The first step into the dark realm is the hardest to take: it starts with pure blindness, but slowly gives you sight.
I spent one day learning Assembly basics and another on C basics, as I knew these two form this reality. Then it was time to begin this new, never-before-seen journey! I needed a map, so I chose the Practical Malware Analysis book as my guide.
I read about 100 pages that day; I had to be ready. I also needed safety and security, so I chose Oracle VirtualBox to be the bridge between me and the dark realm. I personally use Linux, but for this purpose I needed a Windows machine, so I installed one in VirtualBox.
Such a trip also needs tools, so I chose these:
- Windows SysInternals: some of these might and will come in handy.
- PE Bear: this one helps me see what's inside a malware, like a flashlight in darkness.
- PEiD: a nice tool for understanding the locks that might show up on my way.
- ResHacker: shows the resources of the dark forces! Helps me see if there's any picture, binary, etc. inside a file.
Everything seems ready so far, doesn't it? Let's begin the journey!
First Lab: Pure Confusion!
As I started the first lab, I was so goddamn confused about it! I didn't know what to look for, or even where to look for things!
You can access the labs here
Strings
I opened PowerShell inside the lab folder and used strings (which is part of Sysinternals) to extract any strings found in the lab malware:
strings .\Lab01-01.exe
The result was a huge list of nonsense character combinations, except for some that actually made sense:
CloseHandle
UnmapViewOfFile
IsBadReadPtr
MapViewOfFile
CreateFileMappingA
CreateFileA
FindClose
FindNextFileA
FindFirstFileA
CopyFileA
KERNEL32.dll
malloc
exit
MSVCRT.dll
_exit
_XcptFilter
__p___initenv
__getmainargs
_initterm
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
__set_app_type
_except_handler3
_controlfp
_stricmp
kerne132.dll
kernel32.dll
.exe
C:\*
C:\windows\system32\kerne132.dll
Kernel32.
Lab01-01.dll
C:\Windows\System32\Kernel32.dll
WARNING_THIS_WILL_DESTROY_YOUR_MACHINE
Feeling confused? So did I! But I was not afraid of these; I started searching for some of them on the internet, mostly in the Microsoft Developer Network (MSDN).
Is it packed?
Then I checked the file using PEiD to make sure it's not packed or anything, and it wasn't. So I immediately took the next step.
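PEiD answers the "is it packed?" question by matching signatures, and its database is old. The two manual checks an analyst falls back on are the section names that common packers leave behind and the per-section entropy of the raw bytes (compressed or encrypted data sits near 8 bits per byte, native code around 6). The script below is an added example, not code from the original post: it walks the PE section table with nothing but the standard library, applies both heuristics, and runs them on two tiny PE files that it constructs itself (they carry no code and cannot execute). The packer name list is an illustrative subset.

```python
"""Packer heuristics for a PE file: section names and per-section entropy.

Added example, not code from the original post. PEiD matches signatures;
when its database is stale, an analyst falls back on these two manual checks.
The tiny PE files built below are constructed for the demo and cannot execute.
"""
import math
import struct

# Section names common packers leave behind (illustrative subset, not exhaustive).
PACKER_SECTION_NAMES = {
    "UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
    ".MPRESS1", ".MPRESS2", ".nsp0", ".nsp1", ".themida", ".vmp0", ".vmp1",
}
ENTROPY_THRESHOLD = 7.0  # bits/byte; native x86 code usually sits around 6


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 0.0 for constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nsec,) = struct.unpack_from("<H", pe, coff + 2)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                           # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "data": pe[raw_ptr:raw_ptr + raw_size],
        })
    return sections


def packing_report(pe: bytes):
    """Flag each section that looks like packer output; summarise as likely_packed."""
    findings = []
    for s in parse_sections(pe):
        ent = shannon_entropy(s["data"])
        reasons = []
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append("packer section name")
        if ent > ENTROPY_THRESHOLD:
            reasons.append(f"high entropy ({ent:.2f} bits/byte)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append("empty on disk but reserved in memory (unpacking target)")
        findings.append({"name": s["name"], "entropy": round(ent, 2), "reasons": reasons})
    return {"sections": findings, "likely_packed": any(f["reasons"] for f in findings)}


def build_sample_pe(sections):
    """Minimal PE with the given (name, raw_bytes, virtual_size) sections. Demo only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                  # e_lfanew: PE header right after DOS header
    opt = bytearray(224)                                   # PE32 optional header, zeroed
    struct.pack_into("<H", opt, 0, 0x10B)                  # Magic = PE32
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    offset = 64 + 4 + 20 + len(opt) + 40 * len(sections)  # raw section data follows the headers
    table, blobs = b"", b""
    for name, data, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), vsize, 0x1000,
                             len(data), offset, 0, 0, 0, 0, 0x60000020)
        blobs += data
        offset += len(data)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + blobs


# Constructed samples: a UPX-style layout and a plain two-section binary.
PACKED = build_sample_pe([
    ("UPX0", b"", 0x8000),                      # zero bytes on disk, large in memory
    ("UPX1", bytes(range(256)) * 16, 0x1000),   # uniform bytes stand in for compressed data
])
CLEAN = build_sample_pe([
    (".text", b"plain code and padding " * 100, 0x1000),
    (".rdata", b"CreateFileA\0FindFirstFileA\0kerne132.dll\0", 0x100),
])

if __name__ == "__main__":
    for label, pe in (("packed", PACKED), ("clean", CLEAN)):
        report = packing_report(pe)
        print(label, "likely_packed =", report["likely_packed"])
        for f in report["sections"]:
            print("  ", f["name"], f["entropy"], f["reasons"])
```

Point it at a real file with `packing_report(open("Lab01-01.exe", "rb").read())`. A high-entropy .rsrc section alone is not proof of packing (embedded images compress well too), so treat the report as a prompt to look further, not a verdict.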
Resources and Imports
I used ResHacker, only to see that it doesn't have any resources! So I used PE Bear to analyse it a bit. I checked the dependencies and imports, and also the headers.
Connecting the Dots
I could understand that this malware does something, but I didn't know what. I looked more carefully, and I finally found something. There were two files mentioned in the strings result: a) Kernel32.dll and b) Kerne132.dll, and the latter was spelled with a one instead of an l. Considering this and the imports, I guessed that this malware tries to create a file with a name similar to a system file, and hides it somewhere. It could be a backdoor.
There was also another file: Lab01-01.dll, the most interesting part of which was the imports. It was obvious that this file would create a process and maybe add it to the system startup.
It was definitely a backdoor-installing malware.
This was just the beginning; there were and there are many other labs to try! I'll write about them soon...
Create. Love. Improve.
--A. Aryani