- IDA Pro
- Proc Mon
- Lab03-04.exe SHA256: 6ac06dfa543dca43327d55a61d0aaed25f3c90cce791e0555e3e306d47107859
- Detection Rate: 22/54
- Analyzed on 30 Jan 2016
- Compilation Date: 2011-10-18 18:46:44
Analyze the malware found in the file Lab03-04.exe using basic dynamic analysis tools. (This program is analyzed further in the Chapter 9 labs.)
1. What happens when you run this file?
Lab03-04.exe gets deleted via a cmd.exe del command!
If we use IDA Pro to trace the cmd.exe /c del string, we find the function call that issues it.
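The self-deletion above is also visible from the outside: in a Procmon capture the process spawns cmd.exe with a /c del command line naming its own image. The script below is an added example (not part of the lab or the book's material) that flags that pattern over constructed Procmon-style CSV rows. It assumes the column names of a Procmon CSV export (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and that Process Start rows carry the image path in their Command line detail; the sample rows, PIDs and paths are made up for the example.

```python
import csv
import io
import ntpath
import re

# Constructed sample in the style of a Procmon CSV export (not a real capture
# of Lab03-04.exe). Row 2 shows the behaviour described in the lab: the process
# spawns cmd.exe /c del against its own image. The last two rows are benign
# uses of cmd.exe that must not be flagged.
SAMPLE_CSV = r'''Time of Day,Process Name,PID,Operation,Path,Result,Detail
"10:01:02.100","Lab03-04.exe","1234","Process Start","","SUCCESS","Parent PID: 900, Command line: ""C:\Lab\Lab03-04.exe"""
"10:01:02.250","Lab03-04.exe","1234","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 1300, Command line: cmd.exe /c del ""C:\Lab\Lab03-04.exe"" >> NUL"
"10:01:02.300","cmd.exe","1300","SetDispositionInformationFile","C:\Lab\Lab03-04.exe","SUCCESS","Delete: True"
"10:01:05.000","notepad.exe","1400","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 1500, Command line: cmd.exe /c dir C:\Users"
"10:01:07.000","installer.exe","1600","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 1700, Command line: cmd.exe /c del C:\Temp\setup.tmp"
'''

# "/c del <target>" with an optionally quoted target path.
DEL_RE = re.compile(r'/c\s+del\s+"?([^"\s]+)"?', re.IGNORECASE)
# The command line embedded in a Procmon Detail column.
CMDLINE_RE = re.compile(r'Command line:\s*(.*)$', re.IGNORECASE)


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of dict rows keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def _image_from_start(detail):
    """Extract the image path from a Process Start row's command line."""
    m = CMDLINE_RE.search(detail)
    if not m:
        return None
    cmdline = m.group(1).strip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split(" ", 1)[0]


def find_self_deletes(rows):
    """Return one finding per process that spawns cmd.exe /c del on its own image."""
    images = {}      # PID -> image path, learned from Process Start rows
    findings = []
    for row in rows:
        op, pid, detail = row["Operation"], row["PID"], row["Detail"] or ""
        if op == "Process Start":
            img = _image_from_start(detail)
            if img:
                images[pid] = img
            continue
        # Only child processes that are cmd.exe are of interest here.
        if op != "Process Create" or ntpath.basename(row["Path"]).lower() != "cmd.exe":
            continue
        m = DEL_RE.search(detail)
        if not m:
            continue
        target = m.group(1)
        own = images.get(pid)
        if own is not None:
            is_self = own.lower() == target.lower()
        else:
            # No Process Start seen for this PID: fall back to comparing file names.
            is_self = ntpath.basename(target).lower() == row["Process Name"].lower()
        if is_self:
            findings.append({
                "time": row["Time of Day"],
                "pid": pid,
                "image": own or row["Process Name"],
                "target": target,
            })
    return findings


if __name__ == "__main__":
    for hit in find_self_deletes(parse_procmon_csv(SAMPLE_CSV)):
        print(f'{hit["time"]} PID {hit["pid"]} ({hit["image"]}) deletes itself via cmd.exe: {hit["target"]}')
```

Only the Lab03-04.exe row is reported; the dir command and the installer deleting a temp file are left alone because the deleted path is not the spawning process's own image. On a real capture, export Procmon's CSV with the Detail column included and feed it to parse_procmon_csv.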
2. What is causing the roadblock in dynamic analysis?
There are 7 scenarios that will cause the self-delete function to be called. We need to reverse the code to see which one is causing it to self-delete. Some malware checks for things like whether the current OS is a VM, whether a debugger is attached, whether an AV is running, whether an argument is passed in, etc.
3. Are there other ways to run this program?
There are several ways to run this program:
- One way is to run it in OllyDbg, break before delself is called and change the process flow.
- Patch the program to change the jz opcode to jnz, etc.
- Reverse the program and figure out the exact cause.
However, we might still need to figure out the exact cause of why the program fails to run in order to execute it correctly. Simple patching might not work.