The URL initially requested is http://www.practicalmalwareanalysis.com/bamboo.html.
The User-Agent string is generated by adding 1 to each letter and number in the hostname (Z and 9 are rotated to A and 0).
The program looks for the string
Bamboo:: in the page it
The program searches beyond the
Bamboo:: string to
find an additional
::, which it converts to a NULL terminator.
The string in between
Bamboo and the terminator is downloaded to
a file named Account Summary.xls.exe and executed.
Open the binary with IDA Pro and scroll to the
main function at offset 0x00401000. We will begin with disarming this function by reading it top to bottom, fixing each countermeasure until we reach the logical ...