To get the filename, file size, hashes, file type, and other information about the file, we will use CFF Explorer. When opening the file in CFF Explorer, we might encounter an error message, as can be seen in the following screenshot:
This error is caused by the virus protection feature of MS Windows. Since we are in a sandboxed environment (a virtualized guest), it should be okay to disable it. Disabling this feature in a production environment exposes the computer to compromise by malware.
To disable this feature in Windows, select Start->Settings->Windows Security->Virus & threat protection->Virus & threat protection settings. Then turn off Real-time protection. You might as well also turn off Cloud-delivered protection and Automatic sample submission, so that no security setting blocks activities that the program under analysis might perform.
The following screenshot shows Real-time protection disabled:
Opening the file with CFF Explorer reveals a lot of information, including packer identification: the file is UPX packed:
From the preceding result, we can tabulate the following file information:
| Field | Value |
| --- | --- |
| Filename | whatami.exe |
| File size | 28,672 bytes |
| MD5 | F4723E35D83B10AD72EC32D2ECC61091 |
| SHA-1 | 4A1E8A976F1515CE3F7F86F814B1235B7D18A231 |
| File type | Win32 PE file – packed with UPX v3.0 |
We will have to download the UPX tool and try to decompress the file. The UPX tool can be downloaded from https://upx.github.io/. Using UPX, decompress the file with the "-d" option, as follows:
upx -d whatami.exe
The result after decompressing the file, demonstrated as follows, tells us that the file originally had a size of 73,728 bytes:
So, if we re-open the file in CFF Explorer, our file information table now reads as follows:
| Field | Value |
| --- | --- |
| Filename | whatami.exe |
| File size | 73,728 bytes |
| MD5 | 18F86337C492E834B1771CC57FB2175D |
| SHA-1 | C8601593E7DC27D97EFC29CBFF90612A265A248E |
| File type | Win32 PE file – compiled by Microsoft Visual C++ 8 |
Let's see what notable strings we can find using Sysinternals' Strings tool. Strings is a command-line tool: pass the filename as its argument and redirect the output to a file. Here is how we use it:
strings.exe whatami.exe > filestrings.txt
After removing noisy strings and text that is not relevant, we are left with the following:
!This program cannot be run in DOS mode.
Rich
.text
`.rdata
@.data
.rsrc
hey
how did you get here?
calc
ntdll.dll
NtUnmapViewOfSection
KERNEL32.DLL
MSVCR80.dll
USER32.dll
Sleep
FindResourceW
LoadResource
LockResource
SizeofResource
VirtualAlloc
FreeResource
IsDebuggerPresent
ExitProcess
CreateProcessA
GetThreadContext
ReadProcessMemory
GetModuleHandleA
GetProcAddress
VirtualAllocEx
WriteProcessMemory
SetThreadContext
ResumeThread
GetCurrentProcess
GetSystemTimeAsFileTime
GetCurrentProcessId
GetCurrentThreadId
GetTickCount
QueryPerformanceCounter
SetUnhandledExceptionFilter
TerminateProcess
GetStartupInfoW
UnhandledExceptionFilter
InterlockedCompareExchange
InterlockedExchange
_XcptFilter
exit
_wcmdln
_initterm
_initterm_e
_configthreadlocale
__setusermatherr
_adjust_fdiv
__p__commode
__p__fmode
_encode_pointer
__set_app_type
_crt_debugger_hook
?terminate@@YAXXZ
_unlock
__dllonexit
_lock
_onexit
_decode_pointer
_except_handler4_common
_invoke_watson
_controlfp_s
_exit
_cexit
_amsg_exit
??2@YAPAXI@Z
memset
__wgetmainargs
memcpy
UpdateWindow
ShowWindow
CreateWindowExW
RegisterClassExW
LoadStringW
MessageBoxA
WHATAMI
t<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
<dependency>
<dependentAssembly>
<assemblyIdentity type="win32" name="Microsoft.VC80.CRT" version="8.0.50727.6195" processorArchitecture="x86" publicKeyToken="1fc8b3b9a1e18e3b"></assemblyIdentity>
</dependentAssembly>
</dependency>
</assembly>PAD
We highlighted a number of text strings. As a result, we may expect a number of messages to pop up via the MessageBoxA function. With APIs such as LoadResource and LockResource, we may also encounter code that processes data taken from the resource section. The presence of CreateProcessA together with ResumeThread suggests that a process may be created in a suspended state and resumed later. Anti-debugging may also be expected, given the IsDebuggerPresent API. The program may have been compiled with GUI-based code, since it imports CreateWindowExW and RegisterClassExW, but we do not see the window messaging loop functions: GetMessage, TranslateMessage, and DispatchMessage.
All these are just assumptions that we can confirm or reject through further analysis. Now, let's try deadlisting the file using IDA Pro.
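The reasoning above (grouping the imported API names into behaviours and noticing that window-creation APIs appear without a message loop) can be mechanized. The following is an added example, not code from the book or from Sysinternals; it mimics what strings.exe does on a constructed byte sample standing in for whatami.exe, then triages the result. The indicator groups and the minimum string length of 3 are assumptions.

```python
import re

# Constructed stand-in for the bytes of a PE such as whatami.exe (NOT the
# real file): just enough ASCII and UTF-16LE runs to exercise the scanner.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"!This program cannot be run in DOS mode.\r\n\x00"
    + b"hey\x00how did you get here?\x00calc\x00ntdll.dll\x00NtUnmapViewOfSection\x00"
    + b"IsDebuggerPresent\x00CreateProcessA\x00VirtualAllocEx\x00WriteProcessMemory\x00"
    + b"SetThreadContext\x00ResumeThread\x00LoadResource\x00LockResource\x00"
    + b"MessageBoxA\x00CreateWindowExW\x00RegisterClassExW\x00\x00"
    + "WHATAMI".encode("utf-16-le") + b"\x00\x00"
)

# Assumed API groups, mirroring the observations drawn from the strings output.
INDICATORS = {
    "message boxes": {"MessageBoxA", "MessageBoxW"},
    "resource-section data": {"FindResourceW", "LoadResource", "LockResource", "SizeofResource"},
    "suspended process / remote memory": {"CreateProcessA", "CreateProcessW", "NtUnmapViewOfSection",
                                          "VirtualAllocEx", "WriteProcessMemory",
                                          "SetThreadContext", "ResumeThread"},
    "anti-debugging": {"IsDebuggerPresent"},
    "GUI window setup": {"CreateWindowExW", "RegisterClassExW"},
}
# Window message loop APIs; their absence next to window-creation APIs is notable.
MESSAGE_LOOP = {"GetMessageA", "GetMessageW", "TranslateMessage",
                "DispatchMessageA", "DispatchMessageW"}


def extract_strings(data: bytes, min_len: int = 3) -> list[str]:
    """Like strings.exe: printable ASCII and UTF-16LE runs of at least min_len chars."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def triage(strings: list[str]) -> tuple[dict[str, list[str]], bool]:
    """Group API names by behaviour and flag GUI setup that lacks a message loop."""
    present = set(strings)
    hits = {cat: sorted(present & apis) for cat, apis in INDICATORS.items() if present & apis}
    gui_without_loop = "GUI window setup" in hits and not (present & MESSAGE_LOOP)
    return hits, gui_without_loop


if __name__ == "__main__":
    found, no_loop = triage(extract_strings(SAMPLE))
    for category, apis in found.items():
        print(f"{category}: {', '.join(apis)}")
    print("window APIs present but no message loop:", no_loop)
```

Run against the real filestrings.txt, the same triage function takes the file's lines as its input list.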