Lab 15-2 Solutions
Short Answers
The URL initially requested is http://www.practicalmalwareanalysis.com/bamboo.html.
The User-Agent string is generated by adding 1 to each letter and number in the hostname (Z and 9 are rotated to A and 0).
The program looks for the string Bamboo:: in the page it requested. It then searches beyond the Bamboo:: string for an additional ::, which it converts to a NULL terminator. The string between Bamboo:: and that terminator is the URL of a file that is downloaded to Account Summary.xls.exe and executed.
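The two pieces of host-side logic in the short answers, the User-Agent derivation and the Bamboo:: page parsing, are small enough to reimplement so an analyst can verify them against a live sample. The following is an added example written for this page, not code from the book or the lab binary. It assumes lowercase z wraps to a (the text only names Z and 9), that non-alphanumeric characters such as the dots pass through unchanged, and it uses a constructed page body with a placeholder payload URL; the inverse function is an analyst's convenience for turning an observed User-Agent back into the hostname and is not something the malware does.

```python
"""Added example (not from the book or the lab binary): reimplements the
User-Agent derivation and the Bamboo:: marker parsing from the Lab 15-2
short answers so they can be checked against a sample or a packet capture."""

from typing import Optional

HOSTNAME = "www.practicalmalwareanalysis.com"
MARKER = "Bamboo::"
TERMINATOR = "::"

# Constructed page body; the payload URL is a placeholder, not the real one.
SAMPLE_PAGE = (
    "<html><body>\n"
    "<p>Nothing to see here.</p>\n"
    "<!-- Bamboo::http://example.invalid/update.bin::-->\n"
    "</body></html>\n"
)


def rotate_char(c: str) -> str:
    """Add 1 to a letter or digit. Z wraps to A and 9 wraps to 0 as the
    text states; z wrapping to a is an assumption. Anything else (e.g. '.')
    is returned unchanged."""
    if "a" <= c <= "y" or "A" <= c <= "Y" or "0" <= c <= "8":
        return chr(ord(c) + 1)
    return {"z": "a", "Z": "A", "9": "0"}.get(c, c)


def unrotate_char(c: str) -> str:
    """Inverse of rotate_char: subtract 1 with the matching wraparound.
    Analyst helper only; the malware never needs this direction."""
    if "b" <= c <= "z" or "B" <= c <= "Z" or "1" <= c <= "9":
        return chr(ord(c) - 1)
    return {"a": "z", "A": "Z", "0": "9"}.get(c, c)


def user_agent_from_hostname(hostname: str) -> str:
    """Build the User-Agent the malware sends for a given hostname."""
    return "".join(rotate_char(c) for c in hostname)


def hostname_from_user_agent(user_agent: str) -> str:
    """Recover the hostname from a User-Agent seen in proxy or IDS logs."""
    return "".join(unrotate_char(c) for c in user_agent)


def extract_payload_url(page: str) -> Optional[str]:
    """Mirror the malware's parsing: locate 'Bamboo::', then the next '::'
    (which the binary overwrites with a NUL byte) and return the text in
    between. Returns None if either the marker or the terminator is missing,
    the case in which the malware has nothing to download."""
    start = page.find(MARKER)
    if start == -1:
        return None
    start += len(MARKER)
    end = page.find(TERMINATOR, start)
    if end == -1:
        return None
    return page[start:end]


if __name__ == "__main__":
    ua = user_agent_from_hostname(HOSTNAME)
    print("User-Agent:", ua)
    print("Recovered :", hostname_from_user_agent(ua))
    print("Payload   :", extract_payload_url(SAMPLE_PAGE))
```

Feeding the User-Agent produced here into a proxy log search is a quick way to confirm that an observed request belongs to this family: if unrotating the string yields a plausible hostname that matches the Host header, the beaconing logic described above is in play.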
Detailed Analysis
Open the binary with IDA Pro and scroll to the main function at offset 0x00401000. We begin by disarming this function, reading it top to bottom and fixing each countermeasure until we reach the logical ...