Practical Malware Analysis : Lab 1-1


Tools used:

  • VirusTotal.com
  • PEview
  • PEiD
  • Dependency Walker
  • Malcode Analyst Pack

Questions


1. Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?

2. When were these files compiled?

PEview


3. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

Neither file appears to be packed or obfuscated, since PEiD identifies the compiler used rather than a packer signature.

PEiD

Lab01-01.exe

Lab01-01.dll


4. Do any imports hint at what this malware does? If so, which imports are they?

Dependency Walker

Lab01-01.exe

Lab01-01.dll

Some imports appear only by ordinal number; resolving those ordinals to function names in Dependency Walker gives the following Winsock (networking) functions:

  • closesocket
  • connect
  • htons
  • inet_addr
  • recv
  • send
  • shutdown
  • socket
  • WSAStartup
  • WSACleanup
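The ordinal-resolution step above is done by hand in Dependency Walker, and the compile timestamp of question 2 is read off a PEview screenshot. The script below is an added example, not part of this writeup or of the book's lab files: it builds a constructed minimal PE32 image in memory (the imports and timestamp in it are made up, not Lab01-01's), reads the file header's TimeDateStamp, and walks the import directory, turning ordinal-only imports from ws2_32.dll into names with a partial ordinal table. That table, taken from the ws2_32.dll export list, is the one assumption the parser makes; verify it against your own copy of the DLL.

```python
import struct
from datetime import datetime, timezone

IMAGE_ORDINAL_FLAG32 = 0x80000000

# Partial ordinal -> name table for ws2_32.dll, the Winsock DLL that is commonly
# imported by ordinal. Assumed from the DLL's export table; verify on your system.
ORDINALS = {"ws2_32.dll": {
    3: "closesocket", 4: "connect", 9: "htons", 11: "inet_addr", 16: "recv",
    19: "send", 22: "shutdown", 23: "socket", 115: "WSAStartup", 116: "WSACleanup"}}


def read_cstr(data, off):
    """Return the NUL-terminated byte string starting at file offset off."""
    return data[off:data.index(b"\0", off)]


def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset using the section table."""
    for va, raw_ptr, raw_size in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def parse_pe(data):
    """Return the compile timestamp (UTC) and the import table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                      # IMAGE_FILE_HEADER
    _, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                          # IMAGE_OPTIONAL_HEADER
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    # Data directories start 96 bytes into a PE32 optional header; imports are entry 1.
    imp_rva = struct.unpack_from("<I", data, opt + 96 + 8)[0]
    sections = []
    for i in range(nsec):
        _, _, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((va, raw_ptr, raw_size))
    imports = {}
    desc = rva_to_offset(sections, imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                          # all-zero descriptor ends the list
        dll = read_cstr(data, rva_to_offset(sections, name_rva)).decode().lower()
        thunk, names = rva_to_offset(sections, oft or ft), []
        while True:
            entry = struct.unpack_from("<I", data, thunk)[0]
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG32:   # import by ordinal: no name on disk
                ordinal = entry & 0xFFFF
                names.append(ORDINALS.get(dll, {}).get(ordinal, f"ordinal {ordinal}"))
            else:                              # import by name: 2-byte hint, then name
                names.append(read_cstr(data, rva_to_offset(sections, entry) + 2).decode())
            thunk += 4
        imports[dll] = names
        desc += 20
    return {"compiled": datetime.fromtimestamp(stamp, tz=timezone.utc), "imports": imports}


def build_sample_pe(stamp):
    """Constructed PE32 (not a real sample): headers in the first 0x200 bytes and one
    .rdata section at RVA 0x1000 / file offset 0x200 holding a small import table."""
    sec_rva, sec_raw, opt_size = 0x1000, 0x200, 224
    rva = lambda off: sec_rva + off
    sec = bytearray(0x200)

    def put(off, blob):
        sec[off:off + len(blob)] = blob

    # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    put(0x00, struct.pack("<IIIII", rva(0x40), 0, 0, rva(0x80), rva(0x60)))
    put(0x14, struct.pack("<IIIII", rva(0x50), 0, 0, rva(0x90), rva(0x70)))
    ws2 = struct.pack("<III", IMAGE_ORDINAL_FLAG32 | 4, IMAGE_ORDINAL_FLAG32 | 115, 0)
    k32 = struct.pack("<II", rva(0xA0), 0)
    put(0x40, ws2); put(0x60, ws2); put(0x50, k32); put(0x70, k32)
    put(0x80, b"ws2_32.dll\0"); put(0x90, b"kernel32.dll\0")
    put(0xA0, struct.pack("<H", 0) + b"CreateFileA\0")   # IMAGE_IMPORT_BY_NAME (made up)
    hdr = bytearray(0x200)
    hdr[:2] = b"MZ"
    e_lfanew = 0x40
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, e_lfanew + 4, 0x14C, 1, stamp, 0, 0, opt_size, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", hdr, opt, 0x10B)
    struct.pack_into("<II", hdr, opt + 104, rva(0), 0x3C)         # import directory entry
    struct.pack_into("<8sIIII", hdr, opt + opt_size, b".rdata", 0x200, sec_rva, 0x200, sec_raw)
    return bytes(hdr) + bytes(sec)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe(1_300_000_000))   # constructed timestamp
    print("compiled:", info["compiled"].isoformat())
    for dll, names in info["imports"].items():
        print(dll, names)
```

Point `parse_pe` at `open("Lab01-01.dll", "rb").read()` to run it on the real lab file; an ordinal the table does not know is reported as `ordinal N` rather than guessed, which is the cue to look it up in Dependency Walker.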

5. Are there any other files or host-based indicators that you could look for on infected systems?

Strings

In the strings output, the digit 1 is used where a lowercase l would be expected, a look-alike substitution that is worth searching for on infected hosts.

6. What network-based indicators could be used to find this malware on infected machines?

Lab01-01.dll contains an IP address (127.26.152.13, see question 7); monitoring network traffic to that address would reveal other infected hosts.
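Questions 5 and 6 both come down to pulling indicators out of the strings output: a file name where a digit 1 stands in for a lowercase l, and an IP address. The script below is an added example, not part of this writeup: it extracts printable strings from a constructed byte blob the way the `strings` tool does, flags DLL names that only match a known system DLL after the 1-for-l (and 0-for-o) substitution is undone, and lists IPv4 addresses with their address class. The blob, the look-alike name `ntd11.dll` and the list of legitimate DLL names are constructed for the example; the IP address is the one this writeup reports. Note that `ipaddress` classifies 127.26.152.13 as loopback, because all of 127.0.0.0/8 is reserved for loopback, so traffic to it never leaves the host; the string is still a solid indicator for the binary itself.

```python
import ipaddress
import re

# Constructed allow-list of legitimate system DLL names (extend for real use).
LEGIT_DLLS = {"kernel32.dll", "ntdll.dll", "user32.dll", "ws2_32.dll", "advapi32.dll"}
# Digit-for-letter substitutions that make a malicious file name blend in.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})
DLL_TOKEN = re.compile(r"[A-Za-z0-9_.]+\.dll", re.IGNORECASE)
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed binary blob standing in for a file: some non-printable bytes around
# a look-alike DLL path, a legitimate DLL name and a hard-coded IP address.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 20
    + b"C:\\windows\\system32\\ntd11.dll\x00"
    + b"Kernel32.dll\x00\x01\x02"
    + b"127.26.152.13\x00\x00\x00\xff"
    + b"ws2_32.dll\x00hello\x00%s\x00"
)


def extract_strings(blob, min_len=4):
    """Return runs of at least min_len printable ASCII bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, blob)]


def lookalike_dlls(strings):
    """Return (seen_name, real_name) pairs for DLL names that only match a known
    system DLL once look-alike digits are mapped back to letters."""
    hits = []
    for s in strings:
        for token in DLL_TOKEN.findall(s):
            seen = token.lower()
            real = seen.translate(HOMOGLYPHS)
            if seen not in LEGIT_DLLS and real in LEGIT_DLLS:
                hits.append((seen, real))
    return hits


def classify(ip):
    """Coarse address class so the analyst knows what traffic to expect."""
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private"
    if ip.is_global:
        return "global"
    return "reserved"


def network_indicators(strings):
    """Return {ip_text: class} for every syntactically valid IPv4 address found."""
    found = {}
    for s in strings:
        for cand in IPV4.findall(s):
            try:
                found[cand] = classify(ipaddress.ip_address(cand))
            except ValueError:          # e.g. 999.1.1.1 matched the regex but is not an IP
                continue
    return found


if __name__ == "__main__":
    strs = extract_strings(SAMPLE_BLOB)
    print("strings:", strs)
    print("look-alike DLLs:", lookalike_dlls(strs))
    print("IP addresses:", network_indicators(strs))
```

Run it on a real file with `extract_strings(open(path, "rb").read())`; the look-alike check is the host-based indicator for question 5 and the address list is the network indicator for question 6.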

7. What would you guess is the purpose of these files?

Lab01-01.exe installs the malware, and Lab01-01.dll connects back to 127.26.152.13.
