Fin - MW - RP - Phan Van Quy
Student in charge: Phan Van Quy

- Malware Analysis Final Assessment -


______________________________________________
Understanding Malware Functionality and Behaviour - A
Comprehensive Report on Disassembly Tools and
Applications (using PEStudio, Detect It Easy, and Procmon)

I - Introduction:

Malware analysis is a critical facet of cybersecurity, demanding sophisticated tools to dissect
and understand malicious software. This report delves into the nuanced realm of
disassembly tools, with a specific focus on PEStudio, Detect It Easy (DiE), and Procmon.
These tools are integral to deciphering the intricacies of malware, enabling analysts to
unravel the code, behaviors, and potential threats embedded within malicious executables.

II - Disassembly Tools Used:

- PEStudio: A Versatile PE File Analyzer

PEStudio emerges as a versatile disassembly tool tailored for the analysis of Windows
executable files. Its capabilities extend to scrutinizing Portable Executable (PE) files,
providing a comprehensive array of insights, including imports, exports, sections, and
resources. This tool proves invaluable in the static analysis phase, allowing analysts to
identify key indicators of malicious activity before execution.

- Detect It Easy (DiE): File Signature Analysis Unveiled

Detect It Easy is a lightweight yet potent tool designed for file signature analysis. By
scrutinizing file headers and structures, DiE aids analysts in determining file types and
characteristics. This tool is particularly adept at identifying packed or obfuscated binaries, a
crucial aspect of malware analysis aimed at uncovering evasion techniques.

- Procmon: Dynamic Analysis Unleashed

Procmon, or Process Monitor, provides a dynamic analysis platform, allowing analysts to
monitor and log real-time system activity. It offers a granular view of processes, file system
activities, registry changes, and network connections. Procmon is instrumental in
understanding the live behavior of malware, aiding in the identification of malicious
processes and potential mitigation strategies.

III - Why Choose These Tools Over Others:


The selection of PEStudio, Detect It Easy, and Procmon over alternative tools is grounded in
their unique strengths and complementary functionalities. PEStudio's robust analysis of PE
files offers a detailed static perspective, laying the foundation for subsequent analysis
phases. Detect It Easy's specialization in file signature analysis provides crucial insights into
the presence of packed or obfuscated code, contributing to a more nuanced understanding
of evasion techniques. Finally, Procmon's real-time monitoring capabilities enhance dynamic
analysis, allowing analysts to witness and interpret the actual behavior of malware within a
controlled environment.

IV - Utilising the tools' functions in the Lab 3-1 & 3-2 application practice:

Application overview:

-> In lab 3-1, students typically use PEStudio to analyze a malware sample. The tool assists
in identifying suspicious or malicious indicators, including abnormal imports, code sections,
and resource allocations. Analysts can leverage PEStudio to understand the potential impact
of the malware on the system.

-> In lab 3-2, students commonly use Detect It Easy to uncover the file signatures of different
malware samples. DiE helps analysts recognize the type of packer or obfuscation used,
providing valuable insights into the malware's evasion techniques. This information is crucial
for developing effective countermeasures.

-> Both lab exercises 3-1 and 3-2 involve the use of Procmon to perform dynamic analysis
on malware samples. Analysts can observe the behavior of the malware in a controlled
environment, helping to understand its impact on the system and potential mitigation
strategies.

Lab 3-1: Analyze the malware found in the file Lab03-1.exe using basic
dynamic analysis tools.

To accelerate the initial assessment, PEStudio is used to analyse the executable file.

Question 1: What are this malware’s imports and strings?

-> The malware appears to be a packed sample and is executable (Lab03-1.exe).


There is only one import, called ExitProcess:

The strings are mostly present in clear text, but they are not readable as meaningful text:



Question 2: What are the malware’s host-based indicators?

-> The malware creates a synchronization primitive called a "mutex" (mutual exclusion)
named "WinVMX32." A mutex is often used by malware to ensure that only one instance of
itself is running on the system at any given time.

-> The malware copies itself to a specific location on the host system:
‘C:\Windows\System32\vmx32to64.exe’. This is the file path where the malware duplicates its executable.

-> The malware configures itself to run automatically when the system starts up. It achieves
this by making changes in the Windows Registry, a centralized database that stores
configuration settings for the Windows operating system.

-> It creates a registry key at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDriver.
This registry key is set to the location where the malware has copied itself
(C:\Windows\System32\vmx32to64.exe).

-> As a result, when the system starts, the malware will be executed automatically because
it has added an entry in the registry indicating that it should run on startup.

Question 3: Are there any useful network-based signatures for this malware? If
so, what are they?

-> The malware establishes communication with a remote server
(www.practicalmalwareanalysis.com), sends a 256-byte packet at regular intervals
(beaconing), and the content of this packet appears random, possibly for the purpose of
making it more challenging to analyze or detect the malicious activity.
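The two properties named above (a fixed 256-byte packet to one host at a regular interval, with random-looking content) can be turned into a simple detection over connection records. The following is an added example, not part of the report or of the lab material: the flow records and the beacon payload are constructed, and the function names are my own.

```python
import math
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records, not a real capture: (seconds since start, destination host, payload bytes).
# The beacon payload is a fixed permutation of 0..255, standing in for the random-looking 256-byte packet.
BEACON_PAYLOAD = bytes((i * 37 + 11) & 0xFF for i in range(256))
SAMPLE_FLOWS = [
    (0.0, "www.practicalmalwareanalysis.com", BEACON_PAYLOAD),
    (30.1, "www.practicalmalwareanalysis.com", BEACON_PAYLOAD),
    (59.9, "www.practicalmalwareanalysis.com", BEACON_PAYLOAD),
    (90.2, "www.practicalmalwareanalysis.com", BEACON_PAYLOAD),
    (5.0, "update.example.org", b"GET /manifest.json HTTP/1.1\r\nHost: update.example.org\r\n\r\n"),
    (47.0, "update.example.org", b"A" * 256),  # same size, but low-entropy text, so not a beacon
]

def payload_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant payload, 8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def find_beacons(flows, size=256, min_count=3, max_jitter=0.2, min_entropy=7.0):
    """Return {host: mean interval in seconds} for hosts that receive at least min_count payloads of
    exactly `size` bytes with high entropy at near-regular intervals (gap coefficient of variation <= max_jitter)."""
    by_host = defaultdict(list)
    for ts, host, payload in flows:
        if len(payload) == size and payload_entropy(payload) >= min_entropy:
            by_host[host].append(ts)
    hits = {}
    for host, times in by_host.items():
        times.sort()
        if len(times) < min_count:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[host] = avg
    return hits

if __name__ == "__main__":
    for host, interval in find_beacons(SAMPLE_FLOWS).items():
        print(f"possible beacon: {host} every ~{interval:.1f}s")
```

Real beacons usually add jitter, so `max_jitter` is a tuning knob rather than a fixed threshold.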

Lab 3-2: Analyze the malware found in the file Lab03-02.dll using basic
dynamic analysis tools.

Question 1: How can you get this malware to install itself?

-> Use rundll32.exe with the command rundll32.exe Lab03-02.dll,installA to run the malware's
exported installA function in order to install it as a service.

Question 2: How would you get this malware to run after installation?

-> After the malware has been installed, we can observe the addition of a new service called
IPRIP in the registry. We can start it with either the net utility or the SC tool:
- “net start IPRIP”
- “sc start IPRIP”

Question 3: How can you find the process under which this malware is
running?

-> Determine which process is executing the service by using Process Explorer.
We can click on Find in Process Explorer, enter the name of the DLL, and obtain the details
of the process in which the malware is running.

Question 4: Which filters could you set in order to use procmon to glean
information?

-> You can use Process Explorer to find the PID and then use Procmon to filter on it.

Question 5: What are the malware’s host-based indicators?

-> The malware installs a service called IPRIP with the display name Intranet Network
Awareness (INA+) and the description “Depends INA+, Collects and stores network
configuration and location information, and notifies applications when this information
changes.”

It writes HKLM\SYSTEM\ControlSet001\Services\IPRIP\Parameters\ServiceDll:
%CurrentDirectory%\Lab03-02.dll to the registry for persistence.

Renaming Lab03-02.dll to something else, like malware.dll, causes malware.dll to be written
into the registry key rather than Lab03-02.dll.
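The host-based indicators from both labs (the Run key and the System32 copy in Lab 3-1, the ServiceDll value in Lab 3-2) are exactly the events a Procmon PID filter surfaces. The script below is an added example, not part of the report or the labs: it scans a Procmon CSV export for those writes and can narrow to one PID, as the answer to Question 4 suggests. The CSV rows are constructed, and the rule and function names are my own.

```python
import csv
import io
import re

# Constructed Procmon CSV export (not a real capture); the column layout follows Procmon's CSV output.
SAMPLE_PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","Lab03-01.exe","1234","CreateFile","C:\Windows\System32\vmx32to64.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","Lab03-01.exe","1234","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDriver","SUCCESS","Type: REG_SZ, Data: C:\Windows\System32\vmx32to64.exe"
"10:01:03.0","explorer.exe","900","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Data: 2"
"10:05:10.0","svchost.exe","1780","RegSetValue","HKLM\SYSTEM\ControlSet001\Services\IPRIP\Parameters\ServiceDll","SUCCESS","Type: REG_EXPAND_SZ, Data: C:\Lab\Lab03-02.dll"
"10:05:10.1","svchost.exe","1780","CreateFile","C:\Lab\Lab03-02.dll","SUCCESS","Desired Access: Read Data/List Directory"
'''

# (indicator name, Procmon operation, path pattern); paths are matched case-insensitively.
INDICATOR_RULES = [
    ("run_key_autostart", "RegSetValue", re.compile(r"\\CurrentVersion\\Run\\", re.I)),
    ("service_dll_set", "RegSetValue", re.compile(r"\\Services\\[^\\]+\\Parameters\\ServiceDll$", re.I)),
    ("system32_file_write", "CreateFile", re.compile(r"^C:\\Windows\\System32\\", re.I)),
]

def registry_data(detail):
    """Pull the written value out of a RegSetValue Detail column ('Type: REG_SZ, Data: ...')."""
    m = re.search(r"Data:\s*(.*)$", detail)
    return m.group(1).strip() if m else ""

def triage(csv_text, pid=None):
    """Scan a Procmon CSV export for persistence indicators; pid=None scans every process,
    otherwise only that PID is examined (the same narrowing a Procmon PID filter gives)."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if pid is not None and row["PID"] != str(pid):
            continue
        if row["Result"] != "SUCCESS":
            continue
        for name, op, pattern in INDICATOR_RULES:
            if row["Operation"] != op or not pattern.search(row["Path"]):
                continue
            # Reading a file in System32 is normal; only opens that request write access count as a drop.
            if name == "system32_file_write" and "Write" not in row["Detail"]:
                continue
            findings.append({"indicator": name, "process": row["Process Name"], "pid": row["PID"],
                             "path": row["Path"], "data": registry_data(row["Detail"])})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_PROCMON_CSV):
        print(f"[{f['indicator']}] {f['process']} ({f['pid']}): {f['path']} {f['data']}")
```

The `data` field of the ServiceDll finding shows why renaming the DLL changes the indicator: the path written is whatever file was loaded.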

Question 6: Are there any useful network-based signatures for this malware?

-> The malware resolves the domain name practicalmalwareanalysis.com and establishes
an HTTP-like connection with that host via port 80.
It uses the User-Agent string %ComputerName% Microsoft Windows XP 6.11 and makes a GET
request for serve.html.

V - Conclusion:

In conclusion, the fusion of PEStudio, Detect It Easy, and Procmon forms a potent
disassembly toolkit, fostering a holistic approach to malware analysis. PEStudio excels in
static analysis, identifying threats based on file attributes, while Detect It Easy unveils file
signatures, exposing packing and obfuscation techniques. Procmon facilitates dynamic
analysis, enabling real-time observation of malware behavior. This synergy equips
cybersecurity professionals with a robust skill set, honed through hands-on experience in lab
exercises 3-1 and 3-2. This integrated approach enhances threat identification accuracy and
provides a nuanced understanding of modern malware tactics, strengthening overall
cybersecurity practices.
