
Sheema

BSE153006

Assignment 1

Malware analysis

Task 1

-> Through Strings

--> Lab 1 (not packed)

CloseHandle (closes an open object, e.g. a communication device, event, file, process, socket, thread,
token, etc., so the object is removed from the system after this)

UnmapViewOfFile (unmaps a mapped view of a file from the address space of a process and makes the space
available for other allocations)

IsBadReadPtr (used with pointers; it verifies that the calling process has read access
to a specified range of memory)

MapViewOfFile (maps a view of a file into memory and makes the contents of the file accessible via
memory addresses)

CreateFileMappingA (creates or opens a named or unnamed file mapping object for a specified file)

CreateFileA(Creates or opens a file or I/O device. The most commonly used I/O devices are as
follows: file, file stream, directory, physical disk, volume, console buffer, tape drive,
communications resource, mailslot, and pipe. The function returns a handle that can be used to
access the file or device for various types of I/O depending on the file or device and the flags
and attributes specified.)

FindClose(This function closes the file search handle.)

FindNextFileA (the FindNextFile function continues a file search from a previous call to
the FindFirstFile function)

FindFirstFileA (the FindFirstFile function searches a directory for a file whose name
matches the specified filename. It opens a search handle and returns information about
the first file whose name matches the specified pattern. Once the search handle is
established, you can use the FindNextFile function to search for other files that match
the same pattern. When the search handle is no longer needed, close it by using the
FindClose function.)

CopyFileA (copies an existing file to a new file)

--> lab01.dll

CloseHandle (closes an open object, e.g. a communication device, event, file, process, socket, thread,
token, etc., so the object is removed from the system after this)

Sleep (places a thread or a process into an inactive state for a period of time, until the time-out
period elapses)

CreateProcessA (creates a new process and its primary thread)

CreateMutexA (creates or opens a named or unnamed mutex object. A mutex is a Win32
kernel object that enables any thread in the system to acquire mutually
exclusive ownership of a resource. A mutex can therefore be used to
synchronize access to a resource between threads belonging to different
processes.)

OpenMutexA (opens an existing named mutex object)

Free (releases a chunk of dynamically allocated memory from the heap region of the process
address space)

Exec (replaces the previous executable with itself and runs in the context of the previously
existing file)

Sleep (places a thread or a process into an inactive state for a period of time, until the time-out
period elapses)
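The strings pass above was done by hand with a strings tool; the script below is an added example (not part of this assignment or of the lab files) that automates the same step. It extracts printable ASCII and UTF-16LE runs from a binary and groups any of the Task 1 API names it finds by the behaviour they hint at. The sample bytes, the category labels and the minimum string length are assumptions constructed for the demonstration.

```python
"""Added example, not from the assignment: a minimal `strings`-style scanner that
pulls printable ASCII and UTF-16LE runs out of a binary blob and groups the Win32
API names listed in Task 1 by what they suggest. The sample bytes are constructed
here; they are not taken from the lab files."""
import re
from collections import defaultdict

MIN_LEN = 4  # GNU strings' default minimum length; 4 still catches a short name like "exit"

# API names from the Task 1 write-up, grouped by the behaviour they hint at (labels are ours)
API_CATEGORIES = {
    "file I/O": {"CreateFileA", "CopyFileA", "CreateFileMappingA", "MapViewOfFile", "UnmapViewOfFile"},
    "directory search": {"FindFirstFileA", "FindNextFileA", "FindClose"},
    "process control": {"CreateProcessA", "Sleep"},
    "mutex (often an infection marker)": {"CreateMutexA", "OpenMutexA"},
    "handles / memory checks": {"CloseHandle", "IsBadReadPtr"},
}
API_LOOKUP = {name: cat for cat, names in API_CATEGORIES.items() for name in names}


def extract_strings(data: bytes, min_len: int = MIN_LEN) -> list:
    """Return ASCII and UTF-16LE strings of at least min_len characters, in file order."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)  # printable low byte, NUL high byte
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in wide_re.finditer(data)]
    return [s for _, s in sorted(found, key=lambda t: t[0])]


def flag_apis(strings) -> dict:
    """Map each watch-list category to the API names that appeared, keeping file order."""
    hits = defaultdict(list)
    for s in strings:
        cat = API_LOOKUP.get(s)
        if cat and s not in hits[cat]:
            hits[cat].append(s)
    return dict(hits)


# Constructed stand-in for a binary: header bytes, an import-name region, a wide path, noise.
SAMPLE = b"".join([
    b"MZ\x90\x00\x03\x00\x00\x00",
    b"\x00KERNEL32.dll\x00",
    b"\x00CreateFileA\x00\x00CopyFileA\x00\x00FindFirstFileA\x00",
    b"\x00CreateMutexA\x00\x00Sleep\x00",
    b"\x00" + "C:\\Temp\\report.txt".encode("utf-16-le") + b"\x00\x00",
    b"\x01\x02\x03abc\x04",  # "abc" is shorter than MIN_LEN and is dropped
])

if __name__ == "__main__":
    strings = extract_strings(SAMPLE)
    print("strings:", strings)
    for cat, names in flag_apis(strings).items():
        print(f"{cat}: {', '.join(names)}")
```

To run it against a real sample, pass `open(path, "rb").read()` to `extract_strings`. A packed file will show almost none of these names, because only the unpacking stub's imports are visible in the file on disk; that is exactly what Task 2 observes.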

Task 2

First of all, this is unpacked malware, so first I will compress them all and
compare them.

At -1 level

String( LoadLibraryA,GetProcAddress,VirtualProtect,VirtualAlloc,VirtualFree,ExitProcess,exit)

At -2 level

String( LoadLibraryA,GetProcAddress,VirtualProtect,VirtualAlloc,VirtualFree,ExitProcess,exit)

At -3 level

String( LoadLibraryA,GetProcAddress,VirtualProtect,VirtualAlloc,VirtualFree,ExitProcess,exit)

At -4 level

String( LoadLibraryA,GetProcAddress,VirtualProtect,VirtualAlloc,VirtualFree,ExitProcess,exit)

And so the EntryPoint and Offset are also the same at each level, which means both are different but are
the same on each level.

Unpacking level by level

Unpacking -1 level (now in PEiD, EntryPoint and Offset are the same, which means that it is
unpacked now)

Unpacking -2 level (now in PEiD, EntryPoint and Offset are the same, which means that it is
unpacked now)

Unpacking -3 level (now in PEiD, EntryPoint and Offset are the same, which means that it is
unpacked now)

Unpacking -4 level (now in PEiD, EntryPoint and Offset are the same, which means that it is
unpacked now)
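The EntryPoint and File Offset values PEiD displays in Task 2 come straight from the PE header: AddressOfEntryPoint in the optional header, translated through the section table. The script below is an added example, not part of the assignment or of any tool, that computes both from a PE32 file and adds three rule-of-thumb packer indicators (UPX section names, a section with virtual size but no raw data, and an entry point outside the first section). The two images it analyses are constructed headers built by `build_pe`, not the lab files, and the indicators are assumptions about typical packer layouts rather than a signature database.

```python
"""Added example, not part of the assignment: read a PE32 header and work out
the values PEiD shows as EntryPoint (an RVA) and File Offset, plus a few
rule-of-thumb packer indicators. The two sample images are constructed from
scratch below; they are headers only, not the real lab files."""
import struct
from dataclasses import dataclass


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_pointer: int

    def contains(self, rva: int) -> bool:
        # A section's in-memory span is the larger of its virtual and raw sizes.
        return self.virtual_address <= rva < self.virtual_address + max(self.virtual_size, self.raw_size)


def parse_pe(data: bytes):
    """Return (AddressOfEntryPoint, [Section, ...]) from a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24                                    # optional header follows the 20-byte COFF header
    entry_rva, = struct.unpack_from("<I", data, opt + 16)  # AddressOfEntryPoint
    table = opt + opt_size                                 # section table follows the optional header
    sections = []
    for i in range(nsections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append(Section(name, vsize, vaddr, rsize, rptr))
    return entry_rva, sections


def analyze(data: bytes) -> dict:
    """Locate the entry point's section and file offset and collect packer hints (heuristics)."""
    entry_rva, sections = parse_pe(data)
    home = next((s for s in sections if s.contains(entry_rva)), None)
    hints = []
    if any(s.name.upper().startswith("UPX") for s in sections):
        hints.append("UPX section names")
    if any(s.raw_size == 0 and s.virtual_size > 0 for s in sections):
        hints.append("section with virtual size but no raw data")  # room reserved for unpacked code
    if home is not None and sections[0] is not home:
        hints.append("entry point outside the first section")
    return {
        "entry_rva": entry_rva,
        "entry_section": home.name if home else None,
        # PEiD's "File Offset": translate the RVA through its section's raw pointer
        "entry_file_offset": entry_rva - home.virtual_address + home.raw_pointer if home else None,
        "packer_hints": hints,
    }


def build_pe(entry_rva: int, sections) -> bytes:
    """Constructed minimal PE32 image: DOS header, PE signature, COFF header,
    zero-filled optional header with only AddressOfEntryPoint set, section table."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                                   # e_lfanew
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                                   # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", s.name.encode().ljust(8, b"\0"), s.virtual_size,
                    s.virtual_address, s.raw_size, s.raw_pointer, 0, 0, 0, 0, 0x60000020)
        for s in sections)
    return bytes(dos) + coff + bytes(opt) + table


# Constructed layouts: a typical compiler-built image and a UPX-style packed one.
UNPACKED = build_pe(0x1234, [Section(".text", 0x3000, 0x1000, 0x3000, 0x400),
                             Section(".rdata", 0x800, 0x4000, 0x800, 0x3400),
                             Section(".data", 0x400, 0x5000, 0x200, 0x3C00)])
PACKED = build_pe(0x9E00, [Section("UPX0", 0x8000, 0x1000, 0, 0x400),
                           Section("UPX1", 0x2000, 0x9000, 0x2000, 0x400),
                           Section(".rsrc", 0x200, 0xB000, 0x200, 0x2400)])

if __name__ == "__main__":
    for label, image in (("unpacked", UNPACKED), ("packed", PACKED)):
        r = analyze(image)
        print(f"{label}: EP={r['entry_rva']:#x} in {r['entry_section']} "
              f"file offset={r['entry_file_offset']:#x} hints={r['packer_hints']}")
```

Running `analyze(open(path, "rb").read())` on each packing level gives the same two numbers PEiD shows, so the level-by-level comparison in Task 2 can be scripted; the hint list is only a prompt to look closer, not proof of a packer.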
