Lab 11-1 Solutions
Short Answers
The malware extracts and drops the file msgina32.dll onto disk from a resource section named
TGAD
.The malware installs msgina32.dll as a GINA DLL by adding it to the registry location
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL
, which causes the DLL to be loaded after system reboot.The malware steals user credentials by performing GINA interception. The msgina32.dll file is able to intercept all user credentials submitted to the system for authentication.
The malware logs stolen credentials to %SystemRoot%\System32\msutil32.sys. The username, domain, and password are logged to the file with a timestamp.
Once the malware is dropped and installed, there must be a system reboot for the GINA interception ...
Get Practical Malware Analysis now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.