Old Dominion University · Web viewOpen the file from ResourceHacker Lab12-02.exe and save it as...


Homework 8

Part 1: we will analyze Lab12-02.exe

1. Let us have our layout like this:

Then run the malware. In Process Explorer you will see something flash and quickly disappear; it involves some .exe process. What is that process name?

2. Our guess is that this malware performs “process replacement”. Open it in IDA Pro and you will see a number of function calls:


sub_40149D seems to get the system directory, and we see some string concatenations -> skip it for now. sub_40132C seems to have something to do with resources and then allocates some space -> interesting -> skip it, we might come back later. sub_4010EA -> click into it and we see a number of function calls. Use slide 9 of the course PPT (process replacement): https://www.lions.odu.edu/~c1wang/course/cs495/lecture/8_1_Covert_Launching.pdf to explain, at a high level, what sub_4010EA is doing here – don’t copy from the slides.

3. Then let us take a closer look inside:


We see that the creation flag (dwCreationFlags) passed to CreateProcessA is set to 4 (see https://docs.microsoft.com/en-us/windows/desktop/ProcThread/process-creation-flags).

Explain this in relation to the procedure in Question 2.

4. (This one requires some skill – this information and these conventions are by design from Microsoft – only skilled malware writers know this – so it’s good for us to learn)

We see that it first gets the context of the thread, and the pointer to the context is moved into EAX. Then we see “mov ECX, [EAX+0A4h]”. This 0A4h seems odd. Click Structures:

Inside Structures, press the “Insert” key (Ins) on your keyboard; then you will add CONTEXT as a standard structure.

Show what “mov ECX, [EAX+0A4h]” becomes after you do this. [Attach a screenshot from IDA Pro]

We actually see a reference to the EBX field of CONTEXT -> look for some expert explanations online, since this is not well documented.
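To see why IDA turns 0A4h into the EBX field, it helps to derive the field offsets from the declared layout rather than look them up. The following is an added example (not part of the homework or of Lab12-02.exe): it encodes the documented 32-bit CONTEXT layout from winnt.h as a list of (field, size) pairs, sums the sizes to get each offset, and rewrites a raw displacement the way IDA does once CONTEXT is applied as a structure. The helper names (`field_at`, `annotate`) are this example's own.

```python
"""Resolve a raw displacement such as [EAX+0A4h] to a field of the x86
CONTEXT structure, as IDA does once CONTEXT is added as a standard structure.
Added example; the layout is the documented 32-bit CONTEXT from winnt.h."""
import re

# (field name, size in bytes), in declaration order for the x86 CONTEXT.
X86_CONTEXT_LAYOUT = [
    ("ContextFlags", 4),
    ("Dr0", 4), ("Dr1", 4), ("Dr2", 4), ("Dr3", 4), ("Dr6", 4), ("Dr7", 4),
    ("FloatSave", 112),          # FLOATING_SAVE_AREA (7 DWORDs + 80-byte area + 1 DWORD)
    ("SegGs", 4), ("SegFs", 4), ("SegEs", 4), ("SegDs", 4),
    ("Edi", 4), ("Esi", 4), ("Ebx", 4), ("Edx", 4), ("Ecx", 4), ("Eax", 4),
    ("Ebp", 4), ("Eip", 4), ("SegCs", 4), ("EFlags", 4), ("Esp", 4), ("SegSs", 4),
    ("ExtendedRegisters", 512),
]

def field_offsets(layout=X86_CONTEXT_LAYOUT):
    """Return ({name: offset}, sizeof) by summing sizes; every field is DWORD-aligned."""
    offsets, pos = {}, 0
    for name, size in layout:
        offsets[name] = pos
        pos += size
    return offsets, pos

def field_at(offset, layout=X86_CONTEXT_LAYOUT):
    """Map a displacement to (field, delta inside the field), e.g. 0xA4 -> ("Ebx", 0)."""
    pos = 0
    for name, size in layout:
        if pos <= offset < pos + size:
            return name, offset - pos
        pos += size
    raise ValueError(f"offset {offset:#x} lies outside CONTEXT")

def annotate(instr):
    """Rewrite '[EAX+0A4h]'-style operands as '[EAX+CONTEXT.<field>]'."""
    def sub(m):
        name, delta = field_at(int(m.group(2), 16))
        suffix = f"+{delta:#x}" if delta else ""
        return f"[{m.group(1)}+CONTEXT.{name}{suffix}]"
    return re.sub(r"\[(E[A-Z]{2})\+0?([0-9A-Fa-f]+)h\]", sub, instr)

if __name__ == "__main__":
    print(annotate("mov ECX, [EAX+0A4h]"))   # -> mov ECX, [EAX+CONTEXT.Ebx]
    print(hex(field_offsets()[1]))           # -> 0x2cc, sizeof(CONTEXT) on x86
```

The same table resolves the other register slots you will meet in this function (for example 0B8h is Eip), so you can sanity-check IDA's structure view against it.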

Then using this:


What is in ECX after “add ECX, 8”? [Difficult question – Bonus +1]

Then we see “NtUnmapViewOfSection”. What does this function do to the svchost.exe process? [This is a native system call, also used by Windows kernel-mode drivers to manage shared memory – which is why you see ntdll.dll being obtained. It can also be used maliciously.]
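From the defender's side, the sequence worked through in Questions 2 to 4 (CreateProcessA with the suspended flag, then NtUnmapViewOfSection, WriteProcessMemory, SetThreadContext and ResumeThread against the same child) is the signature worth detecting. The following is an added example, not part of the homework: it runs a small state machine over an API-call trace and reports parent/child pairs that complete that sequence. The trace line format (`pid=… api=… flags=… target=…`) and the sample lines are constructed for this example; a real sandbox or ETW trace would need its own parser.

```python
"""Flag a process-replacement API sequence in a constructed API-call trace.
Added example; the trace format and sample lines are invented here."""
import re

CREATE_SUSPENDED = 0x00000004   # documented dwCreationFlags bit

# Calls that, in this order against the suspended child, characterise
# process replacement.  Other calls (GetThreadContext, VirtualAllocEx,
# repeated WriteProcessMemory) may appear in between and are ignored.
REPLACEMENT_STEPS = ["NtUnmapViewOfSection", "WriteProcessMemory",
                     "SetThreadContext", "ResumeThread"]

LINE_RE = re.compile(
    r"pid=(?P<pid>\d+)\s+api=(?P<api>\w+)"
    r"(?:\s+flags=(?P<flags>0x[0-9a-fA-F]+))?"
    r"(?:\s+target=(?P<target>\d+))?"
)

def parse(line):
    """Turn one constructed trace line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {"pid": int(d["pid"]), "api": d["api"],
            "flags": int(d["flags"], 16) if d["flags"] else 0,
            "target": int(d["target"]) if d["target"] else None}

def find_process_replacement(lines):
    """Return [(parent_pid, child_pid)] for every suspended child that was
    unmapped, written to, had its thread context set, and was resumed."""
    progress = {}          # child pid -> (parent pid, index of next expected step)
    findings = []
    for rec in filter(None, map(parse, lines)):
        if rec["api"] == "CreateProcessA" and rec["flags"] & CREATE_SUSPENDED:
            progress[rec["target"]] = (rec["pid"], 0)
            continue
        child = rec["target"]
        if child not in progress:
            continue
        parent, step = progress[child]
        if rec["api"] == REPLACEMENT_STEPS[step]:
            step += 1
            if step == len(REPLACEMENT_STEPS):
                findings.append((parent, child))
                del progress[child]
            else:
                progress[child] = (parent, step)
    return findings

# Constructed trace: one hollowing sequence, one benign spawn, one
# suspend-then-resume with nothing written (debugger-like, not flagged).
SAMPLE_TRACE = [
    "pid=1000 api=CreateProcessA flags=0x4 target=1001",
    "pid=1000 api=GetThreadContext target=1001",
    "pid=1000 api=ReadProcessMemory target=1001",
    "pid=1000 api=NtUnmapViewOfSection target=1001",
    "pid=1000 api=VirtualAllocEx target=1001",
    "pid=1000 api=WriteProcessMemory target=1001",
    "pid=1000 api=WriteProcessMemory target=1001",
    "pid=1000 api=SetThreadContext target=1001",
    "pid=1000 api=ResumeThread target=1001",
    "pid=2000 api=CreateProcessA flags=0x0 target=2001",
    "pid=2000 api=WriteProcessMemory target=2001",
    "pid=3000 api=CreateProcessA flags=0x4 target=3001",
    "pid=3000 api=ResumeThread target=3001",
]

if __name__ == "__main__":
    print(find_process_replacement(SAMPLE_TRACE))   # -> [(1000, 1001)]
```

Requiring the full ordered sequence keeps ordinary suspended launches (debuggers, some installers) out of the alert, which is why the third constructed process above is not reported.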

5. We know that some memory write operation is going on here within the loop:


Our suspicion is that it takes Lab12-02.exe and copies it over, replacing the sections of svchost.exe. So where is svchost.exe? Let’s find out. Scroll up and you will see:

The ApplicationName is taken as input to CreateProcessA; scroll further up and you can see:

ApplicationName is indeed taken as a parameter to the function, so we want to see where this function is called: move your mouse over sub_4010EA and press “CTRL+X” to see the cross-reference list:

This takes us back to the main function. Well, we entered here from the main function and now we are back. You can see ApplicationName is passed as a parameter to sub_4010EA; tracing further up, we see it is loaded into EAX, is related to lpBuffer, and has something to do with:

this sub_40149D function, which we skipped earlier. Let us click into it -> not much information. Let us use OllyDbg: set a breakpoint at 0x004014AE.


What is the value in EDX? [Hint: the erased parts]

Also confirm its location by taking a screenshot at the location you found: [I’ve purposely masked the location]

You might notice that, at this point, a practicalmalwareanalysis.log file has been created and is being used to log your keystrokes. Let’s restore the VM to the clean snapshot.


6. Take a look at Strings in IDA Pro: can you find “practicalmalwareanalysis.log”? If you can’t, it suggests some encryption might be going on, so we need to take a closer look in IDA Pro. Our logic is this: static analysis -> no string with the name of the log file; running the malware dynamically -> the string suddenly appears -> this suggests something fishy is going on with the resource extraction, because we have seen some resource-related APIs. Let’s take a closer look. Jump to sub_40132C (which we skipped earlier) and you will see those resource-related API calls. Scroll down to the bottom and we find a function call:

We find:


1) Two things stand out: this looks like a loop, and it contains XOR AL, [ebp+arg_8]. In most cases XOR is used to clear a register, but here the lower byte of the register is XORed with arg_8, which suggests arg_8 is the encryption key, hard-coded here. Can you find the encryption key? [Hint: you will need to trace to where sub_401000 is called; arg_8 refers to the first value pushed onto the stack.]

2) Open Lab12-02.exe in Resource Hacker and save it as Lab12-02_dup.exe -> Resource Hacker will extract the resource sections of the malware, but they remain encrypted.

3) Open the WinHex editor from C:\Documents and Settings\Test\My Documents\Downloads\winhex and load Lab12-02_dup.exe into it. Choose Edit -> Modify Data -> XOR and enter the encryption key you found in IDA Pro (as a hexadecimal number). Then scroll up in WinHex and use Search -> Find Text -> enter “practical”. You should be able to find the name of the log file that is generated.
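The WinHex steps above (XOR the extracted resource with a one-byte key, then search for “practical”) can be scripted, and the script can also recover the key on its own when you know a string that must be in the plaintext. The following is an added example, not part of the homework or of the sample: it XORs a blob with a single-byte key, tries all 256 keys against a known plaintext, and extracts printable strings from the result. The encrypted bytes are constructed here with a made-up key (0x5A); that is deliberately not the key you are asked to find in IDA Pro.

```python
"""Single-byte XOR decryption of an extracted resource, plus key recovery
from a known plaintext.  Added example; SAMPLE_RESOURCE is constructed with
a made-up key and is not dumped from Lab12-02.exe."""

KNOWN_PLAINTEXT = b"practicalmalwareanalysis.log"

def xor_bytes(data, key):
    """XOR every byte with one key byte (what the loop around sub_401000 does)."""
    return bytes(b ^ key for b in data)

def recover_xor_key(blob, crib):
    """Return every single-byte key for which `crib` appears in blob ^ key.
    XOR is its own inverse, so key = cipher_byte ^ plain_byte wherever the
    crib sits; with only 256 candidates a brute-force search is enough."""
    return [k for k in range(256) if crib in xor_bytes(blob, k)]

def find_strings(data, min_len=6):
    """Printable-ASCII runs, like IDA's Strings window or WinHex Find Text."""
    out, cur = [], bytearray()
    for b in data:
        if 0x20 <= b < 0x7F:
            cur.append(b)
        else:
            if len(cur) >= min_len:
                out.append(cur.decode())
            cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode())
    return out

# Constructed resource: a fake MZ header, some padding, the log file name,
# all encrypted with the made-up key 0x5A (not the real sample's key).
_SAMPLE_KEY = 0x5A
SAMPLE_RESOURCE = xor_bytes(
    b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 8 + KNOWN_PLAINTEXT + b"\x00\x00",
    _SAMPLE_KEY,
)

def decrypt_and_search(blob, crib=KNOWN_PLAINTEXT):
    """Recover the key, decrypt, and return (key, printable strings found)."""
    keys = recover_xor_key(blob, crib)
    if len(keys) != 1:
        raise ValueError(f"expected exactly one key, found {keys}")
    return keys[0], find_strings(xor_bytes(blob, keys[0]))

if __name__ == "__main__":
    key, strings = decrypt_and_search(SAMPLE_RESOURCE)
    print(hex(key), strings)   # -> 0x5a ['practicalmalwareanalysis.log']
```

Note that the crib search only confirms a key that is already strongly suspected; with a short or common crib several keys may match, which is why the function returns a list and `decrypt_and_search` insists on exactly one.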

This concludes all the analysis of this malware.


Part 2: We will analyze Lab12-03.exe.

1. Open the PE in IDA Pro. We can easily see that this malware uses a hook to intercept certain events. See the highlighted code below.

From the input parameters to SetWindowsHookExA, can you tell what type of hook procedure is installed? (Hint: look at the value of idHook)

Does the type of hook suggest anything about what the malware might be?

2. Then we see an unconditional jump that loops, calling “GetMessageA” – get the message defined by the hook -> no surprise. Let’s go back to the offset fn before SetWindowsHookExA.


Click into this “fn”.

This is a structure:


We see 104h and 100h being compared with wParam. The logic here is a little odd: if either the first block or the second block is true, we push lParam onto the stack and call sub_4010C7.

With some research, we find that 104h and 100h mean:


The following information is also useful.

We also know that lParam captures the keys just pressed and presents them as virtual-key codes. [1] <https://docs.microsoft.com/en-us/windows/desktop/inputdev/virtual-key-codes>

Then we see lParam passed into sub_4010C7. Let’s click into this function:

Here are the questions: 1) Are there any filenames that look suspicious? 2) What is in the Buffer?

3. (Hard) Then we see a big jump table:


What is the code construct here? (if/while/for/switch) Why is a jump table implemented instead of a naïve implementation? (Hint: we discussed this in previous classes)

Then let us take a closer look at how it jumps.

You see here: 0x8 is subtracted from the value of Buffer.


Then click into byte_40148D, which is basically the jump table. Let me do an example first. From [1], you know that ‘DEL’ is 0x2E. Then 0x8 is subtracted from this value -> 0x2E – 0x8 = 0x26, which is 38 in decimal. From the jump table we know that entry is 7.


This is where 7 should go: loc_4012E1 <- Del

Yes. It matches the code perfectly.

Based on the previous example, demonstrate where “CTRL” and “TAB” are implemented in the jump table. You will need to show where it jumps in the jump table and the relevant address. You can use the highlight in the Snipping Tool to emphasize the answer.
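The walk-through in Question 3 (compare wParam, subtract 8 from the key code, index byte_40148D, jump) is the standard two-level lowering a compiler emits for a switch with sparse case labels: the subtraction rebases the smallest case label to table entry 0, a range check sends anything beyond the table to the default, a byte table maps the rebased index to a small case number, and that case number selects the handler. The following is an added model of that dispatch, not code from the homework or from Lab12-03.exe: the window-message and virtual-key constants are the documented Windows values, but the index table, the case numbers other than the DEL entry worked above, and the handler labels are constructed for illustration.

```python
"""Model of the keystroke switch in the hook procedure: filter wParam for
key-down messages, rebase the virtual-key code by 8, index a byte table to
get a case number, then dispatch.  Added example; INDEX_TABLE and CASE_TABLE
are constructed (only DEL -> 0x26 -> case 7 follows the worked example)."""

WM_KEYDOWN = 0x0100       # documented window-message constants
WM_SYSKEYDOWN = 0x0104
VK_DELETE = 0x2E          # documented virtual-key codes [1]
VK_TAB = 0x09
VK_CONTROL = 0x11
BASE = 0x8                # the "sub ..., 8" seen before the table index
DEFAULT_CASE = 0xFF       # constructed sentinel for "no case for this key"

# Constructed index table: position = vk - BASE, value = case number.
INDEX_TABLE = bytearray([DEFAULT_CASE] * 0x80)
INDEX_TABLE[VK_DELETE - BASE] = 7      # 0x26 -> 7, as in the walk-through
INDEX_TABLE[VK_TAB - BASE] = 1         # constructed
INDEX_TABLE[VK_CONTROL - BASE] = 3     # constructed

# Constructed case table: case number -> label the handler would log.
CASE_TABLE = {1: "[TAB]", 3: "[CTRL]", 7: "[DEL]"}

def case_for(vk_code):
    """Walk one key through the subtract-and-index step, e.g. DEL -> (0x26, 7)."""
    idx = vk_code - BASE
    if idx < 0 or idx >= len(INDEX_TABLE):
        return idx, DEFAULT_CASE
    return idx, INDEX_TABLE[idx]

def hook_dispatch(wParam, vk_code):
    """Return the label the hook would log for one message, or None.
    The two compares against 104h/100h happen before sub_4010C7 is called;
    the range check is the compiler's guard before the table index."""
    if wParam not in (WM_KEYDOWN, WM_SYSKEYDOWN):
        return None
    _, case = case_for(vk_code)
    if case == DEFAULT_CASE:
        return None
    return CASE_TABLE[case]

if __name__ == "__main__":
    print(case_for(VK_DELETE))                      # -> (38, 7)
    print(hook_dispatch(WM_KEYDOWN, VK_DELETE))     # -> [DEL]
    print(hook_dispatch(0x0101, VK_DELETE))         # -> None (WM_KEYUP is filtered)
```

When you redo this for CTRL and TAB in IDA, the same three steps apply: rebase the code from [1] by 8, read the byte at that position in byte_40148D, and follow that case number into the address table to the loc_ label; the model above just makes the arithmetic explicit.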

4. Finally, let us run this malware from cmd: Windows -> Run -> cmd.


Go into the directory and run it. What you will see is something like this:

Open Chrome, type in any website you want to see.

Then open Notepad. Key in “I love/hate malware analysis” (you can choose either love or hate – it won’t affect your grade – I promise)

Then go back to the directory and you will see that a log file has been generated. Open this log file and take a screenshot of the information captured. Explain the results and what the malware does when you type different text in different program windows.
