Practical Malware Analysis - Lab 3

Basic Dynamic Analysis

Lab 3-1

This lab uses the file Lab03-01.exe.

What are this malware's imports and strings?

We use PE Explorer to answer this question, with the Imports button at the top of the tool.

imports

There is only one DLL used and one function imported. We know that the malware isn't packed with UPX, NsPack or Upack, because when you open the executable with PE Explorer it tries by default to unpack it with those three algorithms. None of them works.

unpack_peexplorer

Let's take a look at the strings. We can deduce that the malware isn't packed because there are a lot of strings. We will analyse what we found in the next question.

Figure 1 strings_1

Figure 2 strings_2

What are the malware's host-based indicators?

In figure 1, we can see that the executable contains another binary, which should be dropped by the first executable.

In figure 2, we can assume that the malware creates a registry key under SOFTWARE\Microsoft\Windows\CurrentVersion\Run. This key allows it to start whenever the computer boots, which is used for persistence on a system.
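As an added example (not part of the original writeup), the following Python script pulls the ASCII and UTF-16LE strings out of a binary and flags the two host-based indicators discussed above: a Run-key path and a second MZ/PE header embedded in the file. The sample buffer is constructed here and is not taken from Lab03-01.exe; the dropped file name is a placeholder.

```python
import re
import struct

ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")                 # printable ASCII runs of 4+
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")          # UTF-16LE runs of 4+
RUN_KEY_RE = re.compile(r"CurrentVersion\\Run(?:Once)?\b", re.IGNORECASE)
FILE_RE = re.compile(r"\.(?:exe|dll|sys)$", re.IGNORECASE)

def extract_strings(data: bytes) -> list[str]:
    """Return printable strings the way a strings view in PE Explorer shows them."""
    narrow = [m.group().decode("ascii") for m in ASCII_RE.finditer(data)]
    wide = [m.group().decode("utf-16-le") for m in WIDE_RE.finditer(data)]
    return narrow + wide

def embedded_pe_offsets(data: bytes) -> list[int]:
    """Offsets (past 0) of 'MZ' stubs whose e_lfanew really points at 'PE\\0\\0'."""
    hits = []
    for m in re.finditer(rb"MZ", data):
        off = m.start()
        if off == 0 or off + 0x40 > len(data):
            continue  # offset 0 is the outer file; too short to hold e_lfanew
        e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
        if data[off + e_lfanew : off + e_lfanew + 4] == b"PE\x00\x00":
            hits.append(off)
    return hits

def find_host_indicators(data: bytes) -> dict:
    """Run-key paths, file names and embedded PE images found in the buffer."""
    strings = extract_strings(data)
    return {
        "run_keys": [s for s in strings if RUN_KEY_RE.search(s)],
        "file_names": [s for s in strings if FILE_RE.search(s)],
        "embedded_pe_offsets": embedded_pe_offsets(data),
    }

def _mini_pe() -> bytes:
    """Constructed stub: an MZ header whose e_lfanew (at 0x3C) points at a PE signature."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    hdr[0x3C:0x40] = struct.pack("<I", 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 8

# Constructed stand-in for a chunk of the lab binary (not the real file): an outer PE
# stub, a Run-key string, a placeholder dropped-file name and a second, embedded PE image.
SAMPLE = (
    _mini_pe()
    + b"This program cannot be run in DOS mode.\x00" + b"\x00" * 4
    + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"dropped_placeholder.exe\x00" + b"\x00" * 3
    + _mini_pe()
)
```

Running `find_host_indicators(SAMPLE)` reports the Run key, the placeholder file name and the offset of the embedded image; on a real sample, an embedded PE found this way is the binary to carve out and analyse next.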

Beyond that we can't say more from the previous pictures; it would be guessing. That's why we'll try to run the malware and check with Procmon what it does.

We run the malware, but nothing happens; we can check this with the process tree of PE Explorer.

process_tree

After some research I found that the malware only runs on Windows XP. Sadly, I only have a Windows 10 VM. I'll make a Windows XP one and come back to this lab later.