DADA week 3 and lab (Malware Defenses)

Date: 2/4/17

What We Learned

Craig introduced ways that attackers try to locate and catch victims, such as looking at popular Google searches and targeting those. The first step in successfully “producing” malware is distributing it as far and wide as possible, usually through social engineering: deception and/or exploiting a lack of knowledge. Once it’s on the disk/drive, it has to stay there, and this is done by using names similar to standard OS files or by having signed binaries. Rootkits and bootkits hide from the user so the source of the malware can’t be found.

Malware Defense

There are various ways to keep malware from getting in, with many layers stacked on top of each other. The first layer is the network firewall and network intrusion prevention, and anti-malware on the disk is the last layer of defense. In my opinion, the real first layer is your mind: learning the warning signs of an attempted malware intrusion and avoiding/preventing the attack is the cheapest and easiest way to prevent infection.



Yara is a pattern-matching malware signature scanner that lets users write their own signatures for specific malware and scan a machine for them. It is much simpler than most programming languages but powerful enough to provide robust searches with simple syntax.

Good Yara signatures should capture unusual commonalities between malware groups without matching normal operating system files. We created signatures and then tested them on our virtual machine’s system32 folder.

Automatically generated signatures make up almost all of the signatures used nowadays, but the “best” ones are often handmade. Newer ways of making signatures include using machine learning to build better rules and looking more at memory for signatures. It is now more important than ever to automate signature creation because of the sheer number of unique malware binaries: we were shown a graph indicating that there were up to 300 million unique binaries.

Yara Activity

We had to create some YARA rules for the samples that Craig had us analyze.

My first rule was:

rule Sytro {
  strings:
    // the string definitions were not preserved on the page; placeholder only
    $placeholder = "STRING_NOT_PRESERVED_ON_PAGE"
  condition:
    all of them
}


rule CVE {
  strings:
    // the CLASSID value Craig gave us is not preserved on the page; placeholder only
    $classid = "CLASSID_NOT_PRESERVED_ON_PAGE"
    $s1 = "DownloaderActiveX1"
  condition:
    all of them
}

I just used the Yara editor’s inspection functionality to find strings, but for sample 2 I had to use FileInsight because the files consisted of JavaScript that the editor couldn’t display in a readable fashion. I couldn’t find the CLASSID Craig gave us until I used FileInsight, which showed that it was used in the script that also contained DownloaderActiveX1. In sample group 1, a rule Craig used had the string “Jenna Jam”; a Google search for this string gives interesting results that are not malware related.


rule domai {
  strings:
    // the string definitions were not preserved on the page; placeholder only
    $placeholder = "STRING_NOT_PRESERVED_ON_PAGE"
  condition:
    any of them
}

This one was much harder to do, since the files were so hard to read in both FileInsight and the Yara editor, on top of there being so many lines of code in each one.

Cuckoo Tool

This tool contains a lot of the functionality we had seen before. It can see which files are created, deleted and downloaded, analyze memory dumps of processes, and trace network traffic.

Cuckoo Lab

The hash I looked at was 4844fd851088… I analyzed it as if it were malware until I found out it was in fact not malware. I guess I should’ve looked up the hash before writing. After my analysis of it I will analyze a malicious file.

Delphi was the obvious choice here; there weren’t a lot of strings to look at, so I had to pick what worked.


In the lecture, we learned that Delphi is a programming language commonly used to write malware. Whenever the string “Delphi” appears, something malware-related is sure to follow, so it would be an obvious target for a Yara rule.

Looking through the CSV, we can see that the first thing that happens is that bad tries to open registry keys under Software\Borland\Locales and Software\Borland\Delphi\Locales. Both of these fail, most likely because those keys don’t exist yet. It also loads a few libraries such as uxtheme.dll, user32.dll, ntdll and ADVAPI32.dll. uxtheme.dll is “a system wide hook to intercept paint calls and injects skin data”, meaning it allows Windows to apply visual themes/styles to applications. It seems that bad is trying to create a hook, though its purpose is not clear. A function named ThemeInitApiHook is called to “give alternate implementations for functions” that user32.dll uses. user32.dll is an essential Windows DLL that implements standard features such as the GUI and general user interface.

One notable thing that happened was that bad tried to run something named LADS. On the command line, it output copyright info pointing to Frank Heyne Software at a German-hosted website. Below this info it said “This program lists files with alternate data streams <ADS>”. Alternate data streams are used to locate a specific file by author or title. While ADS is sometimes exploited for malicious purposes, this tool is not actually malware. I only realized this after writing all of this.

Analysis (hash: a1874f714f7a15399b9fae968180b303)

Yara used:

rule lab {
  strings:
    $a = "Delphi"
  condition:
    all of them
}

This signature gives a false positive on 4844, which is apparently written with Delphi or something similar.
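The false positive above is exactly what the earlier advice about not matching normal operating system files is warning about. The following added example (my own code, not from the lab or from Yara) emulates only the plain-string “any of them” / “all of them” semantics of a rule so it runs without yara-python, and measures a rule against a small labelled corpus. The three samples are constructed: both the “malware” and the “benign LADS-like tool” carry Delphi/Borland strings, but only the malware also mentions WinSysQQ, so a single-string “Delphi” rule misfires while a two-string rule does not.

```python
from dataclasses import dataclass


@dataclass
class StringRule:
    """A YARA-like rule restricted to ASCII string patterns."""
    name: str
    strings: dict           # identifier -> bytes pattern, e.g. {"$a": b"Delphi"}
    condition: str = "all"  # "all" or "any", like YARA's 'all of them' / 'any of them'

    def matches(self, data: bytes) -> bool:
        hits = [pattern in data for pattern in self.strings.values()]
        if self.condition == "all":
            return all(hits)
        if self.condition == "any":
            return any(hits)
        raise ValueError(f"unsupported condition: {self.condition}")


# Constructed samples: (name, contents, is_malicious). Not real file contents.
SAMPLES = [
    ("a1874f_sample", b"Borland Delphi runtime\x00WinSysQQ\x00prints.exe\x00Deleteme.bat", True),
    ("4844_lads",     b"Borland Delphi runtime\x00This program lists files with alternate data streams", False),
    ("notepad",       b"Microsoft Windows\x00Notepad\x00user32.dll", False),
]


def evaluate(rule: StringRule, samples) -> dict:
    """Return hit counts plus the names of any benign samples the rule flags."""
    result = {"tp": 0, "fp": 0, "fn": 0, "tn": 0, "false_positives": []}
    for name, data, malicious in samples:
        hit = rule.matches(data)
        if hit and malicious:
            result["tp"] += 1
        elif hit and not malicious:
            result["fp"] += 1
            result["false_positives"].append(name)
        elif not hit and malicious:
            result["fn"] += 1
        else:
            result["tn"] += 1
    return result


# The single-string rule from the write-up, and a tighter version that also
# requires the persistence value name seen in the Cuckoo CSV.
LAB_V1 = StringRule("lab", {"$a": b"Delphi"})
LAB_V2 = StringRule("lab_v2", {"$a": b"Delphi", "$b": b"WinSysQQ"})

if __name__ == "__main__":
    for rule in (LAB_V1, LAB_V2):
        print(rule.name, evaluate(rule, SAMPLES))
```

Running it shows LAB_V1 flagging the benign LADS-like sample while LAB_V2 catches only the malicious one; the same evaluate loop works against a real clean directory (such as the system32 folder used in the lab) if you swap in file contents read from disk.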

Running with this hash creates 3 CSVs. The largest one’s process name is cmd.exe. The first notable thing I see is a bunch of failed NtOpenKey attempts for various registry keys under \registrymachine\software\policies\microsoftwindows\safer\codeidentifiers\26144\. Following that are a lot more NtQueryValueKey calls and more opening and closing. It fails to open half of the attempted keys, which results in an immediate NtClose.

After tampering with the registry it creates a file named Deleteme.bat at C:\Users\Admin\AppData\Local\Temp\Deleteme.bat. This file was set to auto-delete, obviously, but in the same directory a few other files were added: ntshruis2.dll, prints.exe, and qinput.png.

Qinput.png is a picture of a QQ login prompt. QQ is a popular Chinese messaging app/program. Prints.exe had its own CSV made, so let’s look at that.


Prints.exe loads kernel32.dll, advapi32.dll, oleaut32.dll, user32.dll, and ntshruis2.dll. Using these libraries, it calls a ton of functions such as FindFirstFileA, CreateFileA, and GetCommandLineA. Presumably prints.exe is reading and writing to a file somewhere, but it is not stated explicitly in the CSV. At the end of the CSV, I can see that it successfully creates a registry value under Software\Microsoft\Windows\CurrentVersion\Run. This new value is named WinSysQQ, with the buffer referencing prints.exe in the Temp directory. It also tries to open a registry key under Software\Borland\Locales, which fails.

Google says WinSysQQ is a pop-up that appears on Windows to promote ads and other junk. Looking back in the CSV I can now see a function that stands out: MessageBoxA. We know that user32.dll controls the Windows GUI, and this malware is using it to create unwanted pop-ups on the system. Winsys is a name that sounds legitimate, but the QQ at the end is just a little extra the programmers added to reference the Chinese app.

The 3rd CSV created shows the bad process creating the 3 new files in Temp. It tries to make them hidden, but I think the VM displays all hidden files by default.
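Reading the three CSVs by hand is how the write-up above found the Temp drops, the Run value and the MessageBoxA call. The added example below (my own code, not Cuckoo’s output format or any project code) does the same triage automatically over a constructed API-call log whose column layout and values are my own assumptions, chosen to mirror the behaviour described: files created under the user’s Temp directory, a CurrentVersion\Run value pointing at one of them (rated high because persistence plus a freshly dropped binary is the combination that matters), and a user-visible pop-up.

```python
import csv
import io
import re

# Constructed Cuckoo-style API log (not real tool output); the columns are an
# assumption made for this example. Paths echo the ones the write-up saw.
LOG = r"""process,api,argument,value,status
cmd.exe,NtOpenKey,\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers,,FAILURE
cmd.exe,NtCreateFile,C:\Users\Admin\AppData\Local\Temp\Deleteme.bat,,SUCCESS
cmd.exe,NtCreateFile,C:\Users\Admin\AppData\Local\Temp\prints.exe,,SUCCESS
cmd.exe,NtCreateFile,C:\Users\Admin\AppData\Local\Temp\qinput.png,,SUCCESS
prints.exe,LoadLibraryA,ntshruis2.dll,,SUCCESS
prints.exe,NtOpenKey,\Registry\Machine\Software\Borland\Locales,,FAILURE
prints.exe,NtSetValueKey,HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinSysQQ,C:\Users\Admin\AppData\Local\Temp\prints.exe,SUCCESS
prints.exe,MessageBoxA,,,SUCCESS
"""

TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
FILE_CREATE_APIS = {"NtCreateFile", "CreateFileA", "CreateFileW"}
VALUE_SET_APIS = {"NtSetValueKey", "RegSetValueExA", "RegSetValueExW"}


def parse_log(text: str) -> list:
    """Parse the CSV text into one dict per API call."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows: list) -> list:
    """Walk the calls in order and emit findings for the behaviours of interest."""
    dropped = set()  # lowercase paths of files created under Temp so far
    findings = []
    for r in rows:
        if r["status"] != "SUCCESS":
            continue  # failed opens (Borland\Locales, Safer keys) are context, not indicators here
        api, arg, val = r["api"], r["argument"], r["value"]
        if api in FILE_CREATE_APIS and TEMP_RE.search(arg):
            dropped.add(arg.lower())
            if arg.lower().endswith(".bat"):
                findings.append({"severity": "low", "process": r["process"],
                                 "indicator": "batch file dropped in Temp", "detail": arg})
        elif api in VALUE_SET_APIS and RUN_KEY_RE.search(arg):
            # Persistence that points at a file this same run dropped is the strong signal.
            severity = "high" if val.lower() in dropped else "medium"
            findings.append({"severity": severity, "process": r["process"],
                             "indicator": "Run-key persistence", "detail": f"{arg} = {val}"})
        elif api == "MessageBoxA":
            findings.append({"severity": "info", "process": r["process"],
                             "indicator": "user-visible pop-up", "detail": api})
    return findings


def max_severity(findings: list) -> str:
    order = {"info": 0, "low": 1, "medium": 2, "high": 3}
    return max((f["severity"] for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for f in triage(parse_log(LOG)):
        print(f"[{f['severity']}] {f['process']}: {f['indicator']} ({f['detail']})")
```

Because the Run value is only rated high when its target was created earlier in the same log, the order of calls matters; that is the same chain of reasoning the manual read-through followed (drop in Temp, then Run value naming the drop, then pop-up).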

Reverting to my initial state and re-running the analyzer, with Flypaper.exe running this time, allows me to read Deleteme.bat’s code.


It seems that this is a simple batch file that is supposed to remove the source of this malware.


The point of all these exercises was to learn about malware threats and determine whether they really are threats, to classify and isolate the malicious code, and to prevent future attacks. Cuckoo lets us identify what type of threat is happening while also classifying the malware. The Yara signatures and general analysis we did showed how to identify malicious code.

