CS6038/CS5138 Malware Analysis, UC

Course content for UC Malware Analysis

View on GitHub
18 March 2021

Ghidra 101 & OSINT Research

by Coleman Kane

LAB03: Ghidra 101 & OSINT Research

You learned some information about online research relating to malware during January, and then more recently we have introduced Ghidra. This lab will have you perform some analysis in Ghidra to answer some questions about a particular malware artifact, and then you’ll be asked to do some research online to gather more information about it.


  1. What is the memory address of the beginning of the entry point?
  2. Which of the program-specific functions (the ones marked with FUN_) is probably the “main()” function?
  3. The program fetches an HTTP URL, what is that URL?
  4. From within which function does the program call the Windows API function WinExec?
  5. According to Microsoft’s own documentation, what does WinExec do?
  6. This particular malware sample is old and well known, find at least one report in open source (OSINT) research that discussed the activity related to it. Cite URL(s)
  7. Provide a tool name that is used to describe this particular malware sample, cite reference URL.
  8. There was a malicious operator group that used this malware. Provide at least one name they have been given in public reporting, cite reference URL.


tags: malware assignment