PRACTICAL MALWARE ANALYSIS: RECOGNIZING C CODE CONSTRUCTS IN ASSEMBLY (LAB 6-01)

Tools Used:

  1. IDA Pro

Sample:

  1. Lab06-01.exe SHA256: fe30f280b1d0a5e9cef3324c2e8677f55a6202599d489170ece125f3cd843a03

VirusTotal:

  • Detection Rate: 1/55
  • Analyzed on 28 Feb 2016
  • Compilation Date: 2011-01-31 22:15:14

Lab 6-1
In this lab, you will analyze the malware found in the file Lab06-01.exe.
Questions
1. What is the major code construct found in the only subroutine called
by main?

The only subroutine called by main is sub_401000.

Figure 1: Flow graph of sub_401000

From the above figure, there are just two code paths. The path taken is selected based on the return value of the InternetGetConnectedState function. According to MSDN, the function returns TRUE if there is an active modem or LAN Internet connection, or FALSE if there is no Internet connection, or if all possible Internet connections are not currently active. In other words, the subroutine is a simple if/else construct keyed on that BOOL return value.

 

2. What is the subroutine located at 0x40105F?

A string is pushed as the argument to the function at 0x40105F. Stepping over 0x40105F, the string argument is printed to the console. If we were to step into this function… it is actually quite a journey down. For now I would guess it is a subroutine that prints a message on the console.

3. What is the purpose of this program?

The program checks for an Internet connection and prints a message indicating whether one is present.
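The following is an added C reconstruction of the construct identified in questions 1 and 3 (it is my own illustration, not source recovered from Lab06-01.exe or from the book): a two-path if/else on the BOOL returned by InternetGetConnectedState, with a placeholder message on each path. The message strings and the function names report_connection and check_internet are assumptions; on non-Windows builds a stub stands in for the WinINet call so the control flow can still be compiled.

```c
/* Added example: C source whose compiled form matches the two-path flow
 * graph of sub_401000 in Figure 1. Message strings are placeholders
 * (the real strings are not quoted in this write-up). */
#include <stdio.h>

#ifdef _WIN32
#include <windows.h>
#include <wininet.h>
#pragma comment(lib, "wininet.lib")
#else
/* Stub for non-Windows builds: behaves as if the host is offline. */
typedef int BOOL;
typedef unsigned long DWORD;
typedef DWORD *LPDWORD;
static BOOL InternetGetConnectedState(LPDWORD flags, DWORD reserved)
{
    (void)reserved;
    if (flags) *flags = 0;
    return 0;
}
#endif

/* The branch depends only on whether the API returned non-zero.
 * In IDA this typically shows up as "test eax, eax" followed by a
 * conditional jump, producing exactly two blocks after the call. */
int report_connection(BOOL connected)
{
    if (connected) {
        printf("Success: Internet connection detected\n"); /* placeholder */
        return 1;
    } else {
        printf("Error: no Internet connection\n");         /* placeholder */
        return 0;
    }
}

/* Equivalent of sub_401000: call the API, then take one of two paths. */
int check_internet(void)
{
    DWORD flags = 0;
    BOOL connected = InternetGetConnectedState(&flags, 0);
    return report_connection(connected);
}

int main(void)
{
    return check_internet() ? 0 : 1;
}
```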
