---
layout: default
permalink: /RE101/section6.1/
title: Dynamic Analysis
---
Congrats, you made it through the workshop. All of your notes and debugging should have led you to a control flow similar to the diagram and report below.
Filename: Unknown.exe
SHA256: a635f37c16fc05e554a6c7b3f696e47e8eaf3531407cac27e357851cb710e615
This file creates a copy of itself under %APPDATA%, sets a persistence mechanism, and beacons to definitely-not-evil.com. If the beacon succeeds, it opens a message box, then decrypts the embedded resource and spawns a shell to open it.
The file is UPX-packed.
Import Functions:
- GetEnvironmentVariable
- CopyFile
- DeleteFile
- InternetOpen
- InternetConnect
- HttpOpenRequest
- HttpSendRequest
- MessageBox
- FindResource
- CryptStringToBinary
- CreateFile
- ShellExecute
- CreateProcess
Files created:
- CreateFile C:\Users\victim\AppData\Roaming\dope.exe
- CreateFile icon.gif

Network beacon:
GET /ayy HTTP/1.1
Content-Type: text/html
MySpecialHeader: whatever
User-Agent: definitely-not-evil.com
Host: definitely-not-evil.com
Cache-Control: no-cache

Registry:
- RegQueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dope

Processes created:
- dope.exe
Control flow:
- Starts by decoding the XOR-encoded strings
- Checks whether dope.exe already exists in %APPDATA%
- If it does not exist, copies itself to %APPDATA% as dope.exe
- Sets the startup registry key
- Starts the newly copied dope.exe process
- Deletes the original
- dope.exe checks whether the registry key is set
- Calls out to definitely-not-evil.com
- If the response is "lmao", opens a message box and extracts the resource
- Base64-decodes the resource
- Saves the decoded resource as icon.gif
- Calls ShellExecute to open icon.gif
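As an added example that is not part of the workshop materials: a small Python triage rule that walks a sandbox-style API trace and maps each call to one of the behavioural stages in the control flow above (drop to %APPDATA%, Run key, execute the copy, self-delete, beacon, open the dropped resource). The trace, the Desktop source path and the API names beyond those in the report are constructed assumptions.

```python
import re

# Constructed sandbox-style API trace modelled on the report above (assumed paths, not real telemetry).
SAMPLE_TRACE = [
    ("CopyFile", r"C:\Users\victim\Desktop\Unknown.exe", r"C:\Users\victim\AppData\Roaming\dope.exe"),
    ("RegQueryValue", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\dope"),
    ("CreateProcess", r"C:\Users\victim\AppData\Roaming\dope.exe"),
    ("DeleteFile", r"C:\Users\victim\Desktop\Unknown.exe"),
    ("HttpSendRequest", "GET /ayy HTTP/1.1\r\nMySpecialHeader: whatever\r\n"
                        "User-Agent: definitely-not-evil.com\r\nHost: definitely-not-evil.com\r\n"),
    ("CreateFile", r"C:\Users\victim\AppData\Roaming\icon.gif"),
    ("ShellExecute", r"C:\Users\victim\AppData\Roaming\icon.gif"),
]

APPDATA_EXE = re.compile(r"\\AppData\\Roaming\\[^\\]+\.exe$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)

def header(raw, name):
    """Value of one header in a raw HTTP request, or None if absent."""
    m = re.search(rf"^{name}:\s*(.+?)\r?$", raw, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None

def match_stages(trace):
    """Map each API call to the behavioural stage it evidences; returns the set of stages seen."""
    stages, written, sources = set(), set(), set()
    for api, *args in trace:
        if api in ("CopyFile", "CreateFile"):
            written.add(args[-1].lower())          # every path the sample writes
            if api == "CopyFile":
                sources.add(args[0].lower())       # where the copy came from
            if APPDATA_EXE.search(args[-1]):
                stages.add("drop_to_appdata")
        elif api.startswith("Reg") and RUN_KEY.search(args[0]):
            stages.add("run_key_persistence")
        elif api == "CreateProcess" and args[0].lower() in written:
            stages.add("exec_dropped_copy")
        elif api == "DeleteFile" and args[0].lower() in sources:
            stages.add("self_delete")              # original removed after copying itself
        elif api == "HttpSendRequest":
            ua, host = header(args[0], "User-Agent"), header(args[0], "Host")
            # A User-Agent that just repeats the Host, or the custom header, is the beacon tell.
            if (ua is not None and ua == host) or header(args[0], "MySpecialHeader"):
                stages.add("beacon")
        elif api == "ShellExecute" and args[0].lower() in written:
            stages.add("open_dropped_resource")    # icon.gif handed to ShellExecute
    return stages

def verdict(stages, threshold=3):
    """Flag the sample when enough independent stages of the chain line up."""
    return "suspicious" if len(stages) >= threshold else "benign"
```

Run `verdict(match_stages(SAMPLE_TRACE))` to score the constructed trace; swapping in your own sandbox export only requires producing the same (api, args...) tuples.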