Lab 6-2 | Practical Malware Analysis

1. What operation does the first subroutine called by main perform?

It checks once again whether there is an internet connection and chooses one or the other subroutine depending on the result.

2. What is the subroutine located at 0x40117F?

Based on the fact that it appears right after the strings which will be printed, I’ll guess it’s, once again, the print function.

3. What does the second subroutine called by main do?

There’s no direct second subroutine in the main function, so I’ll assume it’s referring to the subroutine called if the results were true or 1.

In this case we can see it’s grabbing the Internet Explorer version, executing the InternetOpenA function on it, passing a URL to it and then calling InternetOpenUrlA to go there.


Further into the author’s explanation, I understood that he was referring to the entire construct and not just the first function.

In case the first function is true, it will jump into a new function, which in turn will pass the number of bytes to read and push them onto the stack. Calling InternetReadFile will then push the contents of these bytes onto the stack and jump into an if cascade if it succeeds.


So this if cascade is probably just trying to get its commands.

4. What type of code construct is used in this subroutine?

Nested if loop.

5. Are there any network-based indicators for this program?

Yes indeed: http://www.practicalmalwareanalysis.com/cc.htm

And also probably: Internet Explorer 7.5/pma, although I don’t really like this one as much as it’s not proprietary like the former.
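As an added example (not part of the original write-up or of the book), here is a small detection helper that turns the two network-based indicators above into a proxy-log check. The log layout (timestamp, client IP, method, URL, status, quoted User-Agent) and the sample lines are constructed for the example; the URL and User-Agent strings are the ones named in the answer. Following the author's caveat that the User-Agent is a weaker indicator than the URL, a User-Agent-only or host-only match is rated medium and the exact C&C URL high.

```python
"""Flag the Lab 6-2 network indicators in proxy log lines (added example)."""
import re
from urllib.parse import urlparse

# Indicators taken from the write-up above.
C2_URL = "http://www.practicalmalwareanalysis.com/cc.htm"
C2_HOST = "www.practicalmalwareanalysis.com"
MALWARE_USER_AGENT = "Internet Explorer 7.5/pma"

# Constructed sample log (assumed layout):
#   timestamp client_ip method url status "user_agent"
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200 "Mozilla/5.0"
2024-01-01T10:00:02Z 10.0.0.7 GET http://www.practicalmalwareanalysis.com/cc.htm 301 "Internet Explorer 7.5/pma"
2024-01-01T10:00:03Z 10.0.0.9 GET http://www.example.org/news 200 "Internet Explorer 7.5/pma"
2024-01-01T10:00:04Z 10.0.0.5 GET http://www.practicalmalwareanalysis.com/other 404 "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def classify_line(line):
    """Return a hit dict for one log line, or None if nothing matched."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # malformed line: ignore rather than guess
    ts, client, method, url, status, ua = m.groups()

    reasons = []
    if url == C2_URL:
        reasons.append("exact C2 URL")
    elif urlparse(url).hostname == C2_HOST:
        reasons.append("C2 host")  # same domain, different path
    if ua == MALWARE_USER_AGENT:
        reasons.append("malware user-agent")
    if not reasons:
        return None

    # The URL is the strong indicator; the UA alone is only a lead.
    severity = "high" if "exact C2 URL" in reasons else "medium"
    return {
        "timestamp": ts,
        "client": client,
        "url": url,
        "status": int(status),
        "user_agent": ua,
        "reasons": reasons,
        "severity": severity,
    }


def scan_log(text):
    """Scan a whole log and return the list of hits in file order."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        hit = classify_line(line)
        if hit:
            hits.append(hit)
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["severity"], h["client"], h["url"], ", ".join(h["reasons"]))
```

On the sample log this yields three hits: the infected host that fetched cc.htm with the malware User-Agent (high), a host sending only the odd User-Agent (medium), and a host reaching a different path on the same domain (medium). Note that a 301 on the cc.htm request, as the author saw, still counts as a contact attempt and is flagged regardless of status.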

6. What is the purpose of this malware?

It connects to the C&C domain and I’m not sure what it’s supposed to do further from there, because I get a 301 response (probs the page is down by now), but the book says it receives commands from this domain and then goes to sleep, so probably that.
