This is a walkthrough of the Lab 11-1 from the book Practical Malware Analysis. The sample under analysis, Lab11-01.exe
, is a credential stealer that performs GINA interception.
The samples for this lab can be downloaded from here.
Let’s start!
I’m going to perform some basic static analysis first.
Checking with PEiD I see that this sample is not packed - PE sections looks good too (no strange names, virtual and raw sizes are similar).
Lab11-01.exe
MD5 | a9c55bb87a7c5c3c923c4fa12940e719 |
SHA1 | d971656c6c605a6e2130ab83a38420e655428f94 |
SHA256 | 57d8d248a8741176348b5d12dcf29f34c8f48ede0ca13c30d12e5ba0384056d7 |
GinaDLL
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
msgina32.dll
MSGina.dll
UN %s DM %s PW %s OLD %s
msutil32.sys
Looking at the strings I can guess that this malware performs GINA interception (GINA stands for Graphical Identification and Authentication). This is a technique used to steal users credentials: the malware adds its own DLL (probably msgina32.dll
) into those loaded during the Windows logon process - such DLLs are listed (if any) in the registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
and will be loaded at logon in addition to the original DLL MSGina.dll
.
The string UN %s DM %s PW %s OLD %s
looks like a formatted string so I expect that this malware will be printing something out.
The last one is the name of a file (msutil32.sys
): don’t know what it is yet, but I will soon do.
The malware imports:
ADVAPI32.DLL
, RegCreateKeyEx
and RegSetValueEx
KERNEL32.DLL
, FindResource
So apparently it will create registry key/value, and this is coherent with what I was expecting from the strings analysis.
The FindResource
is a hint that this malicious program may contain some embedded resource. Let’s look at the PE structure then.
There is a .rsrc
section that contains a resource named TGAD
: this resource is an embedded executable as it contains the MZ signature and the !This program cannot be run in DOS mode.
string. So the sample is probably a dropper. I can dump the embedded PE file for further analysis using the Resource Hacker tool.
Lab11-01-embedded.dll
This PE file is a DLL: the Characteristics
header has the value IMAGE_FILE_DLL
set.
It is not packed.
MD5 | 7ce4f799946f0fa44e5b2b5e6a702f27 |
SHA1 | 951fb5b80702d02e5c327b56cc709ee3ad5523d2 |
SHA256 | f8a4f61bccd5bab1cad0ab9e57f6f3092a8bd4dd0adfcd4853e89ba96afc93f9 |
The strings from this PE file are included in those I already analyzed from the parent executable.
The DLL exports many functions from the original msgina.dll
: this is expected if this malware performs GINA interception.
A couple of interesting exports are WlxLoggedOnSAS
and WlxLoggedOutSAS
, since these functions are good points to perform malicious behavior.
Let’s continue analysis with IDA Pro now!
At the beginning of the _main
function (0x40120F
) the malware calls sub_401080
. This function extracts the resource named TGAD
from the PE file.
Reading the code block between 0x40114A
and 0x4011A2
, the program writes the embedded resource to a file named msgina32.dll
, which is placed in the same directory as the executable.
So I will rename this function to Sub_ExtractDll
.
At 0x401288
the program calls the function sub_401000
. This function creates the registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
and then sets the value GinaDLL
; the value is set with the fullpath and name of the dropped msgina32.dll
.
This way the malicious DLL will be loaded during the winlogon process (GINA interception).
I will rename this function to Sub_InstallGinaInterception
.
The _DLLMain
function loads the library MSGina.dll
(at 0x100001099
) from the Windows system directory (at 0x1000107E
). The handle to the original msgina.dll
is placed in a global variable named hModule
(at 0x100010A1
).
Most of the exported functions simply call the same function from the original msgina.dll
.
For instance, this is the WlxLoggedOnSAS
function:
10001350 push offset aWlxloggedonsas ; "WlxLoggedOnSAS"
10001355 call sub_10001000
1000135A jmp
The function sub_10001000
takes one parameter (the name of the function); its code gets the address of that function from the original msgina.dll
module (the handle to such module is the global variable hModule
set during _DLLMain
); then it returns such address.
After the call, the malicious WlxLoggedOnSAS
jumps to the address returned by sub_10001000
, i.e. to the same WlxLoggedOnSAS
function in the original DLL. It’s interesting to note that it performs a jump and not a call (so a new stack frame is not set).
The exported function WlxLoggedOutSAS
has some extra behavior in addition to calling the original WlxLoggedOutSAS
(at 0x100014E0
).
Note: How can I identify which is the modified function among all the exported functions? One option is just by guessing: functions
WlxLoggedOnSAS
andWlxLoggedOutSAS
are called when the user logs on and logs out, so they are good point to insert malicious code for stealing credentials. I can also try to search for the stringUN %s DM %s PW %s OLD %s
.
At offset 0x10001503
the DLL calls the function sub_10001570
. This function writes stolen information (along with a timestamp) into a file named msutil32.sys
(at 0x1000159D
). So this file is actually a log file and not a driver as its extension was suggesting.
I will rename this function to Sub_LogCredential
.
After performing basic dynamic analysis (with the tools RegShot, Procmon, Process Explorer, Autoruns) and rebooting the system, I will log on, log out and then log on again. Here is the content of the file %SystemRoot%\System32\msutil32.sys
:
02/14/19 21:23:08 - UN remuser DM REMWINDOWSXP PW password OLD (null)
So to wrap up and answer the questions:
1) What does the malware drop to disk?
The malware drops a DLL which is embedded in the PE resource section named TGAD
.
2) How does the malware achieve persistence?
The malware installs msgina32.dll
as a GINA DLL by adding it to the registry key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
.
3) How does the malware steal user credentials?
The malware steals Windows user credentials by performing GINA interception during the logon process.
4) What does the malware do with stolen credentials?
The malware writes the stolen credential to the file %SystemRoot%\System32\msutil32.sys
. The username, domain name, password and old password are logged, along with a timestamp.
5) How can you use this malware to get user credentials from your test environment?
After the malware installs itself the first time, a system reboot is required to make it active. Then the malware will log credentials when the user logs out.
That’s all for this lab!