Lab 12-2 Solutions

Short Answers

  1. The purpose of this program is to covertly launch another program.

  2. The program uses process replacement to hide execution.

  3. The malicious payload is stored in the program’s resource section. The resource has type UNICODE and the name LOCALIZATION.

  4. The malicious payload stored in the program’s resource section is XOR-encoded. This decode routine can be found at sub_40132C. The XOR byte is found at 0x0040141B.

  5. The strings are XOR-encoded using the function at sub_401000.

Detailed Analysis

Since we’ve already analyzed this binary in the labs for Chapter 3, let’s begin by opening the file with IDA Pro and looking at the function imports. Many functions in the list provide little information because they are commonly imported ...

Get Practical Malware Analysis now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.