- IDA Pro
- Lab06-04.exe SHA256: cce96e5cb884c565c75960c41f53a7b56cef1a3ff5b9893cd81c390fd0c35ef3
- Detection Rate: 18/54
- Analyzed on 2016-02-29
- Compilation Date: 2011-02-04 00:38:24
In this lab, we’ll analyze the malware found in the file Lab06-04.exe.
1. What is the difference between the calls made from the main method in Labs 6-3 and 6-4?
[Figure: disassembly of main in Lab 6-3 and Lab 6-4, side by side]
2. What new code construct has been added to main?
We can see a for loop in the image above.
3. What is the difference between this lab's parse HTML function and those of the previous labs?
sprintf is called, adding a number to the back of the user agent string.
4. How long will this program run? (Assume that it is connected to the
Referring to Figure 1, we can see that it loops 1440 times, calling the sleep function once per iteration. The sleep function sleeps for 60 seconds, so the loop runs for 1440 minutes, which is 24 hours.
5. Are there any new network-based indicators for this malware?
User Agent: Internet Explorer 7.5/pma[0-1439]
6. What is the purpose of this malware?
The malware first checks for an internet connection. If one is present, it attempts to download http://www.practicalmalwareanalysis.com/cc.htm using a user agent of the form Internet Explorer 7.5/pma[0-1439]. The number after the user agent is the loop count index; since each increment of the index equates to 1 minute, the C2 server can tell how long the malware has been executing. It then parses the downloaded page and checks whether it begins with <!- -. If it does, the next character is parsed as the command, and it executes predefined tasks such as creating a directory, copying itself to the temp folder, deleting the malware, adding a registry key to ensure persistence, and sleeping for 100 seconds.
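A defender-side check for the network indicator described above, added here as an example (not code from the lab or the book): it scans constructed proxy log lines for the Lab 6-4 user agent, extracts the counter, and reads it as minutes of uptime using the 0-1439 range from the answers. The log line format and field order are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicator from the write-up: the beacon's User-Agent carries the loop
# counter, which increments once per minute for 1440 iterations (0..1439).
UA_PATTERN = re.compile(r"Internet Explorer 7\.5/pma(\d+)$")
C2_HOST = "www.practicalmalwareanalysis.com"
MAX_COUNTER = 1439


@dataclass
class Beacon:
    src: str
    counter: int
    minutes_running: int  # counter value == minutes since the loop started
    to_c2_host: bool      # request went to the host named in the write-up


def parse_proxy_line(line: str) -> Optional[Beacon]:
    """Parse one constructed proxy log line of the assumed form
    '<src_ip> <host> <path> "<user_agent>"'. Return a Beacon when the
    User-Agent matches the Lab 6-4 pattern and the counter is in range."""
    m = re.match(r'^(\S+) (\S+) (\S+) "([^"]*)"$', line)
    if not m:
        return None
    src, host, _path, ua = m.groups()
    ua_match = UA_PATTERN.search(ua)
    if not ua_match:
        return None
    counter = int(ua_match.group(1))
    if counter > MAX_COUNTER:
        return None  # outside the sample's 0-1439 loop; treat as a non-match
    return Beacon(src=src, counter=counter, minutes_running=counter,
                  to_c2_host=(host == C2_HOST))


def find_beacons(lines: List[str]) -> List[Beacon]:
    return [b for b in (parse_proxy_line(ln) for ln in lines) if b is not None]


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 www.practicalmalwareanalysis.com /cc.htm "Internet Explorer 7.5/pma0"',
    '10.0.0.5 www.practicalmalwareanalysis.com /cc.htm "Internet Explorer 7.5/pma61"',
    '10.0.0.7 example.org /index.html "Mozilla/5.0 (Windows NT 10.0)"',
    '10.0.0.9 example.org /cc.htm "Internet Explorer 7.5/pma9999"',
]

if __name__ == "__main__":
    for b in find_beacons(SAMPLE_LOG):
        print(f"{b.src}: beacon #{b.counter}, ~{b.minutes_running} min running, C2 host: {b.to_c2_host}")
```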