Labs

The purpose of the labs is to give you an opportunity to practice the skills taught in the chapter. To simulate realistic malware analysis, you will be given little or no information about the program you are analyzing. Like all of the labs throughout this book, the basic static analysis lab files have been given generic names to simulate unknown malware, which typically carries meaningless or misleading file names.

Each of the labs consists of a malicious file, a few questions, short answers to the questions, and a detailed analysis of the malware. The solutions to the labs are included in Appendix C.

The labs include two sections of answers. The first section consists of short answers, which should be used if you did the lab yourself and just want to check your work. The second section includes detailed explanations for you to follow along with our solution and learn how we found the answers to the questions posed in each lab.

Lab 1-1

This lab uses the files Lab01-01.exe and Lab01-01.dll. Use the tools and techniques described in the chapter to gain information about the files and answer the questions below.

Questions

1. Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?

2. When were these files compiled?

3. Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

4. Do any imports hint at what this malware does? If so, which imports are they?

5. Are there any other files or host-based indicators that you could look for on infected systems?

6. What network-based indicators could be used to find this malware on infected machines?

7. What would you guess is the purpose of these files?
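Questions 2 through 4 ask for the same three pieces of static triage that every lab in this chapter repeats: the compile timestamp from the COFF header, the indicators that a file is packed, and the import table. The chapter's tools show these in a GUI; the script below is an added example (not from the book and not a solution to any lab) that pulls the same fields with a minimal pure-Python PE32 reader written here, so you can see exactly which header offsets the tools are reading. The sample binary it analyzes is constructed inline and is not Lab01-01.exe; its compile time, section names and two imports are all made up for the demonstration. The packer section-name list and the entropy threshold are heuristic choices, not definitions from the page.

```python
"""Basic static triage of a PE32 file: compile timestamp, section entropy,
packer section names and imports, using only the standard library.
Added example; the sample PE built below is constructed here, not a lab file."""
import math
import struct
import sys
from datetime import datetime, timezone

# Non-exhaustive list of section names that common packers leave behind (heuristic)
KNOWN_PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".MPRESS1", ".MPRESS2", ".vmp0", ".vmp1"}


def section_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; close to 8.0 means compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(v) for v in set(data)))


def parse_pe(blob: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> sections -> imports."""
    if blob[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe_off = struct.unpack_from("<I", blob, 0x3C)[0]                # e_lfanew
    if blob[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymtab, NumSyms, SizeOfOptionalHeader, Characteristics
    _, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", blob, pe_off + 4)
    opt_off = pe_off + 24
    if struct.unpack_from("<H", blob, opt_off)[0] != 0x10B:
        raise ValueError("only PE32 is handled here (PE32+ has a wider optional header and 8-byte thunks)")
    import_rva = struct.unpack_from("<I", blob, opt_off + 96 + 8)[0]  # DataDirectory[1] = import table
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", blob, opt_off + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "vaddr": vaddr, "rsize": rsize, "rptr": rptr,
                         "entropy": round(section_entropy(blob[rptr:rptr + rsize]), 2)})

    def rva_to_off(rva: int) -> int:
        for s in sections:
            if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rsize"]):
                return rva - s["vaddr"] + s["rptr"]
        raise ValueError(f"RVA {rva:#x} maps to no section")

    def cstr(off: int) -> str:
        return blob[off:blob.index(b"\0", off)].decode("ascii", "replace")

    imports = {}
    desc = rva_to_off(import_rva) if import_rva else None
    while desc is not None:
        # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", blob, desc)
        if name_rva == 0:
            break                                                    # null descriptor ends the table
        names, thunk = [], rva_to_off(oft or ft)
        while (entry := struct.unpack_from("<I", blob, thunk)[0]) != 0:
            # High bit set = import by ordinal; otherwise RVA of IMAGE_IMPORT_BY_NAME (2-byte hint + name)
            names.append(f"ordinal#{entry & 0xFFFF}" if entry & 0x80000000 else cstr(rva_to_off(entry) + 2))
            thunk += 4
        imports[cstr(rva_to_off(name_rva))] = names
        desc += 20
    return {"compiled": datetime.fromtimestamp(tstamp, timezone.utc).isoformat(),
            "sections": sections, "imports": imports}


def packing_indicators(info: dict) -> list:
    """The packing/obfuscation tells the lab questions ask about."""
    hits = []
    for s in info["sections"]:
        if s["name"] in KNOWN_PACKER_SECTIONS:
            hits.append(f"section {s['name']} is a known packer section name")
        if s["entropy"] > 7.0:
            hits.append(f"section {s['name']} has entropy {s['entropy']} (compressed/encrypted)")
        if s["rsize"] == 0 and s["vsize"] > 0:
            hits.append(f"section {s['name']} has no raw data but {s['vsize']:#x} bytes virtual size")
    funcs = [f for names in info["imports"].values() for f in names]
    if funcs and len(funcs) <= 5 and "GetProcAddress" in funcs:
        hits.append("tiny import table with GetProcAddress: real imports are resolved at runtime")
    return hits


SEC_RVA = 0x11000  # RVA of the data-bearing section in the constructed sample


def build_sample_pe(tstamp: int = 1262304000) -> bytes:
    """Constructed UPX-style PE32: empty UPX0 plus a high-entropy UPX1 holding a two-entry import table."""
    body = bytearray(bytes(range(256)) * 4)                            # 1024 bytes of maximum-entropy filler

    def put(off, data):
        body.extend(b"\0" * max(0, off + len(data) - len(body)))
        body[off:off + len(data)] = data
    put(1064, b"KERNEL32.dll\0")
    put(1096, b"\0\0LoadLibraryA\0")                                   # hint + name
    put(1112, b"\0\0GetProcAddress\0")
    put(1080, struct.pack("<III", SEC_RVA + 1096, SEC_RVA + 1112, 0))  # thunk array
    put(1024, struct.pack("<IIIII", SEC_RVA + 1080, 0, 0, SEC_RVA + 1064, SEC_RVA + 1080) + b"\0" * 20)
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, tstamp, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0); struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<II", opt, 96 + 8, SEC_RVA + 1024, 40)           # import directory RVA/size
    secs = struct.pack("<8sIIII", b"UPX0", 0x10000, 0x1000, 0, 0x200).ljust(40, b"\0")
    secs += struct.pack("<8sIIII", b"UPX1", 0x2000, SEC_RVA, len(body), 0x200).ljust(40, b"\0")
    return (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs).ljust(0x200, b"\0") + bytes(body)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    report = parse_pe(data)
    print("compiled:", report["compiled"])
    for s in report["sections"]:
        print(f"  {s['name']:<8} vsize={s['vsize']:#x} rsize={s['rsize']:#x} entropy={s['entropy']}")
    for dll, funcs in report["imports"].items():
        print(f"  {dll}: {', '.join(funcs)}")
    for hit in packing_indicators(report):
        print("  [!]", hit)
```

Run it with no arguments to analyze the constructed sample, or pass a path to a PE32 file of your own. The three packing tells it flags (packer section names, a near-8.0 entropy section, and a stub that imports little more than LoadLibraryA and GetProcAddress) are the indicators to write down for question 3; the compile timestamp answers question 2, but remember that it is a 32-bit field set by the linker and can be edited freely, so treat it as a hint rather than a fact.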

Lab 1-2

Analyze the file Lab01-02.exe.

Questions

1. Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

3. Do any imports hint at this program's functionality? If so, which imports are they and what do they tell you?

4. What host- or network-based indicators could be used to identify this malware on infected machines?

Lab 1-3

Analyze the file Lab01-03.exe.

Questions

1. Upload the Lab01-03.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

3. Do any imports hint at this program's functionality? If so, which imports are they and what do they tell you?

4. What host- or network-based indicators could be used to identify this malware on infected machines?

Lab 1-4

Analyze the file Lab01-04.exe.

Questions

1. Upload the Lab01-04.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?

2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.

3. When was this program compiled?

4. Do any imports hint at this program's functionality? If so, which imports are they and what do they tell you?

5. What host- or network-based indicators could be used to identify this malware on infected machines?

6. This file has one resource in the resource section. Use Resource Hacker to examine that resource, and then use it to extract the resource. What can you learn from the resource?
