This post is part of the series of Practical Malware Analysis Exercises.
There were 18 scanners that detected this sample.
Lab01-02.exe
- MD5:
8363436878404da0ae3e46991e355b83 - SHA256:
1c876a332d7dd8da331cb8eee7ab7bf32752834d4b2b54eaa362674a2a48f64a61 - File name: Lab01-02.exe
- Detection ratio: 18 / 47
- Analysis date: 2013-11-13 04:43:16 UTC ( 2 hours, 21 minutes ago )
Both VirusTotal and PEiD identified this file as being packed with UPX. Also, the sections were named UPX0, UPX1, and UPX2. Was able to unpack using the UPX command line utility.
VirusTotal: UPX
PEiD: UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo
upx -d -o Lab01-02_unpacked.exe Lab01-02.exe
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2013
UPX 3.09w Markus Oberhumer, Laszlo Molnar & John Reiser Feb 18th 2013
File size Ratio Format Name
-------------------- ------ ----------- -----------
16384 <- 3072 18.75% win32/pe Lab01-02_unpacked.exe
Unpacked 1 file.Creates threads, manipulates services, and communicates over the network, likely HTTP. Something to do with time. Checks for an update or command over the network? Starts a service?
KERNEL32.DLL
- SystemTimeToFileTime
- GetModuleFileNameA
- CreateMutexA
- CreateThread
- SetWaitableTimer
ADVAPI32.DLL
- CreateServiceA
- StartServiceCtrlDispatcherA
- OpenSCManagerA
WININET.DLL
- InternetOpenUrlA
- InternetOpenA
- Services or mutexes named
MalService,"Malservice," orHGL345 - Network communication with
http://www.malwareanalysisbook.com - HTTP requests with user-agent
Internet Explorer 8.0 - The following strings:
000000003010 000000403010 0 MalService
00000000301C 00000040301C 0 Malservice
000000003028 000000403028 0 HGL345
000000003030 000000403030 0 http://www.malwareanalysisbook.com
000000003054 000000403054 0 Internet Explorer 8.0