Lab 3-1 Solutions
The malware appears to be packed: the only import is ExitProcess (from kernel32.dll), although the strings appear to be mostly clear and not obfuscated.
The malware creates a mutex named WinVMX32, copies itself to C:\Windows\System32\vmx32to64.exe, and installs itself to run at system startup by creating the registry value HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDriver, set to the path of that copy.
The malware beacons a consistently sized 256-byte packet containing seemingly random data after resolving www.practicalmalwareanalysis.com.
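The beacon described above is recognizable in a capture by two properties: every packet to the resolved host carries the same payload size, and the packets arrive at a roughly regular interval. The following is an added example of that detection logic, written for this page rather than taken from the book or the lab sample; it runs over constructed flow records in the shape one would export from Wireshark (timestamp, source, destination, destination port, payload length). The resolved address 10.0.0.5, the destination port 443, and the 30-second interval are assumptions for the sample data, not observations from the lab.

```python
from __future__ import annotations

from collections import defaultdict
from statistics import median

# Constructed sample data (not a real capture). The DNS answer maps the lab's
# C2 host name to a sandbox IP; the address and port are assumptions.
DNS_ANSWERS = {"www.practicalmalwareanalysis.com": {"10.0.0.5"}}

# (timestamp_s, src_ip, dst_ip, dst_port, payload_len)
FLOWS = [
    (0.0,  "10.0.0.10", "10.0.0.5",  443, 256),
    (0.3,  "10.0.0.10", "10.0.0.20", 80,  517),   # unrelated web request
    (30.1, "10.0.0.10", "10.0.0.5",  443, 256),
    (60.0, "10.0.0.10", "10.0.0.5",  443, 256),
    (61.2, "10.0.0.10", "10.0.0.20", 80,  1460),  # unrelated web request
    (90.2, "10.0.0.10", "10.0.0.5",  443, 256),
]


def find_beacons(flows, dns_answers, host, min_packets=3):
    """Return one finding per (src, dst, dport) stream to `host`.

    A stream is reported with fixed_size=True when every payload has the same
    length, and median_interval_s gives the typical gap between packets, so a
    fixed-size, evenly spaced stream stands out as a beacon candidate.
    """
    targets = dns_answers.get(host, set())
    groups = defaultdict(list)
    for ts, src, dst, dport, plen in flows:
        if dst in targets:
            groups[(src, dst, dport)].append((ts, plen))

    findings = []
    for (src, dst, dport), pkts in groups.items():
        if len(pkts) < min_packets:
            continue  # too few packets to judge periodicity
        pkts.sort()
        sizes = {plen for _, plen in pkts}
        gaps = [later[0] - earlier[0] for earlier, later in zip(pkts, pkts[1:])]
        findings.append({
            "src": src,
            "dst": dst,
            "dport": dport,
            "packets": len(pkts),
            "fixed_size": len(sizes) == 1,
            "size": next(iter(sizes)) if len(sizes) == 1 else None,
            "median_interval_s": median(gaps),
        })
    return findings


if __name__ == "__main__":
    for f in find_beacons(FLOWS, DNS_ANSWERS, "www.practicalmalwareanalysis.com"):
        print(f)
```

On the constructed data this reports a single stream of four 256-byte packets about 30 seconds apart; the two HTTP flows to 10.0.0.20 are excluded because they never go to an address the C2 name resolved to. Whether the payload is really random (as opposed to, say, a fixed-size plaintext record) is a separate check on the bytes themselves and is not attempted here.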
We begin with basic static analysis techniques, by looking at the malware’s PE file structure and strings. Figure C-1 shows that only kernel32.dll is imported.
Figure C-1. PEview ...
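The packing indicator discussed in the first answer and again here (a single imported function from kernel32.dll) is usually confirmed by a second signal: packed code sections have near-maximal byte entropy, whereas ordinary compiled code does not. The following is an added example of that two-part triage heuristic, written for this page and not part of the book or the lab sample. It uses only the standard library, so the section contents are constructed in the block rather than read from Lab03-01.exe; the section names, the 7.0-bit entropy threshold and the five-import threshold are assumptions chosen for illustration.

```python
from __future__ import annotations

import math
import random
from collections import Counter

# Assumed thresholds; packer-detection tools use figures in this range.
PACKED_ENTROPY_THRESHOLD = 7.0   # bits per byte, out of a maximum of 8.0
FEW_IMPORTS_THRESHOLD = 5        # at or below this, the import table is suspiciously small


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty or uniform input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage(imports: dict[str, list[str]], sections: dict[str, bytes]) -> dict:
    """Combine import count and per-section entropy into a packing verdict."""
    import_count = sum(len(funcs) for funcs in imports.values())
    entropies = {name: shannon_entropy(body) for name, body in sections.items()}
    high_entropy = [name for name, e in entropies.items() if e >= PACKED_ENTROPY_THRESHOLD]

    reasons = []
    if import_count <= FEW_IMPORTS_THRESHOLD:
        reasons.append(f"only {import_count} imported function(s)")
    if high_entropy:
        reasons.append(f"high-entropy section(s): {', '.join(high_entropy)}")

    return {
        "import_count": import_count,
        "section_entropy": entropies,
        # Both signals together are a much stronger indication than either alone.
        "likely_packed": import_count <= FEW_IMPORTS_THRESHOLD and bool(high_entropy),
        "reasons": reasons,
    }


def triage_lab_sample() -> dict:
    """Run triage on constructed data modelled on the lab's import table."""
    imports = {"kernel32.dll": ["ExitProcess"]}  # matches the page; section data below is invented
    rng = random.Random(1)  # seeded so the example is reproducible
    sections = {
        # A compressed/encrypted payload section looks like random bytes.
        ".packed": rng.randbytes(4096),
        # A small unpacked stub: a repeated x86 function prologue has low entropy.
        ".stub": b"\x55\x8b\xec\x83\xec\x10" * 64,
    }
    return triage(imports, sections)


if __name__ == "__main__":
    result = triage_lab_sample()
    for name, e in result["section_entropy"].items():
        print(f"{name:8} entropy={e:.3f}")
    print("likely packed:", result["likely_packed"], "-", "; ".join(result["reasons"]))
```

Entropy alone is a weak signal, since legitimate binaries with compressed resources or embedded certificates also score high; the near-empty import table is what makes the verdict convincing here. The clear strings reported in the first answer do not contradict it: the packer stub can sit beside the strings in a plaintext section while the original code is compressed.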