Analyse the sample dynamically and monitor its activities

Assignment Help Other Subject
Reference no: EM133589758, Length: word count: 3000

Learning outcome 1: Identify and analyse malware using appropriate procedures, tools and techniques
Learning outcome 2: Interpret and communicate the significance of malware behaviour to decision makers
Learning outcome 3: Distinguish and critically compare malware delivery and spreading techniques
Learning outcome 4: Assess and synthesize the likely impact of a malware infection from its binary

Part 1: Static and dynamic analysis of unknown suspicious files

You have been provided with a set of unknown files found on a suspected infected machine on your organization's network. The goal is to perform in-depth analysis of the files and document any observable characteristics and/or behaviours.

Answer all the questions below (in the analysis tasks section) backing your answers with appropriate proofs and detailed supporting documentation and evidence from analyses. Please provide your answers under each given question. Any references cited should be listed at the end of your report.

Environment and tools

Analyze the set of PDF files zipped within the "cw_pdf_files.7z" in a REMnux environment using appropriate tools. The password for unzipping is ‘infected'. Also, analyse the file "suspicious.file" on a Windows XP virtual machine. The file should be extracted from "suspicious.7z" with the archive password ‘infected'.

Please note that these are real malware. Which tools you use is entirely up to you. In malware analysis there is rarely one "right" path. Be creative and observant! However, I suggest you look at previous lab exercises and lecture slides, and pick whatever tools you deem appropriate. Provide documentary evidence to support your answers where appropriate, for example screenshots, excerpts from logs, dumps and other analysis outputs.

Analysis tasks

1. Retrieve the three PDF documents from the "cw_pdf_files.7z" archive file. Perform a comprehensive analysis of the three files and present your findings, drawing conclusions as to whether or not each of the files may be a malicious PDF document.
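A first triage pass over a PDF, before reaching for a dedicated PDF tool in REMnux, is to count the names that weaponised documents tend to carry (/JavaScript, /OpenAction, /Launch, /EmbeddedFile and so on), remembering that authors can hide those names with #xx hex escapes or inside FlateDecode streams. The script below is an added example and not part of the coursework brief or its sample files: it normalises hex-escaped names, inflates Flate streams, counts keyword hits, and exercises itself on a PDF that is constructed inline (the keyword list is a common starting set, not an exhaustive indicator list).

```python
"""Keyword triage of a PDF: hex-escape normalisation, Flate stream inflation,
and a count of names worth a closer look. Added example; the sample PDF is
constructed in build_sample_pdf() and is not one of the coursework files."""
import re
import zlib
from collections import Counter

# Names that frequently appear in malicious PDFs. A hit is a reason to inspect
# the object that carries it, not proof of malice on its own.
SUSPICIOUS_NAMES = [
    "/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch",
    "/EmbeddedFile", "/RichMedia", "/XFA", "/ObjStm", "/URI",
]

def normalise_names(data: bytes) -> bytes:
    """PDF names may encode characters as #xx (e.g. /Java#53cript).
    Decode them so obfuscated names match the plain keyword list."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data: bytes) -> bytes:
    """Concatenate the plaintext of every stream that inflates with zlib,
    so keywords hidden in compressed objects are also counted."""
    out = []
    for m in re.finditer(rb"stream\r?\n(.*?)\r?\nendstream", data, re.S):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            pass  # not FlateDecode, or damaged: leave it for manual inspection
    return b"\n".join(out)

def triage_pdf(data: bytes) -> dict:
    """Count suspicious names in the raw file and in its inflated streams."""
    body = normalise_names(data)
    streams = normalise_names(inflate_streams(data))
    counts = Counter()
    for name in SUSPICIOUS_NAMES:
        # a name ends at a delimiter: do not let /JS match inside a longer name
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z])"
        n = len(re.findall(pattern, body)) + len(re.findall(pattern, streams))
        if n:
            counts[name] = n
    objects = len(re.findall(rb"\d+ \d+ obj\b", body))
    return {
        "objects": objects,
        "keywords": dict(counts),
        "verdict": "inspect" if counts else "no keyword hits",
    }

def build_sample_pdf() -> bytes:
    """Constructed sample: the catalog's /OpenAction points at a JavaScript
    action whose name is hex-obfuscated and whose code sits in a Flate stream."""
    js = b"app.alert('constructed sample');"
    compressed = zlib.compress(js)
    return b"".join([
        b"%PDF-1.4\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"3 0 obj << /S /Java#53cript /JS 4 0 R >> endobj\n",
        b"4 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(compressed),
        compressed, b"\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%%EOF\n",
    ])

if __name__ == "__main__":
    print(triage_pdf(build_sample_pdf()))
```

Run it against each of the three coursework PDFs by reading the file bytes into `triage_pdf`; a hit list is the starting point for the per-object inspection the task asks for, and a clean result still needs the manual check, since object streams and non-Flate filters are outside what this pass decodes.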

2. Retrieve "suspicious.file" from the archive. How would you confirm what type of file it is? What observable features of the file suggest that it may or may not be packed? Document your observations with any applicable tools of your choice.

3. Next, perform a basic static analysis of the malware sample (suspicious.file) and document your findings. For example, what do the imports and exports tell you about the sample? (Remember, MSDN is your friend.) Are there any interesting strings? Can you observe anything suspicious section-wise? If the sample is packed, make sure you unpack it first.
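The packing question in task 2 and the section-wise question in task 3 both come down to the same evidence: section names, the gap between a section's raw size and its virtual size, per-section entropy and section memory protections. The script below is an added example, not part of the coursework brief or any tool it mentions: it parses the PE section table with the standard library, scores those indicators, and demonstrates them on two PE images constructed in memory (a UPX-style layout and a plain one), so it runs without the real sample. The entropy threshold and the name lists are rules of thumb, not definitive tests.

```python
"""Section-level packing indicators for a PE file: per-section entropy,
raw-vs-virtual size mismatches, section names and memory protections.
Added example, not part of the coursework brief. The two PE images are
constructed in memory so it runs without a sample; thresholds are rules of thumb."""
import math
import random
import struct

STANDARD_SECTIONS = {b".text", b".rdata", b".data", b".idata", b".edata", b".rsrc",
                     b".reloc", b".bss", b".tls", b".pdata", b"CODE", b"DATA"}
PACKER_PREFIXES = (b"UPX", b".aspack", b".adata", b".petite", b".vmp", b"MPRESS")
EXEC_WRITE = 0x20000000 | 0x80000000  # IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; near 8.0 means uniformly distributed (compressed/encrypted)."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(image: bytes) -> list:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + size_opt
    sections = []
    for i in range(nsec):
        off = table + i * 40
        name, vsize, _vaddr, rsize, rptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]  # Characteristics
        raw = image[rptr:rptr + rsize]
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize,
                         "raw_size": rsize, "entropy": round(shannon_entropy(raw), 2),
                         "characteristics": chars})
    return sections

def packing_indicators(sections: list) -> list:
    """Human-readable notes; an empty list means nothing section-wise stood out."""
    notes = []
    for s in sections:
        n = s["name"].decode(errors="replace")
        if s["name"].startswith(PACKER_PREFIXES):
            notes.append(f"{n}: known packer section name")
        elif s["name"] not in STANDARD_SECTIONS:
            notes.append(f"{n}: non-standard section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            notes.append(f"{n}: no raw data but {s['virtual_size']} bytes reserved in memory")
        if s["entropy"] > 7.0:
            notes.append(f"{n}: entropy {s['entropy']} suggests compressed or encrypted content")
        if s["characteristics"] & EXEC_WRITE == EXEC_WRITE:
            notes.append(f"{n}: section is both writable and executable")
    return notes

def build_pe(sections: list) -> bytes:
    """Constructed minimal PE32 image (zeroed optional header) for the demo.
    sections: list of (name, virtual_size, raw_bytes, characteristics)."""
    e_lfanew, size_opt = 0x40, 224
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)
    rptr = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    table, blobs = [], []
    for i, (name, vsize, raw, chars) in enumerate(sections):
        table.append(struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize,
                                 0x1000 * (i + 1), len(raw), rptr if raw else 0,
                                 0, 0, 0, 0, chars))
        blobs.append(raw)
        rptr += len(raw)
    return dos + b"PE\0\0" + coff + opt + b"".join(table) + b"".join(blobs)

def sample_images() -> dict:
    """Constructed inputs: a UPX-style layout and an ordinary unpacked layout."""
    rng = random.Random(7)
    high_entropy = bytes(rng.getrandbits(8) for _ in range(4096))
    code_like = b"\x55\x8b\xec\x83\xec\x10" * 200 + b"\xc3\x90" * 100
    return {
        "packed": build_pe([(b"UPX0", 0x10000, b"", 0xE0000080),
                            (b"UPX1", 0x1000, high_entropy, 0xE0000040),
                            (b".rsrc", 0x200, b"\0" * 512, 0x40000040)]),
        "clean": build_pe([(b".text", 0x500, code_like, 0x60000020),
                           (b".rdata", 0x200, b"Hello, world\0" * 40, 0x40000040),
                           (b".data", 0x100, b"\0" * 256, 0xC0000040)]),
    }

if __name__ == "__main__":
    for label, img in sample_images().items():
        print(label, packing_indicators(parse_sections(img)) or ["no indicators"])
```

For the real sample, read the file into `parse_sections` and compare the notes with what PEiD, Detect It Easy or a PE viewer reports; a packed image also tends to show very few imports (often just LoadLibrary and GetProcAddress), which is the import-table half of the same argument and is best read off the tool you use for task 3.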

4. Analyse the sample dynamically and monitor its activities on the system. What changes do you observe on the host? For example, is anything dropped, executed or deleted? (Hint: if you use Regshot in any phase of your analysis, set the right scan directory to ‘C:\'). Support your claims with documentary evidence from tools such as RegShot, Process Monitor, etc.

5. Does the malware exhibit any network-based behaviour? Analyse and document any observable network activities under (a) an isolated environment and (b) with the system connected online (in this exercise it is ok to let the sample talk to the outside world). Document all observable patterns in network activities using appropriate tools and techniques. [10 marks]

Presentation: organization, readability, references etc.

Part 2: Analysis and reverse engineering of a malicious DLL

This is the second part of your graded coursework and is worth 50% of your total marks.

Scenario and goal

Your friend received an email with an attachment and proceeded to open the email. Without being careful, your friend opened the attachment and is now concerned that the system may be infected.

Answer all the questions below (in the analysis tasks section) backing your answers with appropriate proofs and detailed supporting documentation and evidence from analyses.

Environment and tools

Analyze the file "malsample.dll" on a Windows XP virtual machine. Extract it from "malsample.7z" with the archive password ‘infected'. Which tools you use is entirely up to you. In malware analysis there is rarely one "right" path. Be creative and observant! However, I suggest you look at previous lab exercises and lecture slides, and pick whatever tools you deem appropriate. Provide documentary evidence to support your answers where appropriate, for example screenshots, excerpts from logs, dumps and other analysis outputs. Please provide your answers under each given question. Any references cited should be listed at the end of your report.

Analysis tasks

1. Your friend receives the file (malsample.dll) as an email attachment on their Windows XP machine and accidentally double-clicks the file. Is their system infected? If yes, why/how? If no, why not? Explain and support your answer with evidence from dynamic analysis.

2. Perform a basic static analysis of the malware sample and document your findings. What do the imports and exports tell you about the sample? Is the sample packed? Can you observe anything suspicious section-wise?

3. Analyse the sample dynamically and monitor its activities on the system. Outline the steps taken to execute the sample for analysis. What changes do you observe on the host? For example, is anything dropped, executed or deleted? Any other changes to the host observed? (Hint: if you use Regshot in any phase of your analysis, be careful to set the right scan directory i.e. C:\). Support your claims with documentary evidence.
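Both dynamic-analysis tasks (task 4 in Part 1 and task 3 here) rest on the same method Regshot uses: take a baseline snapshot before running the sample, a second one after, and report what was added, deleted or modified, with the scan directory set to the root of C: so that drops outside the default folders are not missed. The script below is an added example and not Regshot's code or part of the coursework brief: it implements the file-system half of that comparison (path, size and SHA-256 per file) and exercises itself on a temporary directory with constructed changes standing in for a dropped file, an edited hosts file and a deletion. The registry half is left to Regshot or Process Monitor; on the Windows XP VM the same before/after idea applies to registry keys.

```python
"""Before/after snapshot comparison of a directory tree, the file-system half of
a Regshot-style diff. Added example, not Regshot's code; the scenario in
simulate_run() is constructed on a temporary directory, not a real sample run."""
import hashlib
import os
import tempfile

def snapshot(root: str) -> dict:
    """Map each file's path (relative to root, '/'-separated) to (size, sha256)."""
    snap = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            try:
                with open(full, "rb") as f:
                    digest = hashlib.sha256(f.read()).hexdigest()
                snap[rel] = (os.path.getsize(full), digest)
            except OSError:
                continue  # locked or removed between listing and reading
    return snap

def diff_snapshots(before: dict, after: dict) -> dict:
    """Classify every path as added, deleted or modified (size or hash changed)."""
    added = sorted(set(after) - set(before))
    deleted = sorted(set(before) - set(after))
    modified = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return {"added": added, "deleted": deleted, "modified": modified}

def simulate_run() -> dict:
    """Constructed scenario: baseline, then the kinds of host changes one looks
    for after detonation (a dropped file, a modified system file, a deletion)."""
    with tempfile.TemporaryDirectory() as root:
        etc = os.path.join(root, "Windows", "System32", "drivers", "etc")
        docs = os.path.join(root, "Documents")
        os.makedirs(etc)
        os.makedirs(docs)
        hosts = os.path.join(etc, "hosts")
        notes = os.path.join(docs, "notes.txt")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(notes, "w") as f:
            f.write("quarterly notes\n")
        before = snapshot(root)

        # constructed changes standing in for what a sample might do
        with open(os.path.join(root, "Windows", "System32", "dropped.bin"), "wb") as f:
            f.write(b"\x90" * 64)            # a dropped file
        with open(hosts, "a") as f:
            f.write("127.0.0.1 blocked.example\n")  # a modified system file
        os.remove(notes)                     # a deleted user file
        after = snapshot(root)
        return diff_snapshots(before, after)

if __name__ == "__main__":
    for kind, paths in simulate_run().items():
        print(f"{kind}: {paths}")
```

Against the VM, take the first snapshot of the C: root immediately before launching the sample and the second after it has had time to run, and pair the file-system diff with Process Monitor's capture so that each changed path can be tied to the process that wrote it.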

4. Under which process is the malicious DLL running? What is the process ID of this process? Document your approach and show how you obtained this information.

5. Describe how you would set up a network analysis environment. Does the malware exhibit any network-based behaviours? Analyse and document any observable network activity in an isolated environment. How does this malware behave network-wise?

6. Reverse engineer the sample with IDA/IDA Pro. (a) How many functions are exported by the DLL? (b) What are the addresses of the functions that the DLL exports? (c) How many functions call the kernel32 API LoadLibrary? (d) How many times is the kernel32 API Sleep() called in the DLL? (Support your answers with documentary evidence, e.g., screenshots.)

7. Navigate to the ServiceMain function. (a) Show the graph view of the function. (b) The main subroutine (of the ServiceMain function) jumps to a location where the code calls the kernel32 API Sleep() right after the JZ assembly instruction. What is the value of the parameter used by this Sleep() call?

8. Presentation: organization, readability, references etc.

All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd