Lab 3-1 Solutions

Short Answers

The malware appears to be packed. The only import is ExitProcess, although the strings appear to be mostly clear and not obfuscated.
The malware creates a mutex named WinVMX32, copies itself into C:\Windows\System32\vmx32to64.exe. and installs itself to run on system startup by creating the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VideoDriver set to the copy location.
The malware beacons a consistently sized 256-byte packet containing seemingly random data after resolving www.practicalmalwareanalysis.com.

Detailed Analysis

We begin with basic static analysis techniques, by looking at the malware’s PE file structure and strings. Figure C-1 shows that only kernel32.dll is imported.

Figure C-1. PEview ...

Get Practical Malware Analysis now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial

Practical Malware Analysis by Michael Sikorski, Andrew Honig

Lab 3-1 Solutions

Short Answers

Detailed Analysis

Don’t leave empty-handed

It’s yours, free.

Check it out now on O’Reilly