Malware Analysis - Part 1: Basic Static Analysis Backdoor Tactics of Dynamic Link Libraries (.dll) and Executables (.exe)


Hello, cybersecurity enthusiasts! 

We begin our exploration of malware analysis with basic static analysis: examining a sample without running it. This is usually the first step in analyzing malware, and it gives a certain amount of insight into what the file does before any dynamic analysis is attempted.

First, we can use file hashes to check whether a sample has already been identified as malicious. We take the Message-Digest Algorithm 5 (MD5) hash of the file (a sort of fingerprint) and search for that hash online to see if the file is already known.


We can also use antivirus tools to confirm maliciousness by checking whether the files match existing antivirus signatures. One way is to upload the file to VirusTotal:

https://www.virustotal.com/gui/file/58898bd42c5bd3bf9b1389f0eee5b39cd59180e8370eb9ea838a0b327bd6fe47

BB7425B82141A1C0F7D60E5106676BB1 (Lab01-01.exe)


https://virustotal.com/gui/file/f50e42c8dfaab649bde0398867e930b86c2a599e8db83b8260393082268f2dba/detection

290934C61DE9176AD682FFDD65F0A669 (Lab01-01.dll)


Next, we check whether either file is protected by a packer. Both files have small but reasonable numbers of imports and well-formed sections with appropriate sizes.


The file signature identifies this as unpacked code compiled with Microsoft Visual C/C++, which tells us that these files are not packed. The fact that the files have few imports tells us that they are likely small programs, and the strings in both are still readable. The section sizes are useful for detecting packed executables. For example, if the Virtual Size of a section is much larger than its Size of Raw Data, you know that the section takes up more space in memory than it does on disk. This is often indicative of packed code, particularly if the .text section is larger in memory than on disk.
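The two checks described so far, hashing the sample and comparing each section's Virtual Size against its Size of Raw Data, can be scripted with nothing but the Python standard library. The following is an added example, not code from the original post or from any lab material: it hashes a byte string (MD5 as used above, plus SHA-256, which is what the VirusTotal file URLs above are keyed by), walks the PE section table by hand, and flags sections whose in-memory size exceeds their on-disk size by a chosen ratio. The sample PE images are constructed in the script itself so it runs offline; the 2.0 ratio threshold and the `.bss` exception are assumptions of this example, not values from the post.

```python
import hashlib
import struct

# Section header layout (40 bytes): Name, VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def file_hashes(data: bytes) -> dict:
    """MD5 (as in the post) and SHA-256 (what VirusTotal file pages are keyed by)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                       # 20-byte COFF file header
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size              # section table follows the optional header
    sections = []
    for i in range(num_sections):
        f = SECTION_HEADER.unpack_from(data, table + i * SECTION_HEADER.size)
        sections.append({"name": f[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": f[1], "virtual_address": f[2],
                         "raw_size": f[3], "raw_pointer": f[4]})
    return sections


def packing_indicators(sections: list, ratio: float = 2.0) -> list:
    """Flag sections that occupy far more memory than disk (packer hint).

    Uninitialised-data sections (.bss) legitimately have zero raw size, so they
    are skipped; a code section (.text) that trips this check is the strong signal.
    """
    findings = []
    for s in sections:
        if s["name"] == ".bss":
            continue
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{s['name']}: 0 bytes on disk but {s['virtual_size']:#x} in memory")
        elif s["raw_size"] and s["virtual_size"] / s["raw_size"] > ratio:
            findings.append(f"{s['name']}: virtual {s['virtual_size']:#x} vs raw "
                            f"{s['raw_size']:#x} (x{s['virtual_size'] / s['raw_size']:.0f})")
    return findings


def build_sample_pe(sections: list) -> bytes:
    """Construct a minimal PE image (headers only) for offline demonstration."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 224                            # PE32 optional header size, left zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    table = b"".join(
        SECTION_HEADER.pack(name.ljust(8, "\0").encode(), vsize, vaddr, rsize, rptr,
                            0, 0, 0, 0, 0x60000020)
        for name, vsize, vaddr, rsize, rptr in sections)
    return dos + b"PE\0\0" + coff + b"\0" * opt_size + table


# Constructed samples: a packer-like layout and a normal Visual C/C++-style layout.
SAMPLE_PACKED = build_sample_pe([(".text", 0x20000, 0x1000, 0x200, 0x400),
                                 (".data", 0x1000, 0x21000, 0x1000, 0x600),
                                 (".bss", 0x800, 0x22000, 0, 0)])
SAMPLE_CLEAN = build_sample_pe([(".text", 0x1234, 0x1000, 0x1400, 0x400),
                                (".rdata", 0x600, 0x3000, 0x600, 0x1800)])


def triage(data: bytes) -> dict:
    """One-shot summary a triage script would print for a sample."""
    sections = parse_sections(data)
    return {"hashes": file_hashes(data), "sections": sections,
            "packing": packing_indicators(sections)}


if __name__ == "__main__":
    for label, blob in (("packed-like", SAMPLE_PACKED), ("clean", SAMPLE_CLEAN)):
        report = triage(blob)
        print(label, report["hashes"]["md5"], report["packing"] or "no packing indicators")
```

Point `triage()` at `open(path, "rb").read()` for a real sample; the output is only a hint, and a packed file is confirmed by looking at the imports (a handful of loader functions) and the entropy of the data, not by the size ratio alone.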

DLL File

Executable File

Next, the imports hint at what this malware does. The interesting imports from the executable file are FindFirstFile, FindNextFile, and CopyFile. These imports tell us that the program searches the filesystem and copies files.


The most interesting imports from the DLL file are CreateProcess and Sleep. We also see that this file imports functions from WS2_32.dll, which provides network functionality.


Next, we examine the file strings. In the executable file we find the path C:\Windows\System32\kerne132.dll, which points to additional malicious activity. Note that the file name kerne132.dll, with the number 1 instead of the letter l, is meant to look like the system file kernel32.dll. This file name can be used as a host-based indicator to search for the malware.


The .dll file contains a reference to the IP address 127.26.152.13, which falls in the 127.0.0.0/8 loopback range and is not routable. This address is an artifact of this program having been created for educational and not malicious purposes. If this were real malware, the IP address would be routable, and it would be a good network-based indicator for identifying this malware.
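The two string-level findings above, a system-DLL look-alike name and an embedded IP address, are exactly what a small strings triage script should surface automatically. The following is an added example written for this post, not code from the original article or from any lab: it pulls printable ASCII and UTF-16LE strings out of a byte blob, canonicalises DLL base names through a digit-for-letter confusable table so that kerne132.dll collides with kernel32.dll, and validates any IPv4-looking string with the `ipaddress` module to report whether it is routable. The short list of known DLL names, the confusable table and the sample blob are all constructed for this example.

```python
import ipaddress
import re

ASCII_STRING = re.compile(rb"[\x20-\x7e]{4,}")          # 4+ printable ASCII bytes
UTF16_STRING = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")  # 4+ printable UTF-16LE code units
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")        # also matches version strings; validated below

# Hypothetical short inventory; a real triage script would carry the full System32 list.
KNOWN_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "advapi32.dll",
              "ws2_32.dll", "wininet.dll"}

# Characters commonly swapped to mimic a legitimate name. Both the candidate and
# the known names go through the same table, so "kerne132" and "kernel32" collide.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "|": "l"})


def canonical(name: str) -> str:
    return name.lower().translate(CONFUSABLES)


CANON_KNOWN = {canonical(d): d for d in KNOWN_DLLS}


def extract_strings(data: bytes) -> list:
    """Equivalent of `strings` plus a wide-string pass, in file order per encoding."""
    out = [m.group().decode("ascii") for m in ASCII_STRING.finditer(data)]
    out += [m.group().decode("utf-16-le") for m in UTF16_STRING.finditer(data)]
    return out


def lookalike_dlls(strings: list) -> list:
    """Return (string, impersonated_dll) pairs for names that only match after canonicalising."""
    hits = []
    for s in strings:
        base = re.split(r"[\\/]", s)[-1]          # last path component
        if not base.lower().endswith(".dll"):
            continue
        known = CANON_KNOWN.get(canonical(base))
        if known and base.lower() != known:       # genuine kernel32.dll is not a hit
            hits.append((s, known))
    return hits


def ip_indicators(strings: list) -> list:
    """Validate IPv4-looking strings and note whether they could be a real network indicator."""
    hits = []
    for s in strings:
        for candidate in IPV4.findall(s):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:                    # e.g. "300.1.1.1" or a version number
                continue
            hits.append({"ip": candidate, "routable": ip.is_global,
                         "loopback": ip.is_loopback})
    return hits


# Constructed sample blob mimicking the kinds of strings found in the lab files.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00"                                 # header junk, too short to be a string
    + b"C:\\Windows\\System32\\kerne132.dll\x00"          # look-alike system DLL path
    + b"\x7f\x01"
    + b"127.26.152.13\x00"                                # loopback-range address, as in the lab DLL
    + b"WS2_32.dll\x00"                                   # genuine networking DLL, must not be flagged
    + b"Sleep\x00\x01"
    + "CreateProcessA".encode("utf-16-le") + b"\x00\x00"  # wide string
)


if __name__ == "__main__":
    found = extract_strings(SAMPLE_BLOB)
    print("strings:", found)
    print("look-alike DLLs:", lookalike_dlls(found))
    print("IP indicators:", ip_indicators(found))
```

On the sample blob the script reports kerne132.dll as impersonating kernel32.dll, leaves the genuine WS2_32.dll alone, and marks 127.26.152.13 as loopback and non-routable, which is the reason the post does not treat it as a usable network indicator.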


From the results of our basic static analysis, the .dll file is probably a backdoor, and the .exe file is used to install or run the DLL. Static analysis is typically only the first step, and further analysis is usually necessary.

I hope this blog post proves beneficial, offering insights that raise awareness and empower cyber defenders to effectively analyze and combat malware. Thank you for your time, enjoy delving into the malware domain, and until we meet again for the next part!

This is a practical case for educational purposes only.
