Report Scan 32  -  Analysis of RADA.EXE (THE BINARY) (Malware)

Author: Ronald Romero email: [email protected] - Venezuela

Table of Contents


1.- Reception of Evidence To analyze

2.- Used Hardware and Software.

3.- Compilation of Information.

4.- Analysis of the collected Data.

4.1.- Decompiling the Executable

4.1.1.- Tools required

4.1.2.- Initial Inspection

4.1.3.- Determining Binary Protection

4.1.4.- Disassembling.

4.1.5.- Decompilation

4.2.- Analysing Information generated by the Binary.

5.- Answers



This is an analysis of the RADA.EXE binary for the Honeynet Project's September challenge (Scan of the Month 32). It is a technical analysis and assumes the reader has prior programming experience, but not necessarily experience in the field of reverse engineering.


This analysis is structured in five sections.

The first section covers the handling of the evidence of the case published by the Honeynet Project and describes the procedure for receiving and authenticating the digital evidence. The second section describes the hardware and software used throughout the analysis. The third section covers the collection of the information generated by executing the binary in a controlled environment under real-time monitoring programs, for later analysis in the fourth section, where the binary is also decompiled using reverse-engineering techniques, down to the reconstruction of the project with its forms and the assembly code of the functions it executes.

The report finishes with the answers to the questions posed by Scan 32.


1.- Reception of Evidence To analyze


This month's challenge is to analyze a home-made malware binary.

The binary is published on the challenge web page in the file

I downloaded it and verified the checksum with the programs Md5Sum and WinHex:



A75DE27EE59AB60E148EFE7FEEE5DD3F  WinHex

A75DE27EE59AB60E148EFE7FEEE5DD3F (Checksum WEB)


The binary is a Windows PE (Portable Executable) file.

With Windows 95/NT, a new executable file type was required. Thus was born the "PE" Portable Executable, which is still in use. Unlike its predecessors, Win32 PE is a true 32-bit file format, supporting relocatable code. It does distinguish between TEXT, DATA, and BSS.

2.- Used Hardware and Software.

The following resources were used for the analysis of the binary:


- Computer PIV 2.26 GHz, 1 GB RAM, HD 40 GB and HD 10 GB
- Monitor 17”
- USB Data Travel 256 MB
- USB Storage HD 20 GB
- Switch 10/100

- Windows XP SP1
- MS Office 2003
- WinHex 11.5
- Regmon (Sysinternals tool)
- Filemon (Sysinternals tool)
- TDIMon (Sysinternals tool)
- ProcessXP (Sysinternals tool)
- BinText (Foundstone)
- Netcat
- IDA 4.50
- VB Decompiler
- UPX (Ultimate Packer for eXecutables)
- WinCap 3.1
- Ethereal
- VMware Workstation 4.5
- Dependency Walker


3.- Compilation of Information.


I set up a VMware workstation for gathering and monitoring the data generated by executing the binary. In it I installed Windows XP with MS Office 2003 as the base platform for the tests.

After completing the installation and configuration, I proceeded to capture data in real time while the binary executed. Filemon was started to monitor file-level disk I/O operations, Regmon to monitor registry operations, TDIMon to monitor accesses to the network interface, and Ethereal to capture the incoming and outgoing packets of the various protocols (IP, TCP, UDP, ARP, etc.). I also took a dump of RAM with WinHex 11.5 for later analysis.

The data obtained were stored directly on the USB storage HD. After finishing the collection of the information generated by these programs, I proceeded to analyze it.

4.- Analysis of the collected Data.

4.1.- Decompiling the Executable


The information compiled in section three will be taken as the starting point for the arduous task of extracting the elements that answer all the unknowns about the analyzed binary.


4.1.1.- Tools required

Standard Windows development environment including:

- Windows XP SP1
- MS Office 2003
- WinHex 11.5
- BinText (Foundstone)
- Netcat
- IDA 4.50
- VB Decompiler
- UPX
- WinCap 3.1
- Ethereal
- VMware Workstation 4.5
- Dependency Walker

Patience and perseverance are useful and very important factors.


4.1.2.- Initial Inspection

For the initial inspection we will use the logs obtained in section three, where we executed the binary in a controlled environment to observe its behaviour.

Taking advantage of the RAM dump, we analyzed it with the BinText tool and found a lot of important information that identifies the environment in which the binary was developed.


File pos   Mem pos      ID   Text
========   =======      ==   ====

0000004D   0040004D      0   !This program is the binary of SotM 32..
000001B8   004001B8      0   .text
000001E0   004001E0      0   .data
00000208   00400208      0   .rsrc

00002378   00402378      0   Form1
00002380   00402380      0   Module1
00002654   00402654      0   Command_install
00002674   00402674      0   You can learn a lot playing funny security challenges
000026DC   004026DC      0   Command_usage
000026EC   004026EC      0   Command_exit
000026FC   004026FC      0   Command_conf
0000271C   0040271C      0   Label1
00002724   00402724      0   Label2
0000272C   0040272C      0   Label3
00002734   00402734      0   Command_go
00002740   00402740      0   Command_uninstall
0000278C   0040278C      0   user32
00002798   00402798      0   keybd_event
000027DC   004027DC      0   kernel32
000027EC   004027EC      0   Sleep
0000289C   0040289C      0   VBA6.DLL

00003D96   00403D96      0   Form1
00003DBA   00403DBA      0   Command_uninstall
00003DD0   00403DD0      0   Uninstall
00003DF2   00403DF2      0   MS Sans Serif
00003E08   00403E08      0   Command_install
00003E1C   00403E1C      0   Install
00003E3C   00403E3C      0   MS Sans Serif
00003E52   00403E52      0   Command_exit
00003E80   00403E80      0   MS Sans Serif
00003E96   00403E96      0   Command_usage
00003EA8   00403EA8      0   Show usage
00003ECB   00403ECB      0   MS Sans Serif
00003EE1   00403EE1      0   Command_conf
00003EF2   00403EF2      0   Show config
00003F16   00403F16      0   MS Sans Serif
00003F2C   00403F2C      0   Command_go
00003F59   00403F59      0   MS Sans Serif
00003F6F   00403F6F      0   Label3
00003F7A   00403F7A      0   (c) Raul Siles && David Perez
00003FB2   00403FB2      0   Comic Sans MS
00003FC8   00403FC8      0   Label2
00003FD3   00403FD3      0   SotM 32 - September 2004
00004006   00404006      0   Comic Sans MS
0000401C   0040401C      0   Label1
00004046   00404046      0   Comic Sans MS

0000B86C   0040B86C      0   MSVBVM60.DLL

00001A3F   00401A3F      0   @*\ASecurity through obscurity is the key.
00002394   00402394      0   v0.22
000023A4   004023A4      0
000023D8   004023D8      0   RaDa_commands.html
00002404   00402404      0   cgi-bin
00002418   00402418      0   download.cgi
00002438   00402438      0   upload.cgi
00002454   00402454      0   C:\RaDa\tmp
00002470   00402470      0   filename
00002488   00402488      0   HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
00002504   00402504      0   REG_SZ
00002518   00402518      0   C:\RaDa\bin
00002534   00402534      0   RaDa.exe
0000254C   0040254C      0   HKLM\Software\VMware, Inc.\VMware Tools\InstallPath
000025B8   004025B8      0   Starting DDoS Smurf remote attack...
00002830   00402830      0   Visible
00002844   00402844      0   --period
0000292C   0040292C      0   --gui
0000294C   0040294C      0   Scripting.FileSystemObject
000029A8   004029A8      0   Wscript.Shell
000029C4   004029C4      0   RegWrite
000029D8   004029D8      0   RegRead
000029E8   004029E8      0   RegDelete
00002A18   00402A18      0   http://192.168.
00002A3C   00402A3C      0   http://172.16.
00002A60   00402A60      0   http://10.
00002A84   00402A84      0   InternetExplorer.Application
00002AC0   00402AC0      0   ToolBar
00002AD0   00402AD0      0   StatusBar
00002AE4   00402AE4      0   Width
00002AF0   00402AF0      0   Height
00002B04   00402B04      0   about:blank
00002B1C   00402B1C      0   navigate
00002B3C   00402B3C      0   Document
00002B50   00402B50      0   Forms
00002B5C   00402B5C      0   elements
00002B88   00402B88      0   Value
00002BB0   00402BB0      0   screenshot
00002BCC   00402BCC      0   sleep
00002BD8   00402BD8      0   Application
00002C00   00402C00      0   RaDa
00002C1C   00402C1C      0   Scan Of The Month 32 (SotM) - September 2004
00002C7C   00402C7C      0   --cgiput
00002C94   00402C94      0   --tmpdir
00002CAC   00402CAC      0
00002D04   00402D04      0   Copyright (C) 2004 Raul Siles & David Perez
00002D60   00402D60      0   <TITLE>RaDa Usage</TITLE>
00002D98   00402D98      0   <pre>
00002DA8   00402DA8      0   </pre>
00002DC4   00402DC4      0   Write
00002DD4   00402DD4      0   --verbose
00002DEC   00402DEC      0   --visible
00002E04   00402E04      0   --server
00002E1C   00402E1C      0   --commands
00002E38   00402E38      0   --cgipath
00002E50   00402E50      0   --cgiget
00002E68   00402E68      0   --cycles
00002E80   00402E80      0   --help
00002E94   00402E94      0   --installdir
00002EB4   00402EB4      0   --noinstall
00002ED0   00402ED0      0   --uninstall
00002EEC   00402EEC      0   --authors
00002F04   00402F04      0   Unknown argument:
00002F30   00402F30      0   <TITLE>RaDa Current Configuration</TITLE>
00002F88   00402F88      0   COMSPEC
00002FAC   00402FAC      0   ---------------------------0123456789012
00003000   00403000      0   AppendChunk
00003018   00403018      0   GetChunk
00003034   00403034      0   Content-Disposition: form-data; name="
00003090   00403090      0   Submit
000030A4   004030A4      0   Submit Form
000030CC   004030CC      0   Content-Type: multipart/form-data; boundary=
00003134   00403134      0   innerText
0000314C   0040314C      0   Error
0000315C   0040315C      0   application/upload
00003188   00403188      0   ADODB.Recordset
000031B0   004031B0      0   Fields
000031C0   004031C0      0   Append
000031D0   004031D0      0   AddNew
000031E8   004031E8      0   Update
000031F8   004031F8      0   Close
00003204   00403204      0   innerHTML
0000321C   0040321C      0   Content-Disposition: form-data; name="{field}";
00003280   00403280      0    filename="{file}"
000032AC   004032AC      0   Content-Type: {ct}
000032D8   004032D8      0   {field}
000032EC   004032EC      0   {file}
00003310   00403310      0   ADODB.Stream
00003338   00403338      0   LoadFromFile
00003364   00403364      0   Upload file using http And multipart/form-data
000033C8   004033C8      0   Copyright (C) 2001 Antonin Foller, PSTRUH Software
00003440   00403440      0   [cscript|wscript] fupload.vbs file url [fieldname]
000034AC   004034AC      0     file ... Local file To upload
000034F8   004034F8      0   winmgmts:\\
00003514   00403514      0   \root\cimv2
00003530   00403530      0     url ... URL which can accept uploaded data
00003590   00403590      0     fieldname ... Name of the source form field.
00003600   00403600      0   This script requires some objects installed To run properly.
0000369C   0040369C      0   Error:
000036BC   004036BC      0   begin
000036FC   004036FC      0   SELECT * FROM Win32_NetworkAdapterConfiguration WHERE IPEnabled = True
0000378C   0040378C      0   ExecQuery
000037A0   004037A0      0   MACAddress
000037BC   004037BC      0   00:0C:29:
000037D4   004037D4      0   00:50:56:
000037EC   004037EC      0   00:05:69:
00003804   00403804      0   Authors: Raul Siles & David Perez, 2004
0000C097   0040C097      0   @*\ASecurity through obscurity is the key.
0000D9AA   0040D9AA      0   VS_VERSION_INFO
0000DA06   0040DA06      0   StringFileInfo
0000DA2A   0040DA2A      0   040904B0
0000DA42   0040DA42      0   CompanyName
0000DA5C   0040DA5C      0   Malware



The complete file is attached to this document.


Analyzing this information we can say that the binary was developed in Microsoft Visual Basic 6, since it uses the MSVBVM60.DLL library (Microsoft Visual Basic 6 virtual machine); in addition, it is made up of a form called Form1 and a module called Module1. We also have information on the probable authors of the binary (Authors: Raul Siles & David Perez, 2004) and a list of the arguments it accepts.


It should be emphasized that this file contains much more information, which we will use further on.


4.1.3.- Determining Binary Protection

After analyzing the content of the RAM dump, we still had to look at the content of the file itself to detect whether it is protected by some tool. WinHex 11.5 was used for this, and we noticed that the file header contained no reference to the .text and .data sections, apart from the text “This program is the binary of SotM 32”, which seemed quite suspicious for text generated by a compiler or tool. Continuing the analysis, we found the word “JDR” at offsets 0000086, 00000Ç7 and 000003CF, the header being similar to the one generated by the UPX program (Ultimate Packer for eXecutables), except that where UPX writes “UPX” this program had “JDR”, and in place of the first text UPX places “This must be run under Win32”. Given this, the texts “JDR” were changed back to “UPX” and then the command “upx -d rada.exe” was executed, as the figure shows.
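To make the packer check described above repeatable, here is an added example (my own code, not part of the original report or of the RaDa binary) that parses a PE section table and applies the UPX-layout heuristic the report relied on, independent of whether the tag still reads UPX. The sample PE header is constructed inline with an assumed JDR0/JDR1/.rsrc layout and invented sizes; the real binary's offsets are not reproduced.

```python
import struct

# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HDR_FMT = "<8sIIIIIIHHI"
SECTION_HDR_SIZE = struct.calcsize(SECTION_HDR_FMT)


def parse_sections(pe):
    """Walk the PE headers and return [(name, virtual_size, raw_size), ...]."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]  # SizeOfOptionalHeader
    first = coff + 20 + opt_size                           # section table follows
    out = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HDR_FMT, pe, first + i * SECTION_HDR_SIZE)
        name = fields[0].rstrip(b"\0").decode("latin-1")
        out.append((name, fields[1], fields[3]))
    return out


def packer_findings(sections):
    """Heuristics for a UPX-style layout, independent of the literal 'UPX' tag.

    UPX leaves two sections named <TAG>0 and <TAG>1: the first is the empty
    area the stub unpacks into (no raw data, large virtual size), the second
    holds the compressed image. A renamed tag (such as JDR) keeps that shape.
    """
    names = [s[0] for s in sections]
    findings = []
    if not any(n in (".text", ".data") for n in names):
        findings.append("no .text/.data section in the section table")
    if len(sections) >= 2:
        n0, n1 = names[0], names[1]
        if len(n0) == 4 and len(n1) == 4 and n0[:3] == n1[:3] and n0[3] == "0" and n1[3] == "1":
            tag = n0[:3]
            findings.append("UPX-style section pair with tag %s" % tag)
            if tag != "UPX":
                findings.append("packer tag renamed from UPX to %s" % tag)
        if sections[0][2] == 0 and sections[0][1] > 0:
            findings.append("first section has zero raw size but non-zero virtual size (unpack area)")
    return findings


def build_sample(tag=b"JDR"):
    """Construct a minimal synthetic PE header with a UPX-style section table.

    Only headers are built (no code); the JDR tag mirrors what this report
    found, while the section sizes are invented for the example.
    """
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew: PE sig right after DOS header
    opt = bytes(224)                                     # PE32 optional header, left zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, len(opt), 0x010F)
    table = [
        (tag + b"0", 0x8000, 0x1000, 0x0000, 0x0400),    # unpack area: no raw data on disk
        (tag + b"1", 0x3000, 0x9000, 0x2A00, 0x0400),    # compressed image plus stub
        (b".rsrc",   0x1000, 0xC000, 0x0600, 0x2E00),    # resources kept unpacked
    ]
    hdrs = b"".join(
        struct.pack(SECTION_HDR_FMT, n.ljust(8, b"\0"), vs, va, rs, rp, 0, 0, 0, 0, 0xE0000080)
        for n, vs, va, rs, rp in table
    )
    return bytes(dos) + b"PE\0\0" + coff + opt + hdrs


if __name__ == "__main__":
    sample = build_sample()
    for name, vsize, rsize in parse_sections(sample):
        print("%-8s vsize=%08X rawsize=%08X" % (name, vsize, rsize))
    for finding in packer_findings(parse_sections(sample)):
        print("finding:", finding)
```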



4.1.4.- Disassembling.


Now that the program is unpacked and we have the original binary, we will use the IDA 4.50 tool to disassemble it.

We will start with the disassembly of the executable obtained so far.

List of Names

List of Symbols


4.1.5.- Decompilation / Analysis

Knowing the application with which the binary was developed, we used the VB Decompiler tool (VBde.exe); with it we obtained the RADA.vbp file, Form1.frm and the list with the location of the procedures related to Form1.



Next we have the list of functions obtained:

Function Name    Segment  Start     Length    Flags
__vbaChkstk      .text    00401590  00000006  R . . . . . .
DllFunctionCall  .text    00401620  00000006  R . . . . . .
ThunRTMain       .text    0040189C  00000006  R . . . . . .
sub_4027BC       .text    004027BC  00000019  R . . . . . .
sub_40280C       .text    0040280C  00000019  R . . . . . .
sub_404A20       .text    00404A20  000000D0  R . . . B . .
sub_404AF0       .text    00404AF0  000000B0  R . . . B . .
sub_404BA0       .text    00404BA0  000001CA  R . . . B . .
sub_404D80       .text    00404D80  0000021A  R . . . B . .
sub_404FB0       .text    00404FB0  000002FC  R . . . B . .
sub_4052C0       .text    004052C0  000007C0  R . . . B . .
sub_405A80       .text    00405A80  000003AF  R . . . B . .
sub_405E40       .text    00405E40  000004B0  R . . . B . .
sub_4062F0       .text    004062F0  000003AF  R . . . B . .
sub_4066B0       .text    004066B0  00000161  R . . . B . .
sub_406840       .text    00406840  00000BEF  R . . . B . .
sub_407470       .text    00407470  0000012A  R . . . B . .
sub_4075D0       .text    004075D0  000000E4  R . . . B . .
sub_4076F0       .text    004076F0  000000CB  R . . . B . .
sub_4077D0       .text    004077D0  00000102  R . . . B . .
sub_4078F0       .text    004078F0  00000A38  R . . . B . .
sub_408360       .text    00408360  000003E3  R . . . B . .
sub_408780       .text    00408780  0000021B  R . . . B . .
sub_4089D0       .text    004089D0  00000135  R . . . B . .
sub_408B40       .text    00408B40  000001F0  R . . . B . .
sub_408D60       .text    00408D60  000002D9  R . . . B . .
sub_409050       .text    00409050  00000193  R . . . B . .
sub_409220       .text    00409220  000002E1  R . . . B . .
sub_409540       .text    00409540  00000DB0  R . . . B . .
sub_40A2F0       .text    0040A2F0  000002CB  R . . . B . .
sub_40A5F0       .text    0040A5F0  00000076  R . . . B . .
sub_40A6A0       .text    0040A6A0  00000220  R . . . B . .
sub_40A8C0       .text    0040A8C0  000001E0  R . . . B . .
sub_40AAA0       .text    0040AAA0  0000054E  R . . . B . .
sub_40B010       .text    0040B010  0000013F  R . . . B . .
sub_40B160       .text    0040B160  00000070  R . . . B . .


Using the IDA command “Display Flow Chart of the current function”, we can see the calls that exist among them.


4.2.- Analysing Information generated by the Binary

With the data obtained from executing the binary in a controlled environment, we describe next the timeline of the binary's execution:

1.- Creates files and directories
2.- Creates a value in the registry
3.- Opens a key in the registry
4.- Queries a value in the registry
5.- Sets a value in the registry
6.- Queries a key in the registry
7.- Files used during the execution
8.- Process handle
9.- Tries to communicate with the server


Upload script (usage text recovered from the strings above):
Type LoadFromFile Read
Upload file using http And multipart/form-data
Copyright (C) 2001 Antonin Foller, PSTRUH Software
[cscript|wscript] fupload.vbs file url [fieldname]
  file ... Local file To upload
winmgmts:\\ \root\cimv2
  url ... URL which can accept uploaded data
  fieldname ... Name of the source form field.
This script requires some objects installed To run properly.
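As an added example (not code from the report or from the binary), the request-matching logic below uses the server resource names, the hard-coded multipart boundary and the private-address URL prefixes recovered by BinText to score HTTP requests such as the "Try Communication with Server" step above, and only alerts when more than one indicator coincides. The sample requests are constructed for the example and are not traffic from the capture.

```python
import re

# Indicators taken from the BinText strings earlier in this report: the default
# command page and CGI names, the hard-coded multipart boundary, and the three
# private-address URL prefixes the binary carries.
C2_NAMES = ("RaDa_commands.html", "download.cgi", "upload.cgi")
FIXED_BOUNDARY = "---------------------------0123456789012"
PRIVATE_PREFIX = re.compile(r"^(10\.|172\.16\.|192\.168\.)")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers); the body is ignored."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, path, headers


def rada_hits(raw):
    """Return the list of indicator names a single request matches."""
    method, path, headers = parse_request(raw)
    hits = []
    if PRIVATE_PREFIX.match(headers.get("host", "")):
        hits.append("private-range server")
    if path.rsplit("/", 1)[-1] in C2_NAMES:
        hits.append("known RaDa resource name")
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("multipart/form-data"):
        hits.append("multipart upload")
        if "boundary=" + FIXED_BOUNDARY in ctype:
            hits.append("hard-coded boundary")
    return hits


def alerts(requests, min_hits=2):
    """Flag requests that match at least min_hits indicators.

    Requiring more than one indicator is what keeps a single generic feature
    (an intranet host, a multipart POST) from producing alerts on its own.
    """
    return [(i, hits) for i, hits in enumerate(map(rada_hits, requests)) if len(hits) >= min_hits]


# Constructed sample traffic (not a capture from the analysis): two requests
# shaped like the binary's command fetch and upload, and one ordinary intranet GET.
SAMPLE_REQUESTS = [
    "GET /RaDa/RaDa_commands.html HTTP/1.1\r\nHost: 10.0.0.5\r\nUser-Agent: Mozilla/4.0\r\n\r\n",
    "POST /cgi-bin/upload.cgi HTTP/1.1\r\nHost: 10.0.0.5\r\n"
    "Content-Type: multipart/form-data; boundary=" + FIXED_BOUNDARY + "\r\n\r\n"
    "--" + FIXED_BOUNDARY + "\r\nContent-Disposition: form-data; name=\"filename\"; filename=\"x.txt\"\r\n\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 192.168.1.10\r\n\r\n",
]

if __name__ == "__main__":
    for idx, hits in alerts(SAMPLE_REQUESTS):
        print("request %d: %s" % (idx, ", ".join(hits)))
```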



5.- Answers


1.- Identify and provide an overview of the binary, including the fundamental pieces of information that would help in identifying the same specimen.


The binary is software developed with Microsoft Visual Basic 6 and is composed of a form (form1.frm) and a module (modulo1.bas). It does not use any concealment techniques: when executed it is easy to detect, because it creates a folder on the C: drive called “RaDa” with the subfolders “bin” and “temp”; in the first it makes a copy of itself, and it modifies the registry key KLM\SOF….Version\Run\ to point to C:\RaDa\bin\RaDa.exe.

In the analysis of the RAM dump, it was found that the binary uses VBA functions (Visual Basic for Applications), Windows Script and WMI (Windows Management Instrumentation); these resources are used to download any program to the infected machine. During its execution the binary makes use of the modules ADVAPI32.DLL, GDI32.DLL, KERNEL32.DLL, MSVBVM60.DLL, MSVCRT.DLL, NTDLL.DLL, OLE32.DLL, OLEAUT32.DLL, RADA.EXE, RPCRT4.DLL and USER32.DLL.

On the other hand, the binary mounts DDoS SYN flood attacks against the IP addresses 10.x.x.x, 192.168.x.x and 172.16.x.x, all on port 80; it also tries to access the address automatically in repetitive cycles of approximately 100 seconds.

The binary accepts the following command-line parameters:

--period (period in seconds at which the binary connects to the server address)
--gui (shows the form with options)
--tmpdir (configures the temporary folder)
--visible (shows Internet Explorer while it is connecting)
--server (connects to the server at the given address)
--commands (tries to access a page on the server)
--cycles (this parameter is related to the DDoS SYN flood attack)
--help (shows an Internet Explorer window with the authors' data)
--installdir (makes a copy of the binary in the directory given to it)
--noinstall (runs the binary without installing it)
--uninstall (uninstalls the binary)
--authors (shows a window with the authors of the binary)


2.- Identify and explain the purpose of the binary.

The purpose of the binary is to open a backdoor for remote access to the victim through the “Post binary data” method and “ADODB.Stream” from the server. On the other hand, it performs a “DDoS Smurf remote attack” against the addresses 192.168.x.x, 172.16.x.x and 10.x.x.x.


3.- Identify and explain the different features of the binary. What are its capabilities?

Its main capability is that the binary can be run with parameters configurable through the command line. The features are the following:

--period (period in seconds at which the binary connects to the server address)
--gui (shows the form with options)
--tmpdir (configures the temporary folder)
--visible (shows Internet Explorer while it is connecting)
--server var (sets the server address, var = http://x.x.x.x/Dir/)
--commands var (sets RaDa_commands.html, the page it tries to access on the server)
--cycles var (configures the loop)
--help (shows an Internet Explorer window with the authors' data)
--installdir (makes a copy of the binary in the directory given to it)
--noinstall (runs the binary without installing it)
--uninstall (uninstalls the binary)
--authors (shows a window with the authors of the binary)


4.- Identify and explain the binary communication methods. Develop a Snort signature to detect this type of malware being as generic as possible, so other similar specimens could be detected, but avoiding at the same time a high false positives rate signature.


It communicates with its server using IP datagrams with the protocol. Communication is connectionless, unauthenticated and unreliable. The protocol used is TCP on port 80.

It was not possible to develop the Snort signature.


5.- Identify and explain the techniques the binary uses to protect itself from analysis or reverse engineering.


When analyzing the file header, the following observations can be made:

Reviewing the headers of files generated with UPX (Ultimate Packer for eXecutables), we find some strings similar in size to those the binary has. We proceeded to replace the characters JDR with UPX and executed the application upx.exe -d rada.exe, decompressing it completely.

It is important to highlight that in most cases it is difficult to detect this type of modification to files generated with UPX.





6.- Categorize this type of Malware (Virus, worm,…) and justify your reasoning.


The binary is a Trojan horse, because a Trojan horse is malware that performs unexpected or unauthorized, often malicious, actions. The main difference between a Trojan horse and a virus is the inability to replicate. Trojan horses cause damage, unexpected system behavior, and compromise the security of systems, but do not replicate. If it replicated itself, then it would be classified as a virus.

A Trojan horse, named after the Trojan horse of Greek mythology, typically comes in good packaging but has some hidden malicious intent within its code. When a Trojan is executed, users will likely experience unwanted system problems in operation, and sometimes loss of valuable data.


7.- Identify another tool that has demonstrated similar functionality in the past.

Well, I don't know of a tool, but I suppose there are some.



8.- Suggest detection and protection methods to fight against the threats introduced by this binary.


When speaking of this type of binary, a proactive strategy has to allow us to prevent our systems from being infected. This is achieved through the configuration of firewalls, tools that detect unauthorized modifications to the registry, and intrusion detection systems (IDS) able to detect SYN flood attacks. This must be complemented with policies for the use, installation and handling of EXE files.

It is very important to have software update policies, since many of these tools use known flaws to harm systems.
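As an added example (my own, not from the report) of the registry-modification check suggested above, the script below scans monitor-style lines for a Run-key value pointing outside the usual install directories and for a process writing a copy of its own image, the two behaviours this report observed for RaDa. The log lines are constructed and only loosely modelled on the Regmon/Filemon columns; the column layout is an assumption.

```python
import re

# Constructed monitor lines (not real capture data), loosely modelled on the
# tab-separated columns of the Regmon/Filemon logs used in section 3:
# seq, time, process:pid, operation, path, result, detail.
SAMPLE_LOG = """\
1\t10:21:30\tRaDa.exe:1512\tCREATE\tC:\\RaDa\\bin\tSUCCESS\tDirectory
2\t10:21:30\tRaDa.exe:1512\tCREATE\tC:\\RaDa\\tmp\tSUCCESS\tDirectory
3\t10:21:31\tRaDa.exe:1512\tWRITE\tC:\\RaDa\\bin\\RaDa.exe\tSUCCESS\tLength: 20992
4\t10:21:31\tRaDa.exe:1512\tSetValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\RaDa\tSUCCESS\t"C:\\RaDa\\bin\\RaDa.exe"
5\t10:22:05\tsetup.exe:824\tSetValue\tHKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater\tSUCCESS\t"C:\\Program Files\\Vendor\\updater.exe"
6\t10:22:06\texplorer.exe:640\tWRITE\tC:\\Documents and Settings\\user\\notes.txt\tSUCCESS\tLength: 88
"""

RUN_KEY = re.compile(r"^HK(LM|CU)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
# Directories from which an autorun entry is considered expected (assumption for the example).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


def parse_log(text):
    """Yield one dict per non-empty tab-separated line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, when, proc, op, path, result, detail = line.split("\t", 6)
        yield {"seq": int(seq), "time": when, "proc": proc.split(":")[0],
               "op": op, "path": path, "result": result, "detail": detail}


def findings(text):
    """Return (seq, reason) tuples for the two behaviours described in answers 1 and 8."""
    out = []
    for ev in parse_log(text):
        if ev["result"] != "SUCCESS":
            continue
        # 1. Autorun persistence whose target lies outside the usual install directories.
        if ev["op"] == "SetValue" and RUN_KEY.match(ev["path"]):
            target = ev["detail"].strip('"').lower()
            if not target.startswith(TRUSTED_DIRS):
                value_name = ev["path"].rsplit("\\", 1)[-1]
                out.append((ev["seq"], "Run key %s -> %s" % (value_name, target)))
        # 2. A process writing a file that carries its own image name (self-copy on install).
        if ev["op"] == "WRITE" and ev["path"].rsplit("\\", 1)[-1].lower() == ev["proc"].lower():
            out.append((ev["seq"], "%s wrote a copy of itself to %s" % (ev["proc"], ev["path"])))
    return out


if __name__ == "__main__":
    for seq, reason in findings(SAMPLE_LOG):
        print(seq, reason)
```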


Bonus Question:

Well, this binary has a command-line argument --authors. Through this argument it shows a form with the names of the developers. The command to execute, via Start / Run, is:

C:\RaDa\Bin\Rada --authors.





In the near future we may encounter tools of this type able to use advanced concealment techniques that allow the binary to avoid easy detection, in addition to more complex protection methods that prevent analysis through reverse engineering.

It should also be emphasized that there will be other components related to the binary that perform specific functions for its operation and survival within the infected system, using techniques such as steganography and binary morphing (signature change).




The binary is the agent half of a distributed denial of service attack tool. The following are notable points discussed in the analysis.

- Written and compiled in the MS Visual Basic 6 language on Windows.
- The binary was packed with UPX and modified so that it could not be decompressed and analyzed by reverse engineering.
- It communicates with its handler using IP datagrams with the protocol. Communication is connectionless, unauthenticated and unreliable.
- It can perform a SYN flood on the addresses 10.x.x.x, 192.168.x.x and 172.16.x.x.
- It executes scripts to download and upload files to and from the infected computer.




Note: Sorry, my English is very bad. ;-)