Lab13-02.exe creates large, seemingly random files in its current directory with names that start with temp and end with eight hexadecimal digits that vary for each file.
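The first triage step is to confirm that observation on disk: list the files in the working directory that match the temp + eight-hex-digit naming and measure their byte entropy, which is what "seemingly random" means in practice. The script below is an added example, not part of the original lab write-up or the malware's code; the filename regex comes from the behaviour described above, and the 7.5 bits/byte threshold is an assumption chosen for illustration.

```python
"""Triage helper: find temp+8hex output files and measure their entropy.

Added example, not from the original write-up. It assumes nothing about the
sample beyond what the text states: output files named "temp" followed by
eight hexadecimal digits in the current directory, with random-looking content.
"""
from __future__ import annotations

import math
import os
import re
from collections import Counter

# Filename pattern taken from the observed behaviour: "temp" followed by
# exactly eight hexadecimal digits, e.g. temp3a9f01cd (constructed example).
TEMP_NAME = re.compile(r"^temp[0-9a-fA-F]{8}$")

# Assumed threshold: plaintext and most uncompressed formats sit well below
# 7.5 bits/byte, while encoded, compressed or encrypted data sits near 8.0.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Return the Shannon entropy of data in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_encoded(data: bytes, threshold: float = HIGH_ENTROPY) -> bool:
    """Heuristic: entropy at or above the threshold suggests encoded content."""
    return shannon_entropy(data) >= threshold


def find_temp_files(directory: str) -> list[str]:
    """List regular files in directory whose names match the temp+8hex pattern."""
    return sorted(
        os.path.join(directory, name)
        for name in os.listdir(directory)
        if TEMP_NAME.match(name) and os.path.isfile(os.path.join(directory, name))
    )


def triage(directory: str) -> dict[str, tuple[int, float]]:
    """Map each matching file name to (size_in_bytes, entropy_bits_per_byte)."""
    results: dict[str, tuple[int, float]] = {}
    for path in find_temp_files(directory):
        with open(path, "rb") as fh:
            data = fh.read()
        results[os.path.basename(path)] = (len(data), shannon_entropy(data))
    return results


if __name__ == "__main__":
    # Run from the directory the sample was executed in.
    for name, (size, ent) in triage(".").items():
        verdict = "likely encoded" if ent >= HIGH_ENTROPY else "low entropy"
        print(f"{name}: {size} bytes, {ent:.2f} bits/byte ({verdict})")
```

Large size plus near-8.0 entropy is consistent with encoded data but does not by itself distinguish encoding from compression or encryption; that distinction is what the static and dynamic analysis that follows is for.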
The XOR search technique identifies potential encoding-related functions at sub_401739. The other three techniques suggested find nothing.
The encoding functions might be found just before the call to
The encoding function is
The algorithm is nonstandard and not easily determined, so the easiest way to decode the files it writes is via instrumentation rather than by reimplementing it.
See the detailed analysis for how to recover the original source of an encoded file.
We launch the malware and see that ...