27 Aug

1- However, opening the file in Cerbero Profiler highlights that the file contains a binary resource which has an MZ header (executable). Let's extract the resource and re-analyze it with VirusTotal and PEiD.

2- As of 25th Jan 2016 there was a 45/53 antivirus detection ratio for resource.exe.

3- PEiD did not suggest that the extracted binary is packed. IDA Pro's imports table looks legitimate as well. To answer when the binary was compiled we can use Cerbero Profiler again to check.

4- From the above we can see that Lab01-04.exe's compile date/time is fake. But the resource binary's datetime stamp might be the real deal.

5- The ADVAPI32 library allows us to gain higher privileges so as to facilitate some of the function calls later. The Kernel32 library in this case allows us to load libraries, execute applications, write files to disk and access resources.

6- The above screenshot shows that the malware is attempting to increase its privileges to SeDebugPrivilege. Once adjusted, it begins calling sfc_os.dll's 2nd ordinal function, which is the CloseFileMapEnumeration function.

7- We can find out more details on what this function can do here… In a nutshell, it is trying to disable the write protection that winlogon is providing. Once the protection is disabled, the malware moves the file "<windows directory>\system32\wupdmgr.exe" to "<temp>\winup.exe". It then reads its own resource #101 and writes it out as a file at "<windows directory>\system32\wupdmgr.exe". The malware then executes this freshly written binary using WinExec.

8- There are only 4 imports of interest here:
URLDownloadToFileA; downloads a file from a given URL to the victim's machine
GetWindowsDirectoryA; gets the Windows directory of the victim's machine
GetTempPathA; gets the path of the directory designated for temporary files
WinExec; runs a command/application
From the above import functions, we can make an educated guess that the malware is attempting to download another binary from a URL into either the victim's temp directory or Windows directory and execute it.

9- The disassembled code simply executes an exe located in "<temp path>\winup.exe", where temp path refers to the temporary folder specified in the environment variables. It then attempts to download another exe from http://www.practicalmalwareanalysis.com/updater.ex… and save it in "<windows directory>\system32\wupdmgrd.exe". It then executes this exe via WinExec.

10- The solutions to questions 4 and 5 would have answered this question. A lot of malware uses these techniques to drop malicious executables on the victim's machine. There are various forms of payload hidden in the dropper. Some are in the form of images (hidden via stego) while some are just pure address offsets. Encryption/encoding such as RC4/XOR/Base64 is commonly used in droppers as well. What is interesting in this exercise is probably the technique to disable Windows File Protection using user code.
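The two triage steps the write-up performs by hand (spotting an embedded MZ-header payload inside the dropper and noticing that the carrier's compile timestamp is forged while the payload's looks real) can be automated. The script below is an added example written for this page, not code from the write-up or from Cerbero Profiler/PEiD; it uses only the standard library rather than pefile. It goes slightly beyond the text: instead of walking the .rsrc directory it scans the whole buffer for valid MZ/PE header pairs, so payloads in overlays or appended data are found too. The sample it runs on is a constructed pair of header-only stubs with made-up timestamps (they have no sections or code and cannot execute); the reference "now" is 25 Jan 2016, the date of the VirusTotal check in the text.

```python
import struct
from datetime import datetime, timezone

PE_SIG = b"PE\0\0"
# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"


def parse_pe_at(data, off):
    """Return header facts for a PE image starting at `off`, or None if no valid MZ/PE pair is there."""
    if off + 0x40 > len(data) or data[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    pe = off + e_lfanew
    # e_lfanew beyond a few KB is implausible for a real image; also guard the COFF header read
    if e_lfanew > 0x1000 or pe + 4 + 20 > len(data) or data[pe:pe + 4] != PE_SIG:
        return None
    machine, nsect, ts, _, _, _, chars = struct.unpack_from(COFF_FMT, data, pe + 4)
    return {"offset": off, "machine": machine, "sections": nsect,
            "timestamp": ts, "characteristics": chars}


def find_embedded_pe(data):
    """Every valid PE header at a non-zero offset, i.e. images carried inside the outer file."""
    found, pos = [], data.find(b"MZ", 1)
    while pos != -1:
        info = parse_pe_at(data, pos)
        if info is not None:
            found.append(info)
        pos = data.find(b"MZ", pos + 1)
    return found


def timestamp_verdict(ts, now):
    """Classify a COFF TimeDateStamp against a reference time (seconds since the Unix epoch)."""
    if ts == 0:
        return "zero (stripped)"
    if ts > now:
        return "in the future (likely forged)"
    return "plausible"


def analyze(data, now):
    """Carrier verdict plus (offset, verdict) for each embedded image."""
    outer = parse_pe_at(data, 0)
    if outer is None:
        raise ValueError("not a PE file")
    return {
        "carrier": timestamp_verdict(outer["timestamp"], now),
        "embedded": [(e["offset"], timestamp_verdict(e["timestamp"], now))
                     for e in find_embedded_pe(data)],
    }


def build_stub_pe(timestamp, pad=0):
    """Constructed test data: a header-only PE image (DOS header + signature + COFF header).
    It has no sections or code and cannot run; it exists only to exercise the scanner."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew -> right after the DOS header
    coff = struct.pack(COFF_FMT, 0x14C, 0, timestamp, 0, 0, 0, 0x0102)  # i386, no sections, EXE
    return bytes(dos) + PE_SIG + coff + b"\0" * pad


# Constructed sample: a carrier with a forged (future) stamp wrapping a payload with an older one,
# mirroring what the write-up observed for Lab01-04.exe and its resource.
NOW = 1_453_680_000          # 25 Jan 2016 00:00 UTC, the date of the VirusTotal check in the text
CARRIER_TS = 1_900_000_000   # constructed: year 2030, i.e. after NOW
PAYLOAD_TS = 1_300_000_000   # constructed: March 2011
SAMPLE = build_stub_pe(CARRIER_TS, pad=32) + build_stub_pe(PAYLOAD_TS)


def fmt_ts(ts):
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    outer = parse_pe_at(SAMPLE, 0)
    print(f"carrier  : stamp {fmt_ts(outer['timestamp'])} -> {timestamp_verdict(outer['timestamp'], NOW)}")
    for e in find_embedded_pe(SAMPLE):
        print(f"embedded : offset {e['offset']:#x} stamp {fmt_ts(e['timestamp'])} -> "
              f"{timestamp_verdict(e['timestamp'], NOW)}")
```

On the constructed sample the carrier is reported as forged and one embedded image is found at offset 0x78 with a plausible stamp. Run on a real dropper, a "future" or zero carrier stamp next to an older embedded stamp is the same signal the write-up read off Cerbero Profiler; a `.rsrc` walk would tell you which resource ID holds the payload, but the raw scan is enough to know it is there and to carve it for separate analysis.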