Lab 11-1 Solutions
The malware extracts and drops the file msgina32.dll onto disk from a resource section named
The malware installs msgina32.dll as a GINA DLL by adding it to the registry location
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL, which causes the DLL to be loaded after system reboot.
The malware steals user credentials by performing GINA interception. The msgina32.dll file is able to intercept all user credentials submitted to the system for authentication.
The malware logs stolen credentials to %SystemRoot%\System32\msutil32.sys. The username, domain, and password are logged to the file with a timestamp.
Once the malware is dropped and installed, there must be a system reboot for the GINA interception ...