Skip to content

Latest commit

 

History

History
57 lines (31 loc) · 1.47 KB

lab-07-1.md

File metadata and controls

57 lines (31 loc) · 1.47 KB

This post is part of the series of Practical Malware Analysis Exercises.

1) How does this program ensure persistence?

Service malservice set to auto start at boot.

2) Why does this program use a mutex?

So that it doesn't create and start the service twice.

3) Good host-based signature?

  1. Service: Malservice
  2. Mutex: HG345

4) Good network-based signature?

  1. URL: http://www.malwareanalysisbook.com

5) Purpose of the program?

Installs a DDoS service with 20 threads attacks http://www.malwareanalysisbook.com in the year 2100.

Connects to http://www.malwareanalysisbook.com in infinite loop. Leaves a mutex open to let other instances know it's running.

Program starts a service dispatcher, allowing malservice to execute in this process. Calls ServiceMain.

Installation:

  1. if( mutex HGL345 is unavailable): exit process
  2. Open mutex HGL345
  3. Open connection to service manager.
  4. Create auto start service malservice with path to current exe.

Initialization:

  1. Create waitable timer: goes off once, in year 2100.
  2. Wait for timer to complete: ms=INFINITE or year=2100.

Create 20 threads that:

  1. Open Internet connection with UserAgent=Internet Explorer 8.0
  2. Get non-cached handle to http://www.malwareanalysisbook.com

6) When will the program finish execution?

Never