Lab 1-1

This lab uses the files Lab01-01.exe and Lab01-01.dll. Use the tools and techniques described in the chapter to gain information about the files and answer the questions below.

1) Upload the files to and view the reports. Does either file match any existing antivirus signatures?

File name: Lab01-01.exe

SHA256: 58898bd42c5bd3bf9b1389f0eee5b39cd59180e8370eb9ea838a0b327bd6fe47


File name: Lab01-01.dll

SHA256: f50e42c8dfaab649bde0398867e930b86c2a599e8db83b8260393082268f2dba


2) When were these files compiled?

Lab01-01.exe: Sun Dec 19 16:16:19 2010


Lab01-01.dll: Sun Dec 19 16:16:38 2010


3) Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?

No, there is no indication that either file is packed or obfuscated: PEiD did not report any packer, and both files have a reasonable number of strings and imports.

4) Do any imports hint at what this malware does? If so, which imports are they?


FindFirstFileA and FindNextFileA indicate that this malware might search for files.

CreateFileA suggests that this malware might create or open files.

CreateProcessA indicates that this malware will probably create a process.

The malware imports functions from WS2_32.dll such as socket, connect, send, recv and closesocket, which suggests that it might communicate with a server.

Also, the Sleep import might indicate that the malware waits some time before carrying out any malicious activity.
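As an added example (not part of this write-up or the book's tooling), the Python below pulls the three pieces of static evidence used in questions 2 to 4 out of a PE image: the COFF TimeDateStamp for the compile time, a Strings-style ASCII scan, and a match against a watch-list of the API names discussed above. The sample PE image and the SUSPICIOUS_APIS list are constructed for this example; the real lab files are not included.

```python
import re
import struct
from datetime import datetime, timezone

# API names the write-up singles out (hypothetical watch-list for this example)
SUSPICIOUS_APIS = {
    "FindFirstFileA", "FindNextFileA", "CreateFileA", "CreateProcessA",
    "socket", "connect", "send", "recv", "closesocket", "Sleep",
}

def pe_compile_time(data: bytes) -> datetime:
    """Read IMAGE_FILE_HEADER.TimeDateStamp, the linker's build time (UTC)."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def ascii_strings(data: bytes, min_len: int = 4) -> list:
    """Same idea as the Strings tool: runs of printable ASCII of min_len or more."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(data: bytes) -> dict:
    strings = ascii_strings(data)
    hits = sorted(s for s in set(strings) if s in SUSPICIOUS_APIS)
    return {
        "compile_time": pe_compile_time(data),
        "api_hints": hits,
        "file_paths": [s for s in strings if s.lower().startswith("c:\\")],
        # few strings and no recognisable imports is one packing indicator (question 3)
        "packing_suspected": len(strings) < 20 and not hits,
    }

def build_sample() -> bytes:
    """Constructed stand-in for Lab01-01.exe: a bare PE header plus the strings the
    write-up reports. It is not the real lab file."""
    stamp = int(datetime(2010, 12, 19, 16, 16, 19, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHI", 0x14C, 3, stamp) + b"\0" * 12
    blob = b"\0".join(s.encode() for s in [
        "KERNEL32.dll", "FindFirstFileA", "FindNextFileA", "CreateFileA",
        "CreateProcessA", "WS2_32.dll", "socket", "connect", "send", "recv",
        "closesocket", "Sleep", "C:\\windows\\system32\\kerne123.dll",
    ])
    return dos + coff + b"\0" * 8 + blob + b"\0"
```

Calling triage(build_sample()) reports the same compile time, API hints and kerne123.dll path that the write-up lists for the .exe; on a real file, read the bytes from disk and pass them to triage instead.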

5) Are there any other files or host-based indicators that you could look for on infected systems?


This file contains the string C:\windows\system32\kerne123.dll. This is an attempt to disguise the DLL as the legitimate kernel32.dll.


There are no indicators.

6) What network-based indicators could be used to find this malware on infected machines?


There are no indicators.


There’s a string containing an IP Address:

7) What would you guess is the purpose of these files?


The purpose is probably to install or run the DLL.


Probably a backdoor.