Lab 20-2 Solutions
Short Answers
The most interesting strings are
ftp.practicalmalwareanalysis.com
andHome ftp client
, which indicate that this program may be FTP client software.The imports
FindFirstFile
andFindNextFile
indicate that the program probably searches through the victim’s filesystem. The importsInternetOpen
,InternetConnect
,FtpSetCurrentDirectory
, andFtpPutFile
tell us that this malware may upload files from the victim machine to a remote FTP server.The object created at 0x004011D9 represents a .doc file. It has one virtual function at offset 0x00401440, which uploads the file to a remote FTP server.
The virtual function call at 0x00401349 will call one of the virtual functions at 0x00401380, 0x00401440, or 0x00401370.
This malware ...
Get Practical Malware Analysis now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.