Practical Malware Analysis : Lab 1-1

Tools used:

  • PEview
  • PEiD
  • Dependency Walker
  • Malcode Analyst Pack


1. Upload the files to and view the reports. Does either file match any existing antivirus signatures?

2. When were these files compiled?


3. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

Neither file is packed or obfuscated, as PEiD is able to identify the programming language (compiler) used to build them.




4. Do any imports hint at what this malware does? If so, which imports are they?

Dependency Walker



Matching the ordinal numbers to their function names, the following imports were found:

  • closesocket
  • connect
  • htons
  • inet_addr
  • recv
  • send
  • shutdown
  • socket
  • WSAStartup
  • WSACleanup

5. Are there any other files or host-based indicators that you could look for on infected systems?


A digit 1 is disguised as a lowercase l.
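A defender can hunt for this kind of lookalike filename by normalizing confusable digits to the letters they mimic and comparing against known legitimate names. This is an added example, not part of the original write-up; the allow-list and the sample filenames are constructed.

```python
"""Flag filenames that impersonate a known name by swapping a letter for a
look-alike digit (e.g. '1' for 'l'), the host-based indicator from this lab.
Added example: the allow-list and sample inputs below are constructed."""

# Digits commonly substituted for the letters they resemble.
CONFUSABLE = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

# Constructed allow-list of legitimate file names to compare against.
KNOWN_GOOD = {"kernel32.dll", "user32.dll", "ws2_32.dll", "ntdll.dll"}


def normalize(name: str) -> str:
    """Lower-case the name and map confusable digits to the letters they mimic."""
    return name.lower().translate(CONFUSABLE)


def diff_positions(candidate: str, legit: str):
    """Return (index, seen, expected) for each position where the names differ.
    Both names have equal length here because normalize() is length-preserving."""
    return [(i, a, b) for i, (a, b) in enumerate(zip(candidate.lower(), legit))
            if a != b]


def find_lookalikes(names, known_good=KNOWN_GOOD):
    """Map each impostor filename to the legitimate name it mimics and the
    swapped characters. Names that match exactly, or match nothing, are skipped."""
    by_norm = {normalize(g): g for g in known_good}
    hits = {}
    for name in names:
        legit = by_norm.get(normalize(name))
        if legit is None or name.lower() == legit:
            continue  # unknown name, or exactly the legitimate one
        hits[name] = (legit, diff_positions(name, legit))
    return hits


if __name__ == "__main__":
    # Constructed sample of file names as they might appear in a directory listing.
    sample = ["kerne132.dll", "kernel32.dll", "ws2_32.dll", "notepad.exe"]
    for impostor, (legit, diffs) in find_lookalikes(sample).items():
        swaps = ", ".join(f"'{seen}' for '{want}' at {i}" for i, seen, want in diffs)
        print(f"{impostor} mimics {legit}: {swaps}")
```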

6. What network-based indicators could be used to find this malware on infected machines?

Lab01-01.dll contains an IP address; traffic to that address from hosts on the network can be monitored, among other indicators.

7. What would you guess is the purpose of these files?

Lab01-01.exe is used to install the malware and Lab01-01.dll is used to connect back to
