Your friend received an email with an attachment and proceeded to open the email

Part 2: Analysis and reverse engineering of a malicious DLL

Scenario and goal

Your friend received an email with an attachment and proceeded to open the email. Without being careful, your friend opened the attachment and is now concerned that the system may be infected.

Answer all the questions below (in the analysis tasks section) backing your answers with appropriate proofs and detailed supporting documentation and evidence from analyses.

Environment and tools

Analyze the file “malsample.dll” on a Windows XP virtual machine. Extract it from “malsample.7z” with the archive password ‘infected’. Which tools you use is entirely up to you. In malware analysis there is rarely one “right” path. Be creative and observant! However, I suggest you look at previous lab exercises and lecture slides, and pick whatever tools you deem appropriate. Provide documentary evidence to support your answers where appropriate, for example screenshots, excerpts from logs, dumps and other analysis output. Please provide your answers under each given question. Any references cited should be listed at the end of your report.

Analysis tasks

1. Your friend receives the file in an email attachment on their Windows XP machine and accidentally double-clicks the file. Is their system infected? If yes, why/how? If no, why not? Explain and support your answer with evidence from dynamic analysis.

2. Perform a basic static analysis of the malware sample and document your findings. What do the imports and exports tell you about the sample? Is the sample packed? Can you observe anything suspicious section-wise?
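
A worked check for the packing and section questions in task 2, written here as an added example (it is not part of the assignment and does not touch malsample.dll): it parses the PE section table by hand, computes the entropy of each section's raw data, and flags the classic signs of a packer. The input is a constructed UPX-style PE layout built inline, so the script runs offline; section names, sizes and characteristics in it are illustrative.

```python
import collections
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 means uniform (compressed/encrypted)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in collections.Counter(data).values())

def parse_sections(pe: bytes) -> list:
    """Walk the DOS, COFF and section headers and return one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    _, num_sections, _, _, _, size_opt = struct.unpack_from("<HHIIIH", pe, coff)
    off, sections = coff + 20 + size_opt, []              # headers follow the optional header
    for _ in range(num_sections):                         # 40-byte IMAGE_SECTION_HEADER each
        name, vsize, _va, rsize, rptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "rsize": rsize, "chars": chars, "entropy": round(shannon_entropy(pe[rptr:rptr + rsize]), 2)})
        off += 40
    return sections

def packing_indicators(sections: list) -> list:
    """Heuristics that commonly point at a packed sample (task 2 of the lab)."""
    out = []
    for s in sections:
        if s["entropy"] > 7.0:
            out.append(f"{s['name']}: entropy {s['entropy']} looks compressed or encrypted")
        if s["rsize"] == 0 and s["vsize"] > 0:
            out.append(f"{s['name']}: no raw data but {s['vsize']:#x} bytes virtual (filled at run time)")
        if s["chars"] & 0xE0000000 == 0xE0000000:         # EXECUTE | READ | WRITE
            out.append(f"{s['name']}: section is readable, writable and executable")
    return out

def build_sample_pe() -> bytes:
    """Constructed UPX-like PE layout for demonstration, not the lab's malsample.dll."""
    text = b"\x55\x8b\xec" + b"\x90" * 60 + b"\xc3"       # plain code bytes, low entropy
    upx1 = bytes(range(256)) * 16                         # uniform bytes, entropy 8.0
    sec = lambda n, vs, va, rs, rp, ch: struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew -> PE signature at 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x2102) + b"\0" * 224
    hdr += sec(b".text", len(text), 0x1000, len(text), 0x200, 0x60000020)
    hdr += sec(b"UPX0", 0x8000, 0x2000, 0, 0, 0xE0000080) + sec(b"UPX1", len(upx1), 0xA000, len(upx1), 0x400, 0xE0000040)
    return hdr.ljust(0x200, b"\0") + text.ljust(0x200, b"\0") + upx1
```

Run `packing_indicators(parse_sections(build_sample_pe()))` to see the findings; against a real file, pass `open(path, "rb").read()` instead of the constructed image.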

3. Analyse the sample dynamically and monitor its activities on the system. Outline the steps taken to execute the sample for analysis. What changes do you observe on the host? For example, is anything dropped, executed or deleted? Any other changes to the host observed? (Hint: if you use Regshot in any phase of your analysis, be careful to set the right scan directory i.e. C:\). Support your claims with documentary evidence.

4. Under which process is the malicious DLL running? What is the process ID of this process? Document your approach and show how you obtained this information.

5. Describe how you would set up a network analysis environment. Does the malware exhibit any network-based behaviours? Analyse and document any observable network activity in an isolated environment. How does this malware behave network-wise?

6. Reverse engineer the sample with IDA/IDA Pro. (a) How many functions are exported by the DLL? (b) What are the addresses of the functions that the DLL exports? (c) How many functions call the kernel32 API LoadLibrary? (d) How many times is the kernel32 API Sleep() called in the DLL? (Support your answers with documentary evidence, e.g., screenshots.)

7. Navigate to the ServiceMain function. (a) Show the graph view of the function. (b) The main subroutine (of the ServiceMain function) jumps to a location where the code calls the kernel32 API Sleep() right after the JZ assembly instruction. What is the value of the parameter used by this Sleep() call?

Presentation: organization, readability, references etc.

Hint
Dynamic analysis involves testing and evaluating a program while it is running. It examines the executing program with real-time data, on a real or a virtual processor, in order to detect errors. It helps uncover memory issues and supports the diagnosis and correction of bugs...
