Initial commit

ACKNOWLEDGEMENTS

@@ -0,0 +1,11 @@
+ACKNOWLEDGMENTS / AUTHORS OF MALWARE ANALYSIS
+
+Original Authors
+  * Branden Clark
+  * Austin Ralls
+  * Aaron Sedlacek
+
+Special thanks to
+  * The RPI CS Department for giving us this opportunity and letting us run with it
+  * Professor Bülent Yener for sponsoring such a course
+  * Our students who put up with us all semester

Labs/Lab_01/solution.md

@@ -0,0 +1,98 @@
+#### Malware Analysis - Fall 2015
+#### Lab 01 Solution
+
+##### Lab_01-1.malware
+
+
+1. 2009-05-14 10:12:41
+
+2. 
+    a. ShellExecuteExA - Can be used to run applications
+
+    b. Socket APIs - Make network connections
+
+    c. File API - read/modify files
+
+3. 
+    a. 60.248.52.95 - Potential network signature
+
+    b. http://www.ueopen.com/test.html - Potential network signature
+
+    c. cmd.exe - The malware could be trying to run shell commands
+
+    d. *(SY)# - Potential network signature, possible used for a remote shell prompt
+
+4. Connects to 60.248.52.95, offers up a remote shell, then deletes itself
+
+5. Process name. Ensures procmon data involves the sample
+
+6. Nothing particular, except for the command it runs to delete itself
+
+    `cmd.exe /c del $PATH > null`
+
+7. 
+    a. Connects to port 443 on 60.248.52.95
+
+    b. *(SY)# - Remote shell prompt
+
+8. The file's self deletion was a nuisance. This can be overcome by keeping a separate 
+   copy, or by NOP'ing the delete call
+
+9. To act as a backdoor by offering a remote shell to the attacker
+
+##### Lab_01-2.malware
+
+1. 02658bc9801f98dfdf167accf57f6a36
+
+2. 
+    a. CreateProcessA - Execute applications
+
+    b. WriteFile - Write to files
+
+    c. HttpOpenRequestA - Access websites
+
+3. 
+    a. wuauclt.exe - Windows update program, potential trojan or disguise
+
+    b. cmd /c - run shell commands
+
+    c. 69.25.50.10 - Potential network signature
+
+4. Nothing appears on screen. In the background it is attempting to connect to 
+   69.25.50.10, but fails. If it succeeds it offers a remote shell.
+
+5. Process name. Ensures procmon data involves the sample
+
+6. Runs wuauclt.exe
+
+7. Connects to 69.25.50.10. Remote pseudo-shell commands (putf, getf, /tasks/, exit)
+
+8. No, though more information could have been made available if 69.25.50.10 was up
+
+9. Acts as a backdoor, allowing remote file access and program execution.
+
+##### Lab_01-3.malware
+
+1. Yes, very few strings and imports. VirtualSize >> Size of Raw Data. Possibly UPX packed.
+
+2. No, UPX reports an error, "file is modified/hacked/protected; take care!!!"
+
+3. 
+    a. Mozilla/4.0 - Possible user agent
+
+    b. http://%s/%s/ - Format string for making URLs
+
+    c. www.practicalmalwareanalysis.com - Potential network signature
+
+4. Connects to website "http://\<url from resources\>/\<base64 local hostname\>/"
+
+5. No
+
+6. The URL and user agent
+
+7. The packing, I'm not sure what else the malware is doing besides connecting out.
+   This program will have to be unpacked manually.
+
+8. Besides reporting the hostname to the attacker, there's no way to tell without further
+   analysis.
+

Labs/Lab_02/solution.md

@@ -0,0 +1,64 @@
+#### Malware Analysis - Fall 2015
+#### Lab 02 Solution
+
+##### Lab_02-1.malware
+
+
+1. 
+    a. Main is at 0x004011A0
+
+    b. Main checks if there is internet connection, using http://reversing.rocks/ as a domain to check. If the test passes it runs a subroutine, otherwise it exits right away.
+
+        i. It uses a call to an import in the import table. It also uses an if in the form of test/jz. Finally it calls the subroutine or exit.
+
+        ii. "http://reversing.rocks/" Seems like an interesting string.
+
+2. 
+
+    a. InternetConnectA(hInternet, "reversing.rocks", 0x4D2, 0, 0, 3, 0, 0)
+
+        i.  (HINTERNET) hInternet => Handle from the InternetOpen
+            (LPCTSTR) lpszServerName => Server name = "reversing.rocks"
+            (INTERNET_PORT) nServerPort => Port = 1234
+            (LPCTSTR) lpszUsername => NULL
+            (LPCTSTR) lpszPassword => NULL
+            (DWORD) dwService => 3 => HTTP
+            (DWORD) dwFlags => 0
+            (DWORD_PTR) dwContext => NULL
+
+    b. It opens a connection and goes to reversing.rocks and calls another subroutine. When that is done, it closes the connection.
+
+        i. Makes several calls to import tables, and the subroutine. Also has an if to check that the connection was opened correctly.
+
+3. 
+
+    a. Many calls to imported functions. An if to check if the first file could be found, and a while that will go loop though all files.
+
+    b. FindFirstFileA, HttpOpenRequestA, HttpSendRequestExA, InternetWriteFile, FindNextFileA, HttpEndRequestA, InternetCloseHandle, FindClose
+
+    c. Sends files that match "\\*" through post
+
+4. The malware attempts to connect to the creator's site and then exfiltrate files from the local drive to his server. It then closes the connection and quits.
+
+##### Lab_02-2.malware
+
+1. 
+
+    a. AllocConsole, FindWindowA, ShowWindow, fopen, time, fputs, ctime, fclose
+
+        i. AllocConsole creates a console for the process, FindWindow finds a window for the process and returns its handle, ShowWindow shows a window, the other functions are more normal c functions.
+
+        ii. "\\WINDOWS\\lzwindowlz.av", "\nStarted logging:"
+2. 
+
+    a. GetAsyncKeyState, fopen, fseek, fread, fputc
+
+    b. There is a large switch with several cases
+
+3. The malware is a keylogger that then sends the log to the owner.
+
+    a. One possible signature is looking for calls to GetAsyncKeyState
+
+        i. This would be used by keyloggers to get the keypresses without needing to have an active window. Detecting this could help find keyloggers in general.
+
+    b. The sample creates lzwindowlz.av which it fills with key presses that it records. Special keys are replaced with brackets and their name. This is then emailed every 100 characters to the address specified. The file is cleared at this point.

Labs/Lab_03/solution.md

@@ -0,0 +1,94 @@
+#### Malware Analysis - Fall 2015
+#### Lab 03 Solution
+
+##### Lab_03-1.malware
+
+1. Yes, there is a dll, it can be extracted using FileAlyzer or Resource Hacker.
+
+2. 
+   a. LoadResource - Load the dll info from the resources
+
+   c. WriteFile – Allows malware to log to file or write more malware to a file
+
+   d. IsDebuggerPresent – Malware could act differently if it detects a debugger is being used 
+to analyze it
+
+3. 
+   a. "http://rpis.ec/" - Potential network signature
+
+   b. "regsvr32 /s C:\Windows\atidrv.dll" - Potential persistence / hiding place
+
+   c. "C:\Users\IEUser\Downloads\BHOinCPP_src\BHOinCPP\Release\launch.pdb" - BHOinCPP is a project from CodeProject
+
+4. It unpacks and creates a dll, and then registers that dll as with regsvr
+   ```
+   CLSID\\{3543619C-D563-43f7-95EA-4DA7E1CC396A}\\InProcServer3
+   Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects\\{3543619C-D563-43f7-95EA-4DA7E1CC396A}
+   CodeProject Example BHO
+   ```
+
+5. {3543619C-D563-43f7-95EA-4DA7E1CC396A}
+
+6. IWebBrowser2
+
+7. 0xa4 = put_Visible - Show the window 
+
+   0x2c = Navigate - Go to page in browser
+
+   This combination displays one of the RPISEC URLs found in the adware
+
+##### Lab_03-2.malware
+
+1. MD5 is bf4f5b4ff7ed9c7275496c07f9836028. VirusTotal reports that it created and opened a file in the C drive, then copied it to the user's directory as java.exe.
+    It also says it made a DNS request to us.t28.net
+
+2. 
+    a. GetLogicalDrives – Gets bitmask representing all available drives. Could be used for environmental keying or host identification
+
+    b. gethostbyname - Could be used to resolve an attackers host for communication
+
+    c. GetOEMCP - Could be checking for VM
+
+3. 
+    a. 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -  Registry key that auto runs when the user logs in, possible persistence mechanism
+
+    b. 'configserver)/r(ndr29(xhhoxxx2)00xAAAAAA....' - Could be an encrypted configuration file
+
+    c. '\java.exe' - The file it might make for persistence.
+
+4. It sets the key in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run' to 'C:\DOCUME~1\User\java.exe', which is a copy of itself that it made. Some host-based signatures are that its in documents and settings for the user and copies under 'java.exe'.
+
+5. 
+   Lists processes: 0x0402310
+
+   Remote Shell: 0x0402490 and 0x0402660 to use
+
+   Upload File: 00402210
+
+6. 
+   List processes: The command id is 0x7
+
+   Remote Shell: The command id is 0x9 and 0x10
+
+   Upload File: The command id is 0x6
+
+7. 
+   List processes: It sends the process name (xored with 0x55) and process id back to the control server
+
+   Remote Shell: 0x9 opens cmd.exe, 0x10 sends a command to it (xored with 0x55) and then reads from the named pipe and sends the result back (xored with 0x55)
+
+   Upload File: It maps the file into memory, xors it with 0x55, and sends it to the control server
+
+8. 
+   Lists processes: CreateToolhelp32Snapshot, Process32First, Process32Next
+
+   Remote Shell: CreateProcessA, PeekNamedPipe, WriteFile
+
+   Upload File: CreateFileA, CreateFileMappingA, MapViewOfFile
+
+9. 
+   0x2 - List contents of directory
+
+   0x5 - Download a file to infected computer
+
+   0x8 - Terminate process by PID

Labs/Lab_04/solution.md

@@ -0,0 +1,42 @@
+#### Malware Analysis - Fall 2015
+#### Lab 04 Solution
+
+##### Lab_04-1.malware
+
+This sample was first statically analyzed with IDA to determine what calls to look at. It was then run in a VM with no ASLR with break points at the interesting calls, and ran with these break points to see what happened.
+
+1. Its calling KERNEL32!GetProcAddress for VirtualAlloc
+2. Its calling VirtualAlloc to allocate 0xB000 bytes at 0x0C000000 as PAGE_EXECUTE_READWRITE
+3. 0x401360 calls KERNEL32!GetProcAddress, 0x40137e also calls KERNEL32!GetProcAddress, but with advapi32.dll, and 0x401388 uses user32.dll.
+4. GetModuleFileNameA,ExitProcess,CopyFileA,GetWindowsDirectoryA,LoadLibraryA,RegCreateKeyA,RegSetKeyValueA,RegCloseKey,MessageBoxA,
+5. I set break points on the functions calling getProcAddress and looked at the arguments that were being passed.
+6. Copies itself to C:\\WINDOWS\\virus.exe and then sets a registry key to auto run itself:
+   ```C
+   RegCreateKeyA("Software\\Microsoft\\Windows\\CurrentVersion\\Run");
+   RegSetKeyValueA("viri","C:\\WINDOWS\\virus.exe");
+   ```
+   
+   It then creates a message box saying "Infected!". After that it exits.
+
+##### Lab_04-2.malware
+
+This sample was unpacked with UPX when there was no aslr enabled, otherwise it failed to run after unpacked. Once unpacked, I statically analyzed it and recognized the structure of a few loops preforming xor and comparison operations, as well as a nibble swap loop. To reverse this I wrote a small python script.
+
+1. 0x004011BC For the win function
+2. For each character that you enter it flips the nibbles. So 0x41 becomes 0x14 and so on.
+3. The encrypted data is at 0x0040303C, and the string xored with it to decrypt it is at 0x00403018.
+4. flag{Pra1se_th3_Sun!}
+
+   Script:
+   ```Python
+   f = "{ga1F_1auTca_eht_t0n_s!_s1hT}galf"
+   data = "1DA17747F15A16776663359418E35B816A23D67C88000000"
+   data = data.decode('hex')
+   flag = ""
+
+   for i,c in enumerate(f):
+       nc=ord(data[i%21])^ord(c)
+       flag+=chr(((nc&0xf)<<4)+(nc>>4))
+
+   print flag
+   ```

Labs/Lab_05/solution.md

@@ -0,0 +1,53 @@
+#### Malware Analysis - Fall 2015
+#### Lab 05 Solution
+
+##### Lab_05-1.malware
+
+1. It drops a file from its resource section (RC_DATA "DROP") into "C:\Program Files\Google\Update\GoogleUpdate.exe"
+
+2. By replacincg "C:\Program Files\Google\Update\GoogleUpdate.exe" the malware is run every time Google Updater is triggered.
+   This is a great host-based signature because we can check the validity of this file.
+
+3. It uses the mutex 'WODUDE'
+
+4. It hides the console window
+
+   It replaces a "trusted" file/program
+
+5. SetWindowsHookExW - Enables a callback function on keypresses
+
+   SetWinEventHook - Enables a callback function on window focus change
+
+6. WH_KEYBOARD_LL, EVENT_SYSTEM_FOREGROUND, WINEVENT_SKIPOWNPROCESS|WINEVENT_OUTOFCONTEXT
+
+7. It writes keylogged data to a file in the current directory, in this case "C:\Program Files\Google\Update\\\<hostname\>"
+
+##### Lab_05-2.malware
+
+1. This malware downloads the file at "http://malcode.rpis.ec/update_defender" and uses it to replace the file at 
+   "C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe".  If that fails, it will replace that file 
+   with the DROP resource
+
+2. Similar to Lab_05-1.malware, this overwrites an update service, this time for Firefox. We can verify this file to
+   confirm presence of the malware
+
+3. A second mutex is required so that only one enumeration of child windows is done at a time. The first enumeration to 
+   run will grab the mutex, and the next enumerations will have to wait for this mutex to be released
+
+4. Sends an Event/Message to a window. This can be used for updates or triggers, e.g. mouse, keyboard
+
+5.  0xD2 - EM_GETPASSWORDCHAR - gets the character that an edit control message shows when a user is typing a password 
+                                instead of showing the password
+
+    0xCC - EM_SETPASSWORDCHAR - sets the character that an edit control message shows when a user is typing a password 
+                                instead of showing the password.  In this case, the malware sends a parameter of 0 which
+                                means the control message will show the password plainly
+
+    0xC4 - EM_GETLINE - gets the line of text specified in an edit control message
+
+6. This sample looks for password boxes in foreground windows. Once it finds one it will remove the password mask
+   using EM_SETPASSWORDCHAR, steal the password with EM_GETLINE, and then reset the password mask. This differs from the
+   last sample which hooked keyboard events to log all keystrokes. This sample specifically targets password fields
+
+7. The malware writes all the data it collects into a file in the current directory,
+   so it will be in "C:\Program Files\Mozilla Maintenance Service\\\<hostname\>"