Malware Analysis - Part 1: Basic Static Analysis Backdoor Tactics of Dynamic Link Libraries (.dll) and Executables (.exe)
﷽
BB7425B82141A1C0F7D60E5106676BB1 (Lab01-01.exe)
https://virustotal.com/gui/file/f50e42c8dfaab649bde0398867e930b86c2a599e8db83b8260393082268f2dba/detection
290934C61DE9176AD682FFDD65F0A669 (Lab01-01.dll)
Next we check whether either file is protected: neither file is packed. Both have small but reasonable numbers of imports and well-formed sections with appropriate sizes.
The compiler signature identifies both files as unpacked code compiled with Microsoft Visual C/C++, which confirms that they are not packed. The small import tables suggest small programs, and the strings of both files are still readable. Section sizes are a useful packing indicator: if a section's Virtual Size is much larger than its Size of Raw Data, the section occupies more space in memory than it does on disk, which is typical of packed code, especially when it is the .text section that grows in memory. Two caveats: a Virtual Size slightly smaller than the raw size is normal, because raw sizes are rounded up to the file alignment, and a .data or .bss section may legitimately be larger in memory because uninitialized data takes no space on disk.
DLL File
Executable File
Next, the imports hint at what the malware does. The interesting imports in the executable are FindFirstFile, FindNextFile and CopyFile, which tell us that the program searches the filesystem and copies files. The DLL imports Sleep, CreateProcessA and the Winsock library WS2_32.dll, which points to a component that waits, communicates over the network and launches processes: the shape of a backdoor.
- FindFirstFileA (starts enumerating files that match a path pattern): https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-findfirstfilea
- FindNextFileA (continues an enumeration started by FindFirstFileA): https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-findnextfilea
- CopyFileA (copies an existing file to a new file): https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-copyfilea
- Sleep (suspends the thread for a number of milliseconds; often used for delays between beacons or to stall sandboxes): https://learn.microsoft.com/en-us/windows/win32/api/synchapi/nf-synchapi-sleep
- CreateProcessA (creates a new process, typically a shell or a dropped payload): https://learn.microsoft.com/en-us/windows/win32/api/processthreadsapi/nf-processthreadsapi-createprocessa
- WS2_32.dll (Winsock 2, the user-mode socket API; its presence alone indicates network capability): https://learn.microsoft.com/en-us/windows/win32/winsock/transport-division-of-responsibilities-between-dll-and-service-providers-2
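The two static checks above (section sizes as a packing indicator, and the import table as a capability hint) can be done without any tool by reading the PE headers directly. The following Python is an added example written for this page, not code from the Practical Malware Analysis lab or from the author; it builds a constructed, non-loadable PE32 image whose import table mirrors the functions listed above (the WS2_32 entry is an ordinal-only import with an assumed ordinal of 23), then parses the section table, flags sections whose Virtual Size exceeds Size of Raw Data by an assumed factor of 4, walks the import directory (handling both name and ordinal imports, PE32 and PE32+ thunk widths) and maps the imported names to the capabilities discussed.

```python
import struct

# Constructed import set mirroring the functions discussed on this page (not parsed from the real Lab01-01 files).
# The WS2_32 entry is an ordinal-only import, which is how Winsock is often linked; ordinal 23 is an assumed value.
IMPORTS = {"KERNEL32.dll": ["FindFirstFileA", "FindNextFileA", "CopyFileA", "Sleep", "CreateProcessA"],
           "WS2_32.dll": [23]}

def build_import_table(imports, base_rva):
    """Build the IMAGE_IMPORT_DESCRIPTOR array, DLL names, hint/name entries and thunks as one blob at base_rva."""
    buf = bytearray(20 * (len(imports) + 1))           # descriptor array, terminated by an all-zero descriptor
    def put(blob):
        while len(buf) % 4:
            buf.append(0)
        rva = base_rva + len(buf)
        buf.extend(blob)
        return rva
    for i, (dll, funcs) in enumerate(imports.items()):
        name_rva = put(dll.encode() + b"\0")
        entries = []
        for f in funcs:
            # ordinal import: high bit set, ordinal in the low 16 bits; name import: RVA of Hint(2) + ASCIIZ name
            entries.append(0x80000000 | f if isinstance(f, int) else put(b"\0\0" + f.encode() + b"\0"))
        thunk_rva = put(b"".join(struct.pack("<I", e) for e in entries) + b"\0" * 4)
        struct.pack_into("<IIIII", buf, i * 20, thunk_rva, 0, 0, name_rva, thunk_rva)
    return bytes(buf)

def build_sample_pe(packed=False):
    """Constructed minimal PE32 image: DOS/PE headers, a one-byte .text stub and a .rdata holding the imports."""
    TEXT_RVA, RDATA_RVA, RDATA_OFF = 0x1000, 0x2000, 0x400
    rdata = build_import_table(IMPORTS, RDATA_RVA)
    assert len(rdata) <= 0x200
    text_vsize = 0x40000 if packed else 0x1F0          # a packed .text claims far more memory than it has on disk
    sections = [(b".text", text_vsize, TEXT_RVA, 0x200, 0x200, 0x60000020),
                (b".rdata", len(rdata), RDATA_RVA, 0x200, RDATA_OFF, 0x40000040)]
    opt = bytearray(224)                               # PE32 optional header with 16 data directories
    struct.pack_into("<H", opt, 0, 0x10B)              # Magic = PE32
    struct.pack_into("<II", opt, 104, RDATA_RVA, 20 * (len(IMPORTS) + 1))  # DataDirectory[1] = import table
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdr = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))   # e_lfanew at 0x3C points to "PE\0\0"
    hdr += b"PE\0\0" + coff + opt
    for name, vs, va, rs, ptr, ch in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name, vs, va, rs, ptr, 0, 0, 0, 0, ch)
    return bytes(hdr.ljust(0x200, b"\0")) + b"\xC3".ljust(0x200, b"\0") + rdata.ljust(0x200, b"\0")

def parse_sections(data):
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]          # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]     # COFF SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                                # section table follows the optional header
    secs = []
    for i in range(nsec):
        name, vs, va, rs, ptr, _, _, _, _, ch = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        secs.append({"name": name.rstrip(b"\0").decode(), "vsize": vs, "va": va, "rsize": rs, "ptr": ptr, "chars": ch})
    return e_lfanew, secs

def packing_indicators(secs, ratio=4.0):
    """Names of sections whose in-memory size dwarfs their on-disk size, or that have no raw data at all."""
    return [s["name"] for s in secs if s["rsize"] == 0 or s["vsize"] > ratio * s["rsize"]]

def rva_to_offset(secs, rva):
    for s in secs:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return rva - s["va"] + s["ptr"]
    raise ValueError(f"RVA {rva:#x} not mapped by any section")

def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data):
    """Return {dll: [function or 'ordinal#N', ...]} by walking the import directory."""
    e_lfanew, secs = parse_sections(data)
    opt = e_lfanew + 24
    pe32plus = struct.unpack_from("<H", data, opt)[0] == 0x20B
    imp_rva = struct.unpack_from("<I", data, opt + (120 if pe32plus else 104))[0]
    fmt, size, ord_flag = ("<Q", 8, 1 << 63) if pe32plus else ("<I", 4, 1 << 31)
    result, desc = {}, rva_to_offset(secs, imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:                              # terminating descriptor
            break
        thunk, funcs = rva_to_offset(secs, oft or ft), []
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            funcs.append(f"ordinal#{entry & 0xFFFF}" if entry & ord_flag
                         else read_cstr(data, rva_to_offset(secs, entry) + 2))   # +2 skips the Hint field
            thunk += size
        result[read_cstr(data, rva_to_offset(secs, name_rva))] = funcs
        desc += 20
    return result

CAPABILITIES = {"file search": {"FindFirstFileA", "FindNextFileA", "FindFirstFileW", "FindNextFileW"},
                "file copy": {"CopyFileA", "CopyFileW"},
                "process creation": {"CreateProcessA", "CreateProcessW"},
                "delay/evasion": {"Sleep"}}

def capabilities(imports):
    """Coarse capability tags from imported names; Winsock counts even when imported purely by ordinal."""
    found = {"networking (Winsock)"} if any(d.lower() == "ws2_32.dll" for d in imports) else set()
    for funcs in imports.values():
        found |= {cap for cap, names in CAPABILITIES.items() if names & set(funcs)}
    return sorted(found)

if __name__ == "__main__":
    for packed in (False, True):
        pe = build_sample_pe(packed)
        _, secs = parse_sections(pe)
        print("packed" if packed else "clean", packing_indicators(secs), capabilities(parse_imports(pe)))
```

On a real sample you would read the file from disk instead of calling build_sample_pe; the parsing functions do not depend on the constructed layout. Note that an ordinal-only Winsock import hides which socket functions are used, which is why the mere presence of WS2_32.dll is treated as a networking indicator.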