Skip to content

Latest commit

 

History

History
41 lines (21 loc) · 1.15 KB

lab-06-4.md

File metadata and controls

41 lines (21 loc) · 1.15 KB
Raw

This post is part of the series of Practical Malware Analysis Exercises.

1) What is the difference between main calls in 6-3 and 6-4?

Parsing/processing commands, and sleeping, are contained within the loop.

2) What new code construct in main?

A for loop with 1440 iterations.

3) Difference between this HTML parse function, and previous?

Sends UserAgent with pma%d instead of pma

%d is the duration of the program run.

4) How long will the program run, when connected?

(1440 iterations) * (60s sleep) = 1440 minutes = 24 hours = 1 day.

5) Network based indicators?

  1. URL: http://www.practicalmalwareanalysis.com/cc.htm
  2. User agent: Internet Explorer 7.50/pma + numerical wildcard

6) Purpose of the malware?

Setting the registry key enables persistence. Will run for 24 hours after each boot, transmitting uptime and fetching commands each minute.

  1. Malware identifies itself to server via UserAgent string.
  2. Malware gets 1 byte (a-e) command from cc.htm page via HTML comment.
  3. Based on command, copy self to cc.exe, install, delete, or sleep.
  4. Will run for 24 hours.