Anti-disassembler techniques 2018

Recommendations:

• When you are dealing with assembly that has been handcrafted to confuse the disassembler, it is usefull to look at the machine language bytes of each instructions or data. You can turn this by: Options - General - Number of opcode bytes (non-graph) set to 6.

In this lab we will be analyzing an executable that uses some of the anti-disassembly techniques to hide its true evil nature. It is calssified as malware by virustotal.com so proceed with caution. Perform static analysis on your linux VM.

This lab is an adaptation of Lab 15-3 from the awesome "Practical Malware Analysis" book.

1. Download the executable available at http://rarceresearch.fun/misc/Lab15-03-pr.exe. Perform static analysis using IDA Pro Demo to follow the steps bellow and answer the questions.

2. The code contains some exports that, used in combination, can be used for dubious purposes. For instance, a call to URLDownloadToFileA might be used to download a malware executable file from a website, then WinExec can be called to execute the malware.

3. Examine the calling functions to URLDownloadToFileA. Did IDA identify a path from the main function to URLDownloadToFileA?

4. Go back to the main function and use your anti-disassembly knowledge to try to understand how the seemingly harmless main ends up calling other malicious subroutines.

5. Explain what the malicious code invoked by main does.

6. From what URL is a file downloaded? (Hint the name is encoded using a simple XOR ciphering scheme).

7. What is the name of the file that is downloaded and run by WinExec?