Practical Malware Analysis: Static Analysis

Question

I am stuck with question 12th and 20th of this lab .Could you please help.

12.What's the new name of the variable that references InternetOpenURL after changing the function signature? (Hint: The original name was iVar2).

20. What native Microsoft service is this malware trying to masquerade as with a legitimate seeming name and a reference to a file path that can be used for persistence? (Hint: Review the briefing panel for information on how to override a function signature.)

jamesstammers · Answer

Hello,So for Q.12, before you change the function signatures, the decompiler will read:iVar2 = InternetOpenURL..... etc.After you've followed the instructions in the briefing panel, it will change to read:&lt;something&gt; = InternetOpenUrl......For Q.20, once you have found the correct function from the previous questions, follow the last bit of information in the briefing panel and copy it on a different function signature within that same function (albeit very similar to the example in the brief!). Look for any legitimate sounding executable names.Hope that helps!

Forum Discussion

Practical Malware Analysis: Static Analysis

1 Reply

Featured Places

Help & Support Forum

Related Content

Practical Malware Analysis: Static Analysis question 18

Practical Malware Analysis: Static Analysis question 19

Practical Malware Analysis: .NET Encryption and Encoding

Malicious Document Analysis: Dropper Analysis

Help with "Log Analysis: Web Log Analysis"

Recent Discussions

Radare2 Reverse Engineering: Ep.2 – Windows Binary Part 2

ICS Malware: Triton - unpack trilog.exe

Privilege Escalation: Windows – Automated Enumeration

Web App Hacking (Lab series): CVE-2022-42889 (Text4Shell) – Offensive

FIN7 Threat Hunting with Splunk: Ep.3 – Execution Logs