Practical Malware Analysis: Lab 1-3

August 27, 2017 - 3 minute read -
malware analysis practical-malware-analysis reverse-engineering

This is my analysis of the malware for Lab01-03 from the Practical Malware Analysis book exercises.


The Lab 1-3 malware that is to be analyized using basic static analysis techniques consists of the file Lab01-03.exe.

The following are the tasks required to complete the lab exercise:

Basic Static Analysis


Upload the Lab01-03.exe file to Does it match any existing antivirus definitions?

Lab01-03.exe Virus Total

According to VirusTotal this malware has been seen before.

Packed or Obfuscated?

Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.


We can start with strings to see how many legible strings can be found in the executable:

PS C:\Users\Brett\Desktop\Practical Malware Analysis Labs\BinaryCollection\Chapter_1L> strings Lab01-03.exe

Strings v2.53 - Search for ANSI and Unicode strings in binary images.
Copyright (C) 1999-2016 Mark Russinovich
Sysinternals -

!Windows Program

.. snip ..

Running strings seems to only reveal a few strings including LoadLibraryA and GetProcAddress. Since these functions are often called in packed malware and there are few other legible strings, it is looking like this malware may be packed.


When we run the executable through PEid we find that PEid has detected the executable to be packed with fsg 1.0 dulek/xt.

Lab01-03.exe PEid


Running the executable through PEView also leads us to suspect packing as the normal “.text”, “.rdata”, etc. sections are not present. Instead the sections are just called “SECTION”. “Virtual Size” and “Raw Data Size” of the sections are also different in significant amounts seeming to indicate that the executable will expand the malware at runtime.

Lab01-03.exe PEview


Opening the executable in IDAPro warns that this executable seems to be packed or obfuscated:

Lab01-03.exe IDAPro


Practical Malware Analysis has not taught how to deal with unpacking fsg 1.0 dulek/xt at this point. A little googling seems to indicate that some manual processes will be necessary. The process is not as straightforward as just running an un-pack command like with upx. I may attempt some of these manual processes at some point in the future but I am going to leave that alone for now as the book has not covered it.

Imports Hint at Functionality?

Because the only imports that are able to be viewed are LoadLibraryA and GetProcAddress, a good idea of the functionality can not be gleaned at this point.

Host- or Network-Based Indicators?

Because no legible strings can be found that would point toward host or network based indicators it is not possible to find any good indicators of this malware at this point.


This concludes the analysis of the third malware of Lab 1 from the Practical Malware Analysis book. A curve ball was thrown with this malware utilizing a packer that is not covered in the book. After looking at the appendix answers for this exercise, everything that could be learned about this malware without knowledge of unpacking fsg 1.0 has been learned. The appendix says that the techniques for further dealing with this malware will be covered in chapter 18. I’ll update this article if I take a stab at researching and trying to unpack it myself before getting to chapter 18.