pma9-1 Analysis

Executive Summary

Installation

This malware can be run as a standalone executable.

Behavior

This malware takes commands from a command-and-control server, which can include SLEEP, UPLOAD, DOWNLOAD, CMD, or NOTHING. It then performs the requested action.

Persistence

This malware persists by installing itself as a service.

Removal

This malware can be removed by running it with the -re flag or by uninstalling the service.


File Information

Field              Data
Filename           /home/chase/github/malware-reports/scripts/Lab09-01.exe
File Size          61440 bytes
MD5                b94af4a4d4af6eac81fc135abda1c40c
SHA1               d6356b2c6f8d29f8626062b5aefb13b7fc744d54
SHA256             6ac06dfa543dca43327d55a61d0aaed25f3c90cce791e0555e3e306d47107859
Architecture       x86
Compiler
Statically linked  False
Stripped           False

Strings

Address String XRefs

Imports

Address Import XRefs

Important Functions

main: undefined4 main(uint32_t arg_8h, uint32_t arg_ch)

This is the main function. Command line arguments are parsed here.

GET_CONFIGURATION: undefined4 GET_CONFIGURATION(int32_t arg_8h, int32_t arg_10h, int32_t arg_18h, int32_t arg_20h)

This function gets the malware configuration.

callNetworkingmasters: undefined4 callNetworkingmasters28,1,large

This function checks for the commands SLEEP, UPLOAD, DOWNLOAD, CMD, or NOTHING. It then completes the action.

UPDATE_CONFIGURATION: undefined4 UPDATE_CONFIGURATION(int32_t arg_8h, int32_t arg_ch, int32_t arg_10h, int32_t arg_14h)

This function updates the malware configuration via the SOFTWARE registry key.

PAYLOAD: // WARNING: Removing unreachable block (ram,0x00402408)

This function contains the main malware payload.

CHECK_PASSWORD: undefined4 CHECK_PASSWORD(int32_t arg_8h)

This function checks whether the password is correct.

INSTALL_MALWARE: undefined4 INSTALL_MALWARE(char *lpServiceName)

This function installs the malware.

UNINSTALL_MALWARE: undefined4 UNINSTALL_MALWARE(undefined4 lpServiceName)

This function uninstalls the malware.


Analysis

The program installs itself as a service when run with the -in flag. There are several command line options: the -in flag installs the malware, the -re flag removes it, the -c flag updates the configuration, and the -cc flag prints the configuration. This malware can be patched by changing the code after the password check function to an unconditional jump. Host-based indicators include the registry key and the service "XYZ Manager service". This malware beacons to practicalmalwareanalysis.com.
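
The indicators above can be turned into a log triage check. The following is an added example, not part of the original report: it matches the sample's hashes, the service name and the beacon domain against event records. The event layout (Sysmon-style EventID 1 and 22, Service Control Manager EventID 7045, and their field names) and the sample events are assumptions constructed for illustration.

```python
# Indicators taken from this report's File Information and Analysis sections.
SHA256 = "6ac06dfa543dca43327d55a61d0aaed25f3c90cce791e0555e3e306d47107859"
MD5 = "b94af4a4d4af6eac81fc135abda1c40c"
SERVICE = "xyz manager service"
BEACON = "practicalmalwareanalysis.com"
MODES = {"-in": "install", "-re": "remove", "-c": "update config", "-cc": "print config"}

def sample_hash(ev):
    """True when a 'Hashes' field (ALG=hex,ALG=hex; assumed layout) names the sample."""
    pairs = dict(p.split("=", 1) for p in ev.get("Hashes", "").split(",") if "=" in p)
    return pairs.get("SHA256", "").lower() == SHA256 or pairs.get("MD5", "").lower() == MD5

def triage(events):
    """Return (record index, finding) for each event that matches an indicator."""
    hits = []
    for i, ev in enumerate(events):
        eid = ev.get("EventID")
        if eid == 1 and sample_hash(ev):  # process creation of the sample itself
            args = ev.get("CommandLine", "").split()[1:]
            mode = next((MODES[a] for a in args if a in MODES), "no flag")
            hits.append((i, "sample executed: " + mode))
        elif eid == 7045 and ev.get("ServiceName", "").lower() == SERVICE:
            hits.append((i, "service installed"))
        elif eid == 22:  # DNS query; match the domain and its subdomains only
            q = ev.get("QueryName", "").lower().rstrip(".")
            if q == BEACON or q.endswith("." + BEACON):
                hits.append((i, "beacon lookup: " + q))
    return hits

# Constructed events (not captured from a real host); "placeholder" stands in
# for the extra argument and the ImagePath is invented.
EVENTS = [
    {"EventID": 1, "CommandLine": "Lab09-01.exe -in placeholder",
     "Hashes": "MD5=" + MD5.upper() + ",SHA256=" + SHA256.upper()},
    {"EventID": 7045, "ServiceName": "XYZ Manager service",
     "ImagePath": "C:\\constructed\\Lab09-01.exe"},
    {"EventID": 22, "QueryName": "www.practicalmalwareanalysis.com."},
    {"EventID": 22, "QueryName": "notpracticalmalwareanalysis.com"},
    {"EventID": 1, "CommandLine": "tool.exe -c x", "Hashes": "SHA256=" + "0" * 64},
]

if __name__ == "__main__":
    for idx, finding in triage(EVENTS):
        print(idx, finding)
```

The flags are only reported when the process hash matches, since -c and -in on their own are too common to be useful indicators.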