Lab 1-2

Analyze the file Lab01-02.exe.

Questions

  1. Upload the Lab01-02.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
    • NO
  2. Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
    • It is packed with UPX, but we were able to unpack it using CFF Explorer's built-in function.
  3. Do any imports hint at this program’s functionality? If so, which imports are they and what do they tell you?
    • This program opens a URL using InternetOpenUrlA. It checks for a single running instance (so the program should run just once). CreateServiceA is probably a persistence mechanism; OpenSCManagerA is used to manage services in general.
  4. What host- or network-based indicators could be used to identify this malware on infected machines?
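The packing indicators behind the answer to question 2, as an added example that is not part of the lab write-up: a small Python script that parses the PE section table directly and reports the two usual signs of a UPX-packed sample, the packer's default section names (UPX0/UPX1) and near-maximum entropy in the section holding the compressed payload. Since Lab01-02.exe itself is not included here, the script runs against a constructed stand-in image; the 7.0 bits/byte threshold is a conventional triage value, not something the write-up states.

```python
import math
import struct
from collections import Counter
# Added example (not from the lab write-up): a minimal packing-triage check for a PE file.
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # default names written by the UPX packer
HIGH_ENTROPY = 7.0  # bits per byte; compressed or encrypted data sits near the 8.0 maximum

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for empty or constant data, 8.0 for uniform bytes."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def pe_sections(pe: bytes):
    """Yield (name, raw_size, entropy) for every section header in a PE image."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, opt_size = struct.unpack_from("<H12xH", pe, coff + 2)  # NumberOfSections, SizeOfOptionalHeader
    table = coff + 20 + opt_size  # the section table follows the optional header
    for i in range(num_sections):
        hdr = pe[table + 40 * i:table + 40 * (i + 1)]  # IMAGE_SECTION_HEADER is 40 bytes
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)  # SizeOfRawData, PointerToRawData
        yield hdr[:8].rstrip(b"\0"), raw_size, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])

def packing_indicators(pe: bytes) -> list:
    """Return the reasons to suspect packing; an empty list means none were found."""
    reasons = []
    for name, size, ent in pe_sections(pe):
        if name in UPX_SECTION_NAMES:
            reasons.append(f"section {name.decode()} uses a UPX default name")
        if size and ent > HIGH_ENTROPY:
            reasons.append(f"section {name.decode()} has entropy {ent:.2f} (> {HIGH_ENTROPY})")
    return reasons

def build_sample_pe() -> bytes:
    """Constructed stand-in for Lab01-02.exe: a bare PE with a UPX-style section and a plain code stub."""
    packed = bytes(range(256)) * 4  # uniform byte distribution, entropy 8.0, like a compressed payload
    stub = b"\x90" * 512            # NOP sled, entropy 0.0, like an ordinary small code section
    data_off = 0x40 + 4 + 20 + 80   # DOS header, "PE\0\0", COFF header, two 40-byte section headers
    hdrs = struct.pack("<8sIIII", b"UPX1", len(packed), 0x1000, len(packed), data_off) + b"\0" * 16
    hdrs += struct.pack("<8sIIII", b".text", len(stub), 0x2000, len(stub), data_off + len(packed)) + b"\0" * 16
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at offset 0x3C points at "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)  # i386, 2 sections, SizeOfOptionalHeader 0
    return dos + b"PE\0\0" + coff + hdrs + packed + stub

if __name__ == "__main__":
    print("\n".join(packing_indicators(build_sample_pe())) or "no packing indicators")
```

Point `packing_indicators` at the bytes of a real file to triage it; a UPX-packed sample typically flags on both checks, while a benign unpacked build flags on neither.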