Skip to content

Latest commit

 

History

History
51 lines (29 loc) · 1.4 KB

lab-06-3.md

File metadata and controls

51 lines (29 loc) · 1.4 KB
Raw

This post is part of the series of Practical Malware Analysis Exercises.

1) Compare main() from lab 2 to this main(). What is the new function call?

sub_401130

2) What parameters does the new function take?

  1. Character string containing the command (parsed from HTML).
  2. Character string containing Existing Filename (argv[0]).

3) What major code construct does this function contain?

Switch with 5 cases that checks the command, implemented as a jump table.

4) What can this function do?

Carries out the command, installing the malware.

  • Case 0: Make the directory C:\Temp
  • Case 1: Copy self (argv[0]) binary to malware path.
  • Case 2: Delete the malware.
  • Case 3: Tries to set reg value Malware : C:\\Temp\\cc.exe in the CurrentVersion\Run registry key.
  • Case 4: Sleep for 100 seconds.
  • Default: Print error message, bad command.

5) Host based indicators?

  1. File: C:\Temp\cc.exe
  2. Registry key: CurrentVersion\Run\Malware : C:\Temp\cc.exe

6) Purpose of the malware?

Administer a malware infection. Provide updates/persistence.

Checks for an internet connection, gets a remote command, and executes it. Command is lower case letter: a, b, c, d, e.

Based on that command, it can:

  • Install the malware to run at boot.
  • Copy a new version of the malware.
  • Delete the malware.