- IDA Pro
- Lab13-01.exe SHA256: 71a295247ba7419f9f9dea8098e6867182bb80f53c98eb0f59192a6557a51249
- Detection Rate: 11/55
- Analyzed on 2016-03-13
- Compilation Date: 2011-11-08 23:03:23
Analyze the malware found in the file Lab13-01.exe.
1. Compare the strings in the malware (from the output of the strings command) with the information available via dynamic analysis. Based on this comparison, which elements might be encoded?
In IDA Pro, the strings visible in the binary are not very meaningful on their own. However, when the sample is executed, dumping the process memory strings with Process Explorer and sniffing the network traffic reveals new strings, such as http://www.practicalmalwareanalysis.com, which must therefore be stored in encoded form.
2. Use IDA Pro to look for potential encoding by searching for the string xor. What type of encoding do you find?
The subroutine at 0x00401300 loads a resource from the binary and XORs it with the single-byte key ";".
3. What is the key used for encoding and what content does it encode?
The key used is ";". The decoded content is http://www.practicalmalwareanalysis.com.
4. Use the static tools FindCrypt2, Krypto ANALyzer (KANAL), and the IDA Entropy Plugin to identify any other encoding mechanisms. What do you find?
The KANAL plugin located 4 addresses that reference the Base64 alphabet "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/".
5. What type of encoding is used for a portion of the network traffic sent by
Base64 encoding is used to encode the computer name.
6. Where is the Base64 function in the disassembly?
At address 0x004010B1.
7. What is the maximum length of the Base64-encoded data that is sent? What is encoded?
The computer name that is encoded is at most 12 characters long, so the Base64-encoded data is at most 16 bytes.
8. In this malware, would you ever see the padding characters (= or ==) in the Base64-encoded data?
According to Wikipedia, if the plaintext length is not divisible by 3, padding will be present in the encoded string.
9. What does this malware do?
It keeps sending the computer name (max 12 bytes) to http://www.practicalmalwareanalysis.com every 30 seconds until 0x6F ('o') is received as the first character of the response.
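The two encodings found in this lab (the single-byte XOR from questions 2-3 and the Base64 of the computer name from questions 7-9), as an added example that is not part of the original writeup or the sample: it reproduces the 12-character / 16-byte bound, shows when padding appears, and flags tokens that match the beacon's shape. The XOR-encoded URL and the hostnames are constructed here; the resource bytes were not taken from the binary.

```python
import base64
import string

# Constructed sample: the URL from the writeup XOR-encoded with the
# single-byte key ';' (0x3B), standing in for the binary's resource.
XOR_KEY = ord(";")
PLAIN_URL = b"http://www.practicalmalwareanalysis.com"
ENCODED_URL = bytes(b ^ XOR_KEY for b in PLAIN_URL)

MAX_HOSTNAME_LEN = 12   # cap on the computer name sent (question 7)
MAX_BEACON_LEN = 16     # Base64 of 12 bytes: 4 groups of 3 -> 16 chars


def xor_decode(data: bytes, key: int) -> bytes:
    """Undo a single-byte XOR; XOR is its own inverse, so encode == decode."""
    return bytes(b ^ key for b in data)


def encode_hostname(name: str) -> str:
    """Mimic the beacon payload: truncate to 12 bytes, then standard Base64."""
    raw = name.encode("ascii")[:MAX_HOSTNAME_LEN]
    return base64.b64encode(raw).decode("ascii")


def padding_for(name: str) -> int:
    """Number of '=' characters Base64 appends for this hostname
    (0 when the truncated length is a multiple of 3, else 1 or 2)."""
    return encode_hostname(name).count("=")


def is_beacon_candidate(token: str) -> bool:
    """Defender-side check for a token seen in traffic: standard Base64
    alphabet, at most 16 chars, and decodes to a printable string of at
    most 12 bytes, i.e. the shape of this sample's hostname beacon."""
    b64_alphabet = set(string.ascii_letters + string.digits + "+/=")
    if not (1 <= len(token) <= MAX_BEACON_LEN) or set(token) - b64_alphabet:
        return False
    try:
        decoded = base64.b64decode(token, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(decoded) <= MAX_HOSTNAME_LEN and all(32 <= b < 127 for b in decoded)


if __name__ == "__main__":
    print(xor_decode(ENCODED_URL, XOR_KEY).decode())
    for host in ("WORKSTATION1", "ELEVENCHARS", "PC-10CHARS"):
        print(host, encode_hostname(host), "padding:", padding_for(host))
```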