Skip to content

Latest commit

 

History

History
42 lines (22 loc) · 1.15 KB

lab-06-2.md

File metadata and controls

42 lines (22 loc) · 1.15 KB

This post is part of the series of Practical Malware Analysis Exercises.

1) What operation does the first subroutine called by main perform.

Boolean check for an internet connection. Returns true if so, returns false if not.

2) What is the subroutine located at 40117F?

printf()

3) What does the second subroutine called by main do?

Parses a page for a command hidden in an HTML comment.

  1. Opens URL http://www.practicalmalwareanalysis.com/cc.htm
  2. Reads 512 bytes.
  3. Checks for<!--, reverses bytes (network to host order).
  4. Save next byte in AL.

4) What type of code construct is used in this subroutine?

A series of if/then conditional checks.

5) Network indicators?

User agent:Internet Explorer 7.5/pma URL: http://www.practicalmalwareanalysis.com/cc.htm

6) What is the purpose on the malware?

Fetch a remote command. Likely a bot for a botnet, or some sort of backdoor.

  1. Sends a GET request to a CC page, with a special user agent to identify itself.
  2. Gets the embedded command by parsing the first 512 bytes, looking for an HTML comment.
  3. Sleeps for one minute.