Chapter 3
Lab 3-1
Analyze the malware found in the file Lab03-03.exe using basic dynamic analysis tools.
Questions
1. What are this malware's imports and strings?
Imports:

There are surprisingly few imported functions: only ExitProcess, as shown by PEview. Such a tiny import table could indicate that the malware is packed.
Strings:

Interesting lines could be:
CONNECT %s: %i HTTP/1.0 (indicating connectivity)
www.practicalmalwareanalysis.com (indicating connectivity)
SOFTWARE\Classes\http\shell\open\commandv
Software\Microsoft\Active Setup\Installed Components\
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
AppData
These registry keys and the AppData path could relate to files installed on the infected system, which would in turn indicate persistence.
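As an added example (not part of these notes), a small Python triage helper that does what this question asks by hand: it pulls ASCII and UTF-16LE strings out of a byte buffer, buckets them into the connectivity and persistence indicators noted above, and applies the few-imports packing heuristic. The sample buffer is constructed from the strings listed above, not read from Lab03-03.exe, and the indicator patterns are my own choice.

```python
import re

# Constructed stand-in for a file's raw bytes; it embeds the strings from the
# notes above (one of them as UTF-16LE, as Windows binaries often store them).
SAMPLE = (
    b"\x00\x00MZ\x90\x00" + b"\x00" * 5
    + b"CONNECT %s: %i HTTP/1.0\x00"
    + b"www.practicalmalwareanalysis.com\x00\x01\x02"
    + "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16le")
    + b"\x00\x00"
    + b"SOFTWARE\\Classes\\http\\shell\\open\\command\x00"
    + b"AppData\x00ExitProcess\x00ab\x00"
)

# Indicator buckets mirroring the categories used in the notes (my choice).
INDICATORS = {
    "connectivity": re.compile(r"HTTP/\d\.\d|\bwww\.|https?://", re.I),
    "persistence": re.compile(
        r"CurrentVersion\\Run|Active Setup\\Installed Components"
        r"|Shell Folders|AppData", re.I),
    "url_handler": re.compile(r"Classes\\http\\shell\\open\\command", re.I),
}


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return printable ASCII runs, then UTF-16LE runs, like the strings tool."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16le") for m in wide_re.finditer(data)]
    return found


def triage(strings: list[str]) -> dict[str, list[str]]:
    """Group strings by the indicator bucket they match (a string may hit several)."""
    hits: dict[str, list[str]] = {name: [] for name in INDICATORS}
    for s in strings:
        for name, pattern in INDICATORS.items():
            if pattern.search(s):
                hits[name].append(s)
    return hits


def packing_hint(imports: list[str], threshold: int = 5) -> bool:
    """Very few imports (e.g. only ExitProcess) is a common sign of a packed file."""
    return len(imports) < threshold


if __name__ == "__main__":
    for bucket, values in triage(extract_strings(SAMPLE)).items():
        print(bucket, values)
    print("possibly packed:", packing_hint(["ExitProcess"]))
```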
Imports