Malware Analysis Part 2: Using REMnux
Malware Analysis Part 2: Using Multiple Tools on a REMnux Machine (peframe, pyew, UPX, pescanner, ExeScan)
————————————————————————————————————————————————————
remnux@remnux:~/Desktop/Labs/Chapter_1L$ peframe Lab01-02.exe
Short information
------------------------------------------------------------
File Name Lab01-02.exe
File Size 3072 byte
Compile Time 2011-01-19 11:10:41
DLL False
Sections 3
Hash MD5 8363436878404da0ae3e46991e355b83
Hash SHA-1 5a016facbcb77e2009a01ea5c67b39af209c3fcb
Imphash 096aa05b8a2e1f2dc66fc73a1a978a7b
Detected Packer
Directory Import
Packer matched [1]
------------------------------------------------------------
Packer UPX -> www.upx.sourceforge.net
Suspicious API discovered [8]
------------------------------------------------------------
Function CreateServiceA
Function ExitProcess
Function GetProcAddress
Function InternetOpenA
Function LoadLibraryA
Function VirtualAlloc
Function VirtualFree
Function VirtualProtect
Suspicious Sections discovered [2]
------------------------------------------------------------
Section UPX0
Hash MD5 d41d8cd98f00b204e9800998ecf8427e
Hash SHA-1 da39a3ee5e6b4b0d3255bfef95601890afd80709
Section UPX1
Hash MD5 ad0f236c2b34f1031486c8cc4803a908
Hash SHA-1 bd7ea516ea0f96cc57d5b7c008db3de3a2f6d0f5
File name discovered [4]
------------------------------------------------------------
Library ADVAPI32.dll
Library KERNEL32.DLL
Library MSVCRT.dll
Library WININET.dll
Use UPX to unpack this malware:
remnux@remnux:~/Desktop/Labs/Chapter_1L$ upx -o Lab01-02_unpack.exe -d Lab01-02.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2013
UPX 3.91 Markus Oberhumer, Laszlo Molnar & John Reiser Sep 30th 2013
File size Ratio Format Name
-------------------- ------ ----------- -----------
16384 <- 3072 18.75% win32/pe Lab01-02_unpack.exe
Unpacked 1 file.
Re-examine the unpacked file with peframe:
remnux@remnux:~/Desktop/Labs/Chapter_1L$ peframe Lab01-02_unpack.exe
Short information
------------------------------------------------------------
File Name Lab01-02_unpack.exe
File Size 16384 byte
Compile Time 2011-01-19 11:10:41
DLL False
Sections 3
Hash MD5 ae4ca70697df5506bc610172cfc288e7
Hash SHA-1 31e8a82e497058ff14049cf283b337ec51504819
Imphash 546068cc295ad7d6b32786401b41bdb8
Detected Packer
Directory Import
Packer matched [3]
------------------------------------------------------------
Packer Microsoft Visual C++ v6.0
Packer Microsoft Visual C++ 5.0
Packer Microsoft Visual C++
Suspicious API discovered [7]
------------------------------------------------------------
Function CreateServiceA
Function CreateThread
Function ExitProcess
Function GetModuleFileNameA
Function InternetOpenA
Function InternetOpenUrlA
Function StartServiceCtrlDispatcherA
Suspicious Sections discovered [1]
------------------------------------------------------------
Section .data
Hash MD5 970df75ba1c3aff3a3975834bb873a9a
Hash SHA-1 53dc4f4a0f574d4cb220330ea41c9c2610f7b65e
File name discovered [4]
------------------------------------------------------------
Library ADVAPI32.dll
Library KERNEL32.DLL
Library MSVCRT.dll
Library WININET.dll
Url discovered [1]
------------------------------------------------------------
remnux@remnux:~/Desktop/Labs/Chapter_1L$ pescanner Lab01-02_unpack.exe
##########################################################################################
[0] File: Lab01-02_unpack.exe
##########################################################################################
Meta-data
==========================================================================================
Size : 16384 bytes
Type : PE32 executable (console) Intel 80386, for MS Windows
Architecture : 32 Bits binary
MD5 : ae4ca70697df5506bc610172cfc288e7
SHA1 : 31e8a82e497058ff14049cf283b337ec51504819
ssdeep : 48:a2SWLML7kulJknJmD+jtx7MBqc9xDsYjWHlJR:6Rj/kJs+jtx7MIc9xD1jWHj
imphash : 546068cc295ad7d6b32786401b41bdb8
Date : 0x4D370D01 [Wed Jan 19 16:10:41 2011 UTC]
Language : []
CRC: (Claimed) : 0x0, (Actual): 0xb6d0 [SUSPICIOUS]
Packers : Armadillo v1.71
Entry Point : 0x401190 .text 0/3
================
Offset | Instructions
----------------------------------------
0 push ebp
1 mov ebp,esp
3 push byte 0xffffffff
5 push dword 0x402080
10 push dword 0x4012d0
15 mov eax,fs:[0x0]
21 push eax
22 mov fs:[0x0],esp
29 sub esp,0x20
32 push ebx
33 push esi
34 push edi
35 mov [ebp-0x18],esp
38 and dword [ebp-0x4],0x0
42 push byte 0x1
44 call [0x402060]
50 pop ecx
51 or dword [0x403080],0xffffffff
58 or dword [0x403084],0xffffffff
65 call [0x40205c]
71 mov ecx,[0x40307c]
77 mov [eax],ecx
79 call [0x402058]
85 mov ecx,[0x403078]
91 mov [eax],ecx
93 mov eax,[0x402054]
98 mov eax,[eax]
Sections
==========================================================================================
Name VirtAddr VirtSize RawSize MD5 Entropy
———————————————————————————————————————
.text 0x1000 0x2dc 0x1000 609b1b1db5d19ea022434ed566bf0857 1.384810
.rdata 0x2000 0x372 0x1000 9ac81969eb76e11ea1d631e514a32a53 1.170875
.data 0x3000 0x8c 0x1000 970df75ba1c3aff3a3975834bb873a9a 0.237965 [SUSPICIOUS]
Imports
==========================================================================================
[1] KERNEL32.DLL
[2] ADVAPI32.dll
[3] MSVCRT.dll
[4] WININET.dll
Suspicious IAT alerts
==========================================================================================
[1] CreateServiceA
[2] CreateThread
[3] GetModuleFileNameA
[4] InternetOpenA
[5] InternetOpenUrlA
[6] StartServiceCtrlDispatcherA
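The packer indicators in the tool output above (the UPX0/UPX1 section names, UPX0 hashing as the empty string because it has no raw bytes, and the per-section entropy column pescanner prints) all come from the PE section table. The following added example, not code from the page or from any of the tools shown, parses that table with a hand-rolled reader (no pefile dependency) and reproduces those checks; the `build_sample_pe` helper constructs a minimal test binary in the packed layout rather than using the lab file itself:

```python
import math
import struct

PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".petite"}  # UPX0/UPX1 are the ones peframe flagged above

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not data:
        return 0.0
    counts = [data.count(bytes([v])) for v in range(256)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def parse_sections(pe: bytes):
    """DOS header -> PE signature -> COFF header -> section table; yields (name, VirtAddr, VirtSize, RawSize, RawPtr)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]  # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, pe_off + 4)
    table = pe_off + 24 + opt_size  # 4-byte signature + 20-byte COFF header + optional header
    out = []
    for off in range(table, table + 40 * num_sections, 40):
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", pe, off + 8)
        out.append((name, vaddr, vsize, rsize, rptr))
    return out

def triage(pe: bytes):
    rows, findings = [], []  # rows mirror pescanner's section table (entropy included)
    for name, vaddr, vsize, rsize, rptr in parse_sections(pe):
        ent = shannon_entropy(pe[rptr:rptr + rsize])
        rows.append((name, vaddr, vsize, rsize, round(ent, 3)))
        if name in PACKER_SECTIONS:
            findings.append(f"packer section name: {name}")
        if rsize == 0 and vsize:  # UPX0 above hashes as the empty string: no raw bytes, big virtual size
            findings.append(f"{name}: no raw data but {vsize:#x} bytes virtual (unpack target)")
        elif ent > 7.0:
            findings.append(f"{name}: entropy {ent:.2f}, likely compressed/encrypted")
    return rows, findings

def build_sample_pe(sections):
    """Constructed minimal PE32 for testing, not a real binary: sections = [(name, raw_bytes, virt_size)]."""
    opt_size, n = 224, len(sections)
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)  # i386, n sections
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)  # PE32 magic, rest zeroed
    table, body, ptr, vaddr = b"", b"", 0x40 + 4 + 20 + opt_size + 40 * n, 0x1000
    for name, data, vsize in sections:
        table += name.encode().ljust(8, b"\0") + struct.pack("<IIII", vsize, vaddr, len(data), ptr) + b"\0" * 16
        body, ptr, vaddr = body + data, ptr + len(data), vaddr + 0x1000
    return dos + b"PE\0\0" + coff + opt + table + body
```

Run `triage(open("sample.exe", "rb").read())` on a real file to get the same section rows and findings for it; a clean compiler-built binary such as the unpacked output above yields an empty findings list.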
remnux@remnux:~/Desktop/Labs/Chapter_1L$ pyew Lab01-02_unpacked.exe
PE Information
Sections:
.text 0x1000 0x2dc 4096
.rdata 0x2000 0x372 4096
.data 0x3000 0x8c 4096
Entry Point at 0x1190
Virtual Address is 0x401190
Code Analysis ...
Analyzing address 0x000012c1 - 0 in queue / 8 total
0000 4D 5A 90 00 03 00 00 00 04 00 00 00 FF FF 00 00 MZ..............
0010 B8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0030 00 00 00 00 00 00 00 00 00 00 00 00 E0 00 00 00 ................
0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ........!..L.!Th
0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
0080 E3 C1 65 8F A7 A0 0B DC A7 A0 0B DC A7 A0 0B DC ..e.............
0090 4F BF 01 DC AC A0 0B DC 24 BC 05 DC A6 A0 0B DC O.......$.......
00A0 4F BF 0F DC A5 A0 0B DC A7 A0 0B DC A3 A0 0B DC O...............
00B0 A7 A0 0A DC BC A0 0B DC C5 BF 18 DC A2 A0 0B DC ................
00C0 4F BF 00 DC A5 A0 0B DC 52 69 63 68 A7 A0 0B DC O.......Rich....
00D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00E0 50 45 00 00 4C 01 03 00 01 0D 37 4D 00 00 00 00 PE..L.....7M....
00F0 00 00 00 00 E0 00 0F 01 0B 01 06 00 00 10 00 00 ................
0100 00 20 00 00 00 00 00 00 90 11 00 00 00 10 00 00 . ..............
0110 00 20 00 00 00 00 40 00 00 10 00 00 00 10 00 00 . ....@.........
0120 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 ................
0130 00 40 00 00 00 10 00 00 00 00 00 00 03 00 00 00 .@..............
0140 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 ................
0150 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 ................
0160 8C 20 00 00 64 00 00 00 00 00 00 00 00 00 00 00 . ..d...........
0170 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0180 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0190 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01A0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01B0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01D0 00 00 00 00 00 00 00 00 2E 74 65 78 74 00 00 00 .........text...
01E0 DC 02 00 00 00 10 00 00 00 10 00 00 00 10 00 00 ................
01F0 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 ............ ..`
[0x00000000]> imports
KERNEL32.DLL
0x402010 SystemTimeToFileTime
0x402014 GetModuleFileNameA
0x402018 CreateWaitableTimerA
0x40201c ExitProcess
0x402020 OpenMutexA
0x402024 SetWaitableTimer
0x402028 WaitForSingleObject
0x40202c CreateMutexA
0x402030 CreateThread
ADVAPI32.dll
0x402000 CreateServiceA
0x402004 StartServiceCtrlDispatcherA
0x402008 OpenSCManagerA
MSVCRT.dll
0x402038 _exit
0x40203c _XcptFilter
0x402040 exit
0x402044 __p___initenv
0x402048 __getmainargs
0x40204c _initterm
0x402050 __setusermatherr
0x402054 _adjust_fdiv
0x402058 __p__commode
0x40205c __p__fmode
0x402060 __set_app_type
0x402064 _except_handler3
0x402068 _controlfp
WININET.dll
0x402070 InternetOpenUrlA
0x402074 InternetOpenA
[0x00000000]> url
ASCII URLs
http://www.malwareanalysisbook.com
[0x00000000]> md5
md5: ae4ca70697df5506bc610172cfc288e7
[0x00000000]> sc
[0x00000000]> antivm
[0x00000000]> pdf
PDFiD 0.0.11 Lab01-02_unpacked.exe
Not a PDF document
[0x00000000]> threat
[0x00000000]> c
0x00000000 (01) 4d DEC EBP
0x00000001 (01) 5a POP EDX
0x00000002 (01) 90 NOP
0x00000003 (02) 0003 ADD [EBX], AL
0x00000005 (02) 0000 ADD [EAX], AL
0x00000007 (03) 000400 ADD [EAX+EAX], AL
0x0000000a (02) 0000 ADD [EAX], AL
0x0000000c (01) ff DB 0xff
0x0000000d (02) ff00 INC DWORD [EAX]
0x0000000f (06) 00b8 00000000 ADD [EAX+0x0], BH
0x00000015 (02) 0000 ADD [EAX], AL
0x00000017 (03) 0040 00 ADD [EAX+0x0], AL
0x0000001a (02) 0000 ADD [EAX], AL
0x0000001c (02) 0000 ADD [EAX], AL
0x0000001e (02) 0000 ADD [EAX], AL
0x00000020 (02) 0000 ADD [EAX], AL
0x00000022 (02) 0000 ADD [EAX], AL
0x00000024 (02) 0000 ADD [EAX], AL
0x00000026 (02) 0000 ADD [EAX], AL
0x00000028 (02) 0000 ADD [EAX], AL
0x0000002a (02) 0000 ADD [EAX], AL
0x0000002c (02) 0000 ADD [EAX], AL
0x0000002e (02) 0000 ADD [EAX], AL
0x00000030 (02) 0000 ADD [EAX], AL
0x00000032 (02) 0000 ADD [EAX], AL
0x00000034 (02) 0000 ADD [EAX], AL
0x00000036 (02) 0000 ADD [EAX], AL
0x00000038 (02) 0000 ADD [EAX], AL
0x0000003a (02) 0000 ADD [EAX], AL
0x0000003c (02) e0 00 LOOPNZ 0x0000003e ; 1
0x0000003c ----------------------------------------------------------------------
0x0000003e (02) 0000 ADD [EAX], AL
0x00000040 (01) 0e PUSH CS
0x00000041 (01) 1f POP DS
0x00000042 (05) ba 0e00b409 MOV EDX, 0x9b4000e
0x00000047 (02) cd 21 INT 0x21
0x00000049 (05) b8 014ccd21 MOV EAX, 0x21cd4c01
0x0000004e (01) 54 PUSH ESP
0x0000004f (05) 68 69732070 PUSH 0x70207369
0x00000054 (02) 72 6f JB 0x000000c5 ; 2
0x00000054 ----------------------------------------------------------------------