Malware Analysis & Reverse Engineering (Case Study)



Summary of Findings 

  • Testbook3.xlsm.mlw: 64f129da1ab476723f147ec9ad92ad0d
  • Malware creation Date: 2017-04-24 01:53:22Z
  • Malware Type: Downloader Trojan

VirusTotal returned 27/57 detections flagging the file as malicious. This dropper steals username and password information from the SAM database of the victim. This is evidenced by API calls made using SAMSRV.DLL. The stolen data is then sent across an encrypted communications link using SSLv2 encryption.

The malware begins to enumerate SAM hashes from the SAM database and encrypts them before transmitting the stolen data. The malware makes use of several APIs in this process including: crypt32.dll, bcrypt.dll, ncrypt.dll, cryptdll.dll, secure32.dll. 

In the graphic below, Wireshark shows us that after a successful three-way handshake the dropper loads a Portable Executable file onto the victim host, as indicated on line 5 and the “MZ” identified in the hex section below. After the dropper has been successfully downloaded the malware establishes an encrypted connection using SSLv2, as indicated on line 12.


Volatility displays suggested Operating System profile types using the imageinfo option.


PSLIST identifies the suspected Notepad.exe as process 3860.



A close observation, in the snapshot above, reveals that the Parent Process ID (PPID) of 2624, which is EXCEL.EXE, spawned the Notepad.exe process of 3860.


This is an unusual transaction that leads us to believe the EXCEL.EXE file contains malware. Another indicator of compromise (IOC) is the fact that EXCEL.EXE is still in the “active” list, as seen in the snapshot above, even though the process has terminated.


Additionally, the two processes “system” and “smss.exe”, as seen above, have missing session IDs because the system started them prior to any session being established. The actual session manager is the smss.exe process. At any rate, we know that it’s not normal for Excel to launch Notepad. This is an indication that the malware author intended to deceive its victim into believing they were launching an Excel spreadsheet attachment when in fact they weren’t.
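To make the two process-tree indicators discussed above checkable on a fresh image, here is an added Python example (not part of the original write-up) that parses Volatility 2 `pslist` output and flags an Office parent spawning a child, and a process that is still listed despite carrying an exit time. The `pslist` rows, offsets, counts and timestamps are constructed for the example; only PIDs 2624 (EXCEL.EXE) and 3860 (notepad.exe) come from the case.

```python
import re

# Constructed sample in the layout of Volatility 2 `pslist` output. Only the
# PIDs 2624 and 3860 are from the case; everything else is made up.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x8a4c5830 System                    4      0     55      250 ------      0
0x88f2a020 smss.exe                364      4      3       19 ------      0 2017-04-24 01:50:02 UTC+0000
0x89c1d8b0 explorer.exe           1564   1500     21      610      1      0 2017-04-24 01:51:10 UTC+0000
0x8921e6f0 EXCEL.EXE              2624   1564      0 --------      1      0 2017-04-24 01:53:22 UTC+0000   2017-04-24 01:53:40 UTC+0000
0x890a7d40 notepad.exe            3860   2624      5      120      1      0 2017-04-24 01:53:30 UTC+0000
"""

# One pslist row: offset, name, PID, PPID, threads, handles, session, wow64,
# then optional start and exit timestamps.
ROW = re.compile(
    r"^0x[0-9a-f]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+\d+\s+\S+\s+\S+\s+\d+"
    r"(?:\s+(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+))?"
    r"(?:\s+(?P<exit>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+))?"
)

# Office applications that normally have no business launching other executables.
OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}


def parse_pslist(text: str) -> dict:
    """Map PID -> {name, ppid, start, exit} for every process row in the output."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m["pid"])] = {"name": m["name"], "ppid": int(m["ppid"]),
                                    "start": m["start"], "exit": m["exit"]}
    return procs


def find_iocs(procs: dict) -> list:
    """Return the two indicators from the case study: an Office parent that
    spawned a child, and a process that has exited but is still in the list."""
    findings = []
    for pid, p in procs.items():
        parent = procs.get(p["ppid"])
        if parent and parent["name"].lower() in OFFICE:
            findings.append(f"{parent['name']} ({p['ppid']}) spawned {p['name']} ({pid})")
        if p["exit"]:
            findings.append(f"{p['name']} ({pid}) exited at {p['exit']} but is still in the active list")
    return findings


if __name__ == "__main__":
    for finding in find_iocs(parse_pslist(PSLIST_SAMPLE)):
        print("IOC:", finding)
```

Feed it the text of `vol.py -f <image> --profile=<profile> pslist` to run the same two checks against a real memory image.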

There are many suspicious API calls made by Notepad.exe as seen below.


Process 3860 Notepad.exe makes a number of unnecessary and suspicious API calls that include processes for encryption, Internet communications, and SAM database access.


Memory location 0x580000 contained an executable that is not registered in the PEB module list, which is what caused it to be detected in this case.


Upon further examination of the memory dump for memory location 0x580000, we can see that it is a PE file that’s suspect.



Strings output below revealed many areas of concern in regards to API calls that go far beyond the requirements of a built-in text editor with the most suspicious being crypt strings and registry enumeration activities.


There are numerous SAM database enumeration activities going on, as indicated by the strings output. We can see the malware accessing the SAM database below.


The metsrv.dll isn’t a registered DLL. This malware uses Meterpreter to create a reverse shell to any specified listeners providing the attacker with remote access capabilities.


The GETSIDS command shows the security identifiers associated with a specific process.


As seen below, both the parent process of Excel and its associated child process of Notepad have escalated privileges of “High Mandatory Level”. With escalated privileges, the malware has more command and control over the victim host, providing it with the ability to gain access, enumerate, encrypt, and transmit the stolen SAM hashes across the pre-established SSLv2 encrypted communications link.




