Lab 19-2 Solutions

Short Answers

  1. The program process-injects the default web browser, Internet Explorer.

  2. The shellcode buffer is located at 0x407030.

  3. The shellcode is XOR’ed with the byte 0xe7.

  4. The shellcode manually imports the following functions:

    • LoadLibraryA

    • CreateProcessA

    • TerminateProcess

    • GetCurrentProcess

    • WSAStartup

    • WSASocketA

    • connect

  5. The shellcode connects to IP 192.168.200.2 on TCP port 13330.

  6. The shellcode provides a remote shell (cmd.exe).

Detailed Analysis

The malware starts by determining the default web browser by reading the registry value HKCR\http\shell\open\command. The browser is created as a new process whose StartupInfo.wShowWindow value is set to SW_HIDE, so the process is hidden from the user interface. Process-injecting the default web ...

Get Practical Malware Analysis now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial