Lab 11-3 Solutions
Short Answers
Lab11-03.exe contains the strings inet_epar32.dll and net start cisvc, which means that it probably starts the CiSvc indexing service. Lab11-03.dll contains the string C:\WINDOWS\System32\kernel64x.dll and imports the API calls GetAsyncKeyState and GetForegroundWindow, which makes us suspect it is a keylogger that logs to kernel64x.dll.

The malware starts by copying Lab11-03.dll to inet_epar32.dll in the Windows system directory. The malware writes data to cisvc.exe and starts the indexing service. The malware also appears to write keystrokes to C:\Windows\System32\kernel64x.dll.

The malware persistently installs Lab11-03.dll by trojanizing the indexing service by entry-point redirection. It redirects the entry point ...
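The persistence mechanism above (rewriting cisvc.exe so its entry point lands in injected code) is something a responder can check for directly in the PE header. The script below is an added example written for this page, not code from Practical Malware Analysis or from the lab binaries: it parses the PE section table, reports when AddressOfEntryPoint falls outside the first code section or into a writable or non-executable section, and scans the raw bytes for the indicator strings the solution names (inet_epar32.dll, net start cisvc, kernel64x.dll, GetAsyncKeyState, GetForegroundWindow). The two PE images it examines are constructed in-line so it runs offline; the heuristic thresholds and section layout are assumptions for illustration, not facts about cisvc.exe.

```python
import struct

# Section characteristic flags from the PE specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Strings the Lab 11-3 solution associates with Lab11-03.exe / Lab11-03.dll.
INDICATOR_STRINGS = [
    b"inet_epar32.dll",
    b"net start cisvc",
    b"kernel64x.dll",
    b"GetAsyncKeyState",
    b"GetForegroundWindow",
]


def parse_pe(data):
    """Return (AddressOfEntryPoint, [section dicts]) for a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    # AddressOfEntryPoint is at offset 16 of the optional header in both PE32 and PE32+.
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, rva, rawsize, rawoff, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "rva": rva, "size": max(vsize, rawsize), "chars": chars})
    return entry, sections


def check_entry_point(data):
    """Entry-point redirection heuristics; returns a list of reasons (empty = looks normal)."""
    entry, sections = parse_pe(data)
    holder = next((s for s in sections if s["rva"] <= entry < s["rva"] + s["size"]), None)
    if holder is None:
        return ["entry point 0x%x lies outside every section" % entry]
    reasons = []
    if not holder["chars"] & IMAGE_SCN_MEM_EXECUTE:
        reasons.append("entry point in non-executable section %s" % holder["name"])
    if holder["chars"] & IMAGE_SCN_MEM_WRITE:
        reasons.append("entry point in writable section %s" % holder["name"])
    first_code = next((s for s in sections if s["chars"] & IMAGE_SCN_CNT_CODE), None)
    if first_code is not None and holder is not first_code:
        reasons.append("entry point in %s rather than first code section %s"
                       % (holder["name"], first_code["name"]))
    return reasons


def scan_indicators(data):
    """Return the indicator strings present in the raw file bytes."""
    return [s.decode() for s in INDICATOR_STRINGS if s in data]


def build_pe(entry_rva, sections, payloads=()):
    """Construct a minimal PE32 file for testing. sections: (name, rva, raw_off, size, chars)."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)      # AddressOfEntryPoint
    hdr = dos + b"PE\0\0" + coff + bytes(opt)
    for name, rva, raw_off, size, chars in sections:
        hdr += struct.pack("<8sIIIIIIHHI", name, size, rva, size, raw_off, 0, 0, 0, 0, chars)
    image = bytearray(max(off + size for _, _, off, size, _ in sections))
    image[:len(hdr)] = hdr
    for off, blob in payloads:
        image[off:off + len(blob)] = blob
    return bytes(image)


# Constructed samples (assumed layout): a normal image, and one whose entry point
# was redirected into the writable .data section alongside planted indicator strings.
_SECTIONS = [
    (b".text", 0x1000, 0x200, 0x200, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x2000, 0x400, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
CLEAN_SAMPLE = build_pe(0x1010, _SECTIONS)
REDIRECTED_SAMPLE = build_pe(0x2010, _SECTIONS,
                             payloads=[(0x480, b"inet_epar32.dll\0net start cisvc\0")])

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN_SAMPLE), ("redirected", REDIRECTED_SAMPLE)):
        print(label, check_entry_point(blob), scan_indicators(blob))
```

Against a real file, read the bytes with open(path, "rb") and pass them to check_entry_point and scan_indicators; an entry point in the first code section is not proof of integrity (a patched jump inside .text would pass), so pair the check with a hash comparison against a known-good copy of the system binary.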