Lab 3-1 Solutions
Short Answers
The malware appears to be packed. The only import is
ExitProcess
, although the strings appear to be mostly clear and not obfuscated.The malware creates a mutex named
WinVMX32
, copies itself into C:\Windows\System32\vmx32to64.exe. and installs itself to run on system startup by creating the registry keyHKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDriver
set to the copy location.The malware beacons a consistently sized 256-byte packet containing seemingly random data after resolving www.practicalmalwareanalysis.com.
Detailed Analysis
We begin with basic static analysis techniques, by looking at the malware’s PE file structure and strings. Figure C-1 shows that only kernel32.dll is imported.
Figure C-1. PEview ...
Get Practical Malware Analysis now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.