Lab 5-1 Solutions

Short Answers

  1. DllMain is found at 0x1000D02E in the .text section.

  2. The import for gethostbyname is found at 0x100163CC in the .idata section.

  3. The gethostbyname import is called nine times by five different functions throughout the malware.

  4. A DNS request for pics.practicalmalwareanalysis.com will be made by the malware if the call to gethostbyname at 0x10001757 succeeds.

  5. IDA Pro has recognized 23 local variables for the function at 0x10001656.

  6. IDA Pro has recognized one parameter for the function at 0x10001656.

  7. The string \cmd.exe /c is located at 0x10095B34.

  8. That area of code appears to be creating a remote shell session for the attacker.

  9. The OS version is stored in the global variable dword_1008E5C4.

  10. The registry values located at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WorkTime ...

Get Practical Malware Analysis now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.