Practical Malware Analysis : Lab 5-1 (TBC)

Tools used:

  • IDA Pro Free


1. What is the address of DllMain?


2. Use the Imports window to browse to gethostbyname. Where is the import located?


3.How many functions call gethostbyname?

9 times with 5 different sub routines.

4. Focusing on the call to gethostbyname located at 0x10001757, can you figure out which DNS request will be made?

5.How many local variables has IDA Pro recognized for the subroutine at 0x10001656?

6. How many parameters has IDA Pro recognized for the subroutine at 0x10001656?

arg_0 can be found . 1 parameter.

7. Use the Strings window to locate the string \cmd.exe /c in the disassembly. Where is it located?


8.What is happening in the area of code that references \cmd.exe /c?

Viewing the function in graph form we can follow the different entries.

This area of code seems to be a Remote Shell Session.

9.In the same area, at 0x100101C8, it looks like dword_1008E5C4 is a global variable that helps decide which path to take. How does the malware set dword_1008E5C4? (Hint: Use dword_1008E5C4’s cross-references.)

The function before dword_1008E5C4
This function uses the dwPlatformId and compares it to the number 2.

The malware will check the version of the operating system and decides on the path.

10.A few hundred lines into the subroutine at 0x1000FF58, a series of comparisons use memcmp to compare strings. What happens if the string comparison to robotwork is successful (when memcmp returns 0)?

The registry values are queried and sent over the remote shell.

11.What does the export PSLIST do?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Comments (



%d bloggers like this: