Malware Analysis Report: Sample 2 (UPX-Packed C2 Beacon)

Cyber Security Incident Response Team: Luis G. Rojas Ortiz
Date: 4/28/2026

The following analysis was conducted as part of a structured malware analysis exercise. Sample artifacts were provided as part of a simulated incident response scenario.


Executive Summary

Static analysis of Sample 2 was limited due to UPX packing with tampered headers, which prevented successful automated unpacking and obscured key characteristics of the binary. Despite this, behavioral analysis revealed that the sample exhibits network beaconing activity consistent with other samples in the same campaign (e.g., Sample 1 and Lab03).

Dynamic analysis confirmed outbound HTTP communication to known domains and registry modifications related to Internet Settings. Overall, the malware appears to function as a lightweight command-and-control (C2) beacon that relies on runtime obfuscation techniques to evade detection.


Case Details

Date: 4/28/2026
Analyst: Luis G. Rojas Ortiz

File Information

File name: Sample 2.exe
File size: 14336 bytes
File type: Application/Executable (.exe)
MD5: 6C2A33512B8B0EC906982783E82B9678
SHA1: ABE778CA6D429DD7CD21AB2FBD226F421390050D
SHA256: 212B29A8E36CCC8F65205122E33D84940A156A9A91329F747A713F988A157948
Packer / Compiler: UPX (tampered headers)
Compile time: Wed Nov 09 00:03:23 2011

Case Specific Requirements

Malware analysis was initiated after suspicious process activity was detected on a Windows endpoint during routine monitoring. The sample was recovered from a quarantined host flagged by antivirus. The sample is linked to the same malware campaign as Sample 1 and Lab03. It uses similar command-and-control (C2) infrastructure, beaconing behavior, and registry interactions. Although the malware is UPX packed and includes anti-analysis modifications, its network communication patterns remain consistent with previously observed samples, indicating reuse of attacker tooling with minor obfuscation changes.


Analysis

The malware functions as an HTTP-based beacon that communicates with a remote command-and-control (C2) server. The packed binary exposes only LoadLibraryA and GetProcAddress for API access (this is the pair the UPX stub uses to rebuild the real import table at runtime, so whether the unpacked payload also resolves APIs dynamically remains to be confirmed), constructs URLs at runtime from an http://%s format string, and uses WinINet APIs such as InternetOpenA to establish outbound network connections. During execution the sample writes values under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\*. Because WinINet itself writes these ZoneMap values (ProxyBypass, IntranetName, UNCAsIntranet, AutoDetect) when a process first initializes it, they are a weak indicator on their own: they confirm that the WinINet stack was exercised rather than prove deliberate tampering with Internet security settings.

Indicators of Compromise (IOCs):

  • Domains: canonicalizer.ucsuri.tcs, www.practicalmalwareanalysis.com
  • Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\* (low confidence: these values are also written by WinINet during normal initialization)
  • File: Sample 2.exe
  • Behavioral: dynamic API resolution (LoadLibraryA, GetProcAddress; expected of the UPX stub, not yet confirmed for the unpacked payload), WinINet usage (InternetOpenA), UPX packing with modified headers

Persistence: No persistence mechanisms were identified. The malware does not create run keys, services, or scheduled tasks and appears to rely solely on user execution.

CVE / Vulnerability: No software vulnerability or CVE was observed. The malware requires user execution rather than exploiting a specific application or service.

Static Analysis: Static analysis was significantly limited by UPX packing with tampered headers, which prevented automated unpacking with standard tooling (for example upx -d) and obscured the true import table and string contents. Detect It Easy identified the packer signature as UPX, and entropy analysis confirmed this with an overall score of 7.50 bits/byte at 93% packed, consistent with compressed or encrypted content. The binary presents only a handful of visible imports: LoadLibraryA, GetProcAddress, VirtualProtect, VirtualAlloc, VirtualFree, and ExitProcess from kernel32.dll, InternetOpenA from wininet.dll, and a single ws2_32.dll function imported by ordinal rather than by name. The six kernel32 imports are exactly those of the stock UPX stub, which uses LoadLibraryA and GetProcAddress to rebuild the original import table after decompression; UPX also keeps one import per DLL of the original program so that the loader maps those DLLs, which is why InternetOpenA and the ws2_32 ordinal are the only surviving glimpse of the real import table. The ordinal import is weak evidence of obfuscation by itself, since ws2_32.dll functions are routinely imported by ordinal in ordinary compiled programs; the ordinal can be resolved against the export table of ws2_32.dll. The string http://%s suggests dynamic URL construction at runtime. Structural anomalies include custom section names (LOL0, and LOL1 in the entropy view, in place of the UPX0/UPX1 names a stock UPX build writes), an entry point located in the second section rather than the first, and a writable first section. Of these, only the renamed sections indicate header tampering: the entry point in the second section and the writable first section are the normal layout of every UPX-packed file (the stub in the second section decompresses the payload into the first), so they confirm UPX rather than modification.
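To make the section-table checks above reproducible, here is an added Python triage script. It is not part of the original analysis and is not Detect It Easy's code; it parses a PE32 section table, computes per-section Shannon entropy, and applies the UPX-layout heuristics discussed in this report (empty first section, entry point in the second section, section names that are not UPX's). Because the real Sample 2 binary is not reproduced here, it runs against a constructed stand-in built by build_sample_pe() with LOL0/LOL1/.rsrc sections; point triage() at the bytes of a real file to use it.

```python
"""Added example: triage a PE32 section table for UPX-style layout, renamed sections and entropy."""
import hashlib
import math
import struct

# Section names a stock UPX build writes. A UPX-shaped layout with other names
# (here LOL0/LOL1) is the heuristic for an edited packer header.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".rsrc"}
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte, 0.0 to 8.0; compressed or encrypted data sits near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> dict:
    """Minimal PE32 reader: entry-point RVA plus the section-header fields needed for triage."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4
    _machine, nsec, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]  # IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize, "rawsize": rawsize,
                         "writable": bool(chars & IMAGE_SCN_MEM_WRITE), "entropy": shannon_entropy(raw)})
    return {"entry_rva": entry_rva, "sections": sections}


def triage(pe: bytes) -> dict:
    """Apply the layout heuristics from the report and return findings with their interpretation."""
    info = parse_sections(pe)
    secs, ep = info["sections"], info["entry_rva"]
    ep_sec = next((s for s in secs if s["va"] <= ep < s["va"] + max(s["vsize"], s["rawsize"])), None)
    first = secs[0]
    findings = []
    # Stock UPX: first section is the empty decompression target, the stub (and EP) live in the second.
    upx_layout = len(secs) >= 2 and first["rawsize"] == 0 and ep_sec is secs[1]
    if upx_layout:
        findings.append("UPX-style layout: entry point in second section, first section has no raw data "
                        "(normal for UPX, not tampering by itself)")
        if any(s["name"] not in UPX_SECTION_NAMES for s in secs):
            findings.append("UPX-style layout with non-UPX section names: packer header likely edited")
    if first["writable"]:
        findings.append("first section is writable (expected for UPX0; odd for plain compiler output)")
    high = [s["name"].decode(errors="replace") for s in secs if s["rawsize"] and s["entropy"] > 7.0]
    if high:
        findings.append("high-entropy sections: " + ", ".join(high))
    return {"entry_section": ep_sec["name"].decode(errors="replace") if ep_sec else None,
            "overall_entropy": shannon_entropy(pe), "findings": findings, "sections": secs}


def build_sample_pe() -> bytes:
    """Constructed stand-in (not the real Sample 2): LOL0 empty and writable, LOL1 holding
    pseudo-random 'compressed' bytes and the entry point, .rsrc with low-entropy data."""
    payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))  # 1024 bytes
    rsrc = b"\0" * 448 + b"RSRC" * 16                                            # 512 bytes
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                      # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)             # i386, 3 sections
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                        # PE32 magic
    struct.pack_into("<I", opt, 16, 0x5800)                                      # entry point RVA, inside LOL1

    def sec(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    table = (sec(b"LOL0", 0x4000, 0x1000, 0, 0, 0xE0000080)
             + sec(b"LOL1", 0x1000, 0x5000, len(payload), 0x200, 0xE0000040)
             + sec(b".rsrc", 0x1000, 0x6000, len(rsrc), 0x600, 0xC0000040))
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(0x200, b"\0") + payload + rsrc


if __name__ == "__main__":
    result = triage(build_sample_pe())
    print("entry point in section:", result["entry_section"])
    for s in result["sections"]:
        print(f"{s['name'].decode(errors='replace'):8s} entropy={s['entropy']:.2f} writable={s['writable']}")
    for finding in result["findings"]:
        print("-", finding)
```

The script reports the two layout facts separately on purpose: the entry point in the second section and the writable first section are what every UPX file looks like, while the renamed sections are the part that actually points to a hand-edited header. On a real file, the import table and the remaining PE fields (DLL characteristics for DEP/ASLR, the UPX pack header) would be read the same way with pefile or a few more struct.unpack_from calls.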


Remediation

  1. Isolate the affected host immediately to prevent further C2 communication to canonicalizer.ucsuri.tcs and practicalmalwareanalysis.com.
  2. Block associated domains at the perimeter firewall and proxy. Note: canonicalizer.ucsuri.tcs is shared across all three analyzed samples, so a single block disrupts the broader campaign.
  3. Remove Sample 2.exe from disk and scan for additional copies using the provided file hashes.
  4. Inspect the modified Internet Settings ZoneMap values (ProxyBypass, IntranetName, UNCAsIntranet, AutoDetect). WinINet writes these during normal initialization, so compare them against a clean baseline host and restore only values that differ, rather than assuming they were tampered with.
  5. Review network logs for outbound HTTP beaconing activity and investigate additional hosts exhibiting similar communication patterns.
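For remediation step 5, here is an added example of the kind of beacon check a responder would run over proxy or DNS logs. It is example code written for this page, not tooling used in the original analysis. It groups requests by source host and destination domain, measures how regular the inter-request intervals are (coefficient of variation of the gaps), and flags both the known campaign domains and any unlisted domain contacted at a near-constant interval, which is how additional hosts or a rotated C2 domain would surface. The log lines, host names and the single-line log format are constructed for the example and must be adapted to the real proxy export.

```python
"""Added example: flag periodic outbound HTTP requests (beaconing) in constructed proxy log lines."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Domains from this report's IOC list; everything else is judged on timing alone.
KNOWN_C2 = {"canonicalizer.ucsuri.tcs", "www.practicalmalwareanalysis.com"}

# Assumed single-line format "<ISO timestamp> <source host> <destination domain> <uri>".
# Real proxy/DNS exports differ; adapt this pattern to the fields of your log source.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed log lines (not captured data): WS-17 beacons to a campaign domain roughly every
# minute, WS-22 browses an intranet site in bursts, WS-31 beacons to an unlisted domain every 5 min.
SAMPLE_LOG = """\
2026-04-28T09:00:00 WS-17 canonicalizer.ucsuri.tcs /
2026-04-28T09:01:01 WS-17 canonicalizer.ucsuri.tcs /
2026-04-28T09:01:59 WS-17 canonicalizer.ucsuri.tcs /
2026-04-28T09:03:00 WS-17 canonicalizer.ucsuri.tcs /
2026-04-28T09:04:02 WS-17 canonicalizer.ucsuri.tcs /
2026-04-28T09:04:59 WS-17 canonicalizer.ucsuri.tcs /
2026-04-28T09:00:05 WS-22 intranet.example.com /index.html
2026-04-28T09:00:06 WS-22 intranet.example.com /style.css
2026-04-28T09:00:06 WS-22 intranet.example.com /logo.png
2026-04-28T09:17:40 WS-22 intranet.example.com /reports
2026-04-28T09:17:41 WS-22 intranet.example.com /reports/q1
2026-04-28T09:00:00 WS-31 cdn-updates.example.net /check
2026-04-28T09:05:00 WS-31 cdn-updates.example.net /check
2026-04-28T09:10:00 WS-31 cdn-updates.example.net /check
2026-04-28T09:15:00 WS-31 cdn-updates.example.net /check
2026-04-28T09:20:01 WS-31 cdn-updates.example.net /check
""".splitlines()


def parse_lines(lines):
    """Group request timestamps by (source host, destination domain)."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        ts, host, domain, _uri = m.groups()
        events[(host, domain)].append(datetime.fromisoformat(ts))
    return events


def beacon_score(timestamps, min_events=4):
    """Return (median_gap_seconds, coefficient_of_variation) or None with too few events.
    A beacon's gaps are near-constant (low CV); human browsing is bursty (high CV)."""
    if len(timestamps) < min_events:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None  # all events share one timestamp; no period to measure
    return statistics.median(gaps), statistics.pstdev(gaps) / mean


def find_beacons(lines, max_cv=0.2, min_events=4):
    """Return one record per (host, domain) pair whose request timing looks periodic."""
    hits = []
    for (host, domain), ts in parse_lines(lines).items():
        score = beacon_score(ts, min_events)
        if score is None or score[1] > max_cv:
            continue
        hits.append({"host": host, "domain": domain, "count": len(ts),
                     "interval_s": score[0], "cv": round(score[1], 3),
                     "known_ioc": domain in KNOWN_C2})
    return sorted(hits, key=lambda h: (h["host"], h["domain"]))


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        tag = "KNOWN C2" if hit["known_ioc"] else "unlisted domain, periodic"
        print(f"{hit['host']} -> {hit['domain']}: {hit['count']} requests every ~{hit['interval_s']:.0f}s "
              f"(cv={hit['cv']}) [{tag}]")
```

The max_cv threshold of 0.2 tolerates a few seconds of jitter on a one-minute beacon but still rejects the bursty intranet browsing; a sample that adds random sleep between check-ins will need a looser threshold or a longer observation window, and a host that was only online briefly may not reach min_events at all, so absence from the hit list is not a clean bill of health.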

Additional Information / Examiner Notes

PE header analysis suggests DEP/ASLR may not be enabled, though results may be unreliable due to packing and header tampering. Repeated writes to ZoneMap-related registry values (ProxyBypass, IntranetName, UNCAsIntranet, AutoDetect) were observed; these values are routinely written by WinINet when a process initializes it, so they most likely reflect the sample's use of WinINet rather than deliberate manipulation of browser security zones or proxy handling, and should not be treated as a standalone indicator. High entropy (7.622) supports the presence of packing/obfuscation. Custom section name observed: LOL0, in place of the UPX0 name a stock UPX build writes. The entry point lies outside the first section, which is the normal layout for UPX (the stub executes from the second section) and confirms the packer rather than indicating further tampering. The similarities between this sample and previously analyzed malware suggest a shared campaign or toolkit. Further analysis, including manual unpacking (running the stub to its tail jump into the original entry point and dumping the process) or debugging, may reveal additional capabilities that were not observable during this analysis.

Network Indicators

  • canonicalizer.ucsuri.tcs
  • www.practicalmalwareanalysis.com

File Indicators

MD5: 6C2A33512B8B0EC906982783E82B9678
SHA1: ABE778CA6D429DD7CD21AB2FBD226F421390050D
SHA256: 212B29A8E36CCC8F65205122E33D84940A156A9A91329F747A713F988A157948

Registry Indicators

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass
  • HKCU\...\ZoneMap\IntranetName
  • HKCU\...\ZoneMap\UNCAsIntranet
  • HKCU\...\ZoneMap\AutoDetect

Behavioral Indicators

  • UPX packed with tampered headers
  • Dynamic API resolution at runtime
  • Outbound HTTP beaconing on execution

Attachments

Figure 1: FakeNet-NG captured DNS resolution requests for canonicalizer.ucsuri.tcs and www.practicalmalwareanalysis.com on execution, confirming active C2 beaconing behavior. fs.microsoft.com is attributed to Windows background activity and is not considered a malware IOC.

Figure 2: Procmon captured RegSetValue operations by Sample 2.exe modifying Internet Settings ZoneMap keys, consistent with behavior observed across all three samples in this campaign.

Figure 3: Entropy analysis from Detect It Easy showing an overall score of 7.50 bits/byte at 93% packed. Section LOL1 entropy of 7.81 confirms the primary packed payload. The drop in Section 2 (.rsrc) at 2.63 is consistent with uncompressed resource data.

This post is licensed under CC BY 4.0 by the author.