Question
Question 1
Download additional_samples.zip from this module's resources (available at the upper right corner) and transfer the .zip file to this section's target. Unzip additional_samples.zip (password: infected) and use IDA to analyze orange.exe. Enter the registry key that it modifies for persistence as your answer. Answer format: SOFTWARE____
Analyze the subroutine sub_40A908. The function contains several push instructions that push pieces of a string onto the stack (a stack string) before anything uses them:

I used ChatGPT to reconstruct this string, and the string represents a Windows registry key path.
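The reconstruction can also be done mechanically instead of by hand or with a chatbot. The script below is an added example for this writeup, not code from the module or from orange.exe: it takes an IDA-style listing, groups consecutive `push imm` instructions into runs, lays the immediates out in memory order (the first push ends up at the highest address, so the listing order has to be reversed, and each dword is little-endian) and decodes the result. The listing embedded in it is constructed for the example: the addresses and labels are made up, and the immediates were computed from the Run key and from the file name intrenat.exe so the parser has realistic input. Where orange.exe actually keeps the file name is not something this example claims to show; it generalizes the one-string case to any number of push runs and lets you grep the recovered strings for a name.

```python
import re

# Constructed IDA-style listing for this example (not taken from orange.exe).
# Addresses and labels are made up; the immediates encode two stack strings.
SAMPLE_DISASM = """
.text:00401000 loc_401000:
.text:00401000                 push    6Eh             ; 'n'
.text:00401002                 push    75525C6Eh
.text:00401007                 push    6F697372h
.text:0040100C                 push    6556746Eh
.text:00401011                 push    65727275h
.text:00401016                 push    435C7377h
.text:0040101B                 push    6F646E69h
.text:00401020                 push    575C7466h
.text:00401025                 push    6F736F72h
.text:0040102A                 push    63694D5Ch
.text:0040102F                 push    65726177h
.text:00401034                 push    74666F53h
.text:00401039                 mov     eax, esp        ; eax -> start of the string
.text:0040103B                 push    eax
.text:0040103C                 call    sub_401200
.text:00401041 loc_401041:
.text:00401041                 push    0
.text:00401043                 push    6578652Eh
.text:00401048                 push    74616E65h
.text:0040104D                 push    72746E69h
.text:00401052                 lea     ecx, [esp]
"""

# ".text:00401000   <instruction>   ; comment" -> (address, instruction text)
LINE_RE = re.compile(r"^\.\w+:([0-9A-Fa-f]{8})\s+(.*?)\s*(?:;.*)?$")
# Only "push <immediate>" in IDA's hex-with-h, 0x-prefixed, or plain decimal form.
# Register, memory and "offset" operands do not match, so they end a run.
IMM_RE = re.compile(r"^push\s+(0x[0-9A-Fa-f]+|[0-9A-Fa-f]+h|\d+)$")


def parse_imm(tok: str) -> int:
    t = tok.lower()
    if t.startswith("0x"):
        return int(t[2:], 16)
    if t.endswith("h"):
        return int(t[:-1], 16)
    return int(t, 10)


def push_runs(disasm: str) -> list[tuple[int, list[int]]]:
    """Group consecutive 'push imm' lines into (address of first push, [imms in listing order])."""
    runs, cur = [], None
    for raw in disasm.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank or non-listing line
        addr, body = int(m.group(1), 16), m.group(2)
        im = IMM_RE.match(body)
        if im:
            if cur is None:
                cur = (addr, [])
            cur[1].append(parse_imm(im.group(1)))
        elif cur is not None:
            runs.append(cur)  # any other instruction terminates the run
            cur = None
    if cur is not None:
        runs.append(cur)
    return runs


def decode_run(imms: list[int], width: int = 4, wide: bool = False) -> str:
    """Lay the pushes out as the CPU does (first push = highest address) and read the string up.
    A 'push imm8' is sign-extended to a dword, so every push occupies `width` bytes.
    Use wide=True for UTF-16 stack strings."""
    mask = (1 << (8 * width)) - 1
    buf = b"".join((v & mask).to_bytes(width, "little") for v in reversed(imms))
    text = buf.decode("utf-16-le" if wide else "latin-1", errors="replace")
    return text.split("\0", 1)[0]  # stop at the NUL terminator


def stack_strings(disasm: str, min_len: int = 4, wide: bool = False) -> list[tuple[int, str]]:
    """All decodable stack strings in the listing; short or non-printable runs (ordinary
    integer arguments pushed for an API call) are dropped."""
    found = []
    for addr, imms in push_runs(disasm):
        s = decode_run(imms, wide=wide)
        if len(s) >= min_len and s.isprintable():
            found.append((addr, s))
    return found


def find_string(disasm: str, needle: str) -> list[int]:
    """Addresses of the push runs whose decoded string contains `needle`."""
    return [addr for addr, s in stack_strings(disasm) if needle in s]


if __name__ == "__main__":
    for addr, s in stack_strings(SAMPLE_DISASM):
        print(f"{addr:08X}  {s}")
    print("file name built at:", [f"{a:08X}" for a in find_string(SAMPLE_DISASM, "intrenat.exe")])
```

In IDA, select the block of pushes, copy the listing text and feed it to `stack_strings`; for a whole function, copy the function body and the run splitting does the rest. If a compiler interleaves `mov` instructions between the pushes the run is cut short, and a decimal-displayed operand is read as decimal, so check IDA's operand display before trusting a surprising result.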
Software\\Microsoft\\Windows\\CurrentVersion\\Run

Question 2
Download additional_samples.zip from this module's resources (available at the upper right corner) and transfer the .zip file to this section's target. Unzip additional_samples.zip (password: infected) and use IDA to analyze orange.exe. Enter the name of the function that is holding the name of the file intrenat.exe that orange.exe drops as your answer. Answer format: sub_4XXXX3
I found the subroutine by analyzing all the functions.
