- IDA Pro
- Lab12-03.exe SHA256: 9b683d2fda7ca7adcc043e4412271009a0e115ca55f9a718c385a3f46b57ae6b
- Detection Rate: 15/55
- Analyzed on 2016-03-13
- Compilation Date: 2011-03-16 05:57:55
Analyze the malware extracted during the analysis of Lab 12-2, or use the file
1. What is the purpose of this malicious payload?
The call to SetWindowsHookExA with WH_KEYBOARD_LL as the idHook argument installs a low-level keyboard hook, which indicates that this payload is a keylogger.
2. How does the malicious payload inject itself?
It uses hook injection. Keystrokes can be captured by registering a high- or
low-level keyboard hook with SetWindowsHookExA, using the WH_KEYBOARD or
WH_KEYBOARD_LL hook type respectively.
A WH_KEYBOARD hook procedure must live in a DLL that Windows maps into every
process receiving keyboard input, whereas for WH_KEYBOARD_LL procedures the
events are sent directly to the process that installed the hook, so the hook
runs in the context of the process that created it (that thread has to pump
messages, because the events are delivered through its message queue). The
malware intercepts each keystroke in its hook procedure and appends it to a
log file, as seen in the figure below.
3. What filesystem residue does this program create?
As answered in question 2, the malware leaves behind a log file containing the captured keystrokes: practicalmalwareanalysis.log.