The goal of the labs for this chapter is to help you to understand the overall functionality of a program by analyzing code constructs. Each lab will guide you through discovering and analyzing a new code construct. Each lab builds on the previous one, thus creating a single, complicated piece of malware with four constructs. Once you’ve finished working through the labs, you should be able to more easily recognize these individual constructs when you encounter them in malware.
In this lab, you will analyze the malware found in the file Lab06-01.exe.
Analyze the malware found in the file Lab06-02.exe.
In this lab, we’ll analyze the malware found in the file Lab06-03.exe.
1. Compare the calls in
2. What parameters does this new function take?
3. What major code construct does this function contain?
4. What can this function do?
5. Are there any host-based indicators for this malware?
6. What is the purpose of this malware?
In this lab, we’ll analyze the malware found in the file Lab06-04.exe.
1. What is the difference between the calls made from the
2. What new code construct has been added to
3. What is the difference between this lab's parse HTML function and those of the previous labs?
4. How long will this program run? (Assume that it is connected to the Internet.)
5. Are there any new network-based indicators for this malware?
6. What is the purpose of this malware?