Tools used:
- VirusTotal.com
- PEview
- PEiD
- UPX
- Dependency Walker
- Malcode Analyst Pack
Questions
1. Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
The file is packed by UPX
It can also be seen in PEview.
Use UPX to unpack the file.
3. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
ADVAPI32.DLL
WININET.DLL
Use strings
The malware:
- Creates a service
- MalService could be the service created
- Connects to the internet via the URL
- http://www.malwareanalysisbook.com
4. What host- or network-based indicators could be used to identify this malware on infected machines?
Check if the hosts or network has interacted with http://www.malwareanalysisbook.com
Persecure : my learning archive 