pma7-1 Analysis

Executive Summary


This malware is a standalone executable. It might be dropped via a drive-by download, installed manually on the computer, or act as the payload of a worm.


This malware waits until January 1, 2100 and then attempts a DDoS attack on


The malware sets itself up as a service named MalService.


This malware can be detected by the presence of a mutex named HGL345 and a service named MalService. It can be removed by uninstalling the service and rebooting the computer.

File Information

Field                Data
Filename             Lab07_01.exe
File Size            24576 bytes
MD5                  c04fd8d9198095192e7d55345966da2e
SHA1                 86ee262230cbf6f099b6086089da9eb9075b4521
SHA256               0c98769e42b364711c478226ef199bfbba90db80175eb1b8cd565aa694c09852
Architecture         x86
Statically linked    False
Stripped             False


Address     String                   XRefs
0x405050                             InternetGetMalwareBook
0x405074    Internet Explorer 8.0    InternetGetMalwareBook


Address     Import              XRefs
0x4040c0    InternetOpenUrlA    InternetGetMalwareBook
0x4040c4    InternetOpenA       InternetGetMalwareBook

Important Functions

main: void main(void)

Located in section [00] .text (-r-x, size 12288). This is the main function. It calls SetupPersistence, the function that sets up persistence.

SetupPersistence: undefined4 SetupPersistence

This function creates the service, creates a waitable timer whose due time is the specified date and blocks on it, then starts 20 threads that perform the DDoS against the specified URL.

InternetGetMalwareBook: void InternetGetMalwareBook(void)

This function makes HTTP requests to the target URL in an infinite loop, using the InternetOpenA and InternetOpenUrlA imports cross-referenced above.


Below are the answers to the PMA questions for this lab. This malware sets itself up as a service in fcn.00401040 (the function named SetupPersistence above). It does so with the following Windows API calls (these are library imports, not system calls), in the order they appear in the function:

0x00401052 call dword [sym.imp.KERNEL32.dll_OpenMutexA]
0x0040105e call dword [sym.imp.KERNEL32.dll_ExitProcess]
0x0040106e call dword [sym.imp.KERNEL32.dll_CreateMutexA]
0x0040107a call dword [sym.imp.ADVAPI32.dll_OpenSCManagerA]
0x00401082 call dword [sym.imp.KERNEL32.dll_GetCurrentProcess]
0x00401094 call dword [sym.imp.KERNEL32.dll_GetModuleFileNameA]
0x004010bc call dword [sym.imp.ADVAPI32.dll_CreateServiceA]
0x004010e5 call dword [sym.imp.KERNEL32.dll_SystemTimeToFileTime]
0x004010f1 call dword [sym.imp.KERNEL32.dll_CreateWaitableTimerA]
0x00401107 call dword [sym.imp.KERNEL32.dll_SetWaitableTimer]
0x00401110 call dword [sym.imp.KERNEL32.dll_WaitForSingleObject]
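As an added example, not part of the original report or of the sample's own code, the following Python reproduces the due-time arithmetic behind the SystemTimeToFileTime / SetWaitableTimer / WaitForSingleObject sequence listed above. It assumes, as the write-up states, that the SYSTEMTIME being converted is 1 January 2100 00:00 UTC, and that the wait on the timer has no timeout; it shows why the attack never starts on a correctly set clock and what a sandbox clock must be set to for the threads to launch.

```python
# Added example, not code from the original write-up or from the sample itself.
# Assumption taken from the write-up: the SYSTEMTIME the sample converts is
# 1 January 2100 00:00:00 UTC, and the wait on the timer is infinite.
from datetime import datetime, timezone

# A FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def systemtime_to_filetime(year, month=1, day=1, hour=0, minute=0, second=0, millis=0):
    """Pure-Python equivalent of SystemTimeToFileTime for a UTC SYSTEMTIME."""
    when = datetime(year, month, day, hour, minute, second, millis * 1000, tzinfo=timezone.utc)
    delta = when - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_dwords(filetime):
    """Split a 64-bit FILETIME into (dwLowDateTime, dwHighDateTime) as laid out in memory."""
    return filetime & 0xFFFFFFFF, (filetime >> 32) & 0xFFFFFFFF


# The due time the sample hands to SetWaitableTimer. A positive pDueTime is an
# absolute UTC FILETIME, so the timer is tied to the wall clock, not to uptime:
# advancing the system clock past this value signals it immediately.
MALWARE_DUE_TIME = systemtime_to_filetime(2100, 1, 1)


def timer_has_fired(year, month, day, hour=0, minute=0, second=0, due_time=MALWARE_DUE_TIME):
    """Model the WaitForSingleObject on the timer: True once the system clock
    (given as a UTC date/time) is at or past the absolute due time."""
    return systemtime_to_filetime(year, month, day, hour, minute, second) >= due_time


def seconds_until_fire(year, month, day, due_time=MALWARE_DUE_TIME):
    """How long a machine with this clock would wait before the DDoS threads start;
    0 if the due time has already passed (the timer is signalled at once)."""
    now = systemtime_to_filetime(year, month, day)
    return max(0, (due_time - now) // TICKS_PER_SECOND)


if __name__ == "__main__":
    low, high = filetime_to_dwords(MALWARE_DUE_TIME)
    print(f"due time FILETIME = {MALWARE_DUE_TIME:#x} (low={low:#010x}, high={high:#010x})")
    print("fires on a 2024-06-01 clock:", timer_has_fired(2024, 6, 1))
    print("fires on a 2100-01-01 clock:", timer_has_fired(2100, 1, 1))
    print("seconds a 2099-12-31 clock waits:", seconds_until_fire(2099, 12, 31))
```

The practical consequence for dynamic analysis: on a sandbox with a real clock the function blocks in WaitForSingleObject forever, so the run shows the mutex and service creation and nothing else. To observe the DDoS threads, set the guest clock to 2100 or later (or patch the due time before SetWaitableTimer is called).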

This program uses a mutex to ensure that only one instance of it runs at a time: it calls OpenMutexA on HGL345 first and exits via ExitProcess if the mutex already exists, and only then creates it with CreateMutexA. This also makes the mutex a cheap vaccine, since any process that already holds a mutex named HGL345 causes later copies of the sample to exit immediately. Good host signatures are the mutex named HGL345 and the service MalService. Good network signatures are the User-Agent string "Internet Explorer 8.0" (a real Internet Explorer 8 sends a "Mozilla/4.0 (compatible; MSIE 8.0; ...)" User-Agent, so this bare string does not occur in legitimate browser traffic) and the communication with the target URL.

This program waits until January 1, 2100 and then attempts a DDoS attack on the target URL. On a correctly set clock the wait never returns, so a sandbox run shows only the service and mutex activity unless the clock is advanced past the due time. This program will never finish: it creates 20 threads, each of which runs in an infinite loop.
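As an added example, not part of the original report, here is a small Python detector for the network signature described above, run over a constructed (not captured) request log. The log line layout and the IP addresses are assumptions made for the example; the User-Agent string is the one from the string table.

```python
# Added example, not code from the original write-up: a detector for the
# sample's network indicator, run over a constructed (not captured) request log.
# The log line layout and the addresses in it are assumptions for this example.
import re
from collections import Counter

# The User-Agent string the sample passes to InternetOpenA (string at 0x405074).
MALWARE_USER_AGENT = "Internet Explorer 8.0"

# Constructed sample data: one proxy/web-server style line per request.
SAMPLE_LOG = """\
10.0.0.5 GET / HTTP/1.1 "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.0.7 GET / HTTP/1.1 "Internet Explorer 8.0"
10.0.0.7 GET / HTTP/1.1 "Internet Explorer 8.0"
10.0.0.9 GET /index.html HTTP/1.1 "curl/8.4.0"
10.0.0.7 GET / HTTP/1.1 "Internet Explorer 8.0"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>\S+) (?P<path>\S+) (?P<version>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the expected layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_malware_user_agent(user_agent):
    """Exact match on the whole header value. A genuine IE 8 identifies itself as
    'Mozilla/4.0 (compatible; MSIE 8.0; ...)', so the bare string the sample sends
    never comes from a real browser; a looser substring match on '8.0' or 'MSIE'
    would pull in legitimate traffic."""
    return user_agent == MALWARE_USER_AGENT


def find_infected_hosts(log_text):
    """Count matching requests per source address. A single hit is worth an alert;
    a high count from one address is the DDoS loop (20 threads, no delay) in progress."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_malware_user_agent(rec["ua"]):
            hits[rec["src"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, count in find_infected_hosts(SAMPLE_LOG).items():
        print(f"{src}: {count} request(s) with User-Agent {MALWARE_USER_AGENT!r}")
```

The same exact-match logic transfers directly to a proxy log query or an IDS rule: match the full User-Agent header value, not a fragment of it.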