- IDA Pro
- Lab06-02.exe SHA256: b71777edbf21167c96d20ff803cbcb25d24b94b3652db2f286dcd6efd3d8416a
- Detection Rate: 20/55
- Analyzed on 28 Feb 2016
- Compilation Date: 2011-02-02 21:29:05
Analyze the malware found in the file Lab06-02.exe.
1. What operation does the first subroutine called by main perform?
The first subroutine called is at address 0x0401000. It checks for an internet connection via the InternetGetConnectedState function. It returns eax = 1 if there is an internet connection and eax = 0 if there is none.
2. What is the subroutine located at 0x40117F?
3. What does the second subroutine called by main do?
If the first subroutine returns 1, the second subroutine (0x401040) is called.
Inside this function, “http://www.practicalmalwareanalysis.com/cc.htm” is opened via InternetOpenUrlA. It then reads the file from the URL and checks whether the first four characters are “<!--”. If they are, a command exists; otherwise a message stating that it failed to get a command is printed.
4. What type of code construct is used in this subroutine?
512 bytes are read from “http://www.practicalmalwareanalysis.com/cc.htm”. The first four bytes are matched against “<!--”, the HTML comment opener. The next byte is the command.
5. Are there any network-based indicators for this program?
User Agent: Internet Explorer 7.5/pma
6. What is the purpose of this malware?
The malware first checks for an internet connection. If one exists, it attempts to download http://www.practicalmalwareanalysis.com/cc.htm using the user agent Internet Explorer 7.5/pma. It parses the downloaded page and checks whether it begins with “<!--”. If it does, the next character is parsed as the command and printed to the console. It then sleeps for 60 seconds and terminates.
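The two things an analyst usually wants from this lab are a way to reproduce the command-page check (Q3/Q4) against a page they control and a way to hunt for the network indicator (Q5) in proxy logs. The Python below is an added example written for this writeup, not code from the lab binary or the book. The log format and the log lines are constructed for the example; the only values taken from the analysis above are the 512-byte read, the “<!--” prefix, the User-Agent string and the C2 host.

```python
"""Lab06-02.exe helpers: emulate the cc.htm command check and hunt for
the User-Agent / host indicators in proxy logs (constructed sample data)."""
import re

COMMENT_PREFIX = b"<!--"                    # first 4 bytes expected on cc.htm
READ_SIZE = 512                             # bytes the malware reads from the URL
USER_AGENT = "Internet Explorer 7.5/pma"    # User-Agent observed in the lab
C2_HOST = "www.practicalmalwareanalysis.com"


def extract_command(page: bytes):
    """Mirror the malware's parse: look at most READ_SIZE bytes, require the
    HTML comment opener, and return the single command character after it.
    Returns None when the page carries no command (the 'failed to get
    command' path in the binary)."""
    data = page[:READ_SIZE]
    if len(data) < len(COMMENT_PREFIX) + 1:
        return None
    if data[:len(COMMENT_PREFIX)] != COMMENT_PREFIX:
        return None
    return chr(data[len(COMMENT_PREFIX)])


# Constructed proxy log lines in an assumed format (not from the page):
# timestamp client method url status "user-agent"
SAMPLE_LOG = """\
2016-02-28T10:00:01Z 10.0.0.5 GET http://www.example.org/index.html 200 "Mozilla/5.0"
2016-02-28T10:00:07Z 10.0.0.9 GET http://www.practicalmalwareanalysis.com/cc.htm 200 "Internet Explorer 7.5/pma"
2016-02-28T10:00:09Z 10.0.0.5 GET http://www.example.org/a.png 200 "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d+) "([^"]*)"$')


def find_indicator_hits(log_text: str):
    """Return (client, url, reasons) for every log line that matches the
    Lab06-02 network indicators. Either indicator alone is enough to flag a
    line, because the host may change while the odd User-Agent stays."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        _ts, client, _method, url, _status, ua = m.groups()
        reasons = []
        if ua == USER_AGENT:
            reasons.append("user-agent")
        if C2_HOST in url:
            reasons.append("c2-host")
        if reasons:
            hits.append((client, url, ",".join(reasons)))
    return hits


if __name__ == "__main__":
    # Constructed page contents: a command page and a page without a command.
    print(extract_command(b"<!--cHello-->"))   # command character 'c'
    print(extract_command(b"<html></html>"))   # None: no command
    for hit in find_indicator_hits(SAMPLE_LOG):
        print(hit)
```

Only the fifth byte is used, so a page whose comment is shorter than five bytes is treated as carrying no command; that matches the "fails to get command" branch described in Q3, and the log scan flags on either indicator so a changed hostname does not hide the User-Agent.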