PMA - CH 7-1
Analysis of Lab07_01.exe
Last updated
Analysis of Lab07_01.exe
Last updated
Looking at the file in Pe-Studio we can see that they already have some indicators for us to be looking for during our analysis. Looking at the imports table there are two imports that catch my eye. CreateMutex, OpenMutex, OpenSCManager, and finally CreateThread.
Opening the file in IDA and checking out the strings we see:
Double-clicking on MalService we see:
Clicking X on aMalService we can see there is one xerf associated double-clicking on it takes us to "main"
We can see that "main" only makes one call out which is to sub401040. Before the function call, we see a call to StartServiceCtrlDispatcher. Which from MSDN "Connects the main thread of a service process to the service control manager, which causes the thread to be the service control dispatcher thread for the calling process." SERVICETABLEENTRYA is a pointer to a structure containing information used by ServiceCtrlDispatcherA. Looking at the structure we can see it holds the ServiceName and a pointer to ServiceMain. Looking at IDA we can see is pointing to sub401040
We don't yet know what MalService" is doing yet but can infer it is being used by this malware to create a new service. Before we move on let's rename this function to "main" (hitting n within IDA will let you change the function name)
Looking at this function we see the text HGL345 and below OpenMutex and below that, we see the same text (HGL345) and CreateMutex. Malware uses mutexes to ensure that only one instance of malware is running on any system. The code first checks for a mutex with HGL345 if a successful program exits it is not though. It will then proceed to create a mutex using the parameters.
In the next code section, we see a call to OpenSCManager which opens a handle to the service control manager so that the program can add or modify services. GetModuleFileName will return the full pathname to the currently running executable or a loaded DLL. This will be used later for CreateService for the full pathname. Looking at CreateService the most important parameters are swServiceType and BinaryPathName. ServiceType is set to 10h - reference MSDN we see that will allow the service to run its own process. BinaryPathName is the same as the function call to GetModuleFileName we can verify this during dynamic analysis. dwStartType has a few different values that MSDN has documented
Service_Boot (0x00)
ServiceSystemstart (0x01)
ServiceAuto_Start (0x02)
Service_Deman_Start (0x03)
Service_Disabled (0x04)
The malware uses 0x02 so the service is started automatically on start-up
Scrolling down the code we should see:
According to MSDN SYSTEMTIME "Specifies a date and time, using individual members for the month, day, year, weekday, hour, minute, second, and millisecond. The time is either in coordinated universal time (UTC) or local time, depending on the function that is being called."
We can see that the malware then calls CreateWaitableTimerA which creates an object waitable timer. It then proceeds to set the waitable timer object calling SetWaitableTimer
We see the value 834h which is 2100 in decimal. Which represents midnight on January 1, 2100. The program calls CreateWaitableTimer, and WaitForSingleObject. The most important argument is lpDueTime augment to SetWaitableTimer. The argument is the FileTime returned by SystemTimeToFileTime, as shown above. The code then uses WaitFor SingleObject to wait until January 1, 2100.
The code then moves the call CreateThread into the EDI register loops 20 times as shown above. ESI is set as the counter to 0x14 (20), ESI has decremented and hits zero the loop exits. The call to CreateThread has a few parameters only one is important to us. lpStartAddress which tells us which function will be used as the start address for the thread - labeled StartAddress in this case. We see that StartAddress is a function call to InternetOpen to initialize a connection to the internet and calls InternetOpenUrl from within a loop.
The jmp instruction at the end of the loop is an unconditional jump, which means that the code will never end; it will call InternetOpenUrlA and download the home page of www.malwareanalysisbook.com forever. And because CreateThread is called 20 times, 20 threads will call InternetOpenUrlA forever.
Skipping to the interesting part of the analysis. We are looking at sub_401040. We can see that when it creates the service using the executable.
Next, we have the call to CreateService which we can see creates a service and names it Malservice
Q: 1. How does this program ensure that it continues running (achieves persistence) when the computer is restarted? The malware creates persistence using services. It creates a service called MalService that autostarts and as its own process.
Q: 2. Why does this program use a mutex? It uses the mutex to ensure only one version of the malware is running on the machine if it detects the mutex it will end the program.
Q: 3. What is a good host-based signature to use for detecting this program? A good host-based signature is mutex creation.
Q: 4. What is a good network-based signature for detecting this malware? A good network-based signature is an address that the malware reaches out to and it also hard codes headers that can be used for detection.
Q: 5. What is the purpose of this program? It appears to wait until January 2100 and when that date comes it will make a connection to the website. It creates 20 different threads to call out to the website so it is possibly a Dos attack.
Q: 6. When will this program finish executing? Never there is an unconditional jump that never ends the program execution.
Michael Sikorski and Andrew Honig. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software (Kindle Locations 4927-4938). No Starch Press.