Q:

1. How can you get this malware to install itself?

Q:

2. What are the command-line options for this program? What is the password requirement?

Q:

3. How can you use OllyDbg to permanently patch this malware, so that it doesn’t require the special command-line password?

Q:

4. What are the host-based indicators of this malware?

Q:

5. What are the different actions this malware can be instructed to take via the network?

Q:

6. Are there any useful network-based signatures for this malware?

Q:

1. What strings do you see statically in the binary?

Q:

2. What happens when you run this binary?

Q:

3. How can you get this sample to run its malicious payload?

Q:

4. What is happening at 0x00401133?

Q:

5. What arguments are being passed to subroutine 0x00401089?

Q:

6. What domain name does this malware use?

Q:

7. What encoding routine is being used to obfuscate the domain name?

Q:

8. What is the significance of the CreateProcessA call at 0x0040106E?

Q:

1. What DLLs are imported by Lab09-03.exe?

Q:

2. What is the base address requested by DLL1.dll, DLL2.dll, and DLL3.dll?

Q:

3. When you use OllyDbg to debug Lab09-03.exe, what is the assigned based address for: DLL1.dll, DLL2.dll, and DLL3.dll?

Q:

4. When Lab09-03.exe calls an import function from DLL1.dll, what does this import function do?

Q:

5. When Lab09-03.exe calls WriteFile, what is the filename it writes to?

Q:

6. When Lab09-03.exe creates a job using NetScheduleJobAdd, where does it get the data for the second parameter?

Q:

7. While running or debugging the program, you will see that it prints out three pieces of mystery data. What are the following: DLL 1 mystery data 1, DLL 2 mystery data 2, and DLL 3 mystery data 3?

Q:

8. How can you load DLL2.dll into IDA Pro so that it matches the load address used by OllyDbg?