pma7-1 Analysis

Executive Summary

Installation

This malware is a standalone executable. It might be dropped via a drive-by download, manually installed on the computer, or act as a payload for a worm.

Behavior

This malware waits until January 1, 2100 and then attempts a DDoS attack on malwareanalysisbook.com.

Persistence

The malware sets itself up as a service named MalService.

Removal

This malware can be detected using a mutex named HGL345 and the service MalService. It can then be removed by uninstalling the service and rebooting the computer.


File Information

Field               Data
Filename            Lab07_01.exe
File Size           24576 bytes
MD5                 c04fd8d9198095192e7d55345966da2e
SHA1                86ee262230cbf6f099b6086089da9eb9075b4521
SHA256              0c98769e42b364711c478226ef199bfbba90db80175eb1b8cd565aa694c09852
Architecture        x86
Compiler
Statically linked   False
Stripped            False

Strings

Address     String                               XRefs
0x405050    http://www.malwareanalysisbook.com   InternetGetMalwareBook
0x405074    Internet Explorer 8.0                InternetGetMalwareBook

Imports

Address     Import             XRefs
0x4040c0    InternetOpenUrlA   InternetGetMalwareBook
0x4040c4    InternetOpenA      InternetGetMalwareBook

Important Functions

main: void main(void)

Located in section [00] .text (-r-x, size 12288). This is the main function; it calls the function that sets up persistence.

SetupPersistence: undefined4 SetupPersistence12,2

This function sets up the service, sets a timer to wait until the specified time, then starts 20 threads that perform the DDoS on the specified URL.

InternetGetMalwareBook: void InternetGetMalwareBook(void)

This function makes requests to malwareanalysisbook.com in an infinite loop.


Analysis

Below are the answers to the PMA questions for this lab. This malware sets itself up as a service in the fcn.00401040 function. It does so with the following imported API calls.

0x00401052 call dword [sym.imp.KERNEL32.dll_OpenMutexA]
0x0040105e call dword [sym.imp.KERNEL32.dll_ExitProcess]
0x0040106e call dword [sym.imp.KERNEL32.dll_CreateMutexA]
0x0040107a call dword [sym.imp.ADVAPI32.dll_OpenSCManagerA]
0x00401082 call dword [sym.imp.KERNEL32.dll_GetCurrentProcess]
0x00401094 call dword [sym.imp.KERNEL32.dll_GetModuleFileNameA]
0x004010bc call dword [sym.imp.ADVAPI32.dll_CreateServiceA]
0x004010e5 call dword [sym.imp.KERNEL32.dll_SystemTimeToFileTime]
0x004010f1 call dword [sym.imp.KERNEL32.dll_CreateWaitableTimerA]
0x00401107 call dword [sym.imp.KERNEL32.dll_SetWaitableTimer]
0x00401110 call dword [sym.imp.KERNEL32.dll_WaitForSingleObject]
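The SystemTimeToFileTime / CreateWaitableTimerA / SetWaitableTimer / WaitForSingleObject sequence above is what makes the sample sleep until 2100. The following Python is an added example, not code from the sample or the book: it reproduces the conversion SystemTimeToFileTime performs (100-nanosecond ticks since 1601-01-01 UTC), splits the result into the two DWORDs a LARGE_INTEGER due time holds, and shows how long WaitForSingleObject would block from a given reference date. SetWaitableTimer treats a positive due time as an absolute FILETIME, which is the form this sample uses; all dates other than January 1, 2100 are constructed for illustration.

```python
from datetime import datetime, timezone
from typing import Tuple

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

# The absolute due time the report identifies for the waitable timer.
TIMER_DUE = datetime(2100, 1, 1, tzinfo=timezone.utc)


def system_time_to_file_time(when: datetime) -> int:
    """Python equivalent of SystemTimeToFileTime: UTC datetime -> 64-bit tick count."""
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    delta = when - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def split_large_integer(ticks: int) -> Tuple[int, int]:
    """Split a tick count into the (LowPart, HighPart) DWORDs of a LARGE_INTEGER.

    A positive value passed to SetWaitableTimer is an absolute FILETIME; a negative
    value would instead be a relative interval.
    """
    return ticks & 0xFFFFFFFF, (ticks >> 32) & 0xFFFFFFFF


def seconds_until_due(due: datetime, now: datetime) -> int:
    """Seconds WaitForSingleObject blocks before an absolute due time fires."""
    return (system_time_to_file_time(due) - system_time_to_file_time(now)) // TICKS_PER_SECOND


if __name__ == "__main__":
    ticks = system_time_to_file_time(TIMER_DUE)
    low, high = split_large_integer(ticks)
    print(f"FILETIME for 2100-01-01 UTC: {ticks} (low=0x{low:08x}, high=0x{high:08x})")
    # Constructed reference date; with the real clock the result is similar.
    wait = seconds_until_due(TIMER_DUE, datetime(2024, 1, 1, tzinfo=timezone.utc))
    print(f"from 2024-01-01 the timer fires after roughly {wait // 86400 // 365} years")
```

Because the due time is decades away, the sample in practice never reaches the thread-creation code during analysis; a sandbox run only shows the mutex, the service installation and a process blocked in WaitForSingleObject.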

This program uses a mutex to ensure that only one instance of the program is running at a time. Good host-based signatures include the mutex named HGL345 and the service MalService. Good network signatures include the user agent Internet Explorer 8.0 and the communication with malwareanalysisbook.com. This program waits until January 1, 2100 and then attempts a DDoS attack on malwareanalysisbook.com. This program will never finish: it creates 20 threads, each of which runs in an infinite loop.
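The four signatures named above (mutex, service name, user agent, destination domain) can be turned into a small detection check. The script below is an added example, not part of the original report: it runs the indicator logic over constructed key=value log lines standing in for a service-install event, a sandbox API trace and a proxy log. The field names ServiceName, Mutex, Host and UserAgent are assumptions about the log source; only the indicator values come from the report.

```python
import re
from typing import Dict, List, Tuple

# Indicator values taken from the report: the mutex and service name are host-based,
# the user agent and domain are network-based.
INDICATORS: Dict[str, str] = {
    "mutex": "HGL345",
    "service": "MalService",
    "user_agent": "Internet Explorer 8.0",
    "domain": "malwareanalysisbook.com",
}

# Constructed sample log lines (not real telemetry); lines 1 and 4 are benign noise.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z source=system EventID=7045 ServiceName=Spooler StartType=auto
2024-05-01T10:00:02Z source=system EventID=7045 ServiceName=MalService StartType=auto
2024-05-01T10:00:02Z source=sandbox api=CreateMutexA Mutex=HGL345 pid=1337
2024-05-01T10:00:03Z source=proxy Host=www.example.com UserAgent="Mozilla/5.0"
2100-01-01T00:00:00Z source=proxy Host=www.malwareanalysisbook.com UserAgent="Internet Explorer 8.0"
"""

# key=value or key="value with spaces"
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fields(line: str) -> Dict[str, str]:
    """Extract key=value pairs from one log line; quoted values may contain spaces."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def match_indicators(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (indicator name, matched value) pairs for one parsed event."""
    hits: List[Tuple[str, str]] = []
    # Kernel object names are case-sensitive, so the mutex is compared exactly.
    if fields.get("Mutex") == INDICATORS["mutex"]:
        hits.append(("mutex", fields["Mutex"]))
    # Service names are case-insensitive on Windows.
    svc = fields.get("ServiceName", "")
    if svc.lower() == INDICATORS["service"].lower():
        hits.append(("service", svc))
    if fields.get("UserAgent") == INDICATORS["user_agent"]:
        hits.append(("user_agent", fields["UserAgent"]))
    # Match the domain itself and any subdomain such as www.
    host = fields.get("Host", "").lower().rstrip(".")
    dom = INDICATORS["domain"]
    if host == dom or host.endswith("." + dom):
        hits.append(("domain", fields["Host"]))
    return hits


def scan(log_text: str) -> List[Tuple[int, str, str]]:
    """Scan a log and return (line number, indicator name, value) for every hit."""
    results: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for name, value in match_indicators(parse_fields(line)):
            results.append((lineno, name, value))
    return results


if __name__ == "__main__":
    for lineno, name, value in scan(SAMPLE_LOG):
        print(f"line {lineno}: {name} indicator matched ({value})")
```

The user-agent string alone is weak evidence, since it mimics a legitimate browser, so a hit on it is most useful when it coincides with the domain match on the same request, as in the last sample line.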