"Malicious Code Analysis Practice" Experiment - Labs-01

Notes on the experiments in "Malicious Code Analysis Practice", with relevant links:

Labs-01-1 Experiment

1. Upload the file to VirusTotal (VT) for analysis.

2. When was the file compiled?
Operation: Open the file in LordPE (any other PE editor will do) and read the compile timestamp from the PE header: December 19, 2010.

3. Is the program packed or obfuscated?
Operation: Check with PEiD: neither the DLL nor the EXE is packed.

4. Are there any imported functions that hint at what this program does? If so, which ones?
Operation: View the imported functions with Dependency Walker or PEiD; from the imports alone you can only make an educated guess about the program's behaviour.

  • 1) The EXE's main functions are copying and searching for files (typically it locates the system directory and copies itself there to blend in):

  • 2) The DLL's main function is networking, because WS2_32.dll is the Winsock network library:

5. Are there other host-based signs that can be searched for on infected hosts?
Operation: As a first pass, search the binaries for strings with Strings.

  • 1) The EXE contains some sensitive strings. kerne132.dll (the digit 1 in place of the letter l) closely resembles the system's kernel32.dll, and a system32 path appears alongside it, so the program presumably renames lab01.dll to kerne132.dll and copies it into the system32 directory to disguise itself.

  • 2) Searching the strings in lab01.dll turns up WS2_32.dll. As analysed earlier, this is the network library, so the DLL performs network operations; further on an IP address appears, so it is very likely that these network operations connect to this IP address to carry out further malicious actions.

6. What network-based signs could identify this malicious program?
Operation: As analysed above, the specific behaviour still has to be captured on the network and reverse engineered for a detailed answer.

7. Guess the purpose of the file

  • 1) First, the program copies itself to the system directory
  • 2) Then it renames the DLL file and copies it to the system directory
  • 3) The malicious program calls its own DLL to perform network operations (such as downloading other malware, creating backdoors, uploading collected information, etc.)

Labs-01-2 Experiment

1. Upload the file to VirusTotal (VT).

2. Is it packed or obfuscated? If packed, unpack it.
Operation:
1) Scanning with PEiD shows that it is packed.

2) A deep scan identifies the packer as UPX.

3) Unpack with the free UPX tool (the unpacked program overwrites the original file); PEiD then identifies the unpacked program as written in VC++ 6.0.
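The compile-timestamp and packing checks done above with LordPE and PEiD (Lab 01-1 steps 2 and 3, Lab 01-2 step 2) can also be scripted. The following Python is an added example, not code from this write-up or from those tools; it parses the COFF header and section table with the standard library only and reports the static hints that PEiD's signature match confirms: packer section names, near-8-bit entropy, and a section that reserves memory but has no raw data (the UPX0 unpack destination). The PE image built by make_sample_pe() is constructed for the example, with its timestamp set to the date reported above and its sections imitating a UPX-packed layout.

```python
"""Static triage of a PE header: compile timestamp, section table and packing
heuristics. Added example (not from the lab write-up, LordPE, PEiD or UPX);
standard library only. make_sample_pe() builds a constructed PE32 image whose
timestamp is set to the date the write-up reports, not read from the lab binary."""
import math
import random
import struct
from collections import Counter
from datetime import datetime, timezone

COFF_HDR = struct.Struct("<HHIIIHH")         # IMAGE_FILE_HEADER (20 bytes)
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER (40 bytes)
# Section names that common packers leave behind; UPX is what PEiD found in Lab 01-2.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".nsp0", ".nsp1"}
HIGH_ENTROPY = 7.0   # bits per byte; compressed or encrypted data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of a blob: ~0 for padding, ~8 for compressed/encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(image: bytes) -> dict:
    """Read the COFF header and section table of a PE file from its raw bytes."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff_off = e_lfanew + 4
    machine, nsec, timestamp, _, _, opt_size, _ = COFF_HDR.unpack_from(image, coff_off)
    opt_off = coff_off + COFF_HDR.size
    magic = struct.unpack_from("<H", image, opt_off)[0] if opt_size >= 2 else 0
    sections = []
    for i in range(nsec):
        off = opt_off + opt_size + i * SECTION_HDR.size
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, _ = SECTION_HDR.unpack_from(image, off)
        raw = image[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": vaddr,
            "raw_size": raw_size, "entropy": round(shannon_entropy(raw), 2),
        })
    compiled = datetime.fromtimestamp(timestamp, tz=timezone.utc)   # TimeDateStamp is UTC epoch seconds
    return {
        "machine": hex(machine),
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
        "compile_time": compiled.isoformat(),
        "compile_date": compiled.strftime("%Y-%m-%d"),
        "sections": sections,
    }


def packing_indicators(info: dict) -> list:
    """Cheap static hints that a file is packed; a PEiD deep scan then names the packer."""
    hits = []
    for s in info["sections"]:
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append(f"{s['name']}: known packer section name")
        if s["entropy"] > HIGH_ENTROPY:
            hits.append(f"{s['name']}: entropy {s['entropy']} looks compressed/encrypted")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append(f"{s['name']}: no raw data but {s['virtual_size']:#x} bytes reserved (unpack destination)")
    return hits


def make_sample_pe() -> bytes:
    """Constructed minimal PE32 image imitating a UPX-packed file (not a real sample)."""
    rng = random.Random(7)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))   # high-entropy stand-in for compressed code
    rsrc = bytes([0x55, 0x8B, 0xEC, 0x90]) * 256               # low-entropy filler (entropy exactly 2.0)
    ts = int(datetime(2010, 12, 19, tzinfo=timezone.utc).timestamp())
    opt_size = 0xE0                                            # PE32 optional header size
    raw0 = 0x200                                               # first raw-data offset (file alignment)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                    # e_lfanew -> PE signature
    coff = COFF_HDR.pack(0x014C, 3, ts, 0, 0, opt_size, 0x010F)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic = PE32
    hdrs = (SECTION_HDR.pack(b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
            + SECTION_HDR.pack(b"UPX1", 0x2000, 0x11000, len(packed), raw0, 0, 0, 0, 0, 0xE0000040)
            + SECTION_HDR.pack(b".rsrc", len(rsrc), 0x13000, len(rsrc), raw0 + len(packed), 0, 0, 0, 0, 0xC0000040))
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    return image.ljust(raw0, b"\0") + packed + rsrc


if __name__ == "__main__":
    info = parse_pe(make_sample_pe())   # replace with open(path, "rb").read() for a real file
    print(info["pe_format"], info["machine"], "compiled", info["compile_time"])
    for s in info["sections"]:
        print(f"  {s['name']:<8} raw={s['raw_size']:#7x} virt={s['virtual_size']:#7x} entropy={s['entropy']}")
    for hit in packing_indicators(info):
        print("  packing indicator:", hit)
```

The timestamp is only a hint: it is set by the linker and can be forged, so treat a plausible date as corroborating evidence rather than proof. The entropy threshold and section-name list are heuristics; a signature scan such as PEiD's deep scan, or simply trying `upx -d`, settles which packer was used.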

3. Are there any imported functions that hint at the program's behaviour?
Operation: Viewing the imports in PEiD shows functions that create mutexes, processes and services, alongside networking functions.

4. What host-based or network-based signs can be used to detect this malicious program?
Operation: A sensitive-string search with Strings finds the specific URL "http://xxx.com", which should be the website the malware connects to; in addition, since the earlier analysis suggested that the program creates a malicious process, the string "MalService" is most likely a process name.
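The Strings searches in Lab 01-1 step 5 and Lab 01-2 step 4 can be automated with the following Python, an added example that is not part of this write-up. It extracts printable ASCII and UTF-16LE strings the way the Strings tool does, then flags look-alike system DLL names (one character off, as kerne132.dll is from kernel32.dll), references to networking DLLs, IPv4 addresses, URLs and system32 paths. The SAMPLE bytes are constructed; the IP address and URL in them are reserved documentation values, not indicators taken from the lab binaries.

```python
"""Strings-based triage of a binary. Added example, not code from the lab
write-up or from the Strings tool. SAMPLE is a constructed byte blob; the
IP (192.0.2.10, TEST-NET-1) and URL (example.com) are documentation values."""
import re

MIN_LEN = 4
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)            # runs of printable ASCII
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)     # UTF-16LE (wide) strings
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")               # also matches version numbers; review hits
URL_RE = re.compile(r"^https?://", re.IGNORECASE)
NETWORK_DLLS = {"ws2_32.dll", "wsock32.dll", "wininet.dll", "urlmon.dll"}
SYSTEM_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
               "shell32.dll", "ws2_32.dll", "wininet.dll"}


def extract_strings(data: bytes) -> list:
    """Printable ASCII and UTF-16LE strings of at least MIN_LEN characters."""
    found = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]
    return found


def hamming(a: str, b: str) -> int:
    return sum(x != y for x, y in zip(a, b))


def lookalike_of(name: str):
    """System DLL that `name` imitates: same length, exactly one character different.
    (Only substitutions are caught; a full edit distance would also catch kernel132.dll.)"""
    low = name.lower()
    for real in SYSTEM_DLLS:
        if len(real) == len(low) and low != real and hamming(low, real) == 1:
            return real
    return None


def triage(strings: list) -> list:
    """Classify strings worth a second look as (category, string, note) triples."""
    findings = []
    for s in strings:
        low = s.lower()
        if low.endswith(".dll"):
            real = lookalike_of(s)
            if real:
                findings.append(("lookalike", s, f"one character off from {real}"))
            elif low in NETWORK_DLLS:
                findings.append(("network-dll", s, "references a networking library"))
        if IPV4_RE.match(s):
            findings.append(("ipv4", s, "candidate network indicator"))
        if URL_RE.match(s):
            findings.append(("url", s, "candidate network indicator"))
        if "system32" in low:
            findings.append(("path", s, "system directory reference"))
    return findings


# Constructed sample: strings separated by NUL padding, as they sit in a real binary.
_PAD = b"\0" * 3
SAMPLE = _PAD.join([
    b"\x4d\x5a\x90\x00\x03",               # header-like bytes, too short to count as a string
    b"kerne132.dll",                        # look-alike of kernel32.dll
    b"C:\\windows\\system32\\",
    b"WS2_32.dll",
    b"192.0.2.10",                          # documentation address standing in for the lab's IP
    b"http://example.com/",                 # documentation URL standing in for "http://xxx.com"
    "MalService".encode("utf-16-le"),       # wide string, invisible to an ASCII-only search
    b"ab",                                  # below MIN_LEN, must not be reported
]) + _PAD


if __name__ == "__main__":
    data = SAMPLE   # for a real file: data = open(path, "rb").read()
    strings = extract_strings(data)
    print(f"{len(strings)} strings")
    for category, s, note in triage(strings):
        print(f"  [{category:<11}] {s!r}: {note}")
```

The wide-string pass matters because Strings-style tools that only scan ASCII miss UTF-16 text, which is how Windows stores service names, registry paths and many error messages. Review every hit by hand: a dotted quad may be a version string, and a look-alike name is only suspicious in context, which is why the write-up pairs kerne132.dll with the system32 path before drawing its conclusion.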

Labs-01-3 Experiment

Same procedure as 01-1 and 01-2.

Labs-01-4 Experiment

Same procedure as 01-1 and 01-2.

Origin blog.csdn.net/weixin_39561364/article/details/108471196