Analyzing Lab-06-n.exe
Recognizing C Code Constructs in Assembly
Introduction
Chapter Six focuses on code constructs in x86 and on how malware analysts can identify them while walking through a disassembly without digging into every detail, developing the instinct to recognize what the code is doing at a higher level. This skill takes time to develop, and being able to spot C code constructs in x86 assembly keeps you from getting lost in the details.
Lab 6-1
In this lab, we analyse the malware found in the file Lab06-01.exe.
Questions
What is the major code construct found in the only subroutine called by main?
Disassembling the executable and starting from the main function, we see that main begins with a single call to the procedure sub_401000:
Stepping into this routine, we notice a compare instruction followed by a JZ conditional jump, and the graph view confirms that this is indicative of an 'if' code construct.
sub_401000 is used to check for Internet connectivity using InternetGetConnectedState.
Below is the translation of the assembly code of sub_401000 to C:
What is the subroutine located at 0x40105F?
Stepping into 0x40105F we find the following code:
Using IDA we get some more information, for example the names of two of the three functions called. So we know that:
First, the __stbuf function is called, and it seems to be passed a reference to a file.
Then another function, sub_401282, is called.
Finally, the third function, __ftbuf, is called with two parameters: the reference to the file and the result of the first call to __stbuf.
A quick search shows that __stbuf and __ftbuf are declared in the header file internal.h within the .NET Core sources:
From this we can assume that 0x40105F provides file input/output functionality, and if we look at the xrefs to 0x40105F, we see only two results:
Both results call sub_40105F right after pushing a string to the stack:
Based on this context, we can deduce that this routine plays the role of the C 'printf'.
What is the purpose of this program?
As described in the first question, based on the C code, the program checks whether there is an active Internet connection: if there is, it returns 1, otherwise it returns 0.
Lab 6-2
Analyse the malware found in the file Lab06-02.exe.
Questions
What operation does the first subroutine called by main perform?
The first subroutine called by main (sub_401000) is the same one we discovered in Lab06-01.exe. It checks the Internet connected state of the system.
What is the subroutine located at 0x40117F?
Once again, at 0x40117F we have the C "printf" function, just as in Lab06-01.exe.
What does the second subroutine called by main do?
The second subroutine called by main is at the address 0x401040.
First there is a call to InternetOpenA with the szAgent parameter set to "Internet Explorer 7.5/pma"; if the function succeeds, it returns a valid handle that is used by the subsequent WinINet functions. Upon success, InternetOpenUrlA is called with the string "http://www.practicalmalwareanalysis.com/cc.htm" as szUrl.
If InternetOpenUrlA returns a non-zero value, meaning a valid handle to the URL, the web page is read with InternetReadFile into a 512-byte buffer:
What type of code construct is used in this subroutine?
After the call to InternetOpenUrlA, we spot four cmp instructions being executed:
These cmp instructions compare one byte at a time against Buffer, var_20F, var_20E, and var_20D, which are consecutive stack bytes, suggesting that an array of characters is being parsed. The program verifies whether the first four characters of the Buffer array match "<!--", the start of an HTML comment. If they do, the fifth character of Buffer[] is moved into AL.
Are there any network-based indicators for this program?
The URL http://www.practicalmalwareanalysis.com/cc.htm and the user agent Internet Explorer 7.5/pma are the main NBIs.
What is the purpose of this malware?
First, it checks for an active Internet connection. If there is one, it opens the URL http://www.practicalmalwareanalysis.com/cc.htm and reads an HTML comment from the page. If it successfully reads the HTML comment, it prints the extracted command and then sleeps for 60 seconds.
At a high level, the C equivalent for what this malware is doing can be summarized as follows:
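As an added example (not the write-up's own C listing), the comment-parsing step of Lab06-02.exe written in portable C: the four byte compares on the 512-byte buffer filled by InternetReadFile, and the fifth byte that ends up in AL. The sample pages are constructed stand-ins for the body of cc.htm.

```c
#include <stddef.h>
#include <string.h>

#define BUFFER_SIZE 512   /* size of the buffer passed to InternetReadFile */

/* Mirrors the four cmp instructions: Buffer[0..3] must equal "<!--".
 * On a match the byte at Buffer[4] (the one moved into AL) is returned;
 * otherwise 0. The length check is a safety addition for this model, the
 * binary simply reads whatever is in the buffer. */
char parse_command(const unsigned char *buffer, size_t bytes_read)
{
    if (bytes_read < 5)            /* "<!--" plus the command byte */
        return 0;
    if (buffer[0] != '<' ||        /* cmp [Buffer], '<'  */
        buffer[1] != '!' ||        /* cmp var_20F, '!'   */
        buffer[2] != '-' ||        /* cmp var_20E, '-'   */
        buffer[3] != '-')          /* cmp var_20D, '-'   */
        return 0;
    return (char)buffer[4];        /* mov al, Buffer[4]  */
}

/* Constructed sample pages (not real cc.htm content). */
static const char page_with_command[]   = "<!--c--> <html><body>nothing here</body></html>";
static const char page_without_comment[] = "<html><body>nothing here</body></html>";
static const char page_too_short[]      = "<!--";

/* Copy a page into a 512-byte buffer the way InternetReadFile would fill it,
 * then run the parser over it. */
char parse_page(const char *page, size_t page_len)
{
    unsigned char buffer[BUFFER_SIZE] = {0};
    size_t n = page_len < BUFFER_SIZE ? page_len : BUFFER_SIZE;
    memcpy(buffer, page, n);
    return parse_command(buffer, n);
}
```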
Lab 6-3
In this lab, we'll analyse the malware found in the file Lab06-03.exe.
Questions
Compare the calls in main to Lab 6-2's main method. What is the new function called from main?
The only new function called from main is sub_401130:
What parameters does this new function take?
Stepping into the function, we can see that it takes two parameters: a char value and an LPCSTR value (long pointer to a constant string).
If we examine how these arguments were passed, we can see that two items are pushed onto the stack before this subroutine is called:
argv: argv[0], which points to the name of the program
command: set to AL in loc_401228, which is the return value from the subroutine sub_401040
What major code construct does this function contain?
The function takes command, subtracts the character 'a' from it and updates the command variable; command is then compared to 4. If command is above 4, we jump to def_401153, the default case.
Otherwise, we recognize a jump table indexed from 0 to 4, meaning that there are five different commands, each with a different action. The jump instruction jmp ds:jpt_401153[edx*4] takes its target from the jump table, where edx contains the command value.
In this jump instruction, edx is multiplied by 4 and added to the base of the jump table, 0x004011F2, to find which case code block to jump to:
What can this function do?
The five switch cases can be summarised as follows:
Depending on the command provided ('a' to 'e'), the program executes the appropriate API calls to perform directory operations or registry modification. lpExistingFileName is the current file, Lab06-03.exe. Setting the registry key Software\Microsoft\Windows\CurrentVersion\Run\Malware to the file C:\Temp\cc.exe is a persistence method that executes the malware at system startup.
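An added example (not the lab's own code) of the switch construct in sub_401130 written out in C as the jump table the compiler emitted. The real cases perform the directory, file-copy, registry, delete and sleep actions listed above; here each case returns a description so the index computation and dispatch can be exercised offline.

```c
#include <stdint.h>
#include <string.h>

#define CASE_COUNT 5   /* jpt_401153 has five entries, indexed 0..4 for 'a'..'e' */

/* Stand-ins for the five case bodies (descriptions, not the real actions). */
static const char *case_a(void) { return "create directory C:\\Temp"; }
static const char *case_b(void) { return "copy argv[0] to C:\\Temp\\cc.exe"; }
static const char *case_c(void) { return "set Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Malware = C:\\Temp\\cc.exe"; }
static const char *case_d(void) { return "delete C:\\Temp\\cc.exe"; }
static const char *case_e(void) { return "sleep 100 seconds"; }
static const char *case_default(void) { return "default: unknown command, no action"; }

/* The jump table itself, reached in the binary as jmp ds:jpt_401153[edx*4]. */
static const char *(*const jump_table[CASE_COUNT])(void) = {
    case_a, case_b, case_c, case_d, case_e
};

/* Index computation as the disassembly does it: subtract 'a', then compare
 * the result with 4 as an UNSIGNED value (the ja instruction). Returns -1
 * for the default case. */
int command_index(unsigned char command)
{
    uint32_t edx = (uint32_t)command - (uint32_t)'a';
    if (edx > CASE_COUNT - 1)      /* ja def_401153 */
        return -1;
    return (int)edx;
}

const char *dispatch(unsigned char command)
{
    int idx = command_index(command);
    if (idx < 0)
        return case_default();
    return jump_table[idx]();      /* jmp ds:jpt_401153[edx*4] */
}
```

Because the comparison is unsigned, a byte below 'a' (such as '@' or a NUL) wraps to a large value and also lands in the default case, so the single ja guards both ends of the table.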
Are there any host-based indicators for this malware?
The file location C:\Temp\cc.exe
The registry key Software\Microsoft\Windows\CurrentVersion\Run
What is the purpose of this malware?
The malware checks whether it has an active connection to the Internet, then retrieves a command from the cc.htm web page. Based on the contents of cc.htm, the switch code construct then performs one of:
Create directory C:\Temp
Copy the current file (Lab06-03.exe) to C:\Temp\cc.exe
Create persistence for C:\Temp\cc.exe via registry key manipulation
Delete C:\Temp\cc.exe
Sleep the program for 100 seconds
Lab 6-4
In this lab, we’ll analyse the malware found in the file Lab06-04.exe.
Questions
What is the difference between the calls made from the main method in Labs 6-3 and 6-4?
The function calls appear to be the same, but a for loop has been added to the main method.
In this case, it is a for loop that executes 1440 times. Inside this loop the sub_401040 and sub_401150 functions are called.
What new code construct has been added to main?
The new code construct is a for loop.
What is the difference between this lab’s parse HTML function and those of the previous labs?
The subroutine sub_401040 in Lab06-04.exe takes a new parameter (ecx, the loop counter):
This is used to format the user agent Internet Explorer 7.50/pma%d, with the counter i incremented by 1 on each iteration. This means a different user agent is used for each attempt to parse the HTML comment.
How long will this program run? (Assume that it is connected to the Internet.)
From the comparison in the for loop, we know there are 1440 iterations. Since the program sleeps for 60 seconds after each call to the sub_401150 subroutine, it will run for at least 86400 seconds (24 hours):
60s * 1440 = 86400s
86400s / 60 = 1440min
1440min / 60 = 24h
The program may run longer if the command within sub_401150 instructs the switch to sleep for 100 seconds during any of the 1440 iterations.
Are there any new network-based indicators for this malware?
The only new NBI for Lab06-04.exe is the User-Agent "Internet Explorer 7.50/pma%d".
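As an added example (not part of the original write-up), a small matcher for the two user agents seen across these labs, usable over proxy or IDS logs: the fixed "Internet Explorer 7.5/pma" of Lab06-02/03 and the counted "Internet Explorer 7.50/pma%d" of Lab06-04. The key=value log line format is a constructed assumption.

```c
#include <ctype.h>
#include <string.h>

/* Returns 0 for no match, 1 for the fixed Lab06-02/03 user agent and 2 for
 * the Lab06-04 form, in which case *counter (if non-NULL) receives the
 * iteration number that was substituted for %d. */
int classify_user_agent(const char *ua, int *counter)
{
    static const char fixed[]   = "Internet Explorer 7.5/pma";
    static const char counted[] = "Internet Explorer 7.50/pma";

    if (strcmp(ua, fixed) == 0)
        return 1;
    if (strncmp(ua, counted, sizeof(counted) - 1) != 0)
        return 0;

    const char *p = ua + sizeof(counted) - 1;
    const char *digits = p;
    int n = 0;
    while (isdigit((unsigned char)*p) && p - digits < 9)   /* bounded: no overflow */
        n = n * 10 + (*p++ - '0');
    if (p == digits || *p != '\0')     /* "%d" unsubstituted, or trailing junk */
        return 0;
    if (counter)
        *counter = n;
    return 2;
}

/* Convenience wrapper: the iteration counter, or -1 if not the counted form. */
int user_agent_counter(const char *ua)
{
    int n = -1;
    return classify_user_agent(ua, &n) == 2 ? n : -1;
}

/* Pull the ua="..." field out of a constructed key=value log line and
 * classify it; returns 0 when the field is missing or oversized. */
int classify_log_line(const char *line, int *counter)
{
    const char *start = strstr(line, "ua=\"");
    if (!start)
        return 0;
    start += 4;
    const char *end = strchr(start, '"');
    if (!end || end - start >= 128)
        return 0;
    char ua[128];
    memcpy(ua, start, (size_t)(end - start));
    ua[end - start] = '\0';
    return classify_user_agent(ua, counter);
}
```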
What is the purpose of this malware?
The malware begins by checking for an Internet connection, then connects to a C2 web server to retrieve commands and executes specific actions on the host. It runs for a minimum of 24 hours, making at least 1440 requests to the C2 domain with 60-second sleep intervals. Its functionality includes copying itself to a new directory, setting itself to autorun for persistence by modifying the registry, deleting the new file, or sleeping for 100 seconds.