2. Unpacking

• A Windows computer (real or virtual) with an Internet connection
• Recommended: the textbook: "Practical Malware Analysis"

Purpose

This project follows Lab 1-2 in the textbook. There are more detailed solutions in the back of the book.

VirusTotal

Examining the Strings in Lab01-02.exe with BinText

There are only a few strings, and they call only a few ordinary Windows API commands, as shown below.

These strings aren't from the malware--they are from the UPX packer, as we will show below.

Examining the File with PEiD

Examining the File with PEview

These are section names produced by the UPX packer.

Unpacking the File with UPX

UPX

Execute these commands to move to the directory containing the malware samples, and list the files there:

cd "\Users\Administrator\Desktop\Practical Malware Analysis Labs\BinaryCollection\Chapter_1L"

DIR

Execute these commands to unpack the file, and list the files again:

UPX -d -o Lab01-02-unpacked.exe Lab01-02.exe

DIR

Analyze the unpacked file with PEiD. It now is regognized as a "Microsoft Visual C++ 6.0" file, as shown below.

Turn in the image showing your analysis of Lab01-02-unpacked.exe as shown below.

We will grade it based on the "First Bytes".

Save this image with the filename "Proj 2b from YOUR NAME".

Imports

The imports from KERNEL32.DLL, ADVAPI32.DLL, and MSVCRT.DLL are uninformative generic functions used by almost every program.

However, the WININET.DLL imports are InternetOpenUrlA and InternetOpenA, as shown below. This indicates that the malware connects to a URL.

Strings

You should see MalService and http://www.malwareanalysisbook.com as shown below.

These suggest that infected machines will connect to http://www.malwareanalysisbook.com and will show a running service named MalService.