Lab 7-2

Analyze the malware found in the file Lab07-02.exe.

Questions

  1. How does this program achieve persistence?
    • It doesn't: nothing is written to the registry or the file system and no service is installed; the program runs once and exits
  2. What is the purpose of this program?
    • Open a web page (the ad.html URL found in the strings) through a COM object rather than through a direct network call
  3. When will this program finish executing?
    • Right after the navigation call returns; nothing keeps it running, so it exits as soon as the page has been opened

But first, static analysis with PEStudio:

  1. File is not packed; PEiD shows no packer signature
    • sections look normal (sensible names, raw size close to virtual size, readable strings and imports)
  2. Libraries:
    • it imports ole32.dll, so it most likely uses COM (instantiating objects, not loading files)
  3. Imports:
    • exit
    • the OLE/COM functions (OleInitialize, CoCreateInstance): the program creates a COM object and calls methods on it
  4. Strings:
    • a URL ending in ad.html, the only string that hints at what the program does

So perhaps the malware:

  1. Opens that ad.html page through a COM object
  2. Exits

By using IDA:

  • yes, we see OleInitialize and CoCreateInstance
    • CoCreateInstance takes two GUIDs from .rdata: the CLSID of the object to create and the IID of the interface to return; look them up under HKCR\CLSID and HKCR\Interface to name them (here InternetExplorer.Application and IWebBrowser2)
    • the interface pointer it returns is not called by name: the code loads the vtable through that pointer and does an indirect call, call dword ptr [reg+2Ch], so no function name appears in the disassembly
    • 0x2C / 4 = 11, i.e. the 12th vtable entry (zero-based); in IWebBrowser2 that is Navigate, so the program tells Internet Explorer to open the URL
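As an added worked example (not part of the original lab notes), here are the two lookups the last bullet relies on: decoding the GUID bytes IDA shows in .rdata into the registry-style string, and mapping the displacement of the indirect call to a method name. The GUID bytes are constructed here from the values documented for this lab rather than read from the file, and the vtable list is only the start of IWebBrowser2 as declared in exdisp.h.

```python
import uuid

# Raw GUID bytes as they sit in Lab07-02.exe's .rdata, the two arguments
# pushed before CoCreateInstance. Constructed here from the known values so
# the script runs offline; in practice copy them out of IDA's hex view.
CLSID_BYTES = bytes.fromhex("01df020000000000c000000000000046")
IID_BYTES = bytes.fromhex("61160cd3afcdd0118a3e00c04fc9e26e")

# Names for the two GUIDs, as found under HKCR\CLSID and HKCR\Interface.
KNOWN_GUIDS = {
    "{0002DF01-0000-0000-C000-000000000046}": "CLSID_InternetExplorer (InternetExplorer.Application)",
    "{D30C1661-CDAF-11D0-8A3E-00C04FC9E26E}": "IID_IWebBrowser2",
}

# Start of the IWebBrowser2 vtable in declaration order: the three IUnknown
# methods, the four IDispatch methods, then IWebBrowser's own methods.
# Only the first entries are listed; the real interface has many more.
IWEBBROWSER2_VTABLE = [
    "QueryInterface", "AddRef", "Release",                         # IUnknown
    "GetTypeInfoCount", "GetTypeInfo", "GetIDsOfNames", "Invoke",  # IDispatch
    "GoBack", "GoForward", "GoHome", "GoSearch", "Navigate",       # IWebBrowser
    "Refresh", "Refresh2", "Stop",
]


def guid_from_memory(raw: bytes) -> str:
    """Decode a 16-byte GUID from its in-memory layout into registry form.

    Data1 (DWORD), Data2 (WORD) and Data3 (WORD) are stored little-endian,
    Data4 (8 bytes) is stored as-is, which is why the hex view reads
    "backwards" compared with the {XXXXXXXX-XXXX-...} string.
    """
    if len(raw) != 16:
        raise ValueError("a GUID is exactly 16 bytes")
    return "{%s}" % str(uuid.UUID(bytes_le=raw)).upper()


def identify_guid(raw: bytes) -> str:
    """Return a name for the GUID if it is one we know, else 'unknown'."""
    return KNOWN_GUIDS.get(guid_from_memory(raw), "unknown")


def vtable_method(offset: int, vtable=IWEBBROWSER2_VTABLE, ptr_size: int = 4) -> str:
    """Map the displacement of 'call dword ptr [reg+offset]' to a method name.

    ptr_size is 4 for a 32-bit PE; use 8 for x64, where the same method
    sits at twice the displacement.
    """
    if offset < 0 or offset % ptr_size:
        raise ValueError("offset 0x%x is not a %d-byte vtable slot" % (offset, ptr_size))
    index = offset // ptr_size
    if index >= len(vtable):
        raise IndexError("slot %d is past the part of the vtable listed here" % index)
    return vtable[index]


if __name__ == "__main__":
    for label, raw in (("CLSID", CLSID_BYTES), ("IID", IID_BYTES)):
        print(label, guid_from_memory(raw), "->", identify_guid(raw))
    # The indirect call the disassembly shows after CoCreateInstance.
    print("call dword ptr [reg+2Ch] ->", vtable_method(0x2C))
```

The same two steps work for any COM-using sample: decode the GUIDs passed to CoCreateInstance, name the interface, then index its vtable with displacement / pointer size to recover which method the indirect call invokes.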