Lab 9-2 Solutions

Short Answers

  1. The imports and the string cmd are the only interesting strings that appear statically in the binary.

  2. It terminates without doing much.

  3. Rename the file to ocl.exe before you run it.

  4. A string is being built on the stack, which is used by attackers to obfuscate strings from simple strings utilities and basic static analysis techniques.

  5. The string 1qaz2wsx3edc and a pointer to a buffer of data are passed to subroutine 0x401089.

  6. The malware uses the domain practicalmalwareanalysis.com.

  7. The malware will XOR the encoded DNS name with the string 1qaz2wsx3edc to decode the domain name.

  8. The malware is setting the stdout, stderr, and stdin handles (used in the STARTUPINFO structure of CreateProcessA) to the socket. Since CreateProcessA ...
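The decoding step from answer 7 (XOR of the encoded DNS name with the repeating key 1qaz2wsx3edc), as an added worked example that is not part of the book's solutions. The page does not list the encoded bytes stored in the binary, so the encoded buffer below is constructed by XORing the known domain with the key; everything else is an assumption about how an analyst would reproduce the routine from subroutine 0x401089 in a script rather than by hand.

```python
# Added example: repeating-key XOR decoder matching the behaviour described
# in Lab 9-2 answer 7. The key comes from the page; the encoded buffer is
# constructed here for demonstration, not copied from the sample binary.

KEY = b"1qaz2wsx3edc"
DOMAIN = b"practicalmalwareanalysis.com"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key byte at the same position,
    wrapping the key with modulo (i % len(key)). XOR is its own inverse,
    so this one function both encodes and decodes."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed encoded buffer: the stack-built bytes the malware would hold
# before calling the decode routine (derived here from the known domain).
ENCODED = xor_with_key(DOMAIN, KEY)


def decode_domain(encoded: bytes, key: bytes = KEY) -> str:
    """Decode an XOR-obfuscated host name and reject output that is not a
    plausible DNS name, which is the sanity check an analyst applies when
    trying candidate keys against a blob pulled from the binary."""
    plain = xor_with_key(encoded, key)
    allowed = set(b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789-.")
    if not plain or any(c not in allowed for c in plain):
        raise ValueError("decoded bytes are not a valid DNS name")
    return plain.decode("ascii")


if __name__ == "__main__":
    print("encoded :", ENCODED.hex())
    print("decoded :", decode_domain(ENCODED))
```

The printable-character check is what separates a correct key from a near miss when the encoded buffer was recovered from a memory dump or the disassembly; a wrong key still produces 28 bytes, just not a domain.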
