
I need my assignment completely done for my Malware Analysis course.
Below is the description:
This homework is about the malware in Lab 3-3, i.e., Lab03-03.exe. Use IDA or Ghidra to answer the following questions.
1. What does the function sub_40149d do? How do you know? Use relevant instructions of this function to support your answer. In general, your answer should include the meaning of the input parameter(s) and the return value for this kind of question. For example, the following function sub_fn takes two integers (let's call them x and y) as input parameters and returns x - y as the result.
sub_fn proc near
push ebp                ; prologue: save the caller's frame pointer
mov ebp, esp            ; set up this function's stack frame
push edx                ; preserve edx before using it as scratch
mov edx, [ebp+8]        ; edx = first argument (x), just above the return address
sub edx, [ebp+12]       ; edx = x - y (second argument at [ebp+12])
mov eax, edx            ; the return value is passed back in eax
pop edx                 ; restore edx
pop ebp                 ; restore the caller's frame pointer
ret
sub_fn endp
2. More specifically, we can see that sub_40149d invokes _strlen at 004014b2. What is the input parameter of this invocation to _strlen and what is the purpose of this function call? More specifically, how is the return value used in sub_40149d?
3. What kind of code construct can you recognize in sub_401000? Attach a screenshot to support your answer.
4. What does the function sub_401000 do? We can see that it has three input parameters. What are their meanings? What happens to them in the function sub_401000? Attach relevant instructions of this function to support your answer. Hint: the instruction xor al, [ebp + arg_8] performs a logical XOR operation.
5. What does the function sub_40132c do? What does its return value mean? How do you know? Attach the cross-reference graph and relevant instructions of this function to support your answer.
6. In function sub_40132c, there are conditional jumps at 0040140c and 00401419, respectively. What is their purpose? Hint: the byte sequence 4D 5A (or 'MZ') is the magic word for the DOS header in an executable file.
7. In function sub_4010ea, what is the name of the new process created at 0040115f?
8. In function sub_4010ea, which function is actually called by the instruction at 00401206: call [ebp + var_64]? Hint: [ebp + var_64] is a local variable. What kind of value has been written to this variable?
Please put all your answers in a single .pdf file. You are expected to include screenshots.
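As an added example, not part of the assignment text or of the Lab03-03.exe binary, the following Python helper shows the two constructs the hints above describe in their general form: the 'MZ' DOS magic and 'PE\0\0' signature check behind question 6, and a single-byte XOR transform bounded by strlen, the pattern behind the xor al, [ebp + arg_8] hint in question 4. The sample header bytes are constructed here and do not come from the lab sample.

```python
import struct

E_LFANEW_OFFSET = 0x3C  # DOS header field holding the offset of the PE header

# Constructed sample: 'MZ' at offset 0, e_lfanew = 0x40 at offset 0x3c,
# and the 'PE\0\0' signature at offset 0x40. Zero padding elsewhere.
SAMPLE_PE_HEAD = (
    b"MZ" + b"\x00" * (E_LFANEW_OFFSET - 2)
    + struct.pack("<I", 0x40)
    + b"PE\x00\x00"
)


def has_dos_magic(data: bytes) -> bool:
    """The check from the question 6 hint: do the first two bytes read 4D 5A ('MZ')?"""
    return len(data) >= 2 and data[:2] == b"MZ"


def pe_signature_offset(data: bytes):
    """Return e_lfanew if the buffer has a DOS header whose e_lfanew points at a
    'PE\\0\\0' signature inside the buffer; otherwise None. Bounds are checked
    before every read so a truncated or malformed header cannot raise."""
    if not has_dos_magic(data) or len(data) < E_LFANEW_OFFSET + 4:
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    return e_lfanew


def xor_cstring(buf: bytes, key: int) -> bytes:
    """Single-byte XOR over a NUL-terminated buffer, i.e. a loop of
    'xor al, key' whose length comes from strlen. Only bytes before the first
    NUL are transformed; the terminator and anything after it are untouched.
    Caveat: a plaintext byte equal to the key XORs to 0x00, so a strlen-bounded
    loop would stop early on such data; this helper mirrors that behaviour."""
    key &= 0xFF  # the 'al' register is one byte wide
    length = buf.index(b"\x00") if b"\x00" in buf else len(buf)  # strlen semantics
    return bytes(b ^ key for b in buf[:length]) + buf[length:]
```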