Executive Summary
Installation
This malware can be run as a standalone executable.
Behavior
This malware takes several commands from a command control server, which can include SLEEP, UPLOAD, DOWNLOAD, CMD, or NOTHING. It then performs these actions.
Persistence
This malware persists by installing itself as a service.
Removal
This malware can be removed by running it with the -re flag or uninstalling the service.
File Information
| Field | Data |
|---|---|
| Filename | /home/chase/github/malware-reports/scripts/Lab09-01.exe |
| File Size | 61440 bytes |
| MD5 | b94af4a4d4af6eac81fc135abda1c40c |
| SHA1 | d6356b2c6f8d29f8626062b5aefb13b7fc744d54 |
| SHA256 | 6ac06dfa543dca43327d55a61d0aaed25f3c90cce791e0555e3e306d47107859 |
| Architecture | x86 |
| Compiler | |
| Statically linked | False |
| Stripped | False |
Strings
| Address | String | XRefs |
|---|
Imports
| Address | Import | XRefs |
|---|
Important Functions
main: undefined4 main(uint32_t arg_8h, uint32_t arg_ch)
This is the main function. Command line arguments are parsed here.
GET_CONFIGURATION: undefined4 GET_CONFIGURATION(int32_t arg_8h, int32_t arg_10h, int32_t arg_18h, int32_t arg_20h)
This function gets the malware configuration
callNetworkingmasters: undefined4 callNetworkingmasters28,1,large
This function checks for the commands SLEEP, UPLOAD, DOWNLOAD, CMD, or NOTHING. It then completes the action.
UPDATE_CONFIGURATION: undefined4 UPDATE_CONFIGURATION(int32_t arg_8h, int32_t arg_ch, int32_t arg_10h, int32_t arg_14h)
This function updates the malware configuration via the SOFTWAREregistry key
PAYLOAD: // WARNING: Removing unreachable block (ram,0x00402408)
This function contains the main malware payload
CHECK_PASSWORD: undefined4 CHECK_PASSWORD(int32_t arg_8h)
This function checks if the password is correct
INSTALL_MALWARE: undefined4 INSTALL_MALWARE(char *lpServiceName)
This function will install the malware
UNINSTALL_MALWARE: undefined4 UNINSTALL_MALWARE(undefined4 lpServiceName)
This function will uninstall the malware
Analysis
The program will install itself as a service if run with the -in flag. There are several command line options. The -in flag will install the malware. The -re flag will remove the malware. The -c flag will update the configuration. The -cc flag will print the configuration. This malware can be pached by changing code after the password check function to an unconditional jump. Host based indicators include the registry key and the service "XYZ Manager service". This malware beacons practicalmalwareanalysis.com.