O'Reilly logo

Practical Malware Analysis by Andrew Honig, Michael Sikorski

Stay ahead with the world's most comprehensive technology and business learning platform.

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, tutorials, and more.

Start Free Trial

No credit card required

Lab 15-3 Solutions

Short Answers

  1. The malicious code is initially called by overwriting the return pointer from the main function.

  2. The malicious code downloads a file from a URL and launches it with WinExec.

  3. The URL used by the program is http://www.practicalmalwareanalysis.com/tt.html.

  4. The filename used by the program is spoolsrv.exe.

Detailed Analysis

Quickly examining this binary, it initially seems to be a process-listing tool. You might have also noticed a few suspicious imports, such as URLDownloadToFile and WinExec. If you scrolled near the bottom of the code in IDA Pro, just before the C runtime library code, you may have even noticed where these suspicious functions are called. This code does not seem to be a part of the program at all. There ...

With Safari, you learn the way you learn best. Get unlimited access to videos, live online training, learning paths, books, interactive tutorials, and more.

Start Free Trial

No credit card required