FTP server.

    iv. Which functions could possibly be called by the call [edx]instruction at 0x401349?
    - The virtual function call at 0x00401349 will call one of the virtual functions at 0x00401380,
    0x00401440, or 0x00401370.

    v. How could you easily set up the server that this malware expects in order to fully analyze the
    malware without connecting it to the Internet?
    - This malware connects to a remote FTP server using high-level API functions. We could download
    and set up a local FTP server, and redirect DNS requests to that server in order to fully exercise this
    malware.

    vi. What is the purpose of this program?


    - This program searches the victim’s hard drive and uploads all the files with a .doc or .pdf extension
    to a remote FTP server.

    vii. What is the purpose of implementing a virtual function call in this program?
    - The purpose of implementing a virtual function call is to allow the code to execute different upload
    functions for different file types.

    f. Analyze the malware in Lab20-03.exe.

    i. What can you learn from the interesting strings in this program?
    - Several strings that look like error messages (Error sending Http post, Error sending Http get, Error
    reading response, and so on) tell us that this program will be using HTTP GET and POST
    commands. We also see HTML paths (/srv.html, /put.html, and so on), which hint at the files that
    this malware will attempt to open.

    ii. What do the imports tell you about this program?


    - Several WS2_32 imports tell us that this program will be communicating over the network. An
    import to CreateProcess suggests that this program may launch another process.

    iii. At 0x4036F0, there is a function call that takes the string Config error, followed a few
    instructions later by a call to CxxThrowException. Does the function take any parameters
    other than the string? Does the function return anything? What can you tell about this
    function from the context in which it’s used?
    - The function called at 0x4036F0 does not take any parameters other than the string, but ECX
    contains the this pointer for the object. We know the object that contains the function is an exception
    object because that object is later used as a parameter to the CxxThrowException functions. We can
    tell from the context that the function at 0x4036F0 initializes an exception object, which stores a
    string that describes what caused the exception.

    iv. What do the six entries in the switch table at 0x4025C8 do?
    - The six entries of the switch table implement six different backdoor commands: NOOP, sleep,
    execute a program, download a file, upload a file, and survey the victim.

    v. What is the purpose of this program?


    - The program implements a backdoor that uses HTTP as the command channel and has the ability to
    launch programs, download or upload a file, and collect information about the victim machine.

    g. Analyze the code in Lab21-01.exe

    i. What happens when you run this program without any parameters?
    - When you run the program without any parameters, it exits immediately.

    ii. Depending on your version of IDA Pro, main may not be recognized automatically. How can
    you identify the call to the main function?
    - The main function is located at 0x00000001400010C0. You can spot the call to main by looking for
    a function call that accepts an integer and two pointers as parameters.

    iii. What is being stored on the stack in the instructions from 0x0000000140001150 to
    0x0000000140001161?
    - The string ocl.exe is stored on the stack.
    iv. How can you get this program to run its payload without changing the filename of the
    executable?
    - To have this program run its payload without changing the filename of the executable, you can
    patch the jump instruction at 0x0000000140001213 so that it is a NOP instead.

    v. Which two strings are being compared by the call to strncmp at 0x0000000140001205?
    - The name of the executable is being compared against the string jzm.exe by the call to strncmp at
    0x0000000140001205.

    vi. Does the function at 0x00000001400013C8 take any parameters?


    - The function at 0x00000001400013C8 takes one parameter, which contains the socket created to
    the remote host.

    vii. How many arguments are passed to the call to CreateProcess at 0x0000000140001093?
    How do you know?
    - The call to CreateProcess takes 10 parameters. We can’t tell from the IDA Pro listing because we
    can’t distinguish between things being stored on the stack and things being used in a function call,
    but the function is documented in MSDN as always taking 10 parameters.

    h. Analyze the malware found in Lab21-02.exe on both x86 and x64 virtual
    machines.

    i. What is interesting about the malware’s resource sections?


    - The malware contains the resource sections X64, X64DLL, and X86. Each of the resources
    contains an embedded PE file.

    ii. Is this malware compiled for x64 or x86?


    - Lab21-02.exe is compiled for a 32-bit system. This is shown in the PE header’s Characteristics
    field, where the IMAGE_FILE_32BIT_MACHINE flag is set.

    iii. How does the malware determine the type of environment in which it is running?
    - The malware attempts to resolve and call IsWow64Process to determine if it is running on an x64
    system.

    iv. What does this malware do differently in an x64 environment versus an x86 environment?
    - On an x86 machine, the malware drops the X86 resource to disk and injects it into explorer.exe. On
    an x64 machine, the malware drops two files from the X64 and X64DLL resource sections to disk
    and launches the executable as a 64-bit process.

    v. Which files does the malware drop when running on an x86 machine? Where would you find
    the file or files?
    - On an x86 system, the malware drops Lab21-02.dll into the Windows system directory, which will
    typically be C:\Windows\System32\.

    vi. Which files does the malware drop when running on an x64 machine? Where would you
    find the file or files?
    - On an x64 system, the malware drops Lab21-02x.dll and Lab21-02x.exe into the Windows system
    directory, but because this is a 32-bit process running in WOW64, the directory is
    C:\Windows\SysWOW64\.

    vii. What type of process does the malware launch when run on an x64 system?
    - On an x64 system, the malware launches Lab21-02x.exe, which is a 64-bit process. You can see
    this in the PE header, where the Characteristics field has the IMAGE_FILE_64BIT_MACHINE flag
    set.

    viii. What does the malware do?


    - On both x64 and x86 systems, the malware performs DLL injection into explorer.exe. On an x64
    system, it drops and runs a 64-bit binary to inject a 64-bit DLL into the 64-bit running explorer.exe.
    On an x86 system, it injects a 32-bit DLL into the 32-bit running explorer.exe.

    You might also like