Lab 20-2 Solutions

Short Answers

  1. The most interesting strings are ftp.practicalmalwareanalysis.com and Home ftp client, which indicate that this program may be FTP client software.

  2. The imports FindFirstFile and FindNextFile indicate that the program probably searches through the victim’s filesystem. The imports InternetOpen, InternetConnect, FtpSetCurrentDirectory, and FtpPutFile tell us that this malware may upload files from the victim machine to a remote FTP server.

  3. The object created at 0x004011D9 represents a .doc file. It has one virtual function at offset 0x00401440, which uploads the file to a remote FTP server.

  4. The virtual function call at 0x00401349 will call one of the virtual functions at 0x00401380, 0x00401440, or 0x00401370.

  5. This malware ...

Get Practical Malware Analysis now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.

Start your free trial