Analysis of Lab 01-04 from PMA, in-class exercise from 9/18/2012

Name of file: Lab01-04.exe
Where is it from? PMA 7zip file from course web site
Size of file: 36K
MD5: 625ac05fd47adc3c63700c3b30de79ab
SHA256: 0fa1498340fca6c562cfa389ad3e93395f44c72fd128d7ba08579a69aaf3b126
Results from virustotal.com: 35/42. Yipes!

Any indication of packing or obfuscation? e.g. output from Strings:
  (didn't run Strings)
  Visual inspection using a hex editor (like emacs!): suspicious system calls visible, not obviously packed
  a call to AdjustTokenPrivileges, for example, suggests PrivEsc (changing the process token's privileges)
  does file I/O
  suspiciously, a call to printf suggests a C program

If packed, how big is it after unpacking? N/A
  (if no big change, what might that mean?)

When was the program compiled? What tool tells us this, again?
  (PEview shows it as the Time Date Stamp in IMAGE_FILE_HEADER; remember the stamp is set by the compiler and is trivially forged)

Do any imports hint at functionality? Which imports say what?

What host or network indicators could be used to identify this malware on infected machines? (Indeed, are there any host or network indicators?)
  http://www.practicalmalwareanalysis.com/update.exe
  also, the Strings output mentions a Windows updater

Does the program use any resources? (Yes)
Results from Resource Hacker? The resource contains a hidden binary with some system calls that raise suspicions, but not too much.
PEiD has a disassembler feature, which lets us inspect the executable code in the exe proper, as well as the code hidden in the resource.
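The triage steps above (hashes, compile timestamp, Strings, suspicious imports, a binary hidden in a resource) can be scripted. The following is an added example written for these notes, not code from the PMA book or the course; it runs against a constructed PE-shaped byte string (not the real Lab01-04.exe, whose hashes are listed above), the SUSPICIOUS_APIS table is an illustrative mapping chosen here, and embedded executables are found by scanning for MZ/PE signatures rather than by walking the resource directory, which is enough to spot the same kind of carried binary that Resource Hacker reveals.

```python
"""Static triage helpers for a PE sample: hashes, compile timestamp, strings,
suspicious API names, and carving of an embedded PE (e.g. a binary hidden in a resource)."""
import hashlib
import re
import struct
from datetime import datetime, timezone

# Illustrative API-to-capability table (chosen for this example, not exhaustive).
SUSPICIOUS_APIS = {
    "AdjustTokenPrivileges": "changes token privileges (e.g. SeDebugPrivilege); privilege escalation",
    "URLDownloadToFile": "downloads a file from a URL; downloader behaviour",
    "CreateRemoteThread": "runs code in another process; injection",
    "WinExec": "launches a program",
}

def file_hashes(data: bytes) -> dict:
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest()}

def pe_header_offset(data: bytes, base: int = 0) -> int:
    """Offset of 'PE\\0\\0' for the MZ header at `base`, or -1 if no valid PE header follows."""
    if data[base:base + 2] != b"MZ" or base + 0x40 > len(data):
        return -1
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    sig = base + e_lfanew
    if e_lfanew == 0 or sig + 24 > len(data) or data[sig:sig + 4] != b"PE\0\0":
        return -1
    return sig

def pe_compile_time(data: bytes, base: int = 0) -> datetime:
    """TimeDateStamp from IMAGE_FILE_HEADER (the field PEview shows as the compile time)."""
    sig = pe_header_offset(data, base)
    if sig < 0:
        raise ValueError("not a PE image")
    ts = struct.unpack_from("<I", data, sig + 8)[0]  # after 'PE\0\0', Machine, NumberOfSections
    return datetime.fromtimestamp(ts, tz=timezone.utc)

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs, like the Sysinternals Strings tool (ASCII only, no UTF-16)."""
    return [m.group().decode() for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def flag_suspicious_apis(strings: list) -> dict:
    hits = {}
    for s in strings:
        for api, meaning in SUSPICIOUS_APIS.items():
            if s.startswith(api):  # also catches the A/W suffixed variants
                hits[api] = meaning
    return hits

def find_embedded_pes(data: bytes) -> list:
    """Offsets of every MZ header after the outer one whose e_lfanew lands on a PE signature."""
    hits = []
    pos = data.find(b"MZ", 1)
    while pos != -1:
        if pe_header_offset(data, pos) >= 0:
            hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits

def build_min_pe(timestamp: int, payload: bytes = b"") -> bytes:
    """Constructed PE-shaped bytes for offline testing; not a real or loadable binary."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptHdr, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0, 0x0102)
    return dos + b"PE\0\0" + coff + payload

# Constructed sample: an outer PE carrying a second PE in its "resource" area.
INNER = build_min_pe(1300000000, b"URLDownloadToFileA\0http://www.practicalmalwareanalysis.com/update.exe\0")
SAMPLE = build_min_pe(1600000000, b"AdjustTokenPrivileges\0BIN\0" + INNER)

def triage(data: bytes) -> dict:
    strings = extract_strings(data)
    embedded = find_embedded_pes(data)
    return {
        "hashes": file_hashes(data),
        "compiled": pe_compile_time(data).isoformat(),
        "suspicious_apis": flag_suspicious_apis(strings),
        "urls": [s for s in strings if s.startswith("http")],
        "embedded_pe_offsets": embedded,
        "embedded_compiled": [pe_compile_time(data, off).isoformat() for off in embedded],
    }

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE), indent=2))
```

Run it on a real sample by replacing SAMPLE with the file's bytes; the embedded-PE offsets are where you would carve (or where Resource Hacker's dump would start), and each carved image gets its own timestamp and strings pass, since the dropper and the dropped binary are often compiled and packed separately.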