C:\Users\Administrator\Desktop\Practical Malware Analysis Labs\BinaryCollection\Chapter_1L
There are only a few strings, and they call only a few ordinary Windows API commands, as shown below.
These strings aren't from the malware--they are from the UPX packer, as we will show below.
These are section names produced by the UPX packer.
You see a UPX help message, as shown below:
Execute these commands to move to the directory containing the malware samples, and list the files there:
You see several malware samples, including Lab01-02.exe, as shown below:
cd "\Users\Administrator\Desktop\Practical Malware Analysis Labs\BinaryCollection\Chapter_1L"
Execute these commands to unpack the file, and list the files again:
The unpacked file is much larger than the original file, as shown below:
UPX -d -o Lab01-02-unpacked.exe Lab01-02.exe
Analyze the unpacked file with PEiD. It now is regognized as a "Microsoft Visual C++ 6.0" file, as shown below.
The imports from KERNEL32.DLL, ADVAPI32.DLL, and MSVCRT.DLL are uninformative generic functions used by almost every program.
However, the WININET.DLL imports are InternetOpenUrlA and InternetOpenA, as shown below. This indicates that the malware connects to a URL.
You should see the API names InternetOpenURLA and InternetOpenA, and the Command-and-Control URL http://www.malwareanalysisbook.com, as shown below.
These suggest that infected machines will connect to http://www.malwareanalysisbook.com. The name of the running service, MalService, is also visible.
The last string is covered by a green box in the image above. That's the flag.
Ignore everything except the primary packer name, which consists of three capital letters. That's the flag.