Reverse Engineering: Injection Series Part 4 is hosted on Blue Team Labs. You can use any disassembler you like to complete this challenge. The challenge asks you to identify the first process spawned by the malware sample and the API call used to spawn it.
Table of contents
Question 1) What is the process that would be first spawned by the sample? And what is the API used? (Format: process, API Call) (1 point)
Question 2) The value 4 has been pushed as a parameter to this API, what does that denote? (Format: FLAG) (1 point)
Question 3) What is the domain that the malware tries to connect? (Format: domain.tld) (1 point)
Question 4) What is the cmdlet used to download the file and what is the path of the file stored? (Format: CMDLET, path) (1 point)
Question 5) Just after the file download instructions, a function from ntdll has been loaded and invoked by the sample. What is the function name? (Format: Function) (2 points)
Question 6) After the allocation of memory and writing the data into the allocated memory, what are the 2 APIs used to update the entry point and resume the thread? (Format: API, API) (2 points)
Question 7) What is the MITRE ID for this technique implemented in this sample? (Format: TXXXX.XXX)