Lab 17-3 Solutions

Short Answers

  1. The malware immediately terminates inside a VM, unlike the malware from Lab 12-2, which performs process replacement on svchost.exe.

  2. If you force the jumps at 0x4019A1, 0x4019C0, and 0x401467 to be taken, and the jump at 0x401A2F not to be taken, the malware performs process replacement using a keylogger from its resource section.

  3. The malware uses four different anti-VM techniques:

    • It uses the backdoor I/O communication port.

    • It searches the registry key SYSTEM\CurrentControlSet\Control\DeviceClasses for the string vmware.

    • It checks the MAC address to see if it is the default used by VMware.

    • It searches the process list with a string-hashing function for processes starting with the string vmware.

  4. To avoid the anti-VM techniques ...
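As an added example (not code from the book or the lab binary), the script below shows how an analyst can triage a sample statically for traces of the four anti-VM techniques listed in answer 3. The byte signatures, the VMware MAC OUIs (00:0C:29, 00:50:56, 00:05:69), and the process-enumeration API names are my assumptions about how each technique usually shows up in a binary; the sample bytes are constructed inline.

```python
"""Static triage for the four anti-VM artifacts from Lab 17-3.
Added example, not the book's code; signatures are assumptions and
the sample below is constructed for the self-test."""
import re

# Technique 1: VMware backdoor I/O port. The classic sequence loads the magic
# 0x564D5868 ("VMXh") into EAX (opcode B8 imm32) and runs `in eax, dx`
# (opcode ED) within a few bytes.
BACKDOOR_RE = re.compile(rb"\xb8\x68\x58\x4d\x56.{0,32}?\xed", re.DOTALL)

# Technique 2: registry probe of DeviceClasses for the string "vmware".
REGISTRY_KEY = b"system\\currentcontrolset\\control\\deviceclasses"

# Technique 3: default VMware MAC prefixes written out as text. A compare
# done on raw MAC bytes in code is not caught by this string check.
MAC_RE = re.compile(rb"00[:\-]?(0c[:\-]?29|50[:\-]?56|05[:\-]?69)", re.IGNORECASE)

# Technique 4: the process-list walk hides "vmware" behind a hash, so the only
# static hint is the enumeration API itself (assumed, not named in the lab).
PROCESS_WALK_APIS = (b"Process32First", b"Process32Next", b"CreateToolhelp32Snapshot")


def find_anti_vm_indicators(data: bytes) -> dict:
    """Return which of the four techniques leave a static trace in `data`."""
    lowered = data.lower()
    return {
        "backdoor_io_port": BACKDOOR_RE.search(data) is not None,
        "registry_deviceclasses": REGISTRY_KEY in lowered and b"vmware" in lowered,
        "vmware_mac_prefix": MAC_RE.search(data) is not None,
        "process_walk": any(api in data for api in PROCESS_WALK_APIS),
    }


# Constructed sample: a backdoor-port fragment followed by the strings a
# scanner would expect from the registry, MAC and process-walk checks.
CONSTRUCTED_SAMPLE = (
    b"\xb8\x68\x58\x4d\x56"   # mov eax, 564D5868h ("VMXh")
    b"\xbb\x00\x00\x00\x00"   # mov ebx, 0
    b"\xb9\x0a\x00\x00\x00"   # mov ecx, 0Ah (get-version command)
    b"\xba\x58\x56\x00\x00"   # mov edx, 5658h ("VX")
    b"\xed"                   # in eax, dx
    b"\x00SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\x00vmware\x00"
    b"00:0C:29\x00Process32Next\x00"
)

if __name__ == "__main__":
    for technique, hit in find_anti_vm_indicators(CONSTRUCTED_SAMPLE).items():
        print(f"{technique:24s} {'FOUND' if hit else '-'}")
```

Run it against a real sample with `find_anti_vm_indicators(open(path, "rb").read())`; a clean hit on the backdoor sequence is the strongest of the four signals, the others are hints to confirm in the disassembly.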
