
PMA - CH 9-2

Analysis of Lab09-02.exe

Throwing our executable into PEStudio, we don't see anything interesting besides the fact that it uses WinSock. Checking the strings, we again don't see anything useful.

Moving to IDA and looking at "main", we can see a lot of bytes being stored into variables. We also see an unknown chunk of data, which I have renamed "xor_key", being stored in ESI. The bytes appear to build a random-looking string and a file name ('1qaz2wsx3edc' and 'ocl.exe').

Moving along, the executable makes a call to GetModuleFileNameA ("Retrieves the fully qualified path for the file" - MSDN). After the call, we push the value 5Ch, which in ASCII is a backslash "\", along with a string stored in ECX, and then call strrchr (which returns the last occurrence of a character in a string). Moving down we see another call, this time to strcmp (which compares two strings), again with two strings pushed onto the stack.

After the call to GetModuleFileNameA, we can see the file path of the executable.

After the call to strrchr, we can see it retrieves just the file name (including the backslash).

Next we have the call to strcmp, and we can see the two strings passed. The first is the file name, in this case "Lab09-02.exe", retrieved from the GetModuleFileNameA and strrchr calls. The second is the stack string we saw generated earlier, "ocl.exe".

From our analysis, we can see that one of the stack strings is used to check the file name of the executable before it runs. We are still unsure how the other generated string, "1qaz2wsx3edc", is used.

After the file check, the executable calls WSAStartup to initialize WinSock and then creates a socket.

In the next block of code, we see two variables being pushed to a function called sub_401089, which I have renamed url_XOR_decode, and then the return value of that call being pushed to gethostbyname ("retrieves host information corresponding to a host name" - MSDN). We can see that the randomly generated stack string is pushed along with our unknown data chunk to url_XOR_decode.

In IDA, looking at this data section, we can see the unknown group of random bytes.

Looking at url_XOR_decode, we see a loop in which the variable "var_i" is compared to the value 20h. Inside this loop we also see an XOR ECX, EDX, which suggests some XOR decoding.

Looking at this routine in xdbg, the executable loops through the two strings pushed to this function. Right before the xor ECX, EDX instruction we can see the values stored in each register: ECX holds 46h, which is the first byte of our unknown data chunk, and EDX holds "1", which is the first byte of our random stack string.

After the xor instruction, we get a new character value, 'w'. Looping through the routine a few more times we can see the pattern: the program iterates through the two strings passed in, our unknown chunk of data and our stack string, and XORs the bytes together. The resulting string is the malware's URL.

After the malware has decoded the URL, it returns to "main", where it passes the URL to gethostbyname. The following calls are to htons with the value 270Fh, or 9999 in decimal, so the malware will reach out on port 9999, and then to connect.
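To check my reading of main, here is a small Python model of the logic above: the file-name guard, the 20h-byte XOR decode with the stack string, and the value handed to htons. This is an added example and not the lab sample's own code. The key, expected file name, loop bound and port come from the analysis above; the encoded blob is a constructed placeholder (I am not reproducing the real bytes here), and the wrap-around of the key index once the 12-byte key is exhausted is my assumption, since the debugger only shows the first iterations.

```python
# Added example (not the lab sample's own code): a Python model of main's logic
# described above, so the decoding scheme can be checked against a blob pulled
# from the binary. Values below come from the write-up; the blob is constructed.
import struct

STACK_KEY = b"1qaz2wsx3edc"   # stack string built in main
EXPECTED_NAME = b"ocl.exe"    # file name the sample wants to be running as
BLOB_LEN = 0x20               # loop bound var_i is compared against
PORT = 0x270F                 # value pushed to htons (9999 decimal)


def passes_name_check(module_path: bytes) -> bool:
    """Model of GetModuleFileNameA -> strrchr('\\') -> strcmp.
    strrchr points at the last backslash; the write-up shows strcmp comparing
    the bare file name, so this model skips that backslash (assumption)."""
    idx = module_path.rfind(b"\\")
    name = module_path[idx + 1:] if idx != -1 else module_path
    return name == EXPECTED_NAME


def xor_decode(blob: bytes, key: bytes = STACK_KEY) -> bytes:
    """Mirror of url_XOR_decode: one blob byte XOR one key byte per iteration,
    for 0x20 iterations. ASSUMPTION: the key index wraps (i mod len(key)) once
    the 12-byte key is exhausted; the write-up only shows the first iterations."""
    return bytes(blob[i] ^ key[i % len(key)] for i in range(min(BLOB_LEN, len(blob))))


def extract_url(blob: bytes) -> bytes:
    """gethostbyname receives a C string, so the host name ends at the first NUL."""
    return xor_decode(blob).split(b"\x00", 1)[0]


def xor_encode(plain: bytes, key: bytes = STACK_KEY) -> bytes:
    """Inverse of the decoder, used only to build a test blob: NUL-pad to 0x20
    bytes, then apply the same XOR (XOR is its own inverse)."""
    assert len(plain) < BLOB_LEN, "need room for the terminating NUL"
    padded = plain.ljust(BLOB_LEN, b"\x00")
    return xor_decode(padded, key)


def htons_bytes(port: int = PORT) -> bytes:
    """What htons produces for the pushed value: big-endian (network order) bytes."""
    return struct.pack(">H", port)


# Constructed blob (placeholder host name, not the real URL). Its first byte is
# 0x46 because 'w' ^ '1' == 0x46, matching the value seen in ECX in the debugger.
SAMPLE_BLOB = xor_encode(b"www.placeholder.invalid")

if __name__ == "__main__":
    print("first blob byte: %#x" % SAMPLE_BLOB[0])
    print("decoded host:", extract_url(SAMPLE_BLOB))
    print("port bytes on the wire:", htons_bytes().hex(), "=", PORT)
    for path in (b"C:\\Lab\\Lab09-02.exe", b"C:\\Lab\\ocl.exe"):
        print(path, "passes name check:", passes_name_check(path))
```

Dropping the real 20h bytes from the binary's data section into `xor_decode` in place of the constructed blob gives the host name without stepping through the loop in the debugger; the first byte should decode to 'w' either way, which is a quick sanity check that the key and direction are right.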

After the call to connect, we call sub_401000 (which I have renamed create_process). We can also see that this malware will loop continuously.

Jumping into the create_process routine, we see a pretty simple code block that stores values in the STARTUPINFO structure. First, wShowWindow is set to zero, so no console window is displayed. Next, arg_10, which holds our socket, is moved into EDX and used to fill in the standard handles, so the socket becomes stdin, stdout, and stderr for cmd.exe. This means the attacker essentially has a reverse shell on the system: any input, output, and error for the console is sent over the socket to the attacker.
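From the defender's side, the behaviour above (a process connects out on port 9999 and then spawns cmd.exe with the socket as its console) is something endpoint telemetry can correlate. The following is an added example, not part of the write-up or the lab: a small correlation over constructed Sysmon-style events. The event IDs (3 = network connection, 1 = process create) are real Sysmon numbers, but the field names, paths and PIDs are made up for illustration, and the port is pinned to 9999 only because that is what this sample uses.

```python
# Added example (not from the write-up): a small correlation over constructed
# Sysmon-style events for the behaviour described above, a process that connects
# out to port 9999 and then starts cmd.exe. Field names and values are made up
# for illustration; the Sysmon event IDs (3 = network connection, 1 = process
# create) are real.
REVERSE_SHELL_PORT = 9999

# Constructed event stream, already in time order.
SAMPLE_EVENTS = [
    {"t": 1, "id": 1, "pid": 300, "parent_pid": 100, "image": r"C:\Windows\explorer.exe"},
    {"t": 5, "id": 1, "pid": 400, "parent_pid": 300,
     "image": r"C:\Windows\System32\cmd.exe"},                      # user-opened shell
    {"t": 8, "id": 1, "pid": 500, "parent_pid": 300, "image": r"C:\Users\lab\ocl.exe"},
    {"t": 10, "id": 3, "pid": 500, "image": r"C:\Users\lab\ocl.exe", "dest_port": 9999},
    {"t": 11, "id": 1, "pid": 600, "parent_pid": 500,
     "image": r"C:\Windows\System32\cmd.exe"},                      # shell over the socket
    {"t": 12, "id": 3, "pid": 700, "image": r"C:\Program Files\browser.exe", "dest_port": 443},
    {"t": 13, "id": 1, "pid": 800, "parent_pid": 700,
     "image": r"C:\Windows\System32\cmd.exe"},                      # not on our port
]


def find_shell_over_socket(events, port=REVERSE_SHELL_PORT, window=60):
    """Flag cmd.exe creations whose parent opened a connection to `port` within
    `window` seconds beforehand. Returns (parent image, child pid) pairs."""
    last_connect = {}   # pid -> (time, image) of the most recent connection to port
    hits = []
    for e in events:
        if e["id"] == 3 and e.get("dest_port") == port:
            last_connect[e["pid"]] = (e["t"], e["image"])
        elif e["id"] == 1 and e["image"].lower().endswith("\\cmd.exe"):
            conn = last_connect.get(e["parent_pid"])
            if conn and 0 <= e["t"] - conn[0] <= window:
                hits.append((conn[1], e["pid"]))
    return hits


if __name__ == "__main__":
    for parent, child in find_shell_over_socket(SAMPLE_EVENTS):
        print("cmd.exe pid %d spawned by %s shortly after a port-%d connection"
              % (child, parent, REVERSE_SHELL_PORT))
```

The ordering matters: only a cmd.exe whose parent connected out first is flagged, so a user's own shell and a browser's child process are left alone. In a real deployment the port (and host) would come from the decoded configuration rather than a hard-coded constant.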

That concludes this analysis. As always, I hope you enjoyed it and learned something along the way with me. If you notice any errors please let me know, as I am always learning new things!

Michael Sikorski and Andrew Honig. Practical Malware Analysis: The Hands-On Guide to Dissecting Malicious Software (Kindle Locations 5909-5910). No Starch Press.
