Lab 15-3 Solutions
The malicious code is initially called by overwriting the return pointer from the
The malicious code downloads a file from a URL and launches it with
The URL used by the program is http://www.practicalmalwareanalysis.com/tt.html.
The filename used by the program is spoolsrv.exe.
Quickly examining this binary, it initially seems to be a process-listing tool. You might have also noticed a few suspicious imports, such as WinExec. If you scrolled near the bottom of the code in IDA Pro, just before the C runtime library code, you may have even noticed where these suspicious functions are called. This code does not seem to be a part of the program at all. There ...
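As an added illustration (not code from the book, the lab binary, or its solutions files): a small Python script that scans a text disassembly listing for the trick the solution describes, a store into a function's own saved return address slot ([ebp+4] after a standard frame-pointer prologue), which lets control reach hidden code on "ret" without any call or jump that a disassembler would cross-reference. The listing it scans is constructed here to mimic that pattern; the addresses and the names sub_401200 and aSpoolsrv_exe are assumptions, not values taken from the lab.

```python
import re

# Constructed listing in the style of an IDA Pro text dump.  It is NOT the lab
# binary; it imitates the pattern described in the solution: main overwrites
# its own saved return address at [ebp+4] with the address of hidden code.
# Addresses and symbol names here are assumed for the example.
SAMPLE_LISTING = """\
00401000  push    ebp
00401001  mov     ebp, esp
00401003  mov     dword ptr [ebp+4], 401F00h
0040100A  call    sub_401200
0040100F  xor     eax, eax
00401011  pop     ebp
00401012  retn
00401F00  push    0
00401F02  push    offset aSpoolsrv_exe
"""

# After "mov ebp, esp", [ebp+0] holds the saved EBP and [ebp+4] holds the
# return address.  A store to that slot redirects the function's return.
PROLOGUE = re.compile(r'^\s*[0-9A-Fa-f]{8}\s+mov\s+ebp\s*,\s*esp', re.I)
RETURN = re.compile(r'^\s*[0-9A-Fa-f]{8}\s+retn?\b', re.I)
RET_SLOT_WRITE = re.compile(
    r'^\s*(?P<addr>[0-9A-Fa-f]{8})\s+mov\s+(?:dword ptr\s+)?'
    r'\[ebp\+(?:4|04h)\]\s*,\s*(?P<src>\S+)',
    re.I,
)


def find_return_address_writes(listing):
    """Return (instruction address, value stored) for every write to the saved
    return address slot that occurs inside a frame-pointer-based function."""
    hits = []
    frame_set_up = False
    for line in listing.splitlines():
        if PROLOGUE.match(line):
            frame_set_up = True      # [ebp+4] now means "my return address"
            continue
        if RETURN.match(line):
            frame_set_up = False     # function ended; stop tracking its frame
            continue
        m = RET_SLOT_WRITE.match(line)
        if m and frame_set_up:
            hits.append((m.group('addr').upper(), m.group('src')))
    return hits


if __name__ == "__main__":
    for addr, target in find_return_address_writes(SAMPLE_LISTING):
        print(f"{addr}: return address overwritten with {target}; "
              f"treat {target} as code even though nothing references it")
```

When triaging a sample like this one, a hit from such a scan tells you which address to mark as code and examine (in IDA Pro, pressing C at the target or creating a function there) even though the disassembler shows no cross-references to it.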