Practical Malware Analysis — Chapter 1 — Lab 1–3 — Solution

Kamran Saifullah
2 min read · Aug 29, 2019

By now we have analyzed two executables using basic static analysis techniques. Now we move on to the third. The technique is the same; we are only practising the skills we have learned so far.

Let’s analyze it via VirusTotal.

VirusTotal flags the file as malicious. Next, let's fingerprint it on our own system by computing its hashes.

The hashes match the ones VirusTotal reports, so we are looking at the same sample. Now we need to check whether the file is packed.

The executable is packed with FSG 1.0. Let's run strings on it anyway and see whether any clue about its purpose survives the packing.

The only API names that show up are LoadLibraryA and GetProcAddress, alongside KERNEL32.DLL and MSVCRT.DLL. That is the classic sign of a packed file: the unpacking stub uses those two functions to resolve the real program's imports at runtime, so the original import table is not visible to static analysis.

The strings give no clue about which functions the program actually imports. Let's run Dependency Walker to see what the import table contains.

Dependency Walker shows the same two functions and nothing more. Obviously this is not enough to tell what the program does.
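The steps above (fingerprinting, checking for packing, running strings, reviewing the imports) can be scripted. The following is an added example, not code from the book or from this post, that performs the same triage on any PE file using only the Python standard library: it hashes the file, walks the section table, measures per-section entropy, pulls printable strings, and flags the "only LoadLibraryA and GetProcAddress" pattern. The sample PE it builds is constructed here as a stand-in for an FSG-packed binary and is not Lab01-03.exe; the section names .packed and .data, the 7.0 bits/byte entropy threshold, and the string-based import heuristic are my own choices, and a string scan only approximates what Dependency Walker reads from the real import table.

```python
import hashlib
import math
import re
import struct
from collections import Counter

MIN_STRING_LEN = 4      # same floor as the `strings` default
HIGH_ENTROPY = 7.0      # bits per byte; compressed/encrypted code sits near 8 (assumed threshold)
LOADER_APIS = {"LoadLibraryA", "GetProcAddress"}


def fingerprint(data: bytes) -> dict:
    """Hashes to compare against VirusTotal (or to search there instead of uploading)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is uniformly random, plain x86 code is usually 5 to 6.5."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> list:
    """Printable-ASCII runs of at least min_len bytes, like `strings -n 4`."""
    return [m.group().decode("ascii") for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def parse_sections(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size   # 4-byte signature + 20-byte COFF header + optional header
    sections = []
    for i in range(num_sections):
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
        })
    return sections


def packing_indicators(data: bytes) -> list:
    """Reasons this file looks packed, in the terms the chapter uses."""
    reasons = []
    # Approximation of the import check: real import names live in the import table
    # (what Dependency Walker reads); here we only look for PascalCase API-like strings.
    api_like = {s for s in extract_strings(data) if re.fullmatch(r"[A-Z][A-Za-z0-9]{5,}", s)}
    if LOADER_APIS <= api_like and len(api_like - LOADER_APIS) <= 3:
        reasons.append("only LoadLibraryA/GetProcAddress look like imports: stub resolves the rest at runtime")
    for s in parse_sections(data):
        if s["entropy"] >= HIGH_ENTROPY:
            reasons.append(f"section {s['name']} entropy {s['entropy']}: compressed or encrypted contents")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            reasons.append(f"section {s['name']} has 0 raw bytes but {s['virtual_size']:#x} virtual: unpacking target")
    return reasons


def triage(data: bytes) -> dict:
    return {"hashes": fingerprint(data), "sections": parse_sections(data),
            "strings": extract_strings(data), "packed_because": packing_indicators(data)}


def build_sample_pe() -> bytes:
    """Constructed stand-in for an FSG-packed file (NOT Lab01-03.exe): a stub naming only the two
    loader APIs, a high-entropy payload, and an empty section reserved for the unpacked code."""
    stub = b"KERNEL32.dll\0LoadLibraryA\0GetProcAddress\0MSVCRT.dll\0"
    # Deterministic high-entropy filler drawn only from non-printable bytes, so the
    # only strings in the file are the ones the stub deliberately carries.
    alphabet = bytes(range(0x80, 0x100)) + bytes(range(0x00, 0x20))
    payload = bytes(alphabet[(i * 37) % len(alphabet)] for i in range(3200))
    body, raw_off = stub + payload, 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections
    opt = struct.pack("<H", 0x10B) + b"\0" * 0xDE                                  # PE32 magic, rest zeroed
    sec = "<8sIIIIIIHHI"
    sec1 = struct.pack(sec, b".packed", 0x1000, 0x1000, len(body), raw_off, 0, 0, 0, 0, 0xE0000020)
    sec2 = struct.pack(sec, b".data", 0x8000, 0x2000, 0, 0, 0, 0, 0, 0, 0xC0000080)
    return (dos + coff + opt + sec1 + sec2).ljust(raw_off, b"\0") + body


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    report = triage(blob)
    for alg, digest in report["hashes"].items():
        print(f"{alg:>6}: {digest}")
    for s in report["sections"]:
        print(f"section {s['name']:<8} raw={s['raw_size']:#7x} virt={s['virtual_size']:#7x} entropy={s['entropy']}")
    print("strings:", ", ".join(report["strings"]))
    print("packed?", "yes" if report["packed_because"] else "no clear sign")
    for why in report["packed_because"]:
        print("  -", why)
```

Run it as `python triage.py Lab01-03.exe` to get the hashes, section table and packing verdict in one go; with no argument it analyzes the constructed sample. The three indicators it reports are the ones the chapter teaches to look for by hand: a near-empty import list, sections whose contents are too random to be plain code, and a section that is empty on disk but large in memory, which is where the stub writes the unpacked program.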

NOTE: We leave this lab here, because the executable has to be unpacked manually before it can be analyzed further. We will return to it when we learn about unpacking executables at the end of the book.

Kamran Saifullah

Malware/RE/Firmware Analysis, App Sec/Off Sec, VAPT, Phishing Simulations/SE | Risk Management, IS Governance, Audits, ISO 27001 LI