Practical Malware Analysis Chapter 1 Exercises
So I recently bought Practical Malware Analysis, which is the go-to book for learning about malware analysis, and I decided that I will post my answers to the exercises for each chapter here. I will aim to make it a weekly thing, but I can’t make any promises there because it may take me longer than a week to do each chapter, since I generally like to take the time to digest what I learn and spend some time considering it. I will aim to post the writeups to the exercises for the next chapter each Sunday. The book’s answers are however out of date, so I will be using another person’s blog for some guidance on how close I really am to the correct answers. Granted, these are just my answers and I may or may not get all of them correct. The article I am using for guidance is here.
I also was able to set up my lab environment using this video on YouTube, linked here, and then installed each tool in the book individually. In short, all you really need is a fresh Windows 7 in VMware or VirtualBox, and then install the tools that you need.
So without further ado, here are my answers for the exercises in the first chapter, on Basic Static Analysis.
Lab 1-1
1.
Lab01-01.dll was flagged by 39/66 vendors.
Lab01-01.exe was flagged by 47/69 vendors.
2.
Lab01-01.dll 2010/12/19 Sun 16:16:38 UTC
Lab01-01.exe 2010/12/19 Sun 16:16:19 UTC
3.
Going by the output of PEiD, there is no indication that either of these two files is obfuscated.
4.
The DLL imports CreateProcessA, which spawns a new process.
The exe file imports CreateFile, which creates a new file or opens an existing file.
It also calls FindFirstFile and FindNextFile, which search through a directory and enumerate the filesystem.
It also has MapViewOfFile, which maps a file into memory and makes the contents of the file accessible via a memory address.
5.
Running strings on the exe file showed that it contains the text “WARNING_THIS_WILL_DESTROY_YOUR_MACHINE”, so as a host-based indicator you could search for new files containing this string.
6.
The DLL contains the IP address 127.26.152.13, so you can search the packets which entered the network to see if there is anything coming from this IP address.
7.
I think that the purpose of this file is to create a process and then look for certain files on the system and insert a reverse shell, which then calls back to that IP address for the attacker to control.
Lab 1-2
1.
53/68 vendors flagged this file as malicious.
2.
When run through PEiD this file is not reported as packed at all, but using a different tool called Exeinfo PE I was able to see that it was packed, and I unpacked it using upx.exe.
3.
This file imports CreateServiceA, which means it likely installs itself as a service of some kind. The executable also imports CreateMutex, so it calls this function from the kernel, and this creates a mutual exclusion object that can be used by malware to ensure that only a single instance of the malware is running on a system at any given time.
4.
Running strings on the file shows that it has a web address of http://wwareanysisbook.com, so you can run a filter on packets to see if any packets go to this address and also
Lab 1-3
1.
This file was flagged by 55/66 vendors on VirusTotal.
2.
Yes, Lab01-03.exe was packed with FSG 1.0 dulek/xt, which was observed by using the tool PEiD.
3.
I first used the tool upx.exe to unpack this file and then analyzed it using Dependency Walker. There are no useful functions called which indicate what the Lab01-03.exe file actually does.
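PEiD and Exeinfo PE decide whether a file is packed by matching signatures, which is why the two tools disagreed on Lab01-02.exe above. A complementary check you can script yourself is the byte entropy of each section: a compressed or encrypted packer payload looks close to random, while ordinary code and data do not. The script below is an added example (not from the book or from this post) that computes that entropy and combines it with a section-name check, run over constructed byte buffers standing in for section contents. The 7.2 threshold and the section-name set are my assumptions, a rule of thumb rather than a signature.

```python
import math
from collections import Counter

# Section names commonly left behind by UPX (assumed list, not exhaustive). FSG, the packer
# on Lab01-03.exe, does not leave names like these, so for it only the entropy check fires.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}
# Assumed rule of thumb: 8.0 bits/byte is uniformly random; native x86 code usually sits well below 7.
PACKED_ENTROPY_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 when every byte is identical, 8.0 when all 256 values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packing_hints(sections) -> list:
    """sections: iterable of (name, raw_bytes), as you would read them from the PE section table.
    Returns human-readable reasons the file looks packed; an empty list means no hint was found."""
    reasons = []
    for name, raw in sections:
        if name in PACKER_SECTION_NAMES:
            reasons.append(f"section name {name!r} is a known packer section name")
        ent = shannon_entropy(raw)
        if ent >= PACKED_ENTROPY_THRESHOLD:
            reasons.append(f"section {name!r} has entropy {ent:.2f} bits/byte (>= {PACKED_ENTROPY_THRESHOLD})")
    return reasons


# Constructed section contents (not bytes from the real lab files): repeated import-like text
# stands in for ordinary code/data, and a buffer holding every byte value equally often stands in
# for a compressed packer payload.
CODE_LIKE = b"CreateFileA\x00" * 256
HIGH_ENTROPY = bytes(range(256)) * 16
UNPACKED_SECTIONS = [(".text", CODE_LIKE), (".data", b"A" * 4096)]
PACKED_SECTIONS = [("UPX0", b"\x00" * 4096), ("UPX1", HIGH_ENTROPY)]

if __name__ == "__main__":
    for label, secs in (("unpacked", UNPACKED_SECTIONS), ("packed", PACKED_SECTIONS)):
        print(label, packing_hints(secs) or "no packing hints")
```

On a real file you would feed `packing_hints` the section names and raw bytes from the section table (for example via the pefile library); a high-entropy section that is also the one holding the entry point is the strongest hint, and the UPX0 section being all zeros is typical because the packer reserves it for the unpacked image at runtime.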
4.
Once unpacked, the file’s hash is 8dd54c9705807f72fe83b267c9ed7fad2b2a7d451d62791e6e8e0f4d346b1d76.
5.
A network-based indicator you could use for this malware is the string “>OLEAUTLA”, found by running strings on the unpacked malware; you could add it to your blacklist for malicious files, so any data containing this segment of string is then blocked.
Lab 1-4
1.
56/69 vendors flagged this file as malicious.
2.
Running this file through Exeinfo PE shows that it is not packed at all.
3.
The file was compiled on 2019/08/30 Fri 22:26:59 UTC.
4.
AdjustTokenPrivileges is likely used to gain additional privileges and is common in malware that injects into a process.
WriteFile is used, which indicates that it writes something to a file.
MoveFileA is used, which indicates that it moves a file somewhere.
CreateFileA is used to create a file.
5.
One host-based indicator is the file \system32\wupdmgr.exe on the system.
6.
The malware downloads a file from http://www.practicalmalwareanalysis.com/updater.exe.
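Several of the answers above (the marker string and IP address from Lab 1-1, the hash of the unpacked Lab 1-3 file, the file path and URL from Lab 1-4) come from the same two steps: run strings and record a hash. The script below is an added example, not from the book or from this post, that reproduces that workflow in Python over a constructed byte buffer standing in for a sample: it pulls out ASCII and UTF-16LE string runs, sorts them into candidate indicators, and records the SHA-256. The regular expressions and the marker list are my assumptions, and the sample bytes are constructed, not the real lab files; one indicator is deliberately stored as UTF-16LE to show why an ASCII-only pass is not enough.

```python
import hashlib
import re

# Assumed patterns for the indicator types the chapter's answers rely on (IP, URL, Windows path).
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
WINPATH_RE = re.compile(r"(?:[A-Za-z]:)?(?:\\[^\\\s]+)+\.(?:exe|dll|sys)", re.IGNORECASE)
# Literal strings worth flagging on sight; this one is the marker the post finds in Lab01-01.exe.
KNOWN_MARKERS = ["WARNING_THIS_WILL_DESTROY_YOUR_MACHINE"]


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable-ASCII runs, then UTF-16LE runs, of at least min_len characters, each in file
    order, mirroring what the strings tool reports. Decoding cannot fail: every matched byte is 0x20-0x7e."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_run.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in utf16_run.finditer(data)]
    return found


def find_indicators(strings: list) -> dict:
    """Sort extracted strings into candidate indicators, deduplicated and sorted. They are
    candidates only: a URL in a binary can be a decoy or a legitimate server, so confirm before blocking."""
    ind = {"ips": set(), "urls": set(), "paths": set(), "markers": set()}
    for s in strings:
        ind["ips"].update(IPV4_RE.findall(s))
        ind["urls"].update(URL_RE.findall(s))
        ind["paths"].update(WINPATH_RE.findall(s))
        ind["markers"].update(m for m in KNOWN_MARKERS if m in s)
    return {k: sorted(v) for k, v in ind.items()}


def sha256_hex(data: bytes) -> str:
    """The hash you would record for the sample (or for the unpacked copy, as in Lab 1-3)."""
    return hashlib.sha256(data).hexdigest()


def triage(data: bytes) -> dict:
    strings = extract_strings(data)
    return {"sha256": sha256_hex(data), "strings": strings, "indicators": find_indicators(strings)}


# Constructed stand-in for a sample (not the real lab file): a few header bytes, import names,
# and the indicator strings this chapter's answers mention. The IP address is stored as UTF-16LE.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    + b"KERNEL32.dll\x00CreateFileA\x00FindFirstFileA\x00FindNextFileA\x00MapViewOfFile\x00"
    + b"\x10\x02\x00\x9a"
    + b"WARNING_THIS_WILL_DESTROY_YOUR_MACHINE\x00"
    + b"\x7f\x01"
    + "127.26.152.13".encode("utf-16-le") + b"\x00\x00"
    + b"\\system32\\wupdmgr.exe\x00"
    + b"http://www.practicalmalwareanalysis.com/updater.exe\x00"
)

if __name__ == "__main__":
    report = triage(SAMPLE)
    print("sha256:", report["sha256"])
    for kind, values in report["indicators"].items():
        print(f"{kind}: {values}")
```

To run it on a real file, replace `SAMPLE` with `open(path, "rb").read()`; hashing the unpacked copy rather than the packed one, as in Lab 1-3, matters because the two hashes differ and only the unpacked strings are readable.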