Project Part 3: Analyzing Malicious Windows Programs
What you need:
A Windows machine, real or virtual, with IDA Pro installed.
Refer to the Lab 7-1 instructions and solutions in chapter 7 of the “Practical Malware Analysis” textbook.
Purpose
You will practice the techniques in chapter 7.
You should already have the lab files, but if you don’t, do this:
Downloading the Lab Files
In a Web browser, go here:
http://practicalmalwareanalysis.com/labs/
Download and unzip the lab files.
Downloading and Installing IDA Pro
In your Windows machine, open a Web browser and go to
https://www.hex-rays.com/products/ida/support/download_freeware.shtml
Download “IDA Freeware” and install it.
Analyzing the Malware
Follow the instructions for Lab 7-1 in the textbook. More detailed solutions are in the back of the book.
Open the file Lab07-01.exe in IDA Pro and analyze the malware it contains.
1. Answer all the questions (Q1 to Q6) found in Lab 7-1 in your own words.
2. This malware uses a function named StartAddress to perform a DDoS attack. When answering question 4 in Lab 7-1, you will find the user agent it uses to perform the attack and the URL it will attack.
Save a screen capture of the IDA Pro screen showing those two values, as shown below (with the important items grayed out).
3. You will see these features:
A persistence mechanism
A mutex
A host-based signature
A network-based signature
Explain the above terms briefly in the context of this lab assignment.
Deliverables:
Please complete all steps described in this document and submit the lab report on Canvas.
Make sure to capture screenshots for all steps and paste them into your lab report (Word document).
Computer Security Lab