Table of Contents

A.1: Software Exploitation (Direct Code Injection)................................................................................. 3

Planning ................................................................................................................................................... 3
Finding Buffer Overflow via Fuzzing.................................................................................................... 3
Analysis of Stack ..................................................................................................................................... 4
Preparing Shellcode from C Code ....................................................... Error! Bookmark not defined.
Planning the Overflow ............................................................................................................................ 6
Determine Addresses .............................................................................................................................. 6
Final Byte Stream ................................................................................................................................... 7
Injection ................................................................................................................................................... 7
B.1 Static Malware Analysis Report: Environment Design and Procedures ........................................ 7
Introduction ............................................................................................................................................. 7
Environment Design ............................................................................................................................... 7
Secure Analysis Environment ............................................................................................................ 7
Arsenal of Analysis Tools ....................................................................................................................... 8
Procedures for Static Malware Analysis ............................................................................................... 8
File Type Identification ...................................................................................................................... 8
File Inspection ..................................................................................................................................... 8
String Analysis ........................................................................................................................................ 8
Fingerprinting ..................................................................................................................................... 9
Static Analysis Tools ........................................................................................................................... 9
Disassembling and/or Decompiling ................................................................................................... 9
Comparing and Classifying Malware ............................................................................................... 9
Expected Outcomes............................................................................................................................... 10
Malware Type Determination .......................................................................................................... 10
Potential Behavior Identification..................................................................................................... 10
IOCs Extraction ................................................................................................................................ 10
Packing/Obfuscation Analysis ......................................................................................................... 10
B.2 Static Malware Analysis (Analysis of needle3.exe and job.dll) ...................................................... 10
File Type Identification ........................................................................................................................ 10
File Inspection ....................................................................................................................................... 13
Extract ASCII & Unicode Strings ....................................................................................................... 14
Spot Anomalous Aspects of needle.exe and job.dll ............................................................................ 18
Import libraries, imported functions and API calls ....................................................................... 18
 Exported functions and/or API calls ............................................................................................... 19
Static Analysis With VirusTotal ...................................................................................................... 19
Static Code Analysis ......................................................................................................................... 26
B.3 – Static Malware Analysis (Analysis of golf.exe) ............................................................................. 29
File type Identification .......................................................................................................................... 29
File Inspection ....................................................................................................................................... 30
Extract ASCII & Unicode Strings ....................................................................................................... 32
Spot Anomalous Aspects of golf.exe .................................................................................................... 33
Imported libraries, functions, and API calls........................................................................................ 33
Static Analysis using VirusTotal ...................................................................................................... 33
A.1: Software Exploitation (Direct Code Injection)
Planning
The challenge consists of exploiting explo7.c to overflow the buffer on the call stack, change the
return address without crashing, and jump to code injected onto the stack. The attacker's code is
a printf function call that includes its own character string on the stack (via buffer overflow). Our
target is the explo7_x executable.
This is the target program (called a 'process' when running) into which we plan to inject our
executable code. Our goal is to inject some basic code into a library call using the arguments of
our choice. The software is an echo server that listens on a certain port number and awaits an
incoming TCP connection from the client. The client transmits a byte stream to the server.

A Python script named tcp_client1.py is used to implement our client.

Finding Buffer Overflow via Fuzzing

As can be seen from the above, a segmentation fault occurs when a byte stream of 70 bytes is
supplied as input to our target application.
This is because the Return Address was rewritten with 0x44444444, which is DDDDDD in ASCII.
The byte stream that caused this to occur is:
Analysis of Stack
Next, we try to find an offset for the Return location from the beginning of the memory location
where the byte stream is placed on our target program's stack. Following more investigation, we
learned that the buffer holding the byte stream is located in our target program's connection_loop
function.
To find the offset, establish a breakpoint before the function's completion.

Restart the process, send the byte stream above, and wait until the breakpoint is reached.
As shown above, the byte stream is saved on the stack beginning at 0xf7ff963c, and ebp points to
0xf7ff9678, where the old ebp is kept.
Next to it, the Return Address is recorded at 0xf7ff967c.
So the offset is 64 bytes.
Creating Shellcode from C Code
We wish to generate machine code for printf(). Create a simple program that includes our code:

Compile, then inspect the object code for the code_in function (objdump -S msg_machine_code).

Printf() corresponds to five machine instructions: sub, lea, push, call, and add.
The sub subtracts 0xC from the stack pointer. The push then adds a 32-bit integer on the stack,
subtracting 4 more bytes from the Stack Pointer. The number it places on the stack represents the
address of the string to be printed. The call stores the return address of the following instruction
(the add) on the stack and subtracts the Stack Pointer by 4 bytes.
After the call to puts, the add then corrects the Stack Pointer because this puts() has ended;
The Stack Pointer is restored, with 0x10 (= 16) appended to it. (i.e. 12 from the sub and 4 from
the push). The printf() function generates 16 bytes of machine code, followed by three bytes each
for the nop, leave, and ret.
So our targeted code insertion will be 19 bytes in total. We need to think more about the code,
namely the addresses encoded inside it.
We’ll return to that in a moment. An overview of our CODE from msg_machine_code (the
code_in function) now looks like this:
\x83\xec\x0c\x68\xss\xss\xss\xss\xe8\xrr\xrr\xrr\xrr\x83\xc4\x10\x90\xc9\xc3
Planning the Overflow
NOPs(10)+Code(19)+Space(8)+Helloooo+Space(16)+BasePointer(4)+ReturnAddressToCode(4)
+OriginalOldEBPStored(4)+OriginalReturnAddress (4)
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x83\xec\x0c\x68\xss\xss\xss\xss\xe8\xrr\xr
r\xrr\xrr\x83\xc4\ x10\
Hellooo AAAAAAAAAAAAAAAA \x80\x96\xff\xf7 \x46\x96\xff\xf7 \xB8\x96\xff\xf7
\x1e\xa2\x04\x08
Determine Addresses
Let's analyze the call stack of the target process.

The overflowing character buffer begins at 0xf7ff963c, and the stored base address is 60 (=0x3c)
bytes later at 0xf7ff9678.
The return address is the next one on the stack, at 0xf7ff967c. This return address will be
populated with the address of the injected code.
0xf7ff968c
ReturnAddressToCode: \x43\x96\xff\xf7 Afterward, OriginalOldEBPStored is saved at
0xf7ff9680. RetAddrOrig will be the return address to the initial return location.
0xf7ff9684
The original return address is 0x0804a21e -> \x1e\xa2\x04\x08.
Outline of our byte stream thus far: CODE-- \x90AAAAAAAA Hellooo
AAAAAAAAAAAAAAA \x80\x96\xff\xf7 \x46\x96\xff\xf7 \xb8\x96\xff\xf7 \x1e\xa2\x04\x08.
Final Byte Stream
The final byte stream comprises the resolved address of puts and machine codes of instructions
for printf():
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x9
0\x90\x90\x90\x90\x90\x90\x90\x90\x83\xec\x0c\x68 \x61\x96\xff\xf7 \xe8
HelloooAAAAAAAAAAAAAA \x80\x96\xff\xf7 \x46\x96\xff\xf7 \xb8\x96\xff\xf7
\x1e\xa2\x04\x08.
Injection
Using the above byte stream on a Python client.

B.1 Static Malware Analysis Report: Environment Design and Procedures

Introduction
Static malware analysis is an important part of cybersecurity since it allows you to examine
malware without having to execute it, knowing its subtleties and potential consequences. This
study details the environment setup and techniques for static malware analysis, with a focus on
an unidentified infection that may be operating on Windows 10.
Environment Design
Secure Analysis Environment
Virtualization Mastery: Virtualization Mastery: Using the advanced features of VMware or
VirtualBox, we create an impenetrable fortress of analysis, shielding our immaculate Windows
10 virtual PC from malware's evil intentions.
Network Segmentation Artistry: By performing thorough network segmentation, we limit
malware's illicit communication inside the limits of our analytic environment, safeguarding the
integrity of our operating architecture.
Arsenal of Analysis Tools
IDA Pro: Unraveling the Mysteries of Code With IDA Pro, we can navigate the labyrinthine
code structures, revealing the dense tapestry of assembly instructions that constitute the core of
the infection.
CFF Explorer: Exploring the Depths of PE Files: Using the capabilities of CFF Explorer, we
explore deep into the heart of Portable Executable (PE) files, uncovering hidden jewels of
information and file structure details.
Hex Editor HxD: Using the lighting capabilities of Hex Editor HxD, we methodically study file
headers and metadata, throwing light on the gloomy depths where malware hides its secrets.
Detect It Easy: The Beacon for File Type Identification: Using Detect It Easy as our guiding
light, we travel the tumultuous seas of file kinds, charting our route through the stormy seas of
malware obscurity.
Procedures for Static Malware Analysis
File Type Identification
Tools Used:
Detect It Easy.
Hex Editor HxD.
Procedures:
Employ Detect It Easy for swift file type identification, cross-referencing with Hex Editor HxD
for file header scrutiny.
File Inspection
Tools Used:
Exiftool.
Exeinfo PE.
UPX.
Procedures:
Utilize exiftool for metadata inspection, Exeinfo PE to uncover potential packers and cryptors,
and UPX for unpacking if necessary.
String Analysis
Tools Used:
strings2.
Pestudio.
FireEye Labs Obfuscated String Solver (FLOSS).
Procedures:
Strings2 and Pestudio are used to extract ASCII and Unicode strings, with FLOSS being used for
obfuscated strings.
Fingerprinting
Tools Used:
HashMyFiles.
VirusTotal.com.
Procedures:
Calculate MD5 and SHA-256 hash values with HashMyFiles, cross-referencing against
VirusTotal.com for malware identification.
Static Analysis Tools
Tools Used:
PEiD.
PEview.
CFF Explorer.
Procedures:
Use PEiD, PEview, and CFF Explorer to examine PE files, inspecting imported libraries,
functions, and API calls.
Disassembling and/or Decompiling
Tools Used:
IDA Pro.
Procedures:
Disassemble executable code with IDA Pro, analyzing assembly patterns and control flow.
Decompiling capabilities offered by IDA Pro aid in understanding complex code structures.
Comparing and Classifying Malware
Tools Used:
Ssdeep.
Python3.9 pefile module.
YARA.
Procedures:
Conduct fuzzy hashing with ssdeep for similarity analysis. Utilize Python3.9 pefile module for
import and section hashing. Employ YARA rules for pattern identification and classification.
Expected Outcomes
Malware Type Determination
Identify the malware type, ranging from ransomware, trojans, worms, to potentially more
sophisticated forms such as rootkits and spyware. Through deep analysis of code structures and
behavioral patterns, establish a comprehensive understanding of the malware's classification.
Potential Behavior Identification
Uncover potential actions orchestrated by the malware, including but not limited to network
communication, file manipulation, registry changes, privilege escalation attempts, and payload
delivery mechanisms. Through meticulous examination of code snippets, system calls, and API
interactions, discern the malware's behavioral profile.
IOCs Extraction
Extract Indicators of Compromise (IOCs) for both network and endpoint detection. By isolating
peculiar patterns, signatures, and artifacts within the malware, compile a comprehensive list of
IOCs to enhance threat detection capabilities and fortify the organization's cyber defenses.
Packing/Obfuscation Analysis
Determine if the malware is packed or obfuscated, potentially revealing evasion techniques
employed by threat actors to evade detection and analysis. Through specialized tools and manual
inspection, unveil the layers of protection surrounding the malware, unmasking the intricate
methods used to cloak its true nature.

B.2 Static Malware Analysis (Analysis of needle3.exe and job.dll)

1. Use Detect It Easy to identify file types.

2. Use Detect It Easy to extract metadata and Exeinfo PE to detect Packers and Cryptors.
3. Use BinText to extract ASCII and Unicode strings from golf.exe.
4. Utilize static analysis tools (peframe) and disassemble golf.exe with IDA Pro to identify
any anomalies.
File Type Identification
Using Detect. The file types of needle.exe and job.dll are easily identifiable.
Filename Job.dll
Type PE64 DLL
MD% Hash 6d7cd009b59c830890e0f03d5af1fcc5
Compiler Used Microsoft Visual C/C++(19.26.28806)[C]
Linker Used Microsoft Linker(14.26.28806)
 Language C/C++

Needle.exe:
 Filename Job.dll
Type PE64 DLL
MD% Hash 2ac1f1db6d3d5ad4d76254b810b870d1
Compiler Used Microsoft Visual C/C++(19.28.30040)[C++]
Linker Used Microsoft Linker(14.28.30040)
Language C/C++

File Inspection
Detect It Easy is used to find metadata and check for any packers or cryptors.

Filename Needle3.exe
No. of Sections 0x000b
Import DLLs Kernel32.dll, Advapi32.dll
No. of Imported Functions Kernel32.dll(97), Advapi32.dll(1)
Base_Address 0x0000000140000000
Entry_Point Address 0x0000000140064fe0

Jobb.dll:
 Filename Needle3.exe
No. of Sections 0x000b
Import DLLs Kernel32.dll
No. of Imported Functions Kernel32.dll(13)
Base_Address 0x0000000180000000
Entry_Point Address 0x00000001800011b0

Extract ASCII & Unicode Strings

Using BinText, pestudio, and/or string2 to examine strings on a Windows 10 virtual machine.
0000000D13A0 0000E00D13CD 0 entry
0000000D1420 0000E00D144D 0 user_name
0000000D1430 0000E00D145D 0 user_name_size
0000000D1500 0000E00D152D 0 dllLibFullPath
0000000D1574 0000E00D15A1 0 IEUser
0000000D1580 0000E00D15AD 0 user is bad
0000000D1590 0000E00D15BD 0 user is good
0000000D15A0 0000E00D15CD 0 explorer.exe
0000000D15B0 0000E00D15DD 0 c:\jobb.dll
0000000D15C0 0000E00D15ED 0 [x] Cannot find process %s
0000000D15E8 0000E00D1615 0 [*] Found process %s(PID = %d)
0000000D1610 0000E00D163D 0 [x] Cannot get full path to %s
0000000D1638 0000E00D1665 0 [*] DLL library %s was successfully found
0000000D1670 0000E00D169D 0 [x] Cannot open process with id %d
0000000D16A0 0000E00D16CD 0 [x] Cannot allocade memory for DLL-library
0000000D16D8 0000E00D1705 0 [*] Allocated %d bytes at %#08x region
0000000D1708 0000E00D1735 0 [x] Cannot write process memory
0000000D1730 0000E00D175D 0 LoadLibraryA
0000000D1740 0000E00D176D 0 kernel32.dll
0000000D1750 0000E00D177D 0 [*] Starting remote thread at process %s(PID = %d)
0000000D1790 0000E00D17BD 0 [-] Cannot create remote thread in process with id %d
0000000D1828 0000E00D1855 0 Stack around the variable '
0000000D1848 0000E00D1875 0 ' was corrupted.
0000000D1860 0000E00D188D 0 The variable '
0000000D1870 0000E00D189D 0 ' is being used without being initialized.
0000000D18C0 0000E00D18ED 0 The value of ESP was not stored properly during a
function call. This is often caused by invoking a function defined with one calling convention
with a function pointer declared with another calling convention.
0000000D19D0 0000E00D19FD 0 A cast to a smaller data type resulted in data loss. If
this was done on purpose, you should mask the source of the cast using the proper bitmask. For
example:
0000000D1A79 0000E00D1AA6 0 char c = (i & 0xFF);
0000000D1A90 0000E00D1ABD 0 Changing the code in this way will not affect the
quality of the resulting optimized code.
0000000D1B28 0000E00D1B55 0 Stack memory was corrupted
Jobb.dll:
000000000AC8 000000000A55 0 VirtualAllocEx
000000000ADA 000000000A67 0 WriteProcessMemory
000000000AF0 000000000A7D 0 CreateSemaphoreA
000000000B02 000000000A8F 0 KERNEL32.dll
000000000C0A 000000000B97 0 AQAPRQH1
000000000CB2 000000000C3F 0 AXAXH
000000000CBA 000000000C47 0 YZAXAYAZH
000000000CCA 000000000C57 0 XAYZH
000000000CD9 000000000C66 0 ws2_32
000000000CF6 000000000C83 0 {{{{ATI
000000000D83 000000000D10 0 j@AYh
000000000DB9 000000000D46 0 }(XAWYh
000000001C00 000000001B8D 0 Local\tFXPD9P69t0YRk8ONCPs
000000001D10 000000001C9D 0 Local\xdLfRqJGKb3sEiGVYdW2
000000001E18 000000001DA5 0 rundll32.exe
00000000004D 00000000004E 0 !This program cannot be run in DOS mode.
Spot Anomalous Aspects of needle.exe and job.dll
Import libraries, imported functions and API calls

ADVAPI32.dll

GetUserNameA

KERNEL32.dll
CloseHandle GetConsoleMode GetProcAddress
CompareStringW GetConsoleOutputCP GetProcessHeap
CreateFileW GetCPInfo GetStartupInfoW
CreateRemoteThread GetCurrentProcess GetStdHandle
CreateToolhelp32Sna GetCurrentProcessId GetStringTypeW
pshot

DeleteCriticalSection GetCurrentThread GetSystemInfo

EncodePointer GetCurrentThreadId GetSystemTimeAsFileTime
EnterCriticalSection GetDateFormatW GetTimeFormatW
EnumSystemLocales GetEnvironmentStrings GetUserDefaultLCID
W W
ExitProcess GetFileSizeEx HeapAlloc
FindClose GetFileType HeapFree
FindFirstFileExW GetFullPathNameA HeapQueryInformation
FindNextFileW GetLastError HeapReAlloc
FlushFileBuffers GetLocaleInfoW HeapSize
FreeEnvironmentStrin GetModuleFileNameW HeapValidate
gsW

FreeLibrary GetModuleHandleA InitializeCriticalSectionAndSpi

nCount

InterlockedFlushSList LCMapStringW InitializeSListHead

InterlockedPushEntry LeaveCriticalSection Process32First
SList
 IsDebuggerPresent LoadLibraryExW Process32Next
IsProcessorFeaturePre MultiByteToWideChar QueryPerformanceCounter
sent

IsValidCodePage OpenProcess RaiseException

IsValidLocale OutputDebugStringW ReadConsoleW
RtlCaptureContext SetStdHandle WriteConsoleW
RtlLookupFunctionE SetUnhandledException WriteFile
ntry Filter

RtlPcToFileHeader TerminateProcess WriteProcessMemory

RtlUnwind TlsAlloc
RtlUnwindEx TlsFree
RtlVirtualUnwind TlsGetValue
SetConsoleCtrlHandl TlsSetValue
er
SetEnvironmentVaria UnhandledExceptionFilt
bleW er

SetFilePointerEx VirtualAllocEx
SetLastError VirtualQuery

Exported functions and/or API calls

Job.dll
DllEntryPoint

Static Analysis With VirusTotal

Jobb.dll:
Static Code Analysis
Needle3.exe:
First the needle3.exe is checking the present user name with GetUserNameA.
According to the given user, it stops himself or executes itself continuously.

The code then verifies that it is not currently executing in the debugger. If so, it will come to an
end on its own.

needle3.exe locates explorer.exe & takes it’s process-id.

If explorer.exe is identified, it uses the GetFullPathNameA API call to obtain the complete path to
job.dll. If successful, the complete path to job.dll will be saved in the DLL Path.

The OpenProcess API method is used to retrieve the process handle of explorer.exe via its PID.
Following a successful handle to explorer.exe request, a VirtualAllocEx API call is used to allocate
memory.

Using the WriteProcessMemory API function, the job.dll is written to the base address of memory
that has been allotted inside of Explorer.exe.

After job.dll is successfully written to explorer.exe’s memory, explorer.exe uses the

CreateRemoteThread API function to establish a new thread, with LoadLibrary as the start
address.a base address job parameter and an exposed kernel32.dll function.Written memory of dll.
The explore.exe process is being injected with a DLL by Needle3.exe. It suggests that the
application fits the definition of a Trojan, more precisely a DDL Injector.

B.3 – Static Malware Analysis (Analysis of golf.exe)

1. Detecting file types using Detect It Easy
2. File inspection to use Detect It Easy to extract metadata and look for indications of
packers and cryptors
3. Use programs like BinText to extract ASCII and Unicode strings that are contained in
golf.exe.
4. Use IDA Pro to disassemble golf.exe and the static analysis website VirusTotal to
identify any unusual features.
File type Identification

Use Detect-It-Easy to find file type & some other data of golf.exe.
 Filename golf.exe
Type PE32 Executable
MD5 Hash 9731ec6c1475701ecd541aee28b3ca7a
Linker Used Microsoft Visual C# or Basic.NET or
Microsoft VB
Packer Info Explore and analyze .NET assemblies with
.NET Reflector v10 : www.red-gate.com - IF
file is packed try .NET Generic unpacker :
www.quequero.org/Pack_Unpack
Language C#

File Inspection

Use Detect It Easy to extract all of the metadata and search for any packers or cryptors that may
have been utilized.
Filename golf.exe
No. of Sections 0x0003
Import DLLs mscoree.dll
No. of Imported Functions mscoree.dll(1)
Base_Address 0x00400000
Entry_Point Address 0x00402dbe
Extract ASCII & Unicode Strings

Using BinText, pestudio, or string2, examine the strings on a Windows 10 virtual machine.

000000000F34 000000402D34 0 C:\Users\Kenny Sanderson\code\golf\obj\Debug\golf.pdb

000000000FA0 000000402DA0 0 _CorExeMain
000000000FAC 000000402DAC 0 mscoree.dll
0000000010D4 000000402ED4 0 ws2_32
0000000014DF 0000004042DF 0 <?xml version="1.0" encoding="UTF-8"
standalone="yes"?>
00000000151A 00000040431A 0 <assembly xmlns="urn:schemas-microsoft-com:asm.v1"
manifestVersion="1.0">
000000001565 000000404365 0 <assemblyIdentity version="1.0.0.0"
name="MyApplication.app"/>
0000000015A7 0000004043A7 0 <trustInfo xmlns="urn:schemas-microsoft-
com:asm.v2">
0000000015DF 0000004043DF 0 <security>
0000000015EF 0000004043EF 0 <requestedPrivileges xmlns="urn:schemas-microsoft-
com:asm.v3">
000000001635 000000404435 0 <requestedExecutionLevel level="asInvoker"
uiAccess="false"/>
00000000167C 00000040447C 0 </requestedPrivileges>
00000000169A 00000040449A 0 </security>
0000000016AB 0000004044AB 0 </trustInfo>
0000000016BB 0000004044BB 0 </assembly>
000000000CA8 000000402AA8 0 created by kdawg/vim squad!! If you want to find us
you know what to do..
000000000D3E 000000402B3E 0 golf.exe

Spot Anomalous Aspects of golf.exe

Import libraries, functions, and API calls

mscoree.dll
_CorExeMain

Static Analysis using VirusTotal