The following tables describe the file elements we found.
The original file is a UPX-packed Win32 executable file.

| Property | Value |
| --- | --- |
| Filename | whatami.exe |
| File size | 28,672 bytes |
| MD5 | F4723E35D83B10AD72EC32D2ECC61091 |
| SHA-1 | 4A1E8A976F1515CE3F7F86F814B1235B7D18A231 |
| File type | Win32 PE file – packed with UPX v3.0 |
The UPX-unpacked version gives us this new information about the file:

| Property | Value |
| --- | --- |
| Filename | whatami.exe |
| File size | 73,728 bytes |
| MD5 | 18F86337C492E834B1771CC57FB2175D |
| SHA-1 | C8601593E7DC27D97EFC29CBFF90612A265A248E |
| File type | Win32 PE file – compiled by Microsoft Visual C++ 8 |
The program maps an unknown PE file using process hollowing. This PE file contains the following information:

| Property | Value |
| --- | --- |
| File size | 53,248 bytes |
| MD5 | DD073CBC4BE74CF1BD0379BA468AE950 |
| SHA-1 | 90068FF0C1C1D0A5D0AF2B3CC2430A77EF1B7FC4 |
| File type | Win32 PE file – compiled by Microsoft Visual C++ 8 |
A file downloaded from https://raw.githubusercontent.com/PacktPublishing/Mastering-Reverse-Engineering/master/ch12/manginasal is stored on disk under the filename "unknown". Here is the file's information:

| Property | Value |
| --- | --- |
| Filename | unknown |
| File size | 3,008 bytes |
| MD5 | 05213A14A665E5E2EEC31971A5542D32 |
| SHA-1 | 7ECCD8EB05A31AB627CDFA6F3CFE4BFFA46E01A1 |
| File type | Unknown file type |
The unknown file was decrypted and stored under the filename "imagine", with the following file information:

| Property | Value |
| --- | --- |
| Filename | imagine |
| File size | 3,007 bytes |
| MD5 | 7AAF7D965EF8AEE002B8D72AF6855667 |
| SHA-1 | 4757E071CA2C69F0647537E5D2A6DB8F6F975D49 |
| File type | PNG file type |
To recap what behaviors it executed, here is a step-by-step process:
- Displays a message box: "How did you get here?"
- Decrypts a PE image from the resource section
- Uses process hollowing to replace "calc" with a decrypted PE image
- Displays a message box: "Learning reversing is fun. For educational purposes only. This is not a malware."
- Sleeps for 5 minutes
- Checks the connection to the "mcdo.thecyberdung.net:9999" server
- Downloads the file from raw.githubusercontent.com
- Decrypts the downloaded file and writes the result to a PNG image file
- Retrieves the default internet browser path
- Displays the PNG image file using the default internet browser
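As an added triage example (not code from the book or from the analyzed sample), the script below turns the tables above into a small checker: it computes the MD5/SHA-1 pair of a file's bytes and looks it up against the hashes listed in this report, parses the PE section table to flag the `UPX0`/`UPX1` section names that a UPX-packed binary carries, and checks for the PNG signature that the decrypted "imagine" file should start with. The `build_fake_pe` helper and the sample inputs are constructed here for an offline run; the section-name heuristic is a common UPX indicator, not something the report itself states.

```python
import hashlib
import struct

# Hash pairs copied from the report's tables (lower-cased hex), keyed by a label.
KNOWN_FILES = {
    "whatami.exe (UPX-packed)": (
        "f4723e35d83b10ad72ec32d2ecc61091",
        "4a1e8a976f1515ce3f7f86f814b1235b7d18a231",
    ),
    "whatami.exe (UPX-unpacked)": (
        "18f86337c492e834b1771cc57fb2175d",
        "c8601593e7dc27d97efc29cbff90612a265a248e",
    ),
    "hollowed PE image": (
        "dd073cbc4be74cf1bd0379ba468ae950",
        "90068ff0c1c1d0a5d0af2b3cc2430a77ef1b7fc4",
    ),
    "unknown (downloaded file)": (
        "05213a14a665e5e2eec31971a5542d32",
        "7eccd8eb05a31ab627cdfa6f3cfe4bffa46e01a1",
    ),
    "imagine (decrypted PNG)": (
        "7aaf7d965ef8aee002b8d72af6855667",
        "4757e071ca2c69f0647537e5d2a6db8f6f975d49",
    ),
}

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def hashes(data: bytes) -> tuple:
    """Return the (md5, sha1) hex pair the report's tables use for each file."""
    return hashlib.md5(data).hexdigest(), hashlib.sha1(data).hexdigest()


def match_known(data: bytes):
    """Return the report label whose MD5 and SHA-1 both match, or None."""
    md5, sha1 = hashes(data)
    for label, (known_md5, known_sha1) in KNOWN_FILES.items():
        if md5 == known_md5 and sha1 == known_sha1:
            return label
    return None


def pe_section_names(data: bytes) -> list:
    """Parse the PE section table and return the section names (empty if not a PE)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF header: NumberOfSections at +6, SizeOfOptionalHeader at +20.
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    names = []
    for i in range(num_sections):
        off = table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data: bytes) -> bool:
    """UPX names its sections UPX0/UPX1 by default; a cheap packer indicator."""
    return any(name.startswith("UPX") for name in pe_section_names(data))


def is_png(data: bytes) -> bool:
    """True if the bytes start with the PNG file signature."""
    return data.startswith(PNG_SIGNATURE)


def build_fake_pe(section_names: list) -> bytes:
    """Constructed minimal PE header (no optional header, no code) for offline tests."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 64)  # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x0102)
    sections = b"".join(
        name.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for name in section_names
    )
    return dos + b"PE\0\0" + coff + sections


def triage(data: bytes) -> dict:
    """Summarise what the checks above say about one blob of bytes."""
    md5, sha1 = hashes(data)
    return {
        "md5": md5,
        "sha1": sha1,
        "known_as": match_known(data),
        "upx_packed": looks_upx_packed(data),
        "png": is_png(data),
    }


if __name__ == "__main__":
    # Constructed samples only; replace with open(path, "rb").read() in practice.
    print(triage(build_fake_pe(["UPX0", "UPX1", ".rsrc"])))
    print(triage(PNG_SIGNATURE + b"\0" * 16))
```

Run it against the five files from the report to confirm they hash as listed; a `known_as` of `None` on a file that is supposed to match means you are looking at a different build or a modified copy.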