Lab 15-3 Solutions
Short Answers
The malicious code is initially called by overwriting the return pointer from the main function. The malicious code downloads a file from a URL and launches it with WinExec. The URL used by the program is http://www.practicalmalwareanalysis.com/tt.html. The filename used by the program is spoolsrv.exe.
Detailed Analysis
Quickly examining this binary, it initially seems to be a process-listing tool. You might have also noticed a few suspicious imports, such as URLDownloadToFile and WinExec. If you scrolled near the bottom of the code in IDA Pro, just before the C runtime library code, you may have even noticed where these suspicious functions are called. This code does not seem to be a part of the program at all. There ...
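The analysis above leans on two static observations: the import table carries a download API next to an execution API, and the strings of the binary carry a URL and a drop filename. The following script is an added triage example, not code from the book or from the lab binary; it extracts printable ASCII strings from a buffer the way the strings utility does (import names in a PE live as plain ASCII, so they show up too) and flags the download-and-execute pairing along with any URLs and executable filenames it finds. The sample buffer is constructed here and only imitates the strings seen in this lab; run the script against a real file by passing its path on the command line.

```python
import re
import sys

# Constructed sample buffer standing in for a file read from disk: a few
# import names and strings like the ones reported for this lab, padded with
# non-printable bytes so the extractor has something to skip.
SAMPLE_BYTES = (
    b"\x00\x01\x02MZ\x90\x00" + b"\x00" * 8
    + b"kernel32.dll\x00WinExec\x00CreateToolhelp32Snapshot\x00"
    + b"urlmon.dll\x00URLDownloadToFileA\x00\xff\xfe"
    + b"http://www.practicalmalwareanalysis.com/tt.html\x00"
    + b"spoolsrv.exe\x00\x90\x90"
)

MIN_LEN = 4  # same default minimum run length as the strings utility

# APIs that fetch content from a URL and APIs that start a program. Seeing one
# of each in the same binary is the download-and-execute pattern this lab shows.
DOWNLOAD_APIS = {
    "URLDownloadToFile", "URLDownloadToFileA", "URLDownloadToFileW",
    "InternetOpenUrlA", "InternetOpenUrlW", "InternetReadFile",
}
EXEC_APIS = {
    "WinExec", "CreateProcessA", "CreateProcessW",
    "ShellExecuteA", "ShellExecuteW",
}

URL_RE = re.compile(r"https?://[\w.\-/]+")
EXE_RE = re.compile(r"\b[\w\-]+\.(?:exe|dll|scr)\b", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return every run of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data: bytes) -> dict:
    """Summarise download/exec imports, URLs and filenames found in data."""
    strings = extract_strings(data)
    found = set(strings)
    downloaders = sorted(found & DOWNLOAD_APIS)
    executors = sorted(found & EXEC_APIS)
    urls = sorted({m.group() for s in strings for m in URL_RE.finditer(s)})
    names = sorted({m.group() for s in strings for m in EXE_RE.finditer(s)})
    return {
        "download_apis": downloaders,
        "exec_apis": executors,
        "urls": urls,
        "filenames": names,
        # Both halves present: worth a closer look at where they are called.
        "download_and_execute": bool(downloaders and executors),
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = SAMPLE_BYTES
    for key, value in triage(blob).items():
        print(f"{key}: {value}")
```

The check is deliberately coarse: it reports the combination, not a verdict, and leaves locating the call site (here, code reached through the overwritten return pointer rather than through any normal call from main) to the disassembler.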