PMA 102c: Unpacking (15 pts + 10 extra)

What you need:

Malware Samples

If you are using the machine from this project:
PMA 41: Windows 10 or 11 with Analysis Tools
The malware samples are on your desktop.

Otherwise, download the malware from:

https://github.com/mikesiko/PracticalMalwareAnalysis-Labs

This project uses files in this folder:

Practical Malware Analysis Labs\BinaryCollection\Chapter_1L

Examining the Strings in Lab01-02.exe with BinText

If you don't have BinText, get it here:

https://www.aldeid.com/wiki/BinText,

Examine the strings in Lab01-02.exe with BinText.

There are only a few strings, and they call only a few ordinary Windows API commands, as shown below.

These strings aren't from the malware--they are from the UPX packer, as we will show below.

Examining the File with PEiD

Run PEiD on the file. It shows that the file is packed with UPX, as shown in the "EP Section" below.

Examining the File with PEview

Run PEview on the file. The file has sections labeled UPX0, UPX1, and UPX2, as shown below.

These are section names produced by the UPX packer.

Navigate to the Import Directory Table, as shown below. This file only imports four libraries.

Examining the File with CFF Explorer

Open the file in CFF Explorer, which is included in the FLARE-VM. If you need to download it, get it here:

https://ntcore.com/?page_id=388

In the left pane, click "Import Directory". In the right pane, click KERNEL32.dll.

As shown below, this file only uses six functions from KERNEL32.DLL, and even fewer from the other imports.

Unpacking the File with UPX

If you are using the FLARE-VM, you already have UPX. If you don't have it, do this: Open a Command Prompt window and execute this command:
UPX
You see a UPX help message, as shown below:

Execute these commands (replacing YourName with your username) to move to the directory containing the malware samples, and list the files there.

Use tab completion to speed up the process:

cd "\Users\YourName\Desktop\Malware\Practical Malware Analysis Labs\BinaryCollection\Chapter_1L"

DIR

You see several malware samples, including Lab01-02.exe, as shown below:

Execute these commands to unpack the file, and list the files again:

UPX -d -o Lab01-02-unpacked.exe Lab01-02.exe

DIR

The unpacked file is much larger than the original file, as shown below:

Analyze the unpacked file with PEiD. It now is recognized as a "Microsoft Visual C++ 6.0" file, as shown below.

Flag PMA 102.1: Entrypoint (10 pts)

On the left side of the PeID box, find the Entrypoint value, which is covered by a green box in the image below. That's the flag.

Examining the Unpacked File with PEview

Run PEview on the unpacked file.

Now the file has the usual sections labeled .text, .rdata, and .data, as shown below.

Examining the Unpacked File with CFF Explorer

Find the unpacked file's imports with CFF Explorer.

The imports from KERNEL32.DLL, ADVAPI32.DLL, and MSVCRT.DLL are uninformative generic functions used by almost every program.

However, the WININET.DLL imports are InternetOpenUrlA and InternetOpenA, as shown below. This indicates that the malware connects to a URL.

Strings

Find the strings in the unpacked file.

You should see the API names InternetOpenURLA and InternetOpenA, and the Command-and-Control URL http://www.malwareanalysisbook.com, as shown below.

These suggest that infected machines will connect to http://www.malwareanalysisbook.com. The name of the running service, MalService, is also visible.

Flag PMA 102.2: Last String (5 pts)

The last string is covered by a green box in the image below. That's the flag.

Flag PMA 102.3: Packer (10 pts)

Find the packer used for sample Lab01-03.exe.

Ignore everything except the primary packer name, which consists of three capital letters. That's the flag.

Ported to Google Cloud 9-5-19
Posted 8-21-18
Chal 3.3 added 8-28-18
Chal 3.3 number fixed 9-11-18
Format updated 8-18-20
Malware sample link added, CFF Explorer added 6-13-2021
Updated to refer to the "Win 10 with Tools" machine 7-14-2021