Practical Malware Analysis by Andrew Honig, Michael Sikorski

Lab 13-2 Solutions

Short Answers

  1. Lab13-02.exe creates large, seemingly random files in its current directory with names that start with temp and end with eight hexadecimal digits that vary for each file.

  2. The XOR search technique identifies potential encoding-related functions at sub_401570 and sub_401739. The other three techniques suggested find nothing.

  3. The encoding functions might be found just before the call to WriteFile.

  4. The encoding function is sub_40181F.

  5. The source content is a screen capture.

  6. The algorithm is nonstandard and not easily determined, so the easiest way to decode traffic is via instrumentation.

  7. See the detailed analysis for how to recover the original source of an encoded file.
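The XOR search in answer 2 works because most `xor` instructions in compiled code are register self-clears (`xor eax, eax`) and the rare ones that operate on memory, an immediate, or two different registers are where encoding loops live. The script below is an added example, not from the book or the lab binary: it takes an IDA-style disassembly listing (the sample listing, the function names `sub_401000`, `sub_401100`, `sub_401200` and their addresses are constructed here and stand in for nothing in the lab), drops the self-clearing XORs and maps the remaining ones to the enclosing function, which is the list a reviewer would then open one by one, as the answers above do for `sub_401570` and `sub_401739`.

```python
import re
from collections import defaultdict

# Constructed IDA-style listing (assumption: ".text:ADDR  text" per line,
# functions delimited by "proc near" / "endp"). Not the lab's real code.
SAMPLE_LISTING = """\
.text:00401000 sub_401000 proc near
.text:00401003 xor eax, eax
.text:0040101A xor byte ptr [esi+ecx], al
.text:0040102C xor edx, 5Ah
.text:00401040 sub_401000 endp
.text:00401100 sub_401100 proc near
.text:00401107 xor ecx, ecx
.text:00401119 xor [ebx], edx
.text:00401130 sub_401100 endp
.text:00401200 sub_401200 proc near
.text:00401211 xor esi, esi
.text:00401224 sub_401200 endp
"""

LINE_RE = re.compile(r"^\.text:([0-9A-Fa-f]{8})\s+(.*)$")
IMM_RE = re.compile(r"^(?:[0-9A-Fa-f]+h|\d+)$")   # IDA hex (5Ah) or decimal


def classify_xor(operands):
    """Classify the operand string of an xor: zeroing, memory, immediate or reg-reg."""
    left, _, right = (p.strip() for p in operands.partition(","))
    if left.lower() == right.lower():
        return "zeroing"          # xor reg, reg: compiler idiom, not encoding
    if "[" in left or "[" in right:
        return "memory"           # touches a buffer: prime encoding candidate
    if IMM_RE.match(right):
        return "immediate"        # xor reg, const: single-byte-key style
    return "reg-reg"              # key register against data register


def find_xor_candidates(listing):
    """Map each function name to its non-zeroing xor instructions (addr, kind, text)."""
    hits = defaultdict(list)
    current = None
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        addr, body = m.group(1).upper(), m.group(2).strip()
        parts = body.split()
        if len(parts) >= 3 and parts[1] == "proc":
            current = parts[0]    # entered a function
            continue
        if len(parts) >= 2 and parts[1] == "endp":
            current = None        # left it
            continue
        if parts and parts[0].lower() == "xor":
            kind = classify_xor(body[len(parts[0]):])
            if kind != "zeroing":
                hits[current or "<no function>"].append((addr, kind, body))
    return dict(hits)


def suspicious_functions(listing):
    """Sorted names of functions that contain at least one non-zeroing xor."""
    return sorted(find_xor_candidates(listing))


if __name__ == "__main__":
    for func, xors in find_xor_candidates(SAMPLE_LISTING).items():
        print(func)
        for addr, kind, text in xors:
            print(f"  {addr}  {kind:<10} {text}")
```

Functions that only ever clear registers (here `sub_401200`) never appear in the report, which is the filtering step that makes the search usable on a large binary; a hit is still only a lead, as the lab shows, since the real encoder was `sub_40181F` and not one of the functions the XOR search surfaced.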

Detailed Analysis

We launch the malware and see that ...