pma9-2 Analysis

Executive Summary

Installation

How malware gets installed goes here

Behavior

What the malware does goes here

Persistence

How the malware persists on the system goes here

Removal

How the malware can be uninstalled goes here


File Information

Field Data
Filename Lab09-02.exe
File Size 24576 bytes
MD5 251f4d0caf6eadae453488f9c9c0ea95
SHA1 ea8e109eb3fbdb76623cf9522267345b19721e42
SHA256 f153dfacec09dd69809c3bbf68270a38ee3701f44220c7bf181c14a68c138133
Architecture x86
Compiler
Statically linked False
Stripped False

Strings

Address String XRefs

Imports

Address Import XRefs
0x40409c WSAStartup main
0x4040a0 WSASocketA main
0x4040a4 gethostbyname main
0x4040a8 closesocket main
0x4040b0 htons main
0x4040b4 connect main

Important Functions

main: // WARNING: Removing unreachable block (ram,0x004013d4)

This is the main function

deobfuscate_strings: int32_t * __cdecl deobfuscate_strings(char arg_8h, char arg_ch)

This function takes two strings as inputs and returns a deobfuscated string using the eax register. The main use for this function is to use the key string to output the url practicalmalwareanalsis.com

CreateProcess: Signature not found

[00] -r-x section size 12288 named .text afn CREATE_REMOTE_SHELL This function calls create_process with the stdout, stderr, and stdin handles to tehe socket. Since cmd is the argument this creates a reverse shell by tying the command shell to the socket.


Analysis

PMA Questions:

  1. There are not any interesting strings in this binary.
  2. When you run this binary it simply terminates
  3. The program can be renamed ocl.exe before running it
  4. A string is being built on the stack which can later be deobfuscated
  5. The key string and an encoded string
  6. practicalmalwareanalysis.com
  7. The strings are xored
  8. This function creates a reverse shell