- Lab19-01.bin SHA256: 12C25180A497E9F9544454332A29DF45D1F8506DEE485ED0026D9969AF4AFEDE
Analyze the file Lab19-01.bin using shellcode_launcher.exe.
To generate an exe from the shellcode, I used the shellcode2exe tool, as seen below.
1. How is the shellcode encoded?
The shellcode is alphabetically encoded. Figure 2 shows the function responsible for decoding it.
2. Which functions does the shellcode manually import?
We can use a tool called sctest to help us emulate the shellcode.
We can see that the shellcode uses LoadLibraryA, GetSystemDirectory, URLDownloadToFile and WinExec.
We can also use OllyDbg to watch this live.
3. What network host does the shellcode communicate with?
As seen in Figure 4, the shellcode communicates with http://www.practicalmalwareanalysis.com/shellcode/annoy_user.exe.
4. What filesystem residue does the shellcode leave?
5. What does the shellcode do?
- Download http://www.practicalmalwareanalysis.com/shellcode/annoy_user.exe.
- Save the payload as c:\windows\system32\1.exe.
- Execute the payload.
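As an added example (not part of the write-up and not the lab's own decoder), the script below ties question 1 to questions 2, 3 and 5: it decodes a payload that uses the two-letter "alphabetic" nibble scheme and then pulls the network, filesystem and API indicators out of the decoded bytes, which is what an analyst would feed into detection rules. The exact layout of the real Lab19-01.bin encoder is not stated above, so the scheme (each byte stored as 'A' + high nibble, 'A' + low nibble, giving letters 'A'..'P') is an assumption, and the sample blob is constructed here rather than taken from the lab file.

```python
"""Alphabetic-shellcode decoder and IOC extractor (added example, not from the lab).

Assumed scheme: every payload byte b is stored as two letters,
chr(0x41 + (b >> 4)) and chr(0x41 + (b & 0x0F)), so the encoded region
consists only of 'A'..'P'.  The sample below is constructed for the demo.
"""
import re

ENC_BASE = 0x41  # 'A'


def alpha_encode(data: bytes) -> bytes:
    """Encode each byte as two letters: 'A' + high nibble, 'A' + low nibble."""
    out = bytearray()
    for b in data:
        out.append(ENC_BASE + (b >> 4))
        out.append(ENC_BASE + (b & 0x0F))
    return bytes(out)


def alpha_decode(blob: bytes) -> bytes:
    """Reverse alpha_encode; reject anything that is not a stream of letter pairs."""
    if len(blob) % 2:
        raise ValueError("encoded data must be an even number of bytes")
    out = bytearray()
    for hi, lo in zip(blob[0::2], blob[1::2]):
        if not (ENC_BASE <= hi <= ENC_BASE + 0x0F and ENC_BASE <= lo <= ENC_BASE + 0x0F):
            raise ValueError(f"invalid letter pair {bytes([hi, lo])!r}")
        out.append(((hi - ENC_BASE) << 4) | (lo - ENC_BASE))
    return bytes(out)


def find_encoded_region(buf: bytes, min_len: int = 64) -> bytes:
    """The decoder stub precedes the letters in memory; take the longest run of
    'A'..'P' bytes (trimmed to even length) as the encoded payload."""
    runs = re.findall(rb"[A-P]{%d,}" % min_len, buf)
    if not runs:
        raise ValueError("no alphabetic region found")
    run = max(runs, key=len)
    return run[: len(run) - (len(run) % 2)]


# API names the write-up reports; substring match also catches the A/W variants.
KNOWN_APIS = (b"LoadLibraryA", b"GetSystemDirectory", b"URLDownloadToFile", b"WinExec")


def extract_indicators(decoded: bytes) -> dict:
    """Pull the strings a defender wants from the decoded payload."""
    return {
        "urls": re.findall(rb"https?://[\x21-\x7e]+", decoded),
        "paths": re.findall(rb"[A-Za-z]:\\[\x21-\x7e]+", decoded),
        "apis": [api.decode() for api in KNOWN_APIS if api in decoded],
    }


# --- constructed sample, NOT the bytes of Lab19-01.bin ----------------------
PAYLOAD = (
    b"\x55\x8b\xec"  # stand-in for a few code bytes ahead of the string table
    + b"\x00".join([
        b"LoadLibraryA", b"GetSystemDirectoryA", b"URLDownloadToFileA", b"WinExec",
        b"http://www.practicalmalwareanalysis.com/shellcode/annoy_user.exe",
        b"c:\\windows\\system32\\1.exe",
    ])
    + b"\x00"
)
SAMPLE = b"\xeb\x10" + alpha_encode(PAYLOAD)  # fake two-byte stub, then letters


def analyze(buf: bytes = SAMPLE) -> dict:
    """Locate, decode and summarise the encoded region of a shellcode blob."""
    decoded = alpha_decode(find_encoded_region(buf))
    return extract_indicators(decoded)


if __name__ == "__main__":
    for name, values in analyze().items():
        print(f"{name}: {values}")
```

Run it against a dumped blob by passing the file contents to `analyze()`; the same URL and path the write-up lists come back as the `urls` and `paths` entries, which is the point at which they would be added to proxy and endpoint detections.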