The purpose of this program is to covertly launch another program.
The program uses process replacement to hide execution.
The malicious payload is stored in the program’s resource section. The resource has type UNICODE and the name
The malicious payload stored in the program’s resource section is XOR-encoded with a single byte. The decode routine can be found at sub_40132C. The XOR byte is found
The strings are XOR-encoded using the function at
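The two answers above both come down to the same operation: a buffer (the embedded PE in the resource, or a string) XORed byte-by-byte with one key. The script below is an added example written for this page, not code from the lab binary or the book. It recovers the single-byte key of an XOR-encoded PE without knowing it, by brute-forcing all 256 keys and checking for the `MZ` header plus the `PE\0\0` signature at `e_lfanew`, and it shows the frequency shortcut analysts use (null padding in the original becomes runs of the key byte). The sample blob, the key `0x5A` and the string `"cmd.exe"` are constructed placeholders; the real key, resource name and routines are whatever the lab answer states.

```python
"""Single-byte XOR recovery for an embedded PE resource (added example).

The sample data below is CONSTRUCTED for this page: a minimal fake DOS/PE
header plus a short string, encoded with the placeholder key 0x5A. None of
it comes from the lab binary.
"""
from collections import Counter
from typing import Optional


def xor_decode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (symmetric: also encodes)."""
    return bytes(b ^ key for b in data)


def find_pe_xor_key(blob: bytes) -> Optional[int]:
    """Brute-force the key by looking for a consistent PE header.

    A hit requires both 'MZ' at offset 0 and 'PE\\0\\0' at the e_lfanew
    offset read from the decoded DOS header; checking only 'MZ' gives
    false positives when the blob happens to contain M^k, Z^k.
    """
    if len(blob) < 0x40:
        return None
    for key in range(256):
        dos = xor_decode(blob[:0x40], key)
        if dos[:2] != b"MZ":
            continue
        e_lfanew = int.from_bytes(dos[0x3C:0x40], "little")
        if e_lfanew + 4 > len(blob):
            continue
        if xor_decode(blob[e_lfanew:e_lfanew + 4], key) == b"PE\0\0":
            return key
    return None


def guess_key_by_frequency(blob: bytes) -> int:
    """Most common byte of the ciphertext.

    PE headers and padding are mostly 0x00, and 0x00 ^ key == key, so the
    key is usually the most frequent byte. A heuristic, not a proof:
    confirm with find_pe_xor_key or by inspecting the decoded header.
    """
    return Counter(blob).most_common(1)[0][0]


def decode_c_string(blob: bytes, key: int) -> str:
    """Decode an XOR-encoded, NUL-terminated string (as a string-decoding
    routine in the binary would see it) and stop at the first NUL."""
    plain = xor_decode(blob, key)
    return plain.split(b"\0", 1)[0].decode("latin-1")


# --- constructed sample input (placeholder key 0x5A) -----------------------
SAMPLE_KEY = 0x5A

def _build_fake_pe() -> bytes:
    hdr = bytearray(0x80)                       # mostly zero, like a real header
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)

SAMPLE_PLAIN_PE = _build_fake_pe()
SAMPLE_ENCODED_PE = xor_decode(SAMPLE_PLAIN_PE, SAMPLE_KEY)
SAMPLE_ENCODED_STRING = xor_decode(b"cmd.exe\0", SAMPLE_KEY)


if __name__ == "__main__":
    print("frequency guess: 0x%02x" % guess_key_by_frequency(SAMPLE_ENCODED_PE))
    k = find_pe_xor_key(SAMPLE_ENCODED_PE)
    print("confirmed key:   0x%02x" % k)
    print("decoded string:  %r" % decode_c_string(SAMPLE_ENCODED_STRING, k))
```

In practice the blob is read out of the resource first (for example from `pefile`'s `DIRECTORY_ENTRY_RESOURCE` tree, or by dumping it with Resource Hacker), then passed to `find_pe_xor_key`. Two caveats: a key of `0x00` means the resource was never encoded, and if the same byte appears as the key in the ciphertext the decoded payload will contain `0x00` there, which is exactly why the frequency heuristic works.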
Since we’ve already analyzed this binary in the labs for Chapter 3, let’s begin by opening the file with IDA Pro and looking at the function imports. Many functions in the list provide little information because they are commonly imported ...