Lab 15-3 Solutions

Short Answers

  1. The malicious code is initially called by overwriting the return pointer from the main function.

  2. The malicious code downloads a file from a URL and launches it with WinExec.

  3. The URL used by the program is http://www.practicalmalwareanalysis.com/tt.html.

  4. The filename used by the program is spoolsrv.exe.

Detailed Analysis

On a quick examination, this binary initially appears to be a process-listing tool. You might also have noticed a few suspicious imports, such as URLDownloadToFile and WinExec. If you scrolled near the bottom of the code in IDA Pro, just before the C runtime library code, you may even have noticed where these suspicious functions are called. This code does not seem to be part of the program at all. There ...
