O'Reilly logo

Practical Malware Analysis by Andrew Honig, Michael Sikorski

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Lab 9-2 Solutions

Short Answers

  1. The imports and the string cmd are the only interesting strings that appear statically in the binary.

  2. It terminates without doing much.

  3. Rename the file ocl.exe before you run it.

  4. A string is being built on the stack, which is used by attackers to obfuscate strings from simple strings utilities and basic static analysis techniques.

  5. The string 1qaz2wsx3edc and a pointer to a buffer of data are passed to subroutine 0x401089.

  6. The malware uses the domain practicalmalwareanalysis.com.

  7. The malware will XOR the encoded DNS name with the string 1qaz2wsx3edc to decode the domain name.

  8. The malware is setting the stdout, stderr, and stdin handles (used in the STARTUPINFO structure of CreateProcessA) to the socket. Since CreateProcessA ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required