1 minute read

Chapter 3

Note on VM Setup:

For Lab 3 of Practical Malware Analysis, my initial analysis environment consisted of a Windows 10 virtual machine configured with FLARE VM.

However, during the course of the lab, I encountered malware samples that were packed with UPX and designed to run specifically on older Windows systems—namely Windows XP. Furthermore, the lab exercises required dynamic analysis, including running the samples to observe their behavior, something that became problematic in the modern FLARE VM environment due to compatibility issues.

To address these issues, I set up a Windows XP virtual machine dedicated to (partial) dynamic malware analysis.

Lab 3-1:

Hashes:

!!!

Question 1: What are this malware’s imports and strings?

Imports:

Only ExitProcess from kernel32.dll is exposed at this point. (PEiD suggests that binary might be packed with PEncrypt 3.1 Final).

Assumptions based on static analysis:

  1. Dropped vmx32to64.exe (?)
  2. WinVMX32-mutex (?) After dynamic analysis:

Question 3: Are there any useful network-based signatures for this malware? If so, what are they?

Based on Basic Static Analysis: Reference to: www[.]practicalmalwareanalysis[.]com

Lab 3-2:

Hashes:

!!!!

Question 1: How can you get this malware to install itself?

Question 2: How would you get this malware to run after installation?

Question 3: How can you find the process under which this malware is running?

Question 4: Which filters could you set in order to use procmon to glean information?

Question 5: What are the malware’s host-based indicators?

Question 6: Are there any useful network-based signatures for this malware?

Lab 3-3:

Question 1. What do you notice when monitoring this malware with Process Explorer?

Question 2. Can you identify any live memory modifications?

Question 3. What are the malware’s host-based indicators?

Question 4. What is the purpose of this program?

Lab 3-4:

Question 1. What happens when you run this file?

Question 2. What is causing the roadblock in dynamic analysis?

Question 3. Are there other ways to run this program?

You May Also Enjoy

[WiP] Hack The Box - Subatomic WriteUp

less than 1 minute read

Welcome to this Sherlock challenge, where I’ll embark on a thrilling investigation to dissect the malware, regain control of Forela’s account, and thwart fu...

TryHackMe - Basic Malware RE

2 minute read

Greetings, fellow tech enthusiasts and security adventurers! This blog chronicles my journey into the cryptic world of malware analysis and reverse engineeri...