How the Malware Analysis Appliance (MAA) analyzes DLL files

Article ID: 168427

Products

Malware Analysis Software - MA

Issue/Introduction

This article explains how to analyze DLL files using the rundll32 iVM plugin.

Resolution

Step 1: Import the rundll32 plugin
  1. Import the rundll32.py MAA plugin and verify that it is available for tasks.
  2. Log in to your MAA appliance using SSH as the g2 user.
  3. Run this command to import the plugin:
     $ python /opt/mag2/github/Malware-Analyzer-G2/utilities/mag2.py import-ivm-plugin /opt/mag2/github/Malware-Analyzer-G2/ivm_plugins/bluecoat/rundll32.py
  4. The output should read: imported rundll32.py as sample resource id XXX
  5. Verify that the plugin has imported correctly by creating a new task and opening the Plugins tab.

Step 2: Run the DLL sample in the SBX or iVM with default options and determine which EXPORTS (entry points) the submitted sample provides.

This step can be completed in lieu of performing manual analysis on the file. Note: In most cases, SBX execution takes just a few seconds and is much faster than invoking manual analysis. Once analysis has completed, select View Static Event List from the report.

Exports
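The export enumeration of Step 2 can also be done statically, by walking the PE export directory of the DLL. The following Python script is an added example (not part of this article or of the MAA plugin): dll_exports() returns each named export with its ordinal, and build_test_dll() constructs a minimal PE32 image inline as test input, since no sample is bundled here; all function names are the example's own.

```python
import struct

def _rva_to_off(rva, sections):
    # Map an RVA to a file offset through the section table (sections are raw header tuples).
    for vsize, vaddr, raw_size, raw_ptr in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA %#x is not backed by any section" % rva)

def dll_exports(data):
    """Return [(ordinal, name), ...] for every named export in a PE32/PE32+ DLL image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                # optional header follows the COFF header
    dd = opt + (96 if struct.unpack_from("<H", data, opt)[0] == 0x10B else 112)   # data dirs: PE32 / PE32+
    exp_rva = struct.unpack_from("<I", data, dd)[0]              # data directory 0 = export table
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    if exp_rva == 0:
        return []                                                # no export table: nothing for rundll32 to call
    ed = _rva_to_off(exp_rva, sections)
    base, _, nnames, _, names_rva, ords_rva = struct.unpack_from("<IIIIII", data, ed + 16)
    names_off, ords_off = _rva_to_off(names_rva, sections), _rva_to_off(ords_rva, sections)
    out = []
    for i in range(nnames):
        s = _rva_to_off(struct.unpack_from("<I", data, names_off + 4 * i)[0], sections)
        idx = struct.unpack_from("<H", data, ords_off + 2 * i)[0]   # index into AddressOfFunctions
        out.append((base + idx, data[s:data.index(b"\0", s)].decode("ascii", "replace")))
    return out

def build_test_dll(names, base=1):
    """Constructed test input: a minimal PE32 DLL whose single section holds only an export table."""
    n, sec_rva, sec_off = len(names), 0x1000, 0x200
    funcs, namesr, ords = sec_rva + 40, sec_rva + 40 + 4 * n, sec_rva + 40 + 8 * n
    strings, name_rvas = b"sample.dll\0", []
    for nm in names:
        name_rvas.append(ords + 2 * n + len(strings))
        strings += nm.encode() + b"\0"
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, ords + 2 * n, base, n, n, funcs, namesr, ords)
    edata += struct.pack("<%dI" % n, *(0x2000 + 16 * i for i in range(n)))        # fake code RVAs
    edata += struct.pack("<%dI" % n, *name_rvas) + struct.pack("<%dH" % n, *range(n)) + strings
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                            # e_lfanew = 0x40
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)    # i386, 1 section, DLL
    hdr += struct.pack("<H", 0x10B) + b"\0" * 94 + struct.pack("<II", sec_rva, len(edata)) + b"\0" * 120
    hdr += b".edata\0\0" + struct.pack("<IIIIIIHHI", len(edata), sec_rva, len(edata), sec_off, 0, 0, 0, 0, 0x40000040)
    return hdr + b"\0" * (sec_off - len(hdr)) + edata
```

Each name returned is a candidate value for the export field in Step 3; a DLL with no export table yields an empty list, which tells you rundll32 has no named entry point to call.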
 
Step 3: Pick the DLL export you want to invoke with the rundll32.py plugin and create a new task.

When creating a new task with the DLL, select the Advanced Options tab. Enter the chosen export and optional arguments using this syntax: {SAMPLE.EN_US}, export [optional arguments]

Examples:
execargs

Select the rundll32 plugin from the Plugins tab.
