Practical 1

This document provides instructions for analyzing two malware samples, Lab01-01.exe and Lab01-01.dll, using various free tools. The tools described are VirusTotal, PEview, PEiD, BinText, and Dependency Walker. Using these tools reveals that the samples appear to search file systems, perform string comparisons, launch processes, include networking functions, and were compiled in Microsoft Visual C++. Dependency Walker shows the libraries used, including functions to manipulate files, connect to networks, and launch processes. Overall, it provides an overview of using basic static analysis techniques to extract high-level information about malware behavior and components.
CTMSDFIS SII P3 - MALWARE ANALYSIS AND FORENSICS Practical : Basic Static Techniques

Practical - Basic Static Techniques


What you need:

• A Windows machine without antivirus running, such as the FLARE-VM

Malware Samples
Download the malware from:

https://github.com/mikesiko/PracticalMalwareAnalysis-Labs

Run the EXE and extract the lab folder to the Desktop.

This practical uses two files in this folder:

Practical Malware Analysis Labs\BinaryCollection\Chapter_1L

The two files are Lab01-01.exe and Lab01-01.dll.

VirusTotal
In a Web browser, go to

https://www.virustotal.com

Upload Lab01-01.dll. As shown below, some of the engines detect it as malware.

VirusTotal scans a file with many antivirus engines and reports which ones detect it. You can upload files, but an
upload may alert attackers that you have detected an intrusion. Searching for the hash value of a sample is safer,
because only the hash, not the sample itself, is sent.

School of Cyber Security and Digital Forensics, NFSU - Gandhinagar Page 1


Prepared by: Dr. Parag Shukla – Assistant Professor [email protected]
Using PEview
PEview shows the sections that make up a PE (Portable Executable) file.

Go to http://wjradburn.com/software/.

Download PEview version 0.9.9 and unzip it. Double-click PEview.exe.

Click Run at the security warning.

Navigate to C:\Users\yourname\Desktop\Malware\Practical Malware Analysis Labs\BinaryCollection\Chapter_1L and
open Lab01-01.exe.

On the left side, expand the IMAGE_NT_HEADERS container and click IMAGE_FILE_HEADER.

The "Time Date Stamp" shows when the file was compiled. This is often used as an indication of the
time zone the attackers work in, although the value is easy to forge. Files that were compiled at the same
time are also often regarded as part of the same package.

Find the Data that is covered by a green box in the image below.

Using PEiD
PEiD shows what language the sample was written in, or what packer was used if it's packed.

Download this file.

Extract all the files and run the PEiD application.

In PEiD, in the "File" line, at the right side, click the ... button.

Go to the Chapter_1L folder and open the Lab01-01.exe file.

On the bottom left, you can see that this file was written in "Microsoft Visual C++", as shown below.

Find the First Bytes


On the right side, note the "First Bytes", covered by a green box in the image below.
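The header fields that PEview and PEiD display above can also be read directly with a short parser. This added example (not from the original practical) walks the DOS header to IMAGE_FILE_HEADER, formats the Time Date Stamp as UTC, and uses the section table to translate the entry point RVA to a file offset so it can show the "First Bytes". It runs on a constructed minimal PE32 built by build_sample_pe; pass the bytes of a real file to parse_pe to use it on a sample.

```python
import struct
from datetime import datetime, timezone

def build_sample_pe(timestamp, entry_code):
    """Constructed minimal PE32 for testing (not a real sample): one .text section at RVA 0x1000 / offset 0x200."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 64)                # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                              # Magic: PE32
    struct.pack_into("<I", opt, 16, 0x1000)                            # AddressOfEntryPoint
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\x00\x00" + file_hdr + bytes(opt) + sect
    return hdr.ljust(0x200, b"\x00") + entry_code.ljust(0x200, b"\x00")

def compile_time_utc(timestamp):
    """Render IMAGE_FILE_HEADER.TimeDateStamp in the format the exercise asks for."""
    return datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y/%m/%d %a %H:%M:%S UTC")

def rva_to_offset(sections, rva):
    """Translate an RVA to a file offset with the section table (name, vsize, va, rawsize, rawptr)."""
    for _name, vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError("RVA %#x is not inside any section" % rva)

def parse_pe(data, nbytes=16):
    """What PEview/PEiD show: machine, compile time, section names, first bytes at the entry point."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, nsect, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24                                              # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]
    sections = [struct.unpack_from("<8sIIII", data, opt_off + opt_size + i * 40)
                for i in range(nsect)]
    ep = rva_to_offset(sections, entry_rva)
    return {
        "machine": {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine)),
        "compiled": compile_time_utc(tstamp),
        "sections": [s[0].rstrip(b"\x00").decode() for s in sections],
        "first_bytes": data[ep:ep + nbytes].hex(" ").upper(),
    }

if __name__ == "__main__":
    sample = build_sample_pe(1600000000, b"\x55\x8b\xec\x6a\xff")    # constructed entry bytes
    print(parse_pe(sample))
```

To analyze a lab file, read it with open(path, "rb").read() and hand the bytes to parse_pe.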

Using BinText
BinText is a handy tool for viewing strings, a very easy and powerful way to analyze a file.

Download BinText from

http://b2b-download.mcafee.com/products/tools/foundstone/bintext303.zip

Extract and open BinText and click Run at the Security prompt.

Click the Browse button.

Go to the Chapter_1L folder, select the Lab01-01.exe file and click Go.

Notice FindNextFileA and FindFirstFileA, as shown below. These are Windows API functions used to
search through a directory.

Scroll down and find these items, as shown below.

• stricmp -- A case-insensitive string comparison, used here to compare a string to a desired value
• kerne132.dll -- A deceptive filename (the letter "l" replaced by the digit "1") to make the malware look like the
Windows system file kernel32.dll
• C:\windows\system32\kerne132.dll -- The full path to a malicious file, very likely a useful Indicator of
Compromise

Analyzing Lab01-01.dll
In BinText, open the Lab01-01.dll file and click Go.

Notice these items, as shown below:

• Sleep -- Windows API function that pauses execution for a given number of milliseconds
• CreateProcessA -- Windows API function used to launch a program
• sleep and hello -- Commands that can be sent over the network to tell the malware to sleep, and
some function called "hello"

The command to launch a program is missing. To see it, click the Filter tab and adjust the "Min. text
length" to 4 as shown below.

Click the Search tab. At the top right, click Go.

Now you can see that the command to launch a program is exec, appearing just above "sleep" in the
image below.

Near the bottom, find the IP address beginning with 127, covered by a green box in the image
below.
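The strings BinText lists, the effect of the "Min. text length" filter and the kerne132.dll lookalike can be reproduced with the following added example (not part of the original practical). It scans a constructed byte buffer standing in for the DLL (the 127.0.0.1 address is a placeholder, not the lab's value), extracts ASCII and UTF-16LE strings above a minimum length, and flags system-DLL names that only match after undoing digit-for-letter swaps, plus IPv4 literals.

```python
import re

# Constructed stand-in for the DLL's data (not the real Lab01-01.dll): ASCII strings,
# junk bytes and one UTF-16LE string. The 127.x address is a placeholder, not the lab's.
SAMPLE = (b"\x00\x8b\xff" + b"exec\x00sleep\x00hello\x00" + b"\x90\x90"
          + b"kerne132.dll\x00" + b"C:\\windows\\system32\\kerne132.dll\x00"
          + b"127.0.0.1\x00" + b"\xcc\xcc"
          + "CreateProcessA".encode("utf-16-le") + b"\x00\x00")

KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "ws2_32.dll", "msvcrt.dll"}

def extract_strings(data, min_len=5):
    """ASCII and UTF-16LE printable runs of at least min_len characters, the same
    filter as BinText's 'Min. text length'. Returns (offset, kind, text) in file order."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "A", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "U", m.group().decode("utf-16-le")))
    return sorted(found)

def lookalike_dll(text):
    """Return the real DLL a string imitates after undoing digit-for-letter swaps
    (kerne132.dll -> kernel32.dll), or None if it is not a lookalike."""
    name = text.lower().rsplit("\\", 1)[-1]
    if not name.endswith(".dll") or name in KNOWN_DLLS:
        return None
    fixed = name.replace("1", "l").replace("0", "o")
    return fixed if fixed in KNOWN_DLLS else None

def triage(data, min_len=5):
    """Pull out the indicators this lab points at: deceptive DLL names and IPv4 literals."""
    strings = extract_strings(data, min_len)
    return {
        "strings": [t for _, _, t in strings],
        "lookalike_dlls": [(t, lookalike_dll(t)) for _, _, t in strings if lookalike_dll(t)],
        "ip_addresses": [t for _, _, t in strings if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", t)],
    }

if __name__ == "__main__":
    for n in (5, 4):
        print(n, triage(SAMPLE, n)["strings"])    # 'exec' only appears with min length 4
    print(triage(SAMPLE)["lookalike_dlls"], triage(SAMPLE)["ip_addresses"])
```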

Dependency Walker
Go to http://www.dependencywalker.com/ and click Download Version 2.2.6000 for x64 [468k]

Extract the files and open the depends application.

In Dependency Walker, click the opening folder icon and open the Lab01-01.exe file.

An error message will pop up, but you can ignore it and click OK. Learn more about it
at https://stackoverflow.com/questions/33604738/dependency-walker-with-windows-10

The top left pane is called the "Module Dependency Tree View".
It shows the EXE file and the two Windows libraries it uses: MSVCRT.DLL and KERNEL32.DLL, as shown
below (click the - next to KERNEL32.DLL).

In the top left pane, click MSVCRT.DLL. The top right pane shows "Parent Imports". These are the
functions the EXE file uses from the library.

As shown below, this executable uses only a small number of library functions, and none of them indicate
much about its purpose. One of them is named _stricmp, which indicates that this program performs a
string comparison, but that's a very common operation.

In the top left pane, click KERNEL32.DLL.

The top right pane shows that this file uses several functions that manipulate files,
including FindNextFileA and FindFirstFileA, as shown below.

This suggests that the malware searches through the file system.

Analyzing Lab01-01.dll

In Dependency Walker, open Lab01-01.dll.

In the top left pane, partially collapse the tree to match the image below and click WS2_32.DLL.

This time the top right pane doesn't show function names; it only shows "Ordinal" numbers. This is
called Linking by Ordinal, and it's an annoyance to us because we can't easily see which functions are in
use without matching the ordinals against the DLL's export list.

The center-right pane shows the Exports of WS2_32.DLL, which include accept, bind, and connect.
These are the standard Berkeley Sockets functions used for networking. This suggests that the malware
performs some networking functions, such as connecting to a server and opening a listening port.

In the top left pane, click KERNEL32.DLL. The top right pane shows the five "Parent Imports", which
include CreateProcessA and Sleep, as shown below.
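Dependency Walker's "Parent Imports" pane is a view of the PE import directory. The added example below (not from the original practical) parses the IMAGE_IMPORT_DESCRIPTOR entries and their thunks, distinguishing imports by name from imports by ordinal, on a constructed image laid out so that RVA equals file offset; a real file needs the section-table translation and takes the directory RVA from DataDirectory[1]. The WS2_32_ORDINALS table is an assumption to verify against the Exports pane of the real DLL.

```python
import struct

def build_sample_image():
    """Constructed flat image (not a real file) laid out so RVA == offset: an import
    directory at 0x300 naming WS2_32.DLL (by ordinal) and KERNEL32.DLL (by name)."""
    img = bytearray(0x400)
    def put(off, data): img[off:off + len(data)] = data
    put(0x100, b"WS2_32.DLL\x00"); put(0x110, b"KERNEL32.DLL\x00")
    put(0x120, b"\x00\x00CreateProcessA\x00"); put(0x140, b"\x00\x00Sleep\x00")  # hint + name
    put(0x200, struct.pack("<III", 0x80000002, 0x80000004, 0))   # WS2_32 INT: ordinals 2 and 4
    put(0x240, struct.pack("<III", 0x120, 0x140, 0))             # KERNEL32 INT: IMAGE_IMPORT_BY_NAME RVAs
    put(0x220, img[0x200:0x20C]); put(0x260, img[0x240:0x24C])   # IATs mirror the INTs on disk
    put(0x300, struct.pack("<IIIII", 0x200, 0, 0, 0x100, 0x220)  # IMAGE_IMPORT_DESCRIPTORs
             + struct.pack("<IIIII", 0x240, 0, 0, 0x110, 0x260) + bytes(20))
    return bytes(img)

def read_cstr(buf, off):
    return bytes(buf[off:buf.index(b"\x00", off)])

def parse_imports(image, dir_rva, rva_to_off=lambda r: r, pe32plus=False):
    """Walk the import descriptors and their name tables. Returns {dll: entries} where an
    entry is a function name or ('ordinal', n): ordinal thunks have the top bit set."""
    fmt, flag, size = ("<Q", 1 << 63, 8) if pe32plus else ("<I", 1 << 31, 4)
    imports, off = {}, rva_to_off(dir_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", image, off)
        if name_rva == 0:                       # all-zero descriptor ends the table
            break
        entries, t = [], rva_to_off(oft or ft)  # prefer the INT, fall back to the IAT
        while (thunk := struct.unpack_from(fmt, image, t)[0]) != 0:
            if thunk & flag:
                entries.append(("ordinal", thunk & 0xFFFF))
            else:                               # skip the 2-byte hint before the name
                entries.append(read_cstr(image, rva_to_off(thunk) + 2).decode())
            t += size
        imports[read_cstr(image, rva_to_off(name_rva)).decode()] = entries
        off += 20
    return imports

# Assumed ordinal-to-name table for WS2_32.DLL; check and extend it from the Exports pane of the real DLL.
WS2_32_ORDINALS = {1: "accept", 2: "bind", 4: "connect"}

def resolve(imports, tables={"WS2_32.DLL": WS2_32_ORDINALS}):
    """Replace ordinal entries with names where the table knows them, else keep '#n'."""
    return {dll: [tables.get(dll.upper(), {}).get(e[1], "#%d" % e[1]) if isinstance(e, tuple) else e
                  for e in entries] for dll, entries in imports.items()}

if __name__ == "__main__":
    imp = parse_imports(build_sample_image(), 0x300)      # 0x300 would come from DataDirectory[1]
    print(imp, resolve(imp))
```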

Find Function Name

Find the function name that is covered by a green box in the image below.

Analyze the sample Lab01-04.exe


a) Find out how many security vendors and sandboxes flagged this file as malicious.
b) Find the MD5, SHA-1 and CRC32 hashes of the sample.
c) Find the DLLs the sample imports.
d) Find the name of the function imported from NTDLL.DLL whose name ends in "Server".
e) It imports a function from WINTRUST.DLL with a name ending in "Trust". Find that function's
name.
f) Find out which language the sample was written in.
g) Find the Time Date Stamp showing when the sample was compiled, in this format: 2022/04/13 Wed
14:40:49 UTC
