PRACTICAL MALWARE ANALYSIS: ANTI-DISASSEMBLY (LAB 15-02)

Tools Used

  1. IDA Pro

Sample:

  1. Lab15-02.exe (SHA256: 20653de88265b4ab7b657de38e6585956368df037b66836008f8426f3e28cae6)

VirusTotal:

  • Detection Rate: 6/53
  • Analyzed on 2016-03-19
  • Compilation Date: 2011-11-16 22:11:46

Lab 15-2
Analyze the malware found in the file Lab15-02.exe. Correct all anti-disassembly
countermeasures before analyzing the binary in order to answer the questions.
Questions
1. What URL is initially requested by the program?

Figure 1. URL

http://www.practicalmalwareanalysis.com/bamboo.html

2. How is the User-Agent generated?

By modifying the string returned by GetHostName.

Figure 2. shift right

The code above shifts every character of the string up by one. To keep the result within valid ASCII ranges, Z wraps to A, z wraps to a, and 9 wraps to 0.
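The transformation above is simple enough to re-implement, which is useful on the defensive side: a reimplementation lets you predict the User-Agent a given host would send, and invert it to recover the victim hostname from a User-Agent seen in proxy logs. The following Python is an added example, not code from the write-up or from the sample; the shift and the three wrap cases come from the text, while treating every other character (for example '-') as a plain +1 shift, and the proxy-log line format, are assumptions.

```python
# Added example (not from the write-up): re-implements the User-Agent
# derivation described above so that a defender can (a) predict the
# User-Agent a given host would send and (b) recover the victim hostname
# from a User-Agent observed in proxy logs. Behaviour taken from the text:
# each character is shifted up by one, with Z->A, z->a and 9->0 wrapping.
# Shifting all other characters (e.g. '-') by +1 as well is an assumption.

WRAP_FORWARD = {"Z": "A", "z": "a", "9": "0"}
WRAP_BACKWARD = {v: k for k, v in WRAP_FORWARD.items()}


def encode_hostname(hostname: str) -> str:
    """Return the User-Agent the sample would build from this hostname."""
    out = []
    for ch in hostname:
        if ch in WRAP_FORWARD:
            out.append(WRAP_FORWARD[ch])
        else:
            out.append(chr(ord(ch) + 1))
    return "".join(out)


def decode_user_agent(user_agent: str) -> str:
    """Invert encode_hostname. Only ambiguous for inputs that cannot come
    from a valid hostname (e.g. '@' and 'Z' both encode to 'A'), so the
    hostname-side wrap is assumed for A, a and 0."""
    out = []
    for ch in user_agent:
        if ch in WRAP_BACKWARD:
            out.append(WRAP_BACKWARD[ch])
        else:
            out.append(chr(ord(ch) - 1))
    return "".join(out)


def victims_from_log(lines):
    """Proxy-log triage (assumed line format:
    '<client_ip> <method> <url> "<user_agent>"'): for every request to the
    initial URL named in the write-up, decode the User-Agent back to the
    victim hostname and return (client_ip, hostname) pairs."""
    target = "http://www.practicalmalwareanalysis.com/bamboo.html"
    hits = []
    for line in lines:
        if target not in line or '"' not in line:
            continue
        ua = line.split('"')[1]
        hits.append((line.split()[0], decode_user_agent(ua)))
    return hits


SAMPLE_LOG = [  # constructed lines, not real traffic
    '10.0.0.5 GET http://www.practicalmalwareanalysis.com/bamboo.html "XJO.QD12"',
    '10.0.0.6 GET http://example.invalid/index.html "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(encode_hostname("WIN-PC01"))   # XJO.QD12
    print(victims_from_log(SAMPLE_LOG))  # [('10.0.0.5', 'WIN-PC01')]
```

Because the encoding is a fixed shift, the decoded hostnames are a quick way to scope an incident from web-proxy data alone, without touching the endpoints first.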

3. What does the program look for in the page it initially requests?

Bamboo::

Figure 3. strstr

4. What does the program do with the information it extracts from
the page?

It extracts another URL from the page and downloads its content via InternetOpenUrlA and InternetReadFile, saving it as Account Summary.xls.exe. It then executes that file via ShellExecuteA.

Figure 4. InternetOpenUrlA followed by InternetReadFile, then fopen and fwrite, then ShellExecuteA
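The "Bamboo::" lookup from question 3 and the URL extraction from question 4 can be reproduced as a small parser, which is handy when you have a captured copy of the page (from a proxy cache or sandbox run) and want the second-stage URL without re-running the sample. The Python below is an added example, not the write-up's or the sample's code; the write-up only states that the marker "Bamboo::" is searched for, so the assumption that the URL ends at the next "::" or whitespace, and the constructed page body, are mine.

```python
# Added example (not from the write-up): pull the second-stage URL out of a
# captured copy of the initially requested page, the way the sample does with
# strstr("Bamboo::") before handing the result to InternetOpenUrlA.
# Assumption: the URL runs from just after the marker to the next "::" or
# whitespace; the write-up only names the marker itself.
import re
from typing import Optional

MARKER = "Bamboo::"


def extract_stage2_url(page: str) -> Optional[str]:
    """Return the URL following the first 'Bamboo::' marker, or None when the
    marker is absent or what follows it is not an http(s) URL (the two failure
    modes an analyst hits most often with a stale or sinkholed page)."""
    idx = page.find(MARKER)
    if idx < 0:
        return None
    rest = page[idx + len(MARKER):]
    m = re.match(r"(.*?)(?:::|\s|$)", rest, re.S)
    candidate = m.group(1) if m else ""
    if not candidate.lower().startswith(("http://", "https://")):
        return None
    return candidate


# Constructed page body standing in for a captured bamboo.html; not real content.
SAMPLE_PAGE = (
    "<html><body><p>nothing to see</p>\n"
    "<!-- Bamboo::http://stage2.invalid/Account%20Summary.xls::Bamboo -->\n"
    "</body></html>"
)

if __name__ == "__main__":
    print(extract_stage2_url(SAMPLE_PAGE))  # http://stage2.invalid/Account%20Summary.xls
```

Once the second-stage URL is known, the rest of the chain in Figure 4 gives the host-side indicators to pair with it: a new file named Account Summary.xls.exe written by the process, followed by a ShellExecuteA launch of that file.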