Lab 12-1
Analyze the malware found in the file Lab12-01.exe and
Lab12-01.dll. Make sure that these files are in the same directory when
performing the analysis.
Questions
1. What happens when you run the malware executable?
2. What process is being injected?
3. How can you make the malware stop the pop-ups?
4. How does this malware operate?
Lab 12-2
Analyze the malware found in the file Lab12-02.exe.
Questions
1. What is the purpose of this program?
2. How does the launcher program hide execution?
3. Where is the malicious payload stored?
4. How is the malicious payload protected?
5. How are strings protected?
Lab 12-3
Analyze the malware extracted during the analysis of Lab 12-2, or
use the file Lab12-03.exe.
Questions
1. What is the purpose of this malicious payload?
2. How does the malicious payload inject itself?
3. What filesystem residue does this program create?
Lab 12-4
Analyze the malware found in the file Lab12-04.exe.
Questions
1. What does the code at 0x401000 accomplish?
2. Which process has code injected?
3. What DLL is loaded using LoadLibraryA?
4. What is the fourth argument passed to the CreateRemoteThread call?
5. What malware is dropped by the main executable?
6. What is the purpose of this and the dropped malware?