PMA Chapter 1-04 - Labs
Labs answers from the book "Practical Malware Analysis". Chapter 1.
This lab uses the file Lab01-04.exe
Questions
Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
Yes, the file was detected by several vendors.
Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
When checked with PEiD, there was no indication that it was packed. Likewise, when reviewed with PE-bear, no evidence of packing was identified.
When was this program compiled?
2019/08/30 - 22:26:59 UTC
Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
The Kernel32.dll imports WinExec and WriteFile suggest that it writes a file to disk and then executes it. GetProcAddress, GetCurrentProcess and OpenProcess show that it also works with processes. The import of advapi32.dll indicates that it manipulates process access tokens: the system creates a token each time a user logs in, and every process run by that user carries a copy of it.
What host- or network-based indicators could be used to identify this malware on infected machines?
http://www.practicalmalwareanalysis.com/updater.exe
This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?
Reviewing the extracted resource shows that it is the component responsible for downloading the artifact from practicalmalwareanalysis.com.
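The two header checks behind questions 3 and 6 (the compile timestamp and whether the image advertises a resource table), as an added Python example that is not part of the original lab answers: it parses the PE headers by hand with struct, runs on a constructed minimal PE32 image carrying the timestamp reported above, and the observation date passed to timestamp_is_plausible is an assumed value.

```python
import struct
from datetime import datetime, timezone

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_RESOURCE = 2  # resource table index in the data directory
# Compile time reported above, as a Unix epoch (constructed from the lab answer)
PAGE_TS = int(datetime(2019, 8, 30, 22, 26, 59, tzinfo=timezone.utc).timestamp())

def parse_pe_header(data: bytes) -> dict:
    """Read the COFF TimeDateStamp and whether the optional header's data
    directory advertises a resource table (what Resource Hacker displays)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    ts = struct.unpack_from("<I", data, coff + 4)[0]   # COFF TimeDateStamp
    opt = coff + 20                                     # COFF header is 20 bytes
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        dd = opt + 96    # data directory start inside a PE32 optional header
    elif magic == PE32PLUS_MAGIC:
        dd = opt + 112   # PE32+ widens ImageBase/stack/heap fields, shifting it
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    _, rsrc_size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE)
    return {"timestamp": ts,
            "compile_time": datetime.fromtimestamp(ts, tz=timezone.utc),
            "has_resource_dir": rsrc_size != 0}

def timestamp_is_plausible(ts: int, observed_epoch: int) -> bool:
    """Zero, or later than the date the sample was first seen, suggests the
    stamp was altered; record it as an indicator, not a fact."""
    return 0 < ts <= observed_epoch

def build_sample_pe(ts: int, rsrc_size: int) -> bytes:
    """Constructed minimal PE32 image (headers only) used as offline sample input."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)   # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, ts, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)                                 # PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_RESOURCE,
                     0x3000 if rsrc_size else 0, rsrc_size)
    return dos + coff + bytes(opt)

if __name__ == "__main__":
    info = parse_pe_header(build_sample_pe(PAGE_TS, 0x200))
    print(info["compile_time"].isoformat(), info["has_resource_dir"])
```

On a real sample, replace build_sample_pe(...) with the bytes read from the file; the same two header fields are what PE-bear and PEiD show for compile time and the resource directory.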