- IDA Pro
- Lab07-02.exe SHA256: bdf941defbc52b03de3485a5eb1c97e64f5ac0f54325e8cb668c994d3d8c9c90
- Detection Rate: 22/54
- Analyzed on 2016-03-03
- Compilation Date: 2010-12-19 16:18:04
Analyze the malware found in the file Lab07-02.exe.
1. How does this program achieve persistence?
No persistence code is found in the malware.
2. What is the purpose of this program?
You may wish to refer to Lab01-03 for the dynamic analysis of COM.
A call to CoCreateInstance is made. We can see that rclsid is set to “0002DF01-0000-0000-C000-000000000046”; in the registry this CLSID refers to Internet Explorer.
The riid value is set to “D30C1661-CDAF-11D0-8A3E-00C04FC9E26E”, which in the registry resolves to IWebBrowser2.
Tracing down the opcodes, we see a call made through offset 2Ch of the interface's vtable; in Lab01-03 I explained how to derive what the 2Ch offset represents. It is the Navigate method. In short, on execution a browser window pops up with the URL “http://www.malwareanalysisbook.com/ad.html” opened.
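As an added illustration (not part of the original writeup), the script below reconstructs the IWebBrowser2 vtable from its COM inheritance chain so that the 2Ch offset seen in the disassembly can be resolved to Navigate; it also generalizes the same derivation to x64 pointer widths. The method order is taken from the interface definition in the SDK's ExDisp.h.

```python
# Added example: reconstruct the IWebBrowser2 vtable so a call through
# [interface_ptr + 2Ch] can be mapped to its method name. Method order follows
# the COM inheritance chain IUnknown -> IDispatch -> IWebBrowser (ExDisp.h);
# the real interface continues past get_Busy (IWebBrowserApp, IWebBrowser2),
# and the same slot arithmetic applies to those methods.
IUNKNOWN = ["QueryInterface", "AddRef", "Release"]
IDISPATCH = ["GetTypeInfoCount", "GetTypeInfo", "GetIDsOfNames", "Invoke"]
IWEBBROWSER = [
    "GoBack", "GoForward", "GoHome", "GoSearch", "Navigate", "Refresh",
    "Refresh2", "Stop", "get_Application", "get_Parent", "get_Container",
    "get_Document", "get_TopLevelContainer", "get_Type", "get_Left", "put_Left",
    "get_Top", "put_Top", "get_Width", "put_Width", "get_Height", "put_Height",
    "get_LocationName", "get_LocationURL", "get_Busy",
]
# Base interfaces occupy the first slots, so IWebBrowser's own methods start at slot 7.
VTABLE = IUNKNOWN + IDISPATCH + IWEBBROWSER


def method_at(offset, ptr_size=4):
    """Return the method name for a vtable byte offset (ptr_size=4 for x86, 8 for x64)."""
    if offset % ptr_size:
        raise ValueError(f"offset {offset:#x} is not a multiple of {ptr_size}")
    slot = offset // ptr_size
    if slot >= len(VTABLE):
        raise ValueError(f"slot {slot} is beyond the methods modelled here")
    return VTABLE[slot]


def offset_of(name, ptr_size=4):
    """Return the vtable byte offset a call to `name` goes through."""
    return VTABLE.index(name) * ptr_size


if __name__ == "__main__":
    # The call seen in Lab07-02: call [eax+2Ch] on the IWebBrowser2 pointer.
    print(f"x86 offset 0x2C -> {method_at(0x2C)}")  # Navigate
    # On x64 each slot is 8 bytes, so the same method sits at a different offset.
    print(f"x64 offset of Navigate -> {offset_of('Navigate', 8):#x}")  # 0x58
```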
3. When will this program finish executing?
Once the browser pops up and displays the website, the program terminates.