This malware is from Practical Malware Analysis Lab 11-1. I will start from this book and probably include some malware from other sources in the future.

Static analysis


I always start with basic static analysis, which is probably what most people do. PEiD shows that this file is not packed, so we can start the analysis directly. Since we know nothing about this malware right now, I simply use strings.exe from the Sysinternals Suite to find useful clues. After running it, I see some interesting strings in the .exe file.

• Software\Microsoft\Windows NT\CurrentVersion\Winlogon
• Msgina.dll
• Many functions with Wlx prefix

This result makes me believe this malware sample is likely doing GINA interception. What is GINA interception? GINA means Graphical Identification and Authentication. It allows third parties to customize the logon process, so malware can take advantage of it. Basically, GINA works like this: winlogon.exe calls msgina.dll. What third parties can do is insert a .dll between winlogon.exe and msgina.dll, which looks like this:

Winlogon.exe → malicious.dll → msgina.dll

So in this case, malicious.dll can get the password from winlogon.exe. But it also has to export the same functions as msgina.dll, most of which have the Wlx prefix. Also, in order for winlogon.exe to call malicious.dll, the malware has to change a registry value, which is the first string we were interested in.

After this, I like to use Dependency Walker and CFF Explorer to see what’s in this file. This is what we got from Dependency Walker.

We find that the file imports KERNEL32.DLL and ADVAPI32.DLL. From KERNEL32.DLL, it imports CreateFile and WriteFile. I also use CFF Explorer and find a .rsrc section whose virtual size is much bigger than its raw size. Combining these two clues, I think it will probably drop a file. We also see ADVAPI32.DLL, which is used to change the registry value we mentioned before. After this, it’s time to start dynamic analysis.

Dynamic analysis


I start regshot and Process Monitor now. After double-clicking the malware, we can see a msgina32.dll in the same directory, which should be the man-in-the-middle .dll in the GINA interception attack.

Regshot also shows a change to
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
So we go to this registry key and find its value is C:\msgina.dll, which is the path of the malicious .dll the file dropped. This is how it achieves GINA interception.
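The registry change above is also the simplest thing to check for when triaging a snapshot diff. The following is an added example, not code from the book or from this post: it scans diff text for the GinaDLL value and explains why each hit deserves review. The line layout (`key\value: "data"`), the function name `find_gina_changes` and the sample diff are assumptions constructed for illustration.

```python
import ntpath
import re

# Value that names a replacement GINA DLL. It does not exist on a default
# install, in which case Winlogon loads msgina.dll from System32.
GINA_VALUE = r"hklm\software\microsoft\windows nt\currentversion\winlogon\ginadll"

# Assumed layout of one diff line: <key path>\<value name>: "<data>"
LINE_RE = re.compile(r'^(?P<path>HK[^:]+?):\s*"(?P<data>.*)"\s*$', re.IGNORECASE)

# Constructed sample input (not real tool output).
SAMPLE_DIFF = r"""
Values added: 2
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL: "C:\msgina.dll"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater: "C:\tools\updater.exe"
"""


def find_gina_changes(diff_text):
    """Return (dll_path, reasons) for every GinaDLL value found in the diff."""
    findings = []
    for line in diff_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("path").lower() != GINA_VALUE:
            continue
        dll = m.group("data")
        folder = ntpath.dirname(dll).lower().rstrip("\\")
        name = ntpath.basename(dll).lower()
        in_system32 = folder.endswith(r"\system32")
        reasons = ["GinaDLL is set, so Winlogon loads this DLL instead of msgina.dll"]
        if folder and not in_system32:
            reasons.append("DLL path is outside System32")
        if name.startswith("msgina") and not (name == "msgina.dll" and in_system32):
            reasons.append("file name resembles the stock msgina.dll")
        findings.append((dll, reasons))
    return findings


if __name__ == "__main__":
    for dll, reasons in find_gina_changes(SAMPLE_DIFF):
        print(dll)
        for reason in reasons:
            print("  -", reason)
```

A hit is a lead to review rather than a verdict, because legitimate third-party GINA replacements set the same value.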

In Process Monitor, we didn’t find anything it creates except the msgina.dll. So it probably creates a file after the system reboots and writes the login information into that file.

Advanced analysis


Let’s load msgina32.dll into IDA. We will see this branch in the DllMain function.

The left side is the function that loads the original msgina.dll. We can see the code mov hModule, eax here, which stores the result so that msgina32.dll can later look up the functions it is going to call in msgina.dll, keeping the whole login process working. You can check in the exported functions of msgina32.dll that it uses this to get the addresses of the functions in msgina.dll.

So what the malicious DLL can do is change the exported functions, which means it can do something before it calls the function in msgina.dll. After searching for a while, we find that the exported function WlxLoggedOutSAS is suspicious because it contains more code than the others.

Let’s click sub_10001570, and we finally see how the .dll saves the login information.

Here is “msutil32.sys”, which looks like a driver file but is just used to save information. It is located in C:\Windows\system32, where winlogon.exe is.

So you can just log out and log back in on Windows, and you will see that the password is now in the file.

So we are nearly done with this malicious binary. You can do more if you want.

If you have any questions, you can contact me at
xudong_shao@hotmail.com