Tools Used

  1. IDA Pro
  2. ollydbg


  1. Lab09-02.exe SHA256: f153dfacec09dd69809c3bbf68270a38ee3701f44220c7bf181c14a68c138133


  • Detection Rate: 17/54
  • Analyzed on 2016-03-05
  • Compilation Date: 2011-04-30 16:41:06

Lab 9-2
Analyze the malware found in the file Lab09-02.exe using OllyDbg to answer
the following questions.
1. What strings do you see statically in the binary?

Figure 1. Strings

Nothing useful. The strings that matter are not stored in the binary as plain text; they are built at runtime (see question 4).

2. What happens when you run this binary?

The program terminates immediately without doing anything observable.

3. How can you get this sample to run its malicious payload?

Figure 1. ocl.exe

From the above flow graph of the main function, we can see that the binary retrieves its own executable path via GetModuleFileNameA. It then strips the directory portion using _strrchr and compares the remaining filename with "ocl.exe". If it doesn't match, the malware terminates. Therefore, to run the malware we must rename it to "ocl.exe".

4. What is happening at 0x00401133?

Figure 2. some passphrase?

We can see in the disassembly that a string is built on the stack character by character. The string is "1qaz2wsx3edc". Because the author constructs the string one byte at a time instead of storing it in the data section, IDA Pro does not display it as a normal string (and it does not show up in the static strings of question 1).

5. What arguments are being passed to subroutine 0x00401089?

Figure 3. GetHostName

From the above OllyDbg image, we can see that the string "1qaz2wsx3edc" is passed to the subroutine at 0x00401089. A pointer to a buffer of unknown contents (0x0012FD90) is also passed in.

Figure 4. XOR decoding

Stepping into the subroutine, you will realize that the malware is decoding the buffer at 0x0012FD90 with the XOR key "1qaz2wsx3edc". As shown above, we can see the decoded string taking shape in the dump window as the loop runs.

6. What domain name does this malware use?

Figure 5. Domain Decoded

7. What encoding routine is being used to obfuscate the domain name?

As mentioned in question 5, the domain name is stored XOR-encoded and is decoded at runtime with the repeating key "1qaz2wsx3edc".
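The decoding routine from questions 5 and 7 can be reproduced outside the debugger, which is handy when you want the domain without running the sample. The following is an added example, not code from the sample or the book: it assumes the routine at 0x00401089 is a plain repeating-key XOR over the buffer with the key "1qaz2wsx3edc" (the loop bound of the real routine is not shown on this page, so the decoder here uses the buffer length). The hex bytes are constructed from the placeholder hostname "cnc.example.test"; they are not the bytes at 0x0012FD90, whose decoded value is in Figure 5. The last function goes slightly beyond the page: it recovers the key from a memory dump when you can guess a plaintext prefix.

```python
"""Repeating-key XOR decoder modelled on the routine at 0x00401089.

Example code written for this writeup; not the sample's own code.
Assumptions: one XOR per byte, key index wraps at len(key), decoding
runs over the whole buffer. Sample bytes below are CONSTRUCTED.
"""

KEY = b"1qaz2wsx3edc"  # the stack-built string from question 4

# CONSTRUCTED ciphertext: "cnc.example.test" XORed with KEY, written the way
# OllyDbg's dump pane shows bytes so it can be pasted straight from a dump.
ENCODED_DUMP = "52 1F 02 54 57 0F 12 15 43 09 01 4D 45 14 12 0E"


def parse_dump(hexdump: str) -> bytes:
    """Turn a space-separated hex dump (as copied from OllyDbg) into bytes."""
    return bytes(int(tok, 16) for tok in hexdump.split())


def xor_with_key(data: bytes, key: bytes = KEY) -> bytes:
    """Repeating-key XOR. The operation is its own inverse, so this both
    encodes and decodes; that symmetry is why the sample needs no separate
    encoder."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_domain(hexdump: str, key: bytes = KEY) -> str:
    """Decode a dumped buffer and stop at the first NUL of the *plaintext*,
    mirroring how the decoded C string would later be consumed by
    gethostbyname."""
    plain = xor_with_key(parse_dump(hexdump), key)
    nul = plain.find(b"\x00")
    return plain[: nul if nul >= 0 else len(plain)].decode("ascii", errors="replace")


def recover_key_prefix(hexdump: str, known_plaintext: bytes) -> bytes:
    """Known-plaintext trick for when you have only the dump: XORing
    ciphertext with a guessed plaintext prefix yields the matching key bytes.
    Goes beyond the page; useful if the key itself were harder to find."""
    enc = parse_dump(hexdump)
    return bytes(c ^ p for c, p in zip(enc, known_plaintext))


if __name__ == "__main__":
    print("decoded:", decode_domain(ENCODED_DUMP))
    print("key bytes from 'cnc.' prefix:", recover_key_prefix(ENCODED_DUMP, b"cnc."))
```

One caveat worth keeping in mind when you build a decoder like this: because the key bytes are printable ASCII, any plaintext byte that happens to equal the key byte at that position encodes to 0x00. A decoder that measures the encoded buffer with strlen would stop early on such a buffer, so work from an explicit length rather than the encoded data's NUL terminator.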

8. What is the significance of the CreateProcessA call at 0x0040106E?

Figure 6. connecting to

The first block shows that the decoded domain name is resolved to an IP address with gethostbyname. In the second block, we can see that it tries to connect to the resolved IP on port 9999. In the third block, we can see that the socket s is passed into the CommandExecution subroutine as the last argument.

Figure 7. passing io to socket

From the above figure, we can see that the STARTUPINFO's hStdInput, hStdOutput and hStdError are all set to the socket s. In other words, everything that would normally be typed into or printed by the cmd.exe console is now carried over the network. CreateProcessA then launches cmd.exe, hidden by setting wShowWindow to SW_HIDE (0). Taken together, this is a reverse shell: cmd.exe receives its commands from, and returns its output to, the attacker's server on port 9999.
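The part that makes Figure 7 a reverse shell is purely the handle redirection: once a child's standard input, output and error all refer to a socket, the shell needs no network code of its own. The following is an added example for this writeup, not the sample's code, and it deliberately does not touch the network: it reproduces the same redirection on POSIX with a local socketpair and /bin/sh, where one end of the pair stands in for the attacker's socket. On Windows the equivalent is exactly what the sample does (socket handle placed in STARTUPINFO.hStdInput/hStdOutput/hStdError); Python's subprocess on Windows will not accept a socket for those parameters, so this demo is POSIX-only.

```python
"""Std-handle-to-socket redirection, the mechanism behind the sample's
CreateProcessA call, demonstrated offline with a socketpair.

Example code written for this writeup; not the sample's own code.
Assumption: POSIX host with /bin/sh; no real listener is involved.
"""
import socket
import subprocess


def run_shell_over_socket(commands: str, timeout: float = 10.0) -> str:
    """Spawn /bin/sh with stdin, stdout and stderr all bound to one end of a
    socketpair, feed it `commands` through the other end, and return
    everything the shell wrote back.

    The parent's end plays the attacker's server; the child's end is the
    equivalent of the socket s the sample stores in STARTUPINFO.
    """
    attacker_end, shell_end = socket.socketpair()
    try:
        # Same idea as hStdInput = hStdOutput = hStdError = s:
        # every standard handle of the child is the socket.
        proc = subprocess.Popen(
            ["/bin/sh"],
            stdin=shell_end,
            stdout=shell_end,
            stderr=shell_end,
            close_fds=True,
        )
    finally:
        # The parent must drop its copy of the shell's end, otherwise recv()
        # below never sees EOF when the shell exits.
        shell_end.close()

    attacker_end.settimeout(timeout)
    attacker_end.sendall(commands.encode())
    attacker_end.shutdown(socket.SHUT_WR)  # EOF on the shell's stdin

    chunks = []
    while True:
        data = attacker_end.recv(4096)
        if not data:          # shell exited and its socket end closed
            break
        chunks.append(data)
    proc.wait(timeout=timeout)
    attacker_end.close()
    return b"".join(chunks).decode(errors="replace")


if __name__ == "__main__":
    # Both stdout and stderr of the shell arrive on the same socket, in order.
    print(run_shell_over_socket("echo out-ok\necho err-ok 1>&2\n"), end="")
```

For detection this is the property to key on: a cmd.exe (or sh) whose standard handles are socket objects rather than a console or pipe, typically with a parent that has an outbound connection on an unusual port such as 9999 here.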

