Lab 15-2 Solutions

Short Answers

  1. The URL initially requested is http://www.practicalmalwareanalysis.com/bamboo.html.

  2. The User-Agent string is generated by adding 1 to each letter and number in the hostname (Z and 9 are rotated to A and 0).

  3. The program looks for the string Bamboo:: in the page it requested.

  4. The program searches beyond the Bamboo:: string to find an additional ::, which it converts to a NULL terminator. The string in between Bamboo and the terminator is downloaded to a file named Account Summary.xls.exe and executed.

Detailed Analysis

Open the binary with IDA Pro and scroll to the main function at offset 0x00401000. We will begin with disarming this function by reading it top to bottom, fixing each countermeasure until we reach the logical ...

Get Practical Malware Analysis now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.