DllMain is found at 0x1000D02E in the
The import for gethostbyname is found at 0x100163CC in the
The gethostbyname import is called nine times by five different functions throughout the malware. In IDA Pro, select the import and press X (or Ctrl+X) to list these cross-references; counting the distinct containing functions gives the five callers.
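The following IDAPython helper reproduces that count programmatically. It is an added example, not code from the book or the lab solutions: it assumes the IDA 7+ IDAPython API (idc.get_name_ea_simple, idautils.XrefsTo, idaapi.get_func), that the IAT slot is named after the import (or with an __imp_ prefix), and the sample call-site list at the bottom is constructed (only 0x10001757 and 0x10001656 come from the write-up; the other addresses are made up).

```python
"""Count how many times an import is called and by how many distinct
functions, the way the gethostbyname figure above was obtained.

Added example, not part of the original write-up. count_import_callers
is pure Python and runs anywhere; import_call_sites only runs inside
IDA Pro's script window (assumed IDA 7+ IDAPython API).
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple


def count_import_callers(call_sites: Iterable[Tuple[int, int]]) -> Dict[str, object]:
    """call_sites: (call_address, containing_function_start) pairs.

    Returns the total number of call sites, the number of distinct
    calling functions, and a per-function list of call addresses.
    """
    per_func: Dict[int, List[int]] = defaultdict(list)
    for call_ea, func_ea in call_sites:
        per_func[func_ea].append(call_ea)
    return {
        "calls": sum(len(v) for v in per_func.values()),
        "functions": len(per_func),
        "per_function": {f: sorted(v) for f, v in per_func.items()},
    }


def import_call_sites(import_name: str) -> List[Tuple[int, int]]:
    """Collect (xref_address, function_start) pairs for every xref to an
    import's IAT entry that originates inside a defined function.
    IDA-only: the modules are imported lazily so the rest of the file
    still loads outside IDA."""
    import idaapi
    import idautils
    import idc

    # The IAT slot is usually named after the import; some IDA versions
    # prefix it with __imp_ (assumption; adjust if your database differs).
    ea = idc.get_name_ea_simple(import_name)
    if ea == idaapi.BADADDR:
        ea = idc.get_name_ea_simple("__imp_" + import_name)
    if ea == idaapi.BADADDR:
        raise ValueError("import not found: %s" % import_name)

    sites = []
    for xref in idautils.XrefsTo(ea, 0):      # flags=0: all xref kinds
        func = idaapi.get_func(xref.frm)
        if func is None:                      # data or unanalyzed area
            continue
        sites.append((xref.frm, func.start_ea))
    return sites


# Constructed sample: nine call sites spread over five functions, the
# shape reported for gethostbyname in this DLL. Only 0x10001757 inside
# sub_10001656 is taken from the write-up; the rest are made up.
SAMPLE_SITES = [
    (0x10001074, 0x10001050), (0x10001160, 0x10001120),
    (0x10001757, 0x10001656), (0x100017A2, 0x10001656),
    (0x100017F0, 0x10001656), (0x10002C10, 0x10002BB0),
    (0x10002C4A, 0x10002BB0), (0x10003380, 0x10003310),
    (0x100033C2, 0x10003310),
]

if __name__ == "__main__":
    # Inside IDA, replace SAMPLE_SITES with import_call_sites("gethostbyname").
    summary = count_import_callers(SAMPLE_SITES)
    print("%d calls from %d functions" % (summary["calls"], summary["functions"]))
    for func_ea, calls in sorted(summary["per_function"].items()):
        print("  sub_%X: %s" % (func_ea, ", ".join("0x%X" % c for c in calls)))
```

Run it from IDA's File > Script file menu with SAMPLE_SITES swapped for import_call_sites("gethostbyname"); the per-function breakdown is what tells you which of the five callers (here the function at 0x10001656) is worth reading first.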
A DNS request for pics.practicalmalwareanalysis.com will be made by the malware if the call to gethostbyname at 0x10001757
IDA Pro has recognized 23 local variables for the function at 0x10001656.
IDA Pro has recognized one parameter for the function at 0x10001656.
The string \cmd.exe /c is located at 0x10095B34.
The code that references this string appears to be creating a remote shell session for the attacker.
The OS version is stored in the global variable
The registry values located at