Malware Analysis - Part 2: Basic Static Analysis, Understanding Packed Malware (UPX)



Hello and welcome to Part 2 of our malware analysis journey! Today, I find myself with some extra time after work.
Fueled by my curiosity to delve deeper into understanding the software, I present the analysis findings from today's exploration.

We begin our exploration of malware analysis again with static analysis, this time looking at other malware techniques. Static analysis is usually the first step in analyzing malware, and it gives a certain amount of insight into the sample's function before anything is run.

First, we can use file hashes to check whether the file is already known to be malicious. We take the Message-Digest Algorithm 5 (MD5) hash (a sort of fingerprint) and search for it online to see if the file has already been identified.


By analyzing the Portable Executable (PE) file, we were able to identify that the file is packed with UPX.


An obvious indicator is the section names UPX0, UPX1, and UPX2 (the section names UPX gives to a packed executable).

Notice the relatively small number of imports and that the first section, UPX0, has a virtual size of 0x4000 but a raw data size of 0. UPX0 is the largest section, and it’s marked executable, so it’s probably where the original unpacked code belongs.
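To make the section-table check above concrete, here is an added example (not code from the original post) that walks the PE headers with the Python standard library only and applies the same heuristics: UPX section names, an executable section with a large virtual size but zero bytes on disk, and a sparse import table. The PE header bytes are constructed inside the script to mirror the layout described, and the "few imports" threshold is an assumption.

```python
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def parse_sections(data):
    """DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _va, rsize, *_, chars = struct.unpack_from(SECTION_HDR, data, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rsize,
                         "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE)})
    return sections

def packing_indicators(sections, import_count, few_imports=10):
    """Signs from the post: UPX names, executable sections with a large virtual
    size but no bytes on disk, and a sparse import table (threshold is assumed)."""
    findings = []
    for s in sections:
        if s["name"].upper().startswith("UPX"):
            findings.append(f"{s['name']}: UPX section name")
        if s["virtual_size"] > 0 and s["raw_size"] == 0:
            findings.append(f"{s['name']}: virtual size 0x{s['virtual_size']:x}, raw size 0"
                            + (" (executable, likely unpacking target)" if s["executable"] else ""))
    if import_count < few_imports:
        findings.append(f"only {import_count} imports")
    return findings

def build_sample_pe(sections):
    """Constructed (non-loadable) PE headers: DOS stub, COFF header, zeroed PE32 optional header."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    table = b"".join(struct.pack(SECTION_HDR, n, vs, 0, rs, 0, 0, 0, 0, 0, ch) for n, vs, rs, ch in sections)
    return dos + coff + b"\0" * 224 + table

# Constructed sample mirroring the post: UPX0 is 0x4000 bytes virtual, 0 on disk, and executable.
SAMPLE = build_sample_pe([(b"UPX0", 0x4000, 0, 0xE0000020),
                          (b"UPX1", 0x1000, 0xE00, 0xE0000020),
                          (b"UPX2", 0x1000, 0x200, 0xC0000040)])
```

Running `packing_indicators(parse_sections(SAMPLE), import_count=4)` reports the three UPX names, the empty-on-disk executable UPX0 section, and the small import count; on a real file, read the bytes from disk and take the import count from the import directory.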

We can use antivirus tools to confirm maliciousness by checking whether the file matches existing antivirus signatures. To do this, we can upload the file to VirusTotal.

Around 2011, this file matched 3 of 41 antivirus signatures. Today, in 2024, the detection has been updated to 57 / 72.



Packed 

There is not much here, but we can learn some interesting things from the imports a UPX-packed file really has:


GetProcAddress : retrieves the address of an exported function or variable within a loaded DLL. Packers use it to resolve the real imports at runtime, which is why the packed file shows so few.

VirtualProtect : changes the protection of a region of memory (for example, marking pages executable). Packers and code-injection routines call it to prepare memory before writing code into it.

VirtualFree : deallocates memory previously allocated with VirtualAlloc or another memory allocation function. In simpler terms, it frees up memory the program no longer needs; a program should call VirtualFree on such memory to avoid leaks.

CreateServiceA : creates a new service and registers it with the Service Control Manager (SCM).

InternetOpenA : initializes the WinINet internet communication functionality for the application.


After unpacking, we were able to retrieve the original file size.

We can see many more import functions now, but the most interesting one we found is InternetOpenUrlA.



InternetOpenUrlA : opens an Internet URL and retrieves its data. It is used for web-related tasks such as downloading files, fetching web pages, and processing online content within an application.
The imports from wininet.dll tell us that this code connects to the Internet (InternetOpenA and InternetOpenUrlA), and the import from advapi32.dll (CreateServiceA) tells us that the code creates a service.

We can't be sure what this program is doing, but understanding these imported functions helps us search for host-based or network-based indicators. We will continue our analysis in the next part for further insights.

Thank you for your time, enjoy delving into the malware domain, and until we meet again for the next part! This is a practical case for educational purposes only.
