Lab 9-2 Solutions
Short Answers
The imports and the string cmd are the only interesting strings that appear statically in the binary.
It terminates without doing much.
Rename the file ocl.exe before you run it.
A string is being built on the stack, which is used by attackers to obfuscate strings from simple strings utilities and basic static analysis techniques.
The string 1qaz2wsx3edc and a pointer to a buffer of data are passed to subroutine 0x401089.
The malware uses the domain practicalmalwareanalysis.com.
The malware will XOR the encoded DNS name with the string 1qaz2wsx3edc to decode the domain name.
The malware is setting the stdout, stderr, and stdin handles (used in the STARTUPINFO structure of CreateProcessA) to the socket. Since CreateProcessA ...
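Worked example added here (it is not from the book and not code recovered from the lab binary): a repeating-key XOR decoder modelling what the answers above describe subroutine 0x401089 doing with the key 1qaz2wsx3edc. The encoded buffer is constructed by XOR-encoding the known domain, and the key-cycling behaviour, the NUL-padded 32-byte buffer and the function names are assumptions for illustration.

```python
# Added example, not code from the lab binary or the book.
# Models a repeating-key XOR decode: each byte of the buffer is XORed with the
# key, cycling through the key (the cycling is an assumption about 0x401089).

KEY = b"1qaz2wsx3edc"                   # key string built on the stack
DOMAIN = b"practicalmalwareanalysis.com" # domain the lab binary resolves


def xor_with_key(buf: bytes, key: bytes) -> bytes:
    """XOR every byte of buf with the key, wrapping around the key."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(buf))


# CONSTRUCTED sample: a 32-byte NUL-padded buffer holding DOMAIN XOR KEY, i.e.
# what the encoded name would look like if stored this way (XOR is self-inverse).
ENCODED_SAMPLE = xor_with_key(DOMAIN + b"\x00" * 4, KEY)


def decode_domain(encoded: bytes, key: bytes = KEY) -> str:
    """Decode the buffer and treat the result as a C string (stop at first NUL)."""
    plain = xor_with_key(encoded, key)
    end = plain.find(b"\x00")
    if end != -1:
        plain = plain[:end]
    return plain.decode("ascii", errors="replace")


def looks_like_hostname(s: str) -> bool:
    """Analyst sanity check for a candidate key: the output should be a plausible DNS name."""
    allowed = set("abcdefghijklmnopqrstuvwxyz0123456789-.")
    return bool(s) and "." in s and all(c in allowed for c in s.lower())


if __name__ == "__main__":
    print("encoded (hex):", ENCODED_SAMPLE.hex())
    decoded = decode_domain(ENCODED_SAMPLE)
    print("decoded      :", decoded, "| plausible:", looks_like_hostname(decoded))
```

The same decode logic, applied to the real buffer pulled from the binary with the key from the stack, is how an analyst confirms the domain without running the sample.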