In this write-up I will be diving into solving Lab 12 from the Practical Malware Analysis book, sharing my methodology for analyzing the binaries along the way, as well as any tips and tricks learned.

I hope you find this write-up both informative and helpful. Feel free to share it with others who might benefit from it!

Lab 12–1

Analyze the malware found in the file Lab12–01.exe and Lab12–01.dll. Make sure that these files are in the same directory when performing the analysis.

Questions

1. What happens when you run the malware executable?

Before we run the binary, let's check the strings and the blacklisted ones to give us some more context.


As you can see, there are some blacklisted API calls, from which we can deduce that we are dealing with some form of process injection.

If we run the binary, it pops up a message box.


2. What process is being injected?

To find the process being injected, I opened the Imports window and checked for common API calls used in process injection. I noticed OpenProcess and followed the cross-references of the call until I got to it; I found that explorer.exe is being injected.


3. How can you make the malware stop the pop-ups?

Since the malware injects into explorer.exe, we can kill the running explorer.exe process.


4. How does this malware operate?

The malware repeatedly activates after each sleep interval, indicating it uses the Sleep API call. I analyzed this by checking the Imports tab, locating the Sleep function, and examining its cross-references to identify where it's invoked.


The analysis reveals a looping function where var_18 increments by 1 with each iteration, paired with a 60,000-millisecond timeout. Every 60 seconds, a new thread is created within the explorer.exe process to display a message box with the text "Practical Malware Analysis %d", where %d is replaced by the value of var_18. This effectively tracks the number of minutes since the malware was injected into explorer.exe.

Lab 12–2

Analyze the malware found in the file Lab12–02.exe.

Questions

1. What is the purpose of this program?

When we open the binary in PE-bear, we notice an embedded resource of type UNICODE called LOCALIZATION that contains what looks like random characters.


That means the embedded binary is encrypted and will be decoded at run time. The hint that came to my mind was to search for the Sleep call in the Imports window in IDA and follow the cross-references to where it is called.


It is called from two references at run time; this is where the magic happens.

Inside the subroutine is the initialization of the svchost.exe process that will be used to load the binary after the call to sub_40132C.


So the purpose is to launch the other, encrypted binary, which is a keylogger.

2. How does the launcher program hide execution?

The binary appears to perform process replacement targeting C:\WINDOWS\system32\svchost.exe. This behavior is driven by the sub_40149D function, which constructs the full path by concatenating the system directory with \svchost.exe before initiating the replacement.


Just a tip if you are following along: you can jump to the details of each function by copying its memory address and jumping to that instruction.

3. Where is the malicious payload stored?

The malicious payload is stored in the program's resource section. The resource has type UNICODE and the name LOCALIZATION.

As we saw before in Resource Hacker.

4. How is the malicious payload protected?


As you can see in the image, the malware checks for the MZ PE header, then pushes 'A' to the next subroutine, which is responsible for the encryption. If we examine sub_401000, we can see an XOR routine inside it, which means the malware protects itself by using XOR encryption.


The sub_401000 function contains a loop that XOR-encrypts the code.


5. How are strings protected?

As previously mentioned, the binary employs an XOR-based encryption routine to protect its strings.
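As an added example (not code from the lab or the book), the Python below does what an analyst would do with the LOCALIZATION resource and the XOR-protected strings: it tries every single-byte key and keeps the one that yields a valid MZ/PE header, the same signature check the malware performs. The "resource" here is a constructed fake PE image XORed with 'A' (0x41), the byte the text describes being pushed; whether the real key is that byte is an assumption of this example.

```python
import struct
from typing import Optional

MZ = b"MZ"
PE_SIG = b"PE\0\0"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; the same routine encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def looks_like_pe(blob: bytes) -> bool:
    """True if blob starts with an MZ header whose e_lfanew points at a PE signature."""
    if len(blob) < 0x40 or blob[:2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == PE_SIG


def find_xor_key(blob: bytes) -> Optional[int]:
    """Brute-force all 256 single-byte keys; return the one that decodes to a PE image."""
    for key in range(256):
        if looks_like_pe(xor_bytes(blob, key)):
            return key
    return None


def build_fake_pe() -> bytes:
    """Constructed stand-in for the decrypted resource: MZ stub, e_lfanew=0x80, PE signature."""
    img = bytearray(0x100)
    img[0:2] = MZ
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = PE_SIG
    return bytes(img)


# Constructed sample: the fake PE encrypted with 'A' (0x41), the assumed key.
ENCRYPTED_RESOURCE = xor_bytes(build_fake_pe(), 0x41)

if __name__ == "__main__":
    key = find_xor_key(ENCRYPTED_RESOURCE)
    print(f"recovered key: {key:#04x} ({chr(key)!r})")
    print("valid PE header after decoding:", looks_like_pe(xor_bytes(ENCRYPTED_RESOURCE, key)))
```

The same brute force works on the XOR-protected strings once you know a plaintext prefix to test for instead of the PE signature.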

Lab 12–3

Analyze the malware extracted during the analysis of Lab 12–2, or use the file Lab12–03.exe.

Questions

1. What is the purpose of this malicious payload?

The payload is a keylogger that captures the keystrokes typed on the machine and stores them in practicalmalwareanalysis.log.


2. How does the malicious payload inject itself?

If we open the binary, we can see a call to sub_401000 at address 0x401803.

That call references ConsoleWindowClass; the method used to achieve process injection is manipulating the User Data of a window object.


Digging deeper, I noticed a push of fn to the SetWindowsHookExA API call at address 0x401054. Examining the previous push, I noticed a call to sub_4010C7 at address 0x4010A7; diving into this function, it is the one responsible for storing the keys captured by the keylogger.


3. What filesystem residue does this program create?

The practicalmalwareanalysis.log file, where the keystrokes are logged.

Lab 12–4

Analyze the malware found in the file Lab12–04.exe.

Questions

1. What does the code at 0x401000 accomplish?

It contains a number of unknown values, represented as dword, byte, and word values.


If we check those words and bytes, they refer to winlogon.exe.


We can confirm that by clicking on the word and checking the Hex View window.


To summarize, the call is there to open the logon process.
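As an added example (not from the lab or the book), this Python rebuilds the string that such dword/word/byte immediates assemble on the stack, the way an analyst would confirm winlogon.exe without clicking through the Hex View. The IDA-style listing, variable names and offsets are constructed; the parser assumes IDA's var_N naming, where var_N lives at ebp-N.

```python
import re
import struct

# Constructed listing in IDA's style for the kind of code seen at 0x401000.
# The stores are deliberately out of order to show that placement by stack
# offset, not listing order, is what recovers the string.
LISTING = """
mov     byte ptr [ebp+var_6], 78h
mov     byte ptr [ebp+var_5], 65h
mov     dword ptr [ebp+var_10], 6C6E6977h
mov     dword ptr [ebp+var_C], 6E6F676Fh
mov     word ptr [ebp+var_8], 652Eh
mov     byte ptr [ebp+var_4], 0
"""

MOV_RE = re.compile(
    r"mov\s+(dword|word|byte) ptr \[ebp\+var_([0-9A-F]+)\],\s*([0-9A-F]+)h?", re.I
)
SIZE = {"dword": 4, "word": 2, "byte": 1}
FMT = {4: "<I", 2: "<H", 1: "<B"}   # little-endian, as on x86


def parse_pieces(listing: str):
    """Return (offset_from_ebp, size, value) for each immediate store; var_N means ebp-N."""
    pieces = []
    for m in MOV_RE.finditer(listing):
        kind, var, imm = m.groups()
        pieces.append((-int(var, 16), SIZE[kind.lower()], int(imm, 16)))
    return pieces


def stack_string(pieces) -> str:
    """Lay every immediate at its stack offset and read the bytes up to the first NUL."""
    base = min(off for off, _, _ in pieces)
    end = max(off + size for off, size, _ in pieces)
    buf = bytearray(end - base)          # gaps between stores stay zero-filled
    for off, size, value in pieces:
        struct.pack_into(FMT[size], buf, off - base, value)
    return bytes(buf).split(b"\x00", 1)[0].decode("ascii", "replace")


if __name__ == "__main__":
    print(stack_string(parse_pieces(LISTING)))   # winlogon.exe
```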


2. Which process has code injected?

As shown before, the process injected is winlogon.exe.

3. What DLL is loaded using LoadLibraryA?

If we go to the Imports window, search for the LoadLibraryA API call and check the cross-references of that API, we notice that it loads sfc_os.dll.


4. What is the fourth argument passed to the CreateRemoteThread call?

From the analysis above, it can be concluded that the fourth argument passed to CreateRemoteThread is the function exported with ordinal number 2 from sfc_os.dll, identified as SfcTerminateWatcherThread. This function, exposed by the System File Checker (SFC) DLL, is used to manage Windows File Protection, indicating its potential use in disabling this security mechanism.

This export can be used to disable Windows File Protection (WFP), and must be invoked in the winlogon.exe process. See this excellent resource for more information: Disable WFP completely until the computer is next rebooted via undocumented SFC API.


5. What malware is dropped by the main executable?

The malware extracts a binary from its resource section and replaces the original Windows Update binary (wupdmgr.exe) with the extracted file. Before performing the overwrite, the malware creates a backup by copying the legitimate wupdmgr.exe to the %TEMP% directory for potential later use.


6. What is the purpose of this and the dropped malware?

The malware employs DLL injection to create a remote thread within the winlogon.exe process, invoking the SfcTerminateWatcherThread function exported by sfc_os.dll (ordinal 2). This action effectively disables Windows File Protection until the next system reboot. The use of CreateRemoteThread is critical, as the function must execute within the context of the winlogon.exe process.

Additionally, the malware compromises wupdmgr.exe, repurposing it to update its malicious components. It achieves this by overwriting the legitimate Windows Update Manager binary with the trojanized version while preserving the original binary by relocating it to the %TEMP% directory for later execution. This ensures that the original functionality of wupdmgr.exe can be leveraged alongside the malware's operations.