Malware Analysis Lab 6: Advanced Static Analysis with an x86 Disassembler [1]
How you will be graded
Create a lab report with screenshots and analysis for each of the exercises below. For each exercise you must answer the following questions:
1. For this analysis, what malware analysis type, forensic technique and tool did you use?
2. Why do you perform this analysis?
3. What were your findings, and what is your analysis of them?
Name the lab report file ‘Lastname_MAL6 Lab Report’ and submit it to the Blackboard assignment ‘Malware Analysis Lab 6’.
• Malware Analysis Technique Category: Advanced Static Analysis (disassembly). IDA parses the DLL from disk and never executes it, so the sample does not run during this lab.
• Forensic Tool: IDA Pro Free v5.0
• Forensic Tool Vendor Site:
a. Vendor Site: https://www.hex-rays.com/
b. v5 Download: https://samsclass.info/126/proj/idafree50.exe (Download not required for this class)
• Forensic Tool Description: IDA Pro combines an interactive, programmable, multi-processor disassembler coupled to a local and remote debugger and augmented by a complete plugin programming environment. [2]
Lab Configuration Requirements
• VM: ‘Win2008-DC’ VM [3]
Note: The VM should already be available in VMware Workstation. If not, go to the file location below and follow the section titled ‘Setup ‘Win2008-DC’ VM’, step 2, ‘Open ‘Win2008-DC’ VM in VMware Workstation’.
File Location: ITN277LabFiles.iso\LabSetupInstructions\ITN277 Initial Lab Setup.pdf
• ISO: ITN27xLabFiles.iso [4]
• Forensic Tool Location: ‘Win2008-DC’ VM – C:\ProgramData\Microsoft\Windows\Start Menu\Programs\IDA Pro Free\IDA Pro Free
Note: The forensic tool should be preloaded in the VM. If not, run the following setup file inside the VM:
ITN27xLabFiles.iso\ForensicTools\IDA Pro Free v5\idafree50.exe
• Malware Lab Files: Practical Malware Analysis Labs\BinaryCollection\Chapter_5L\Lab05-01.dll
Note: The lab files should be on the desktop of the VM; if not, they are located in
To mount the ISO in the VM, follow these instructions:
a. In VMware Workstation, right-click the VM and click Settings.
b. Double-click ‘CD/DVD (IDE)’.
c. Select ‘Use ISO image file’ and point it to D:\YourName\LabSetupFiles\ITN27xLabFiles.iso
d. Make sure the ‘Connected’ box is checked.

[1] Lab source: https://samsclass.info/126/proj/p6-IDA.htm
[2] Source: https://www.hex-rays.com/products/ida/ida-executive.pdf
[3] VM source: https://drive.google.com/file/d/0B9d0eQ6GRR2jTXpOZ2lZbDFvdUk/view
[4] The ISO can be downloaded from Blackboard: ITN277 Course\Course Documents
Exercise 1. Finding the Address of DllMain
• Launch IDA Pro: click Start, type ‘IDA Pro’ in the search box, and open IDA Pro.
• Click OK. Click New. Click the “PE Dynamic Library” icon and click OK. Navigate to Lab05-01.dll and open it.
• In IDA Pro, click Windows, “Functions window”.
• Click the “Function name” header to sort by name and scroll to the top.
• Your image should show the location of DllMain, as shown below:
• Press the PrntScrn key to capture an image of the whole desktop.
• Open Paint and paste the image in with Ctrl+V.
Save a full-desktop image with the filename ‘PMAL6_E1_YOUR NAME’.
Exercise 2. Find the import for gethostbyname
In IDA Pro, click Windows, Imports. Click the Name header to sort by name. Find “gethostbyname” — note that capital letters and lowercase letters sort into separate groups.
Widen the Address column to make the entire address visible.
Your image should show the location of gethostbyname, as shown below:
Save a full-desktop image with the filename ‘PMAL6_E2_YOUR NAME’.
Exercise 3. Count Local Variables for the Subroutine at 0x10001656
• In IDA Pro, click Windows, “IDA View-A”. Press the SPACEBAR to switch to text view.
• Press g (Jump to address), enter 0x10001656 and click OK.
• Scroll up to show the comments IDA added to the start of the function, listing its local variables, as shown below:
Save a full-desktop image with the filename ‘PMAL6_E3_YOUR NAME’.
Exercise 4. Finding the Purpose of the Code that References cmd.exe /c
• In IDA Pro, click Windows, Strings. Make the window larger. Sort by String. Find the string “\cmd.exe /c” and double-click it. The function opens in text view, as shown below.
• In the line containing “\cmd.exe /c”, double-click the address to the right of “XREF”, as indicated by the red outline in the image below. This takes you from the string itself to the code that uses it.
• Press the SPACEBAR to switch to graph view, as shown below. “\cmd.exe /c” is used in the small block on the left.
• Drag the graph view down to see the blocks before it. About three boxes up you should find text beginning with “Hi, Master”, as shown below.
• Double-click aHiMasterDDDD to see the complete message. The purpose of the malware is clearly stated.
• Your image should show what the code is doing, as shown below. The purpose is behind the red rectangle in the image below.
Save a full-desktop image with the filename ‘PMAL6_E4_YOUR NAME’.
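The four exercises above can also be answered with a script, which is a useful way to check your screenshots and to repeat the same analysis on another sample. The IDC script below is an added example and is not part of this handout or of Practical Malware Analysis. It assumes Lab05-01.dll is already loaded in IDA (run it with File, ‘IDC File...’), uses the classic IDC API of IDA 5.x (LocByName, GetFrame, GetFrameLvarSize, GetStrucNextOff, FindBinary, DfirstB), and looks up only the names and the 0x10001656 address that the exercises themselves use. The __imp_ fallback for import names is an assumption about how other IDA versions label imports.

```idc
// lab6_checks.idc - added example, not part of the lab or of the PMA book.
// Reproduces Exercises 1-4 for the database currently open in IDA 5.x.
// IDAPython is not bundled with IDA Free 5.0, hence IDC.
#include <idc.idc>

// Exercise 1: DllMain is a named function, so a name lookup is enough.
static dllmain_address()
{
    return LocByName("DllMain");           // BADADDR if IDA did not name it
}

// Exercise 2: imports are named entries in .idata. Some IDA versions
// prefix them with __imp_ (assumption), so try the plain name first.
static import_address(name)
{
    auto ea;
    ea = LocByName(name);
    if (ea == BADADDR)
        ea = LocByName("__imp_" + name);
    return ea;
}

// Exercise 3: the stack frame is a structure. Members whose offset lies
// below the local-variable size are locals; saved registers, the return
// address and arguments follow them. Gaps in the frame have no name.
static count_locals(func_ea)
{
    auto frame, lvsize, off, nm, n;
    frame = GetFrame(func_ea);
    if (frame == -1)
        return -1;                          // not a function with a frame
    lvsize = GetFrameLvarSize(func_ea);
    n = 0;
    for (off = GetFirstMember(frame); off != -1 && off < lvsize;
         off = GetStrucNextOff(frame, off))
    {
        nm = GetMemberName(frame, off);
        if (nm != 0 && nm != "")
            n++;
    }
    return n;
}

// Exercise 4: find the ASCII text, then walk the data references back to
// the code that uses it (what double-clicking the XREF does in the GUI).
// Returns the number of referencing locations found.
static string_users(text)
{
    auto ea, x, n;
    n = 0;
    // A quoted token in FindBinary's pattern matches the ASCII bytes.
    ea = FindBinary(MinEA(), SEARCH_DOWN | SEARCH_CASE, "\"" + text + "\"");
    if (ea == BADADDR)
    {
        Message("%s: not found\n", text);
        return 0;
    }
    for (x = DfirstB(ea); x != BADADDR; x = DnextB(ea, x))
    {
        Message("%s at %08X is used by %s at %08X\n",
                text, ea, GetFunctionName(x), x);
        n++;
    }
    return n;
}

static main()
{
    Message("DllMain at %08X\n", dllmain_address());
    Message("gethostbyname import at %08X\n", import_address("gethostbyname"));
    Message("locals recognised in sub_10001656: %d\n", count_locals(0x10001656));
    string_users("cmd.exe /c");
}
```

Compare the four values printed in IDA's Output window with your screenshots: the DllMain address should match the Functions window, the import address the Imports window (the Address column you widened), the local count the var_ entries IDA lists above 0x10001656, and the string_users lines the XREF comment next to “\cmd.exe /c”. If the Hi, Master banner is in the same function as the cmd.exe string, string_users will name that function, so the script also points you at the routine whose purpose Exercise 4 asks about.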