Lab 3

The document is a lab report analyzing malicious programs on the Windows platform. It examines three files: 1) Malicious JavaScript code that contains variables for communicating with a remote host and port, suggesting it could perform unwanted actions. 2) A packed malicious executable file that could not be unpacked but strings were extracted in a debugger. 3) A "patchme" file that was modified in a disassembler to display "good job" instead of its original behavior.


MINISTRY OF EDUCATION AND RESEARCH

Universitatea Tehnică a Moldovei (Technical University of Moldova)


Faculty of Computers, Informatics and Microelectronics
Department of Software Engineering and Automatics
Study program: Information Security

REPORT
Course: AMID

Laboratory work 3
"Analysis of malicious programs on the Windows platform"

Student: Ciubotaru Vadim, SI-211M

Evaluator: Persianov Svetoslav

Chișinău, 2021
1. Malicious js
This file contains JavaScript code, but as delivered nothing in it is readable.

Image 1 – JavaScript code


To make the code readable we can run it through the online beautifier at beautifier.io.

Image 2 – Online JS beautifier


Now we can explore the code and find something useful.

Image 3 – Some variables
host: var _0x353d71 = '139.180.152.57';
port: 0x1a0a (6666 in decimal)

Capabilities of the malicious code, judging from the function names in the source:

- startupElevate
- disableSecurity
- destroyself
- hidfile
- uninstall
- post – sends information to the specified host and port (139.180.152.57:6666)
- information – collects information about the PC (username, computer name, etc.)
- getCountry
- botcontrol
- upstart – modifies the registry key “HKEY_LOCAL_MACHINE\\software\\microsoft\\windows\\currentversion\\run\\”
- avcek – antivirus check
- security
- getDate
- instance
- UnZip
- sitedownloader
- download – downloads from 139.180.152.57:6666
- updatestatus
- upload
- cmdshell
- enumprocess

These functions show that, once executed, the malicious code gains full control of the PC.
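As an added illustration (not code from this report), a small Python triage helper that does what the steps above do by hand: it pulls the quoted IPv4 host, decodes the hex port literal to decimal, and flags the capability function names listed above in beautified JavaScript. The input it runs on is a constructed sample shaped like the beautified output, not the original malicious file.

```python
import re

# Constructed sample text (not the real file from the report): a few lines
# shaped like the beautified output, including the host/port variables of Image 3.
SAMPLE_JS = r"""
var _0x353d71 = '139.180.152.57';
var _0x2b9c = 0x1a0a;
function startupElevate() {}
function disableSecurity() {}
function post(d) { send(_0x353d71, _0x2b9c, d); }
function cmdshell(c) {}
function avcek() {}
"""

# Capability names taken from the report's list, mapped to a plain-language meaning.
CAPABILITIES = {
    "startupElevate": "persistence / elevation at startup",
    "disableSecurity": "tamper with security settings",
    "post": "send collected data to the remote host",
    "upstart": "modify HKLM\\...\\CurrentVersion\\Run",
    "avcek": "antivirus check",
    "download": "download from the remote host",
    "cmdshell": "remote command shell",
    "enumprocess": "enumerate processes",
}

IPV4 = re.compile(r"""['"]((?:\d{1,3}\.){3}\d{1,3})['"]""")   # quoted dotted-quad
NUMERIC = re.compile(r"=\s*(0x[0-9a-fA-F]+|\d+)\s*;")         # numeric assignments
FUNC = re.compile(r"function\s+([A-Za-z_]\w*)\s*\(")           # function definitions

def to_int(token: str) -> int:
    """Decode a JS numeric literal: hex such as 0x1a0a, or plain decimal."""
    return int(token, 16) if token.lower().startswith("0x") else int(token)

def extract_indicators(js: str) -> dict:
    """Return candidate hosts, decoded port-sized numbers and recognised capabilities."""
    hosts = [h for h in IPV4.findall(js)
             if all(0 <= int(octet) <= 255 for octet in h.split("."))]
    ports = sorted({to_int(n) for n in NUMERIC.findall(js) if 0 < to_int(n) < 65536})
    caps = {f: CAPABILITIES[f] for f in FUNC.findall(js) if f in CAPABILITIES}
    return {"hosts": hosts, "ports": ports, "capabilities": caps}

if __name__ == "__main__":
    print(extract_indicators(SAMPLE_JS))
```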

2. Malicious exe

Image 4 – Check information about file


Here we see a section named “UPX1”, which means the executable is packed with UPX and we do not have much information about it in this state. We could not unpack it, but we can set a breakpoint in the debugger and, once the unpacking stub has run, read all the strings from the unpacked code in memory.

Image 5 – Information from debugger

3. patchme
We need to patch this file so that it prints “good job”.

Image 6 – patchme execution

Open the file in Ghidra and find the main function:

Image 7 – Ghidra editor

Here, find the “if” condition, which is compiled to a “jnz” instruction, and change it to “jz” (opcode byte 75 to 74).

Image 8 – patched file

Now the file is patched.
