Lab 5-1 Solutions
DllMainis found at 0x1000D02E in the
The import for
gethostbynameis found at 0x100163CC in the
gethostbynameimport is called nine times by five different functions throughout the malware.
A DNS request for
pics.practicalmalwareanalysis.comwill be made by the malware if the call to
gethostbynameat 0x10001757 succeeds.
IDA Pro has recognized 23 local variables for the function at 0x10001656.
IDA Pro has recognized one parameter for the function at 0x10001656.
\cmd.exe /cis located at 0x10095B34.
That area of code appears to be creating a remote shell session for the attacker.
The OS version is stored in the global variable
The registry values located at