PMA Chapter 1 - Labs
Labs answers from the book "Practical Malware Analysis". Chapter 1.
This lab uses the files Lab01-01.exe and Lab01-01.dll
Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?
Yes, both files were detected by several vendors.
When were these files compiled?
Both files were compiled on December 19, 2010.
Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?
When reviewing both files with PEiD there was no indication that they were packed or obfuscated.
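The compile-timestamp and packing checks answered above (questions 2 and 3) can be reproduced without PEiD or PE Studio by reading the PE headers directly. This is an added example, not code from the book or from the author of these answers; it runs against constructed minimal PE images built inline (one clean, one with a packer-style section), not the lab files, and the timestamp is a constructed value on the lab's compile date.

```python
import math
import struct
from collections import Counter
from datetime import datetime, timezone
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc", ".reloc", ".bss", ".tls"}

def shannon_entropy(buf: bytes) -> float:
    # Bits per byte: ordinary code sits well below 7, packed or encrypted payloads near 8.
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def parse_pe(data: bytes) -> dict:
    # DOS header -> PE signature -> IMAGE_FILE_HEADER -> section table; the optional header is skipped.
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sec_table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (first 24 of the 40 bytes)
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec_table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         shannon_entropy(data[raw_ptr:raw_ptr + raw_size])))
    return {"compiled": datetime.fromtimestamp(stamp, timezone.utc), "sections": sections}

def packing_indicators(info: dict) -> list:
    # The two cheap signs PEiD-style triage relies on: unusual section names and high entropy.
    hits = []
    for name, ent in info["sections"]:
        if name not in STANDARD_SECTIONS:
            hits.append(f"non-standard section name {name!r}")
        if ent > 7.0:
            hits.append(f"high entropy ({ent:.2f}) in section {name!r}")
    return hits

def build_sample(section_name: bytes, body: bytes, stamp: int) -> bytes:
    # Constructed minimal PE (DOS header, COFF header, one section); not a real binary.
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                      # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0x102)
    raw_ptr = 64 + 24 + 40                                                # body follows the section table
    sec = struct.pack("<8sIIIIIIHHI", section_name.ljust(8, b"\0"), len(body), 0x1000,
                      len(body), raw_ptr, 0, 0, 0, 0, 0x60000020)
    return dos + coff + sec + body

STAMP = int(datetime(2010, 12, 19, tzinfo=timezone.utc).timestamp())  # constructed: lab's compile date, not the real stamp
CLEAN = build_sample(b".text", b"\x90" * 512, STAMP)                      # NOP sled: entropy 0
PACKED = build_sample(b"UPX1", bytes(range(256)) * 4, STAMP)              # uniform bytes: entropy 8
```

On a real sample, read the file as bytes and pass it to parse_pe; the TimeDateStamp is what PE Studio shows as the compile time, and a section with entropy near 8 or an unfamiliar name is the kind of evidence PEiD's packer detection is built on.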
Do any imports hint at what this malware does? If so, which imports are they?
Analyzing both files with PE Studio, the following was found:
The EXE file imports file-manipulation functions such as CreateFile, FindNextFile, FindFirstFile and CopyFile from kernel32.dll, as shown in the first image. kernel32.dll provides core functionality such as access to and manipulation of memory, files, and hardware, which is consistent with what the imports show.
The DLL file imports Sleep and CreateProcess, together with inet_addr, connect, send and closesocket from ws2_32.dll, which is a networking DLL. This makes sense, since the functions in the second image appear to create a socket, connect, and sleep between communications at intervals so as not to be detected.
Are there any other files or host-based indicators that you could look for on infected systems?
Find and analyze the file C:\Windows\System32\kerne132.dll (note the digit 1 in place of the letter l in kernel32).
What network-based indicators could be used to find this malware on infected machines?
IP Address 127.26.152.13
What would you guess is the purpose of these files?
The EXE file creates the file kerne132.dll, and one of the two files downloads Lab01-01.dll, which creates a process and connects to the IP address 127.26.152.13.