- IDA Pro
- Process Monitor
- Cerbero Profiler
- Lab12-02.exe SHA256: ae8a1c7eb64c42ea2a04f97523ebf0844c27029eb040d910048b680f884b9dce
- Detection Rate: 43/56
- Analyzed on 2016-03-12
- Compilation Date: 2011-04-08 17:54:23
Analyze the malware found in the file Lab12-02.exe.
1. What is the purpose of this program?
Dynamic analysis with Process Monitor and Process Explorer shows that Lab12-02.exe is a launcher: it starts a new svchost.exe, hollows it out, and runs a keylogger payload inside it, so the keystroke logging appears to come from a legitimate svchost.exe process.
2. How does the launcher program hide execution?
The subroutine at 0x004010EA is the hollowing routine. It creates a process (svchost.exe) in the suspended state, calls NtUnmapViewOfSection to unmap the original image from the new process (there is no Win32 UnmapViewOfSection; this is the native ntdll call), writes the payload into the freed address space with WriteProcessMemory, and finally resumes the process so that execution starts in the injected image. This is the classic process hollowing recipe: the process list shows a normal-looking svchost.exe, but the code executing inside it is the launcher's payload.
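The sequence above is what a sandbox or API monitor records when a launcher hollows a process, and it is the pattern a detection rule should key on rather than any single API. The following Python is an added example for this write-up, not code from Lab12-02.exe or from the book; the API trace it scans is constructed by hand to resemble the launcher's behaviour, and the record layout (an API name plus a dictionary of arguments, with the target process under the key `pid`) is an assumption of this example rather than any real tool's output format. SetThreadContext is included as an optional step because most hollowing launchers need it to redirect the primary thread to the injected entry point; the analysis above does not call it out for this sample, so the detector records it when seen but does not require it.

```python
"""Flag the process-hollowing API sequence in an API-call trace.

Added example for this write-up, not code from Lab12-02.exe.  The trace
below is constructed by hand; the record layout (api name plus a dict of
arguments, target process under "pid") is an assumption of this example,
not a real monitor's output format.
"""
from dataclasses import dataclass, field

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit for CreateProcess

# Steps that must all appear, in this order, against the suspended child.
REQUIRED = ("NtUnmapViewOfSection", "WriteProcessMemory", "ResumeThread")
# Recorded when seen but not required: the write-up above does not mention
# SetThreadContext for this sample, although most hollowing code uses it.
OPTIONAL = ("SetThreadContext",)


@dataclass
class Call:
    api: str
    args: dict


@dataclass
class Hollowing:
    pid: int
    image: str
    calls: list = field(default_factory=list)


def _in_order(calls, required):
    """True if every name in `required` occurs in `calls`, in that order."""
    pos = 0
    for api in required:
        try:
            pos = calls.index(api, pos) + 1
        except ValueError:
            return False
    return True


def find_hollowing(trace):
    """Return one Hollowing record per child process that was created
    suspended, had its image unmapped and rewritten, and was then resumed."""
    suspects = {}
    for call in trace:
        if call.api in ("CreateProcessA", "CreateProcessW"):
            if call.args.get("dwCreationFlags", 0) & CREATE_SUSPENDED:
                pid = call.args["pid"]
                suspects[pid] = Hollowing(pid, call.args["lpApplicationName"], [call.api])
        elif call.api in REQUIRED or call.api in OPTIONAL:
            pid = call.args.get("pid")
            if pid in suspects:
                suspects[pid].calls.append(call.api)
    return [h for h in suspects.values() if _in_order(h.calls, REQUIRED)]


# Constructed trace: a hollowing of svchost.exe (PID 2468) followed by a
# benign suspended launch (PID 3131) that is resumed without being rewritten,
# as a debugger or job-control wrapper would do.  Only the first is flagged.
TRACE = [
    Call("CreateProcessA", {"lpApplicationName": r"C:\Windows\System32\svchost.exe",
                            "dwCreationFlags": CREATE_SUSPENDED, "pid": 2468}),
    Call("NtUnmapViewOfSection", {"pid": 2468, "BaseAddress": 0x01000000}),
    Call("VirtualAllocEx", {"pid": 2468, "lpAddress": 0x00400000, "dwSize": 0x6000}),
    Call("WriteProcessMemory", {"pid": 2468, "lpBaseAddress": 0x00400000, "nSize": 0x400}),
    Call("WriteProcessMemory", {"pid": 2468, "lpBaseAddress": 0x00401000, "nSize": 0x4000}),
    Call("SetThreadContext", {"pid": 2468, "Eax": 0x00401000}),  # new entry point
    Call("ResumeThread", {"pid": 2468}),
    Call("CreateProcessW", {"lpApplicationName": r"C:\Windows\System32\notepad.exe",
                            "dwCreationFlags": CREATE_SUSPENDED, "pid": 3131}),
    Call("ResumeThread", {"pid": 3131}),
]

if __name__ == "__main__":
    for hit in find_hollowing(TRACE):
        print(f"PID {hit.pid} ({hit.image}) hollowed via: {' -> '.join(hit.calls)}")
```

The order check matters: a suspended CreateProcess followed by ResumeThread alone is what debuggers and many legitimate launchers do, so the rule fires only when the child's original image is unmapped and rewritten before it is resumed.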
3. Where is the malicious payload stored?
The payload is stored in the resource section of Lab12-02.exe. A resource viewer shows one large, suspicious-looking blob there, and the IDA Pro disassembly confirms that this is the resource the launcher loads and extracts before injecting it into svchost.exe.
4. How is the malicious payload protected?
The resource-loading function at 0x0040132C shows how the payload is protected: after loading the resource, the code loops over it and XORs every byte with 0x41, the ASCII code of "A". A single-byte XOR is enough to hide the MZ/PE header of the embedded executable from a resource viewer, while being trivial to undo once the key is known.
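Undoing that encoding is a one-liner, but the useful part for an analyst is not having to read the key out of the disassembly at all. The Python below is an added example for this write-up, not the lab binary's own code: it recovers a single-byte XOR key from the known first plaintext byte of a PE file (the "M" of "MZ"), confirms the guess against the PE signature at e_lfanew, decodes the blob, and compares the printable strings before and after. The sample bytes are a constructed minimal DOS header, DOS stub and PE signature so the script runs offline; on the real sample the input would be the raw bytes of the resource that the function at 0x0040132C loads.

```python
"""Recover and strip a single-byte XOR from an embedded PE payload.

Added example for this write-up, not code from Lab12-02.exe.  The sample
payload is constructed below so the script runs offline.
"""
import re


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (decoding and encoding are the same op)."""
    return bytes(b ^ key for b in data)


def looks_like_pe(data: bytes) -> bool:
    """Cheap structural check: 'MZ' at offset 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(data: bytes):
    """Derive the key from the known first plaintext byte ('M') and confirm it
    against the PE signature.  Returns None if the blob is not a single-byte
    XORed PE file; returns 0 for a payload that is not encoded at all."""
    if not data:
        return None
    key = data[0] ^ ord("M")
    return key if looks_like_pe(xor_decode(data, key)) else None


def printable_strings(data: bytes, min_len: int = 8):
    """ASCII runs of at least min_len characters, like the `strings` tool."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def build_sample_pe_fragment() -> bytes:
    """Constructed stand-in for the payload: DOS header, DOS stub, PE signature."""
    dos_header = bytearray(b"MZ" + b"\x00" * 0x3E)
    dos_header[0x3C:0x40] = (0x80).to_bytes(4, "little")  # e_lfanew -> 0x80
    stub = (b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
            b"This program cannot be run in DOS mode.\r\r\n$").ljust(0x40, b"\x00")
    nt_headers = b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 32  # signature, Machine = i386
    return bytes(dos_header) + stub + nt_headers


if __name__ == "__main__":
    resource = xor_decode(build_sample_pe_fragment(), 0x41)  # what sits in the resource
    key = recover_key(resource)
    print(f"key = {key:#04x} ({chr(key)!r})")
    payload = xor_decode(resource, key)
    print("strings before decoding:", printable_strings(resource))
    print("strings after decoding: ", printable_strings(payload))
```

Because the whole resource is XORed, the DOS stub text and any other ASCII inside the payload only appear in a strings pass after decoding; the same known-plaintext trick works for any single-byte key, not just 0x41, and the PE-signature check rejects false positives when the blob is not a PE file.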
5. How are strings protected?
The strings are in plain… correct me if I am wrong.