aD

Dec 31, 2013

First Malware Analysis

Recently I began looking for malware samples so that I can start learning how to analyse them. My skills are currently terrible, but I have to start somewhere.


I found this email in my wife's Hotmail inbox; Gmail would never let something like this reach my own mailbox. It was obviously malware: a "zip" file whose icon made it look like a Microsoft Word document.



As we can clearly see, Windows is not so easily fooled and correctly labels it as an application. The Windows Properties dialog shows that it is an archive.


Using a universal extractor, we obtained the following files:
.text
.rdata
.data
Folder (/.rsrc)

Opening .rdata in a hex editor reveals the following strings, the names of the imported APIs and the DLLs that export them:

T.VirtualAlloc..©.GetCurrentProcess.¬.GetCurrentThread....CreateFileW.….GlobalAlloc.æ.EnumResourceLanguagesA..7.FindResourceExA.O.FreeResource..ö.GetModuleHandleA..9.GetStartupInfoA.X.GetTempFileNameA..Z.GetTempPathA..Œ.GlobalFree..ö.LoadResource....LockResource....MoveFileA. .SizeofResource..KERNEL32.dll..¨.DispatchMessageA..Õ.TranslateMessage..J.GetMessageA.é.UpdateWindow..¸.ShowWindow..4.RegisterClassExA..Ò.LoadCursorA.Ö.LoadIconA.•.DefWindowProcA.. .PostQuitMessage.Õ.EndPaint....GetClientRect...BeginPaint..g.CreateWindowExA.o.GetSystemMetrics....AdjustWindowRectEx....CallWindowProcW.-.CharNextA./.CharNextW.h.CreateWindowExW.–.DefWindowProcW..š.DestroyAcceleratorTable...DestroyIcon.ž.DestroyMenu. .DestroyWindow.Ï.EnableMenuItem..ì.EqualRect.î.ExitWindowsEx.ó.FindWindowW...GetClassInfoExW...GetCursorPos....GetDC...GetDesktopWindow..$.GetFocus..%.GetForegroundWindow.1.GetKeyState.U.GetParent.k.GetSubMenu..}.GetWindow.‚.GetWindowLongW..ˆ.GetWindowRect.©.IntersectRect.ª.InvalidateRect..µ.IsChild.Å.IsWindow..Í.KillTimer.Õ.LoadCursorW.Ù.LoadImageW..Þ.LoadMenuA.ã.LoadStringA.ä.LoadStringW.ó.MapWindowPoints.ÿ.MessageBoxW...MsgWaitForMultipleObjects...OffsetRect....PeekMessageA..).PtInRect..3.RegisterClassA..5.RegisterClassExW..L.ReleaseDC.N.RemoveMenu..c.SendMessageW..p.SetCursor.y.SetFocus..z.SetForegroundWindow.ž.SetTimer..¥.SetWindowLongW..§.SetWindowPos..¨.SetWindowRgn..Ä.SystemParametersInfoA.Å.SystemParametersInfoW.Ð.TrackPopupMenuEx..Ú.UnionRect...wsprintfA...wsprintfW...wvsprintfW..USER32.dll..ô.GetStockObject....LineTo..!.MoveToEx..F.Rectangle...CloseMetaFile.0.CreateDCW.E.CreateMetaFileW.N.CreateRectRgnIndirect.Í.DeleteDC..Ï.DeleteMetaFile..µ.GetDeviceCaps...LPtoDP..P.RestoreDC.W.SaveDC..{.SetMapMode....SetViewportOrgEx..“.SetWindowExtEx..”.SetWindowOrgEx..GDI32.dll.Y.RegOpenKeyA.ADVAPI32.dll..".Shell_NotifyIconA.SHELL32.dll...CoCreateInstance..%.CoGetClassObject..=.CoInitialize..R.CoRegisterClassObject.^.CoRevokeClassObject.f.CoTaskMemAlloc..g.CoTaskMemFree.h.
CoTaskMemRealloc..k.CoUninitialize..z.CreateDataAdviseHolder..‚.CreateOleAdviseHolder.ù.OleLoadFromStream...OleRegEnumVerbs...OleRegGetMiscStatus...OleRegGetUserType...OleSaveToStream.H.WriteClassStm.ole32.dll.z.memcpy...._XcptFilter.%.__dllonexit.(.__getmainargs.:.__p__commode..?.__p__fmode..Q.__set_app_type..S.__setusermatherr.._._acmdln.m._adjust_fdiv..w._c_exit.z._cexit..‡._controlfp..›._except_handler3..¤._exit.Æ._ftol.ç._initterm.`._onexit.m._purecall.Ì._wcsnicmp..._wtoi.,.exit..A.free..t.malloc..Š.realloc.«.strtol..Ã.wcschr..Ä.wcscmp..Ð.wcsstr..msvcrt.dll

These imports are the control routines of what appears to be remote-control Trojan software. I had to break up the XML so that the blog would actually display it.
Inside the folder we find the application manifest:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>

This provides improved remote control over the computer.


Compiled with Inno Setup. The binary carries the installer's identification string as UTF-16, which the hex editor shows with a dot (the NUL byte) after each character:
T.h.i.s. .i.n.s.t.a.l.l.a.t.i.o.n. .w.a.s. .b.u.i.l.t. .w.i.t.h. .I.n.n.o. .S.e.t.u.p..
http://www.jrsoftware.org/isinfo.php
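Reading the import names and the UTF-16 Inno Setup marker out of the hex dump by eye is exactly what a small strings tool automates. The script below is an added example, not code from the post: it pulls printable ASCII and UTF-16LE strings out of a constructed byte fragment laid out like the hint/name table shown above, groups each API name under the DLL name that follows it, and flags the imports a defender would triage first. SAMPLE, WATCHLIST and the function names are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed test bytes (not from the analysed file), laid out like the PE
# hint/name table in the dump above: 2-byte hint, ASCII API name, NUL, padding,
# with the DLL name following its APIs, plus a UTF-16LE Inno Setup-style string.
SAMPLE = (
    b"\x54\x00VirtualAlloc\x00\x00\xa9\x00GetCurrentProcess\x00"
    b"\x5a\x00GetTempPathA\x00\x00\x20\x00MoveFileA\x00KERNEL32.dll\x00\x00"
    b"\xee\x00ExitWindowsEx\x00\xd0\x00TrackPopupMenuEx\x00\x00USER32.dll\x00"
    b"\x59\x00RegOpenKeyA\x00ADVAPI32.dll\x00\x00"
    + "This installation was built with Inno Setup.".encode("utf-16-le")
    + b"\x00\x00"
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")          # printable ASCII runs
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")   # UTF-16LE: T.h.i.s. ...
DLL_RE = re.compile(r"^[A-Za-z0-9_]+\.dll$", re.IGNORECASE)

WATCHLIST = {  # imports from the dump a defender looks at first, with the reason
    "virtualalloc": "allocates memory, often to unpack a second stage",
    "gettemppatha": "locates %TEMP% to drop a file",
    "movefilea": "moves or renames a dropped file",
    "exitwindowsex": "can force a logoff or reboot",
    "regopenkeya": "reads the registry, e.g. for run keys",
}

def ascii_strings(data: bytes) -> List[str]:
    return [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]

def wide_strings(data: bytes) -> List[str]:
    return [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]

def group_imports(strings: List[str]) -> Dict[str, List[str]]:
    """Attach each API name to the DLL name that follows it. A hint whose two
    bytes are both printable would be glued onto the name; not corrected here."""
    groups: Dict[str, List[str]] = {}
    pending: List[str] = []
    for s in strings:
        if DLL_RE.match(s):
            groups.setdefault(s.lower(), []).extend(pending)
            pending = []
        else:
            pending.append(s)
    return groups

def flag_imports(groups: Dict[str, List[str]]) -> List[str]:
    """Return 'dll!Api: reason' for each watchlisted import, in table order."""
    return [f"{dll}!{api}: {WATCHLIST[api.lower()]}"
            for dll, apis in groups.items()
            for api in apis if api.lower() in WATCHLIST]
```

Run it on the .rdata section dumped from a real sample by replacing SAMPLE with the file's bytes; the ASCII and wide passes together recover both the import table and the installer marker without a hex editor.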


It is officially classified as Trojan-Downloader.Win32.Kuluoz.D.

2 comments:

  1. Are Trojans not a thing of the past? I thought they were obsolete due to the fact that we have so many ways to render them useless.

  2. Although this is gibberish to me, good job. Keep up the fine work.