PMA 2. Unpacking

Examining the Strings in Lab01-02.exe with BinText

Examine the strings in Lab01-02.exe with BinText.

There are only a few strings, and the only API names among them are a handful of ordinary Windows functions, as shown below.

These strings don't come from the malware's own code; they belong to the UPX unpacking stub, as we will show below.

Examining the File with PEiD

Run PEiD on the file. It reports the file as packed with UPX, and the "EP Section" field shows that the entry point lies in a UPX section rather than in a normal .text section, as shown below.

Examining the File with PEview

Run PEview on the file. The file has sections labeled UPX0, UPX1, and UPX2, as shown below.

These are section names produced by the UPX packer.

Unpacking the File with UPX

Open a Command Prompt window and execute this command:
UPX
You see a UPX help message, as shown below:

Execute these commands to move to the directory containing the malware samples, and list the files there:

cd "\Users\Administrator\Desktop\Practical Malware Analysis Labs\BinaryCollection\Chapter_1L"

DIR

You see several malware samples, including Lab01-02.exe, as shown below:

Execute these commands to unpack the file, and list the files again:

UPX -d -o Lab01-02-unpacked.exe Lab01-02.exe

DIR

The unpacked file is much larger than the original file, as expected once the compressed sections have been expanded, as shown below. (If UPX instead refuses with a CantUnpackException, the UPX headers have been altered and the file will have to be unpacked manually.)

Analyze the unpacked file with PEiD. It is now recognized as a "Microsoft Visual C++ 6.0" file, as shown below.


PMA 2.1: Two Bytes (5 pts)

On the right side of the PEiD box, find the "First Bytes" value. The last 2 bytes are redacted in the image above. Those bytes are the flag, in this format: A1B2

Imports

Find the unpacked file's imports with Dependency Walker.

The imports from KERNEL32.DLL, ADVAPI32.DLL, and MSVCRT.DLL are uninformative generic functions used by almost every program.

However, the WININET.DLL imports are InternetOpenUrlA and InternetOpenA, as shown below. This indicates that the malware retrieves a URL over the network.

Strings

Find the strings in the unpacked file.

You should see the API names InternetOpenUrlA and InternetOpenA, and the Command-and-Control URL http://www.malwareanalysisbook.com, as shown below.

These suggest that infected machines will connect to http://www.malwareanalysisbook.com. The name of the service the malware runs under, MalService, is also visible.


PMA 2.2: Last String (5 pts)

The last string is redacted in the image above. That string is the flag.

PMA 2.3: Packer Name (5 pts)

Find the packer used for sample Lab01-03.exe.

The flag is the primary packer name, which consists of three capital letters.


PMA 2.4: Datestamp (5 pts)

Find the datestamp showing when sample Lab01-04.exe was compiled.

The flag is the date, in this format: 1999-01-31
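The values PEiD and PEview display above (section names, the "EP Section", the "First Bytes" at the entry point, and the compile datestamp asked for here) all come from fields in the PE header, so they can be read without either tool. The script below is an added example for this lab, not part of the original page or of the Practical Malware Analysis labs; it parses those fields with the Python standard library and runs against a constructed minimal PE32 image with UPX-style sections (build_sample_pe, not a real binary), or against any file passed on the command line. The UPX stub bytes, section layout and timestamp in the sample are assumptions chosen for illustration.

```python
"""Read PE headers the way PEiD/PEview show them: section names, EP section,
first bytes at the entry point and the COFF compile timestamp (stdlib only)."""
import struct
import sys
from datetime import datetime, timezone

UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}   # section names written by the UPX packer


def parse_pe(data):
    """Return timestamp, entry RVA and section table from raw PE bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsect, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint (PE32 and PE32+)
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "vaddr": vaddr, "vsize": vsize,
                         "rawptr": rawptr, "rawsize": rawsize})
    return {"timestamp": tstamp, "entry_rva": entry_rva, "sections": sections}


def section_names(data):
    return [s["name"].decode("ascii", "replace") for s in parse_pe(data)["sections"]]


def looks_upx(data):
    """True if any section carries a UPX name (what PEview shows for a UPX-packed file)."""
    return any(s["name"] in UPX_SECTIONS for s in parse_pe(data)["sections"])


def _containing_section(info, rva):
    for s in info["sections"]:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    raise ValueError("RVA 0x%X is not inside any section" % rva)


def entry_section(data):
    """Name of the section holding the entry point (PEiD's 'EP Section' column)."""
    info = parse_pe(data)
    return _containing_section(info, info["entry_rva"])["name"].decode("ascii", "replace")


def first_bytes(data, n=4):
    """Hex of the first n bytes at the entry point (PEiD's 'First Bytes' column)."""
    info = parse_pe(data)
    s = _containing_section(info, info["entry_rva"])
    delta = info["entry_rva"] - s["vaddr"]
    if delta >= s["rawsize"]:
        # UPX0 is the classic case: a large virtual range with no bytes on disk at all.
        raise ValueError("entry point is not backed by file data")
    off = s["rawptr"] + delta
    return data[off:off + n].hex().upper()


def compile_date(data):
    """COFF TimeDateStamp as YYYY-MM-DD (UTC). The linker writes this field, but anyone
    can patch it afterwards, so treat it as a claim made by the binary, not as evidence."""
    return datetime.fromtimestamp(parse_pe(data)["timestamp"], tz=timezone.utc).strftime("%Y-%m-%d")


def build_sample_pe():
    """Constructed input: a minimal PE32 with UPX-style headers, not a real binary."""
    sections = [  # name,  vaddr,  vsize,  rawptr, rawsize
        (b"UPX0", 0x1000, 0x5000, 0x200, 0),      # decompression target: no raw data on disk
        (b"UPX1", 0x6000, 0x2000, 0x200, 0x200),  # compressed payload plus the stub
        (b"UPX2", 0x8000, 0x1000, 0x400, 0x200),  # import/relocation helpers
    ]
    entry_rva = 0x6010
    stub = b"\x60\xBE\x00\x60\x40\x00"   # PUSHAD; MOV ESI, imm32: the usual UPX stub prologue (assumed)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 1_000_000_000, 0, 0, 224, 0x010F)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)   # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)    # ImageBase
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, 0xE0000080)
                     for n, va, vs, rp, rs in sections)
    image = bytearray((dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(0x600, b"\0"))
    image[0x210:0x210 + len(stub)] = stub        # file offset of entry = 0x200 + (0x6010 - 0x6000)
    return bytes(image)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("sections   :", section_names(data))
    print("UPX?       :", looks_upx(data))
    print("EP section :", entry_section(data))
    print("first bytes:", first_bytes(data))
    print("compiled   :", compile_date(data))
```

Run it as `python pe_headers.py Lab01-04.exe` to print the same fields PEiD shows; with no argument it runs on the constructed sample. Two practitioner points are built in: first_bytes maps the entry RVA to a file offset through the section table and refuses when the entry point falls in a section with no raw data (UPX0 has a large virtual size but zero bytes on disk, so a naive RVA-to-offset calculation silently reads the wrong bytes), and compile_date is UTC and reads a field the author controls, which is why a compile date can be in the future.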


Revised for WCIL 5-21-19