Forum Discussion

kevinh's avatar
kevinh
Icon for Bronze II rankBronze II
9 days ago
Solved

Practical Malware Analysis: Static Analysis question 18

for finding the exact name of the executable file. 

After dynamically overriding the function as shown in the briefing

I cant seem to find any meaningful creation of the filename matching the patter provided in sprintf.

I am wondering if I should be overriding a different function? as I cant seem to find any meaningful leads when searching for references or traveling to the next data.

I also cant seem to find any leads from searching specifically for local_104 and unaff_EDI references as well.

 

defensive cyber
help & support
immersive labs
  • CyberSharpe's avatar
    CyberSharpe
    18 hours ago

    You're seeing Microsoft Security Centre in your string. You want a file name that is trying to mimic Security Centre... famously in WannaCry.

    Its also right in your C code you posted. Use the first 4 letters of that in strings and I bet you have the file name.

3 Replies

Sort By
  • netcat's avatar
    netcat
    Icon for Silver I rankSilver I
    6 days ago

    The question is "What is the exact name of the executable file this malware adopts", and I can't see how this could be related to sprintf. The solution is right under your nose.

    • kevinh's avatar
      kevinh
      Icon for Bronze II rankBronze II
      2 days ago

      for some reason typing in the variations of "s_%s_%s_security_00431330" does not seem to do anything? sprintf overriding is based on the brief to get the more accurate binary information. but the contents and variables directly from the sprintf seems to be wrong. where should I be going from the analyzing the function call, as the variables found are displayed as incorrect?

  • CyberSharpe's avatar
    CyberSharpe
    Icon for Bronze III rankBronze III
    18 hours ago

    You're seeing Microsoft Security Centre in your string. You want a file name that is trying to mimic Security Centre... famously in WannaCry.

    Its also right in your C code you posted. Use the first 4 letters of that in strings and I bet you have the file name.