Practical Malware Analysis: Static Analysis

Question

I am stuck with question 12th and 20th of this lab .Could you please help.

12.What's the new name of the variable that references InternetOpenURL after changing the function signature? (Hint: The original name was iVar2).

20. What native Microsoft service is this malware trying to masquerade as with a legitimate seeming name and a reference to a file path that can be used for persistence? (Hint: Review the briefing panel for information on how to override a function signature.)

jamesstammers · Answer

Hello,So for Q.12, before you change the function signatures, the decompiler will read:iVar2 = InternetOpenURL..... etc.After you've followed the instructions in the briefing panel, it will change to read:&lt;something&gt; = InternetOpenUrl......For Q.20, once you have found the correct function from the previous questions, follow the last bit of information in the briefing panel and copy it on a different function signature within that same function (albeit very similar to the example in the brief!). Look for any legitimate sounding executable names.Hope that helps!

Forum Discussion

Practical Malware Analysis: Static Analysis

Related Content

Practical Malware Analysis: .NET Encryption and Encoding

Malicious Document Analysis: Dropper Analysis

Malware Analysis: Shlayer

Malicious Document Analysis: Dropper Analysis

Foundational Static Analysis: Analyzing Structures

Recent Discussions

Zeek Ep 4 Scripting

Malware Analysis: Shlayer

Web Log Analysis: Ep.5 – Searching Web Server Logs using Linux CLI

Introduction to Detection Engineering: Ep.5 – Custom Alerting

Re: Cross-Site Scripting: Ep.6 – Further Exploitation