Published in Malware Analysis

Practical Malware Analysis

Lab 6 — C Code Constructs in Assembly

Solutions for Lab 6 within Practical Malware Analysis.

Following on from Lab 5 — IDA Pro, we get more comfortable looking at assembly, using IDA Pro, and recognising common C code constructs such as if statements, for and while loops, switches and structs, in order to gain an understanding of a program’s functionality.

Each program in Lab 6 builds upon the previous one, so expect to see similarities along with increasing complexity.


________________________________________________________________

Lab06-01.exe

Analyze the malware found in the file Lab06-01.exe.

1. What is the major code construct found in the only subroutine called by main?
2. What is the subroutine located at 0x40105F?
3. What is the purpose of this program?

1. What is the major code construct found in the only subroutine called by main?

Before we start, it is worth noting that IDA does not always recognise the main subroutine. It can be found quickly by following the start function (the C runtime entry point) to the call that receives main's expected parameters, argc and argv: here that is sub_401040. I renamed the subroutine to main (figure 1).

Figure 1: Lab06-01 | main subroutine

Navigating into the first subroutine called in main (sub_401000) (figure 2), we see it calls the external API InternetGetConnectedState, which returns TRUE if the system has an internet connection and FALSE otherwise. The return value is compared against 0 (FALSE), followed by a JZ (jump if zero), so the jump is taken only when InternetGetConnectedState returned FALSE, i.e. when there is no internet connection.

Figure 2: Lab06-01 | sub_401000 internet connection test

On the jump path (short loc_40102B) the string printed is ‘Error 1.1: No Internet\n’ and the subroutine returns 0.

If InternetGetConnectedState returns TRUE, the jump is not taken, the string printed is ‘Success: Internet Connection\n’ and the subroutine returns 1.

Two paths selected by a single comparison on the API's return value: the major code construct is a basic if statement.

2. What is the subroutine located at 0x40105F?

Both paths push a string ending in \n and then call sub_40105F, so it is safe to assume that sub_40105F is printf, a function that takes a format string as its first argument and prints it.

IDA didn’t automatically pick this up for me, but with some cross-referencing and a look at the arguments pushed before each call, the identification is safe. A further check: after each call the caller cleans up the stack (an add esp, 4 following the single pushed argument), which is the calling convention a variadic function such as printf requires.

3. What is the purpose of this program?

Lab06-01.exe is a simple program that tests for an internet connection. It uses the API call InternetGetConnectedState to determine whether there is internet access, and prints an advisory string accordingly.

Lab06-02.exe

Analyze the malware found in the file Lab06-02.exe.

1. What operation does the first subroutine called by main perform?
2. What is the subroutine located at 0x40117F?
3. What does the second subroutine called by main do?
4. What type of code construct is used in this subroutine?
5. Are there any network-based indicators for this program?
6. What is the purpose of this malware?

Lab06-02.exe follows on from Lab06-01.exe, using the same concepts in a more complex binary.

1 & 2. What operation does the first subroutine called by main perform? What is the subroutine located at 0x40117F?

This is very similar to Lab06-01.exe. We can easily find the main subroutine again (this time sub_401130), and again the first subroutine called is sub_401000. It is essentially unchanged: it calls InternetGetConnectedState and prints the appropriate message (figure 3). We can also verify that 0x40117F is still the printf function, which I have renamed.

Figure 3: Lab06-02 | sub_401000 internet connection test & sub_40117F (printf)

3. What does the second subroutine called by main do?

This is something new: the main function in Lab06-02.exe is a little more complex, with an added subroutine and another conditional (figure 4). The value returned by sub_401000 is compared with 0 and followed by a jnz (jump if not zero), so sub_401040 is reached only when sub_401000 returned a non-zero value, i.e. when an internet connection was found.

Figure 4: Lab06-02 | main subroutine

Navigating to sub_401040, we immediately see some key information, which supports the conclusion that this code only runs when there is an internet connection.

The most prominent details are two WinINet API calls: InternetOpenA, which initialises a WinINet session and sets the User-Agent for it, and InternetOpenUrlA, which opens a URL through that session. Strings at offset addresses are pushed just before these calls, indicating they are passed as arguments (figure 5).

Figure 5: Lab06-02 | Internet connection API calls and strings

First, szAgent, containing the string “Internet Explorer 7.5/pma”, is passed to InternetOpenA as the User-Agent string.
szUrl contains the string “http://www.practicalmalwareanalysis.com/cc.htm”, the URL passed to InternetOpenUrlA.

The handle returned by InternetOpenUrlA is then tested with another cmp / jnz. If the handle is NULL (the URL could not be opened) the jump is not taken, the OpenUrl error message (Error 2.1) is printed and the internet handle is closed.

4. What type of code construct is used in sub_401040?

If the URL is opened successfully, the program attempts to read 200h (512) bytes of the file (cc.htm) into a buffer using the API call InternetReadFile; if that call fails, the jnz falls through to the path that prints “Error 2.2: Fail to ReadFile\n” and closes the handles (figure 6).

Figure 6: Lab06-02 | Reading the first 4 bytes of cc.htm

There are then four cmp / jnz blocks, each comparing a single byte of Buffer against a constant: Buffer, Buffer+1, Buffer+2 and Buffer+3. This is the code construct to recognise here: a character array filled by InternetReadFile and then indexed one element at a time.

The constants have been converted (by pressing R) to ASCII; combined they read <!--, the start of an HTML comment. If all four comparisons succeed, the byte at var_20C is loaded into AL and returned. var_20C is not a separate variable but the fifth byte of the same array (Buffer+4; check the stack frame offsets and it sits 4 bytes after the start of Buffer), i.e. the command character that follows the comment opener. If any byte does not match, the alternative path is taken and the string “Error 2.3: Fail to get command\n” is printed.

Looking back at main, if all of this succeeds the string “Success: Parsed command is %c\n” is printed and the program Sleeps for 60000 milliseconds (60 seconds) (figure 7). The %c is filled from var_8, which holds the value returned by sub_401040: the single command character that follows <!-- in cc.htm, not the whole file.

Figure 7: Lab06-02 | Reporting successful read of command and sleeping for 60 seconds
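The parsing logic described above, reconstructed in portable C as an added example (this is not code from the lab binary or the book). The InternetReadFile step is replaced by copying a constructed HTTP body into the 512-byte buffer, and the length check is an addition: the lab binary tests only the four marker bytes, so check in IDA whether it also compares the number of bytes InternetReadFile reported (lpdwNumberOfBytesRead) before reading the fifth byte.

```c
/* Added example, not the lab's own code: a portable reconstruction of the
 * cc.htm command parser in sub_401040. The buffer is filled from a
 * constructed body instead of InternetReadFile. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CC_BUFFER_SIZE 0x200      /* 512 bytes, matching the 200h read size */
#define CC_MARKER      "<!--"     /* start of an HTML comment */
#define CC_MARKER_LEN  4

/* Returns the command character that follows "<!--", or 0 when the buffer
 * does not start with the marker, which is the "Error 2.3: Fail to get
 * command" path. The bytes_read guard is an addition for safety: confirm in
 * IDA whether the binary checks the count before reading the fifth byte. */
char cc_parse_command(const unsigned char *buf, size_t bytes_read)
{
    if (bytes_read < CC_MARKER_LEN + 1)
        return 0;
    /* The compiled code does this as four cmp/jnz blocks on Buffer,
     * Buffer+1, Buffer+2 and Buffer+3; memcmp is the same test. */
    if (memcmp(buf, CC_MARKER, CC_MARKER_LEN) != 0)
        return 0;
    return (char)buf[CC_MARKER_LEN];   /* Buffer+4, the byte IDA named var_20C */
}

/* Simulates one download: copies at most 512 bytes of a constructed HTTP
 * body into the stack buffer, as InternetReadFile would, then parses it. */
char cc_parse_body(const char *body, size_t body_len)
{
    unsigned char buffer[CC_BUFFER_SIZE];
    size_t n = body_len < CC_BUFFER_SIZE ? body_len : CC_BUFFER_SIZE;

    memcpy(buffer, body, n);
    return cc_parse_command(buffer, n);
}

int main(void)
{
    /* Constructed sample bodies; the real cc.htm was not available. */
    static const char *samples[] = {
        "<!--b-->",                     /* command 'b' */
        "<!-- c -->",                   /* command is the space, not 'c' */
        "<html><body>hi</body></html>", /* no marker: Error 2.3 path */
        "<!--",                         /* marker but no command byte */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char cmd = cc_parse_body(samples[i], strlen(samples[i]));
        if (cmd)
            printf("%-30s -> Success: Parsed command is %c\n", samples[i], cmd);
        else
            printf("%-30s -> Error 2.3: Fail to get command\n", samples[i]);
    }
    return 0;
}
```

The second sample is the one worth remembering when writing a detection or a fake C2 for a sandbox run: the command is exactly the fifth byte, so whitespace after <!-- is not skipped and would be returned as the command.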

5. Are there any network-based indicators for this program?

The key NBIs (network-based indicators) for the program are the User-Agent string and the URL passed to InternetOpenA and InternetOpenUrlA respectively: Internet Explorer 7.5/pma and http://www.practicalmalwareanalysis.com/cc.htm

6. What is the purpose of this malware?

Very similar to Lab06-01.exe, Lab06-02.exe tests for an internet connection and prints an appropriate message. On success, however, the program then attempts to download http://www.practicalmalwareanalysis.com/cc.htm and parse a one-character command from an HTML comment at the start of the file.

Figure 8: Lab06-02.exe | Tested execution

Upon testing, this file is not available on the server. The program did not successfully read the required first 4 bytes, so an error message was printed (figure 8).

Lab06-03.exe

Analyze the malware found in the file Lab06-03.exe.

1. Compare the calls in main to Lab06-02.exe’s main method. What is the new function called from main?
2. What parameters does this new function take?
3. What major code construct does this function contain?
4. What can this function do?
5. Are there any host-based indicators for this malware?
6. What is the purpose of this malware?

Lab06-03.exe again follows on from the previous lab, adding further complexity.

1. Compare the calls in main to Lab06–02.exe’s main method. What is the new function called from main?

For both executables, I have renamed all of the functions we have already analysed. The difference between the two is an additional function, sub_401130, called once the internet connection has been tested, the file has been downloaded, and the successful parsing of the command has been printed (figure 9).

Figure 9: Lab06-03.exe | Comparison of Lab06-03.exe (left) and Lab06-02.exe (right) main functions

2. What parameters does this new function take?

sub_401130 takes two parameters. The first is a char, the command character read from http://www.practicalmalwareanalysis.com/cc.htm; the second is lpExistingFileName, a pointer to a character string holding the program’s own path (Lab06-03.exe, i.e. argv[0]) (figure 10). Both are pushed onto the stack by main before the call.

Figure 10: Lab06-03.exe | sub_401130 parameters.

3. What major code construct does this function contain?

IDA has helpfully indicated that the major code construct is a five-case switch statement by adding the comments 'switch 5 cases' and 'jumptable 00401153 default case'. Previously we saw cmp / jump pairs forming if statements with two paths; here a single value selects one of five paths through a jump table, plus the default. We can confirm this in the flowchart graph view, where there are five switch cases and one default case (figure 11).

Figure 11: Lab06-03.exe | sub_401130 flowchart

4. What can this function do?

The five switch cases are as follows (figure 12):

Figure 12: Lab06-03.exe | sub_401130 switch cases

The switch prologue subtracts the lowest case value from the command character and range-checks the result (jump-table index 0 to 4; anything else goes to the default case), then the program executes the appropriate API calls to perform file and directory operations or a registry modification. lpExistingFileName is the current file, Lab06-03.exe. Writing the value Malware = C:\Temp\cc.exe under the registry key Software\Microsoft\Windows\CurrentVersion\Run is a persistence method that executes the copied malware at logon.

5. Are there any host-based indicators for this malware?

The key HBIs (host-based indicators) are the file written to disk (C:\Temp\cc.exe) and the registry value used for persistence (key Software\Microsoft\Windows\CurrentVersion\Run, value name Malware, data C:\Temp\cc.exe).

6. What is the purpose of this malware?

Following on from the simpler Lab06-01.exe and Lab06-02.exe, Lab06-03.exe also tests for an internet connection and prints an appropriate message, then attempts to download and read http://www.practicalmalwareanalysis.com/cc.htm. Depending on the command character parsed from cc.htm, the switch construct performs one of:

  • Create directory C:\Temp
  • Copy the current file (Lab06-03.exe) to C:\Temp\cc.exe
  • Set the Run registry value Malware = C:\Temp\cc.exe for persistence
  • Delete C:\Temp\cc.exe
  • Sleep the program for 100 seconds
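The switch construct of sub_401130 written two ways, as an added example (not code from the lab or the book): first as the C source the author most likely wrote, then as the jump-table form the compiler emits, which is what IDA annotates as 'switch 5 cases'. It assumes the case values are the consecutive characters 'a' to 'e' (the subtraction before the range check in IDA shows the lowest case value); the letter-to-action assignment and the action names are assumptions for this example, so read the real case order from the jump table in figure 12.

```c
/* Added example, not the lab's own code: the switch in sub_401130 written as
 * C source and as the jump-table form the compiler emits. The letter to
 * action mapping is assumed; take the real order from the jump table. */
#include <stddef.h>
#include <stdio.h>

typedef enum {
    ACT_DEFAULT = 0,    /* unrecognised command: the "default case" block */
    ACT_CREATE_DIR,     /* CreateDirectory C:\Temp */
    ACT_COPY_SELF,      /* CopyFile lpExistingFileName -> C:\Temp\cc.exe */
    ACT_DELETE_COPY,    /* DeleteFile C:\Temp\cc.exe */
    ACT_SET_RUN_VALUE,  /* Run value Malware = C:\Temp\cc.exe */
    ACT_SLEEP_100S      /* Sleep(100000) */
} cc_action;

static const char *const cc_action_names[] = {
    "default (no action)", "CreateDirectory", "CopyFile",
    "DeleteFile", "RegSetValueEx", "Sleep"
};

/* Source form: what the author most likely wrote. */
cc_action cc_dispatch_switch(char command)
{
    switch (command) {
    case 'a': return ACT_CREATE_DIR;
    case 'b': return ACT_COPY_SELF;
    case 'c': return ACT_DELETE_COPY;
    case 'd': return ACT_SET_RUN_VALUE;
    case 'e': return ACT_SLEEP_100S;
    default:  return ACT_DEFAULT;
    }
}

/* Compiled form: the pattern to recognise in the disassembly when the case
 * values are dense. In x86 terms:
 *   movsx eax, [ebp+arg_0]     ; load the command character
 *   sub   eax, 61h             ; subtract the lowest case ('a')
 *   cmp   eax, 4               ; five cases -> indices 0..4
 *   ja    default_case         ; unsigned compare also rejects values below 'a'
 *   jmp   off_jumptable[eax*4] ; IDA: "switch 5 cases" / "jumptable ..." */
cc_action cc_dispatch_jumptable(char command)
{
    static const cc_action jumptable[5] = {
        ACT_CREATE_DIR, ACT_COPY_SELF, ACT_DELETE_COPY,
        ACT_SET_RUN_VALUE, ACT_SLEEP_100S
    };
    unsigned int index = (unsigned int)((int)command - 'a');

    if (index > 4)             /* the ja: index wrapped around or too large */
        return ACT_DEFAULT;
    return jumptable[index];
}

/* Returns 1 if both forms agree for every possible char value. */
int cc_dispatch_forms_agree(void)
{
    int c;

    for (c = -128; c <= 127; c++)
        if (cc_dispatch_switch((char)c) != cc_dispatch_jumptable((char)c))
            return 0;
    return 1;
}

int main(void)
{
    const char probes[] = { 'a', 'c', 'e', 'f', '`', 0 };
    size_t i;

    for (i = 0; i < sizeof probes; i++)
        printf("command 0x%02x -> %s\n", (unsigned char)probes[i],
               cc_action_names[cc_dispatch_jumptable(probes[i])]);
    printf("forms agree: %s\n", cc_dispatch_forms_agree() ? "yes" : "no");
    return 0;
}
```

The unsigned compare is the detail to look for: a single ja after the subtraction rejects both characters above 'e' and characters below 'a' (whose index wraps to a huge unsigned value), which is why IDA can label one block as the default case for the whole switch.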

Lab06-04.exe

Analyze the malware found in the file Lab06-04.exe.

1. What is the difference between the calls made from the main method in Lab06-03.exe and Lab06-04.exe?
2. What new code construct has been added to main?
3. What is the difference between this lab’s parse HTML function and those of the previous labs?
4. How long will this program run? (Assume that it is connected to the Internet.)
5. Are there any new network-based indicators for this malware?
6. What is the purpose of this malware?

1. What is the difference between the calls made from the main method in Lab06-03.exe and Lab06-04.exe?

Figure 13: Lab06-04.exe | Modified downloadFile function with arg_0

Of the subroutines called from main that we have already analysed (renamed to testInternet, printf, downloadFile and commandSwitch), only downloadFile has changed notably. The string at aInternetExplor is now Internet Explorer 7.50/pma%d, a format string for the User-Agent (szAgent) containing a %d not seen previously, and the function has gained a parameter, arg_0 (figure 13).

The %d directive causes the printf-family call that builds szAgent to insert arg_0 as a decimal integer into the User-Agent. Since the result is used as the User-Agent rather than displayed, this call writes to a buffer (sprintf-style) rather than to the console. The value comes from main, where IDA names the variable passed to downloadFile var_C (figure 14).

Figure 14: Lab06-04.exe | Variable passed to downloadFile

Some of the called subroutines have different addresses from those in the previous Lab06-0X.exe samples because main is larger and more complex.

2. What new code construct has been added to main?

main has been extended to include a for loop code construct, as observed in the flowchart graph view (figure 15).

Figure 15: Lab06-04.exe | For loop within main

A for loop code construct has four components: initialisation, comparison, body, and increment, all of which can be observed within main (figure 16):

Figure 16: Lab06-04.exe | For loop components

3. What is the difference between this lab’s parse HTML function and those of the previous labs?

As identified above, the parse HTML function (downloadFile) now takes a parameter. Comparing it with main shows that the for loop's counter (var_C) is what main passes; inside downloadFile it arrives as arg_0 and is formatted into the User-Agent Internet Explorer 7.50/pma%d. Because the counter increases by 1 on every iteration, the User-Agent tells the server how many times the beacon has run, and it also means the User-Agent changes on every request (pma0, pma1, ...), which matters when writing a network signature.

4. How long will this program run? (Assume that it is connected to the Internet.)

Several aspects of main’s for loop let us work out roughly how long the program will run. Firstly, there is a Sleep of 60 seconds (60000 ms) after the commandSwitch function. We also know that the counter (var_C) is incremented by 1 each loop (figure 17).

Figure 17: Lab06-04.exe | Sleep function and for loop increment

The for loop starts var_C at 0 and exits once it reaches 1440. That is 1440 iterations of at least 60 seconds each: 86400 seconds, or 24 hours. The estimate ignores the time each download takes, and the program runs longer if the command received in any of the 1440 iterations makes commandSwitch sleep for 100 seconds.

5. Are there any new network-based indicators for this malware?

The only new NBI for Lab06-04.exe is the User-Agent format string “Internet Explorer 7.50/pma%d” (aInternetExplor), which produces a different User-Agent on each iteration, pma0 through pma1439; “http://www.practicalmalwareanalysis.com/cc.htm” remains the other, already known, indicator.
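Turning the indicators above into something checkable: an added example (not from the post) in C that builds the Lab06-04 User-Agent for a given iteration the way the %d format does (this also covers the arg_0 discussion under question 3) and matches both User-Agent forms and the C2 URL in proxy-log lines. The log lines and their format are constructed for the example, not real traffic.

```c
/* Added example, not the post's own code: build and match the network-based
 * indicators of Lab06-02/03/04. The log line format is constructed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PMA_UA_FIXED   "Internet Explorer 7.5/pma"    /* Lab06-02, Lab06-03 */
#define PMA_UA_COUNTED "Internet Explorer 7.50/pma"   /* Lab06-04, + counter */
#define PMA_C2_URL     "http://www.practicalmalwareanalysis.com/cc.htm"

/* Builds the Lab06-04 User-Agent for loop iteration i, as the binary's
 * sprintf-style formatting of "Internet Explorer 7.50/pma%d" does.
 * Returns the number of characters written (snprintf semantics). */
int pma_build_user_agent(int i, char *out, size_t out_len)
{
    return snprintf(out, out_len, PMA_UA_COUNTED "%d", i);
}

/* Returns 1 for the fixed User-Agent, 2 for the counted form (prefix followed
 * by one or more decimal digits), 0 for anything else. */
int pma_match_user_agent(const char *ua)
{
    size_t plen = strlen(PMA_UA_COUNTED);
    const char *p;

    if (strcmp(ua, PMA_UA_FIXED) == 0)
        return 1;
    if (strncmp(ua, PMA_UA_COUNTED, plen) != 0)
        return 0;
    p = ua + plen;
    if (*p == '\0')
        return 0;                  /* "pma" with no counter */
    for (; *p != '\0'; p++)
        if (!isdigit((unsigned char)*p))
            return 0;
    return 2;                      /* a counter above 1439 would be a variant */
}

/* Builds the User-Agent for iteration i and feeds it back to the matcher. */
int pma_roundtrip(int i)
{
    char ua[64];

    pma_build_user_agent(i, ua, sizeof ua);
    return pma_match_user_agent(ua);
}

/* Scans one constructed log line of the form
 *   <client> <method> <url> <status> "<user-agent>"
 * and returns a bitmask: 1 = C2 URL present, 2 = PMA User-Agent present. */
int pma_scan_log_line(const char *line)
{
    int hits = 0;
    const char *q1, *q2;
    char ua[128];
    size_t n;

    if (strstr(line, PMA_C2_URL) != NULL)
        hits |= 1;
    q1 = strchr(line, '"');
    q2 = q1 ? strchr(q1 + 1, '"') : NULL;
    if (q2 != NULL) {
        n = (size_t)(q2 - q1 - 1);
        if (n < sizeof ua) {
            memcpy(ua, q1 + 1, n);
            ua[n] = '\0';
            if (pma_match_user_agent(ua) != 0)
                hits |= 2;
        }
    }
    return hits;
}

int main(void)
{
    /* Constructed proxy-log lines, not real traffic. */
    static const char *lines[] = {
        "10.0.0.5 GET http://www.practicalmalwareanalysis.com/cc.htm 404 \"Internet Explorer 7.50/pma3\"",
        "10.0.0.5 GET http://example.com/ 200 \"Mozilla/5.0\"",
        "10.0.0.6 GET http://example.com/ 200 \"Internet Explorer 7.5/pma\"",
    };
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("hits=%d  %s\n", pma_scan_log_line(lines[i]), lines[i]);
    return 0;
}
```

Matching the counted form as prefix plus digits rather than as a fixed string is the point: a signature on the exact string "Internet Explorer 7.50/pma0" would fire once and then miss the remaining 1439 beacons.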

6. What is the purpose of this malware?

Lab06-04.exe is the most complex of the four samples: a basic program that checks for an internet connection has been developed into one that contacts a C2 domain to retrieve commands and performs specific actions on the host. It runs for approximately 24 hours, making up to 1440 requests to the C2 domain at 60-second intervals, and longer if the 100-second sleep command is received. Its commands allow it to create C:\Temp, copy itself there, set a Run registry value for persistence, delete the copy, or sleep for 100 seconds.

Chris Eastwood

Incident Response, Forensic Investigations, and Threat Hunting professional, writing things to learn them better.