Labs

Lab 11-1

Analyze the malware found in Lab11-01.exe.

Questions

1. What does the malware drop to disk?

2. How does the malware achieve persistence?

3. How does the malware steal user credentials?

4. What does the malware do with stolen credentials?

5. How can you use this malware to get user credentials from your test environment?

Lab 11-2

Analyze the malware found in Lab11-02.dll. Assume that a suspicious file named Lab11-02.ini was also found with this malware.

Questions

1. What are the exports for this DLL malware?

2. What happens after you attempt to install this malware using rundll32.exe?

3. Where must Lab11-02.ini reside in order for the malware to install properly?

4. How is this malware installed for persistence?

5. What user-space rootkit technique does this malware employ?

6. What does the hooking code do?

7. Which process(es) does this malware attack and why?

8. What is the significance of the .ini file?

9. How can you dynamically capture this malware's activity with Wireshark?
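
Questions 1 and 2 of Lab 11-2 both turn on the DLL's export table: question 1 asks you to enumerate it, and rundll32.exe installs a DLL by loading it and calling one of those exports by name ("rundll32 <dll>,<ExportName>"). The following is an added example, not code from the lab files or from the book: a pure-Python walker for the PE32 export directory. The image that build_sample_dll() returns is constructed in memory so the script runs offline; its DLL name (sample.dll), export names (Install, ServiceMain) and function RVAs are invented for the demonstration and are not taken from Lab11-02.dll. To use it on the lab sample, pass the file's bytes to parse_exports.

```python
# Added example: walk a PE32 DLL's export directory and list its named exports.
# build_sample_dll() constructs a synthetic image in memory; its DLL and export
# names are invented so the script runs offline. Pass real file bytes to parse_exports.
import struct

IMAGE_DIRECTORY_ENTRY_EXPORT = 0  # index of the export table among the data directories


def _rva_to_offset(rva, sections):
    """Map a relative virtual address to a file offset via the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA 0x%x is outside every section" % rva)


def _cstring(data, offset):
    """Read a NUL-terminated ASCII string starting at offset."""
    return data[offset:data.index(b"\x00", offset)].decode("ascii")


def parse_exports(data):
    """Return {"name": dll_name, "exports": [(ordinal, name, rva), ...]} (PE32 only)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    # PE32 optional header: NumberOfRvaAndSizes at +92, data directories from +96
    if struct.unpack_from("<I", data, opt + 92)[0] <= IMAGE_DIRECTORY_ENTRY_EXPORT:
        return {"name": "", "exports": []}
    exp_rva = struct.unpack_from("<I", data, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT)[0]
    if exp_rva == 0:
        return {"name": "", "exports": []}  # no export table: the usual case for an EXE
    sections = []
    for i in range(num_sections):
        hdr = opt + size_of_optional + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    exp = _rva_to_offset(exp_rva, sections)
    name_rva = struct.unpack_from("<I", data, exp + 12)[0]
    base, _nfuncs, n_names, funcs_rva, names_rva, ords_rva = struct.unpack_from("<IIIIII", data, exp + 16)
    funcs, names, ords = (_rva_to_offset(r, sections) for r in (funcs_rva, names_rva, ords_rva))
    exports = []
    for i in range(n_names):
        # AddressOfNameOrdinals[i] indexes AddressOfFunctions; exported ordinal = index + Base
        idx = struct.unpack_from("<H", data, ords + 2 * i)[0]
        func_rva = struct.unpack_from("<I", data, funcs + 4 * idx)[0]
        sym_rva = struct.unpack_from("<I", data, names + 4 * i)[0]
        exports.append((base + idx, _cstring(data, _rva_to_offset(sym_rva, sections)), func_rva))
    return {"name": _cstring(data, _rva_to_offset(name_rva, sections)), "exports": exports}


def build_sample_dll():
    """Construct a minimal PE32 DLL with one .edata section (all names and RVAs invented)."""
    section_va, section_raw = 0x1000, 0x200
    names, func_rvas = [b"Install", b"ServiceMain"], [0x2000, 0x2040]
    n = len(names)
    funcs_rva = section_va + 40  # the three arrays follow the 40-byte export directory
    names_rva, ords_rva = funcs_rva + 4 * n, funcs_rva + 8 * n
    strings_rva = ords_rva + 2 * n
    strings, name_rvas = b"", []
    for nm in names:
        name_rvas.append(strings_rva + len(strings))
        strings += nm + b"\x00"
    dllname_rva = strings_rva + len(strings)
    strings += b"sample.dll\x00"
    edata = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0, dllname_rva, 1, n, n,
                        funcs_rva, names_rva, ords_rva)
    edata += b"".join(struct.pack("<I", r) for r in func_rvas)
    edata += b"".join(struct.pack("<I", r) for r in name_rvas)
    edata += b"".join(struct.pack("<H", i) for i in range(n))
    edata += strings
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)  # i386, 1 section, DLL
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 92, 16)  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, section_va, len(edata))  # export directory RVA, size
    sec = struct.pack("<8sIIIIIIHHI", b".edata", len(edata), section_va, len(edata),
                      section_raw, 0, 0, 0, 0, 0x40000040)
    headers = dos + b"PE\x00\x00" + coff + bytes(opt) + sec
    return headers + b"\x00" * (section_raw - len(headers)) + edata


if __name__ == "__main__":
    table = parse_exports(build_sample_dll())
    for ordinal, name, rva in table["exports"]:
        # "rundll32 <dll>,<ExportName>" is resolved against exactly this table
        print("%s  ordinal %d  %-12s RVA 0x%x" % (table["name"], ordinal, name, rva))
```

The ordinal arithmetic is the part most often gotten wrong by hand: AddressOfNameOrdinals holds zero-based indexes into AddressOfFunctions, and the ordinal a loader would accept is that index plus the directory's Base field. Functions exported by ordinal only (no entry in AddressOfNames) are not listed by this walker, so a DLL whose installer export has no name will still need a look at the full AddressOfFunctions array.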

Lab 11-3

Analyze the malware found in Lab11-03.exe and Lab11-03.dll. Make sure that both files are in the same directory during analysis.

Questions

1. What interesting analysis leads can you discover using basic static analysis?

2. What happens when you run this malware?

3. How does Lab11-03.exe persistently install Lab11-03.dll?

4. Which Windows system file does the malware infect?

5. What does Lab11-03.dll do?

6. Where does the malware store the data it collects?
