- IDA Pro
- Lab15-03.exe SHA256:b2a6e13fab9d8fa32acbfaa346f2987c35f7d7c0ba7547aa8524b20cde63773b
- Detection Rate: 37/54
- Analyzed on 2016-03-14
- Compilation Date: 2011-02-05 05:40:38
Analyze the malware found in the file Lab15-03.exe. At first glance, this binary appears to be a legitimate tool, but it actually contains more functionality
1. How is the malicious code initially called?
At the start of the program, the return address on the stack is overwritten with the address of the malicious code: the stack slot holding the return address is written with 0x40148c, so when the function returns, execution lands in the malicious code instead of the legitimate caller.
2. What does the malicious code do?
At 0x40148c the malware installs an SEH handler (0x4014C0) via fs:0. It then deliberately triggers a divide-by-zero exception so that the handler is invoked.
The handler downloads a file from a URL and executes it via WinExec.
3. What URL does the malware use?
I decided to write a script to decode the URL. The decoding function is simple: just negate the inputs.
The URL is: http://www.practicalmalwareanalaysis.com/tt.html
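As an added example (my own code, not the author's script), here is a Python decoder for the byte-negation scheme described above. The encoded blob is constructed here from the URL on this page by negating each byte modulo 256; the NUL terminator and the scanning helper are assumptions about how such strings are typically stored in a binary, not something the notes state. The scanner goes beyond the page: it finds every negated printable run in a blob, which is how you would locate further encoded strings once you know the scheme.

```python
# Added example: decode strings obfuscated by negating every byte.
# Negation modulo 256 is its own inverse, so one routine both encodes and decodes.

# Constructed input: the page's URL with each byte replaced by (256 - b),
# followed by a NUL terminator (assumed, as for a C string).
ENCODED_URL = bytes.fromhex(
    "988c8c90c6d1d1898989d2"                              # "http://www."
    "908e9f9d8c979d9f94939f94899f8e9b9f929f949f878d978d"  # "practicalmalwareanalaysis"
    "d29d9193d18c8cd2988c9394"                            # ".com/tt.html"
    "00"                                                  # terminator (0 negates to 0)
)


def negate_bytes(data: bytes) -> bytes:
    """Negate each byte modulo 256: (-b) & 0xFF == (256 - b) & 0xFF.

    Applying this twice returns the original data, so it serves as both
    the encoder and the decoder.
    """
    return bytes((-b) & 0xFF for b in data)


def decode_c_string(blob: bytes, offset: int = 0) -> str:
    """Decode a negated, NUL-terminated string starting at `offset`.

    A decoder loop in the binary would walk until the decoded byte is 0;
    since negating 0 yields 0, the stored terminator is also 0x00.
    """
    out = bytearray()
    for b in blob[offset:]:
        plain = (-b) & 0xFF
        if plain == 0:
            break
        out.append(plain)
    return out.decode("ascii")


def find_negated_strings(blob: bytes, min_len: int = 8) -> list:
    """Like `strings`, but over the negated view of the data.

    Reports runs of printable ASCII (0x20..0x7E) of at least `min_len`
    characters after negating each byte. Useful for locating other
    strings encoded with the same scheme in a .data section dump.
    """
    found = []
    run = bytearray()
    for b in blob:
        plain = (-b) & 0xFF
        if 0x20 <= plain < 0x7F:
            run.append(plain)
        else:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


if __name__ == "__main__":
    print(decode_c_string(ENCODED_URL))
    print(find_negated_strings(b"\x00\x13\x37" + ENCODED_URL + b"\xff\xfe"))
```

Running the block prints the decoded URL once directly and once via the scanner, which ignores the surrounding junk bytes because their negated values are not printable.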
4. What filename does the malware use?