Analyze malware using appropriate procedures

Reference no: EM132615237, Length: word count: 5000

CTEC5807 Malware Analysis - De Montfort University

Assignment - Malware Investigation

Learning outcome 1. Identify and analyze malware using appropriate procedures, tools and techniques
Learning outcome 2. Interpret and communicate the significance of malware behavior to decision makers
Learning outcome 3. Distinguish and critically compare malware delivery and spreading techniques
Learning outcome 4. Assess and synthesize the likely impact of a malware infection from its binary

In this coursework, you are expected to:

Analyze two specimens of malware and write a report answering a set of questions about the insights gained and detailing your approach with relevant evidence (e.g. screenshots, excerpts of logs, etc.).

Part 1: Basic malware analysis

Scenario and goal

This is part 1 of the graded exercise. It is worth 50% of your total grade. Every question is worth 5 points, for an exercise total of 50.
In this scenario, an acquaintance was e-mailed a suspicious attachment and wants to know if it is malicious. He already opened the file and was surprised to see a foreign-language sentence. Now he is concerned that he is infected with malware.
Answer all the questions below and write a full report. If you want to work in pairs, identify both authors on the report cover sheet and upload it twice.

Environment & tools

Statically and dynamically analyze the unzipped sample "29-10-2014_Quittung.rtf" on a Windows XP SP3 virtual machine. The archive password is "infected". Please note that this is real malware.

Which tools to use is completely up to you. In malware analysis, there is rarely only one "right" path. Be creative! Still, I suggest you look at previous exercises and pick whatever tools you deem appropriate.

For this exercise, it is okay to let the sample talk to the outside world. Before you do that, however, it is recommended to simulate internet communication (also see lab exercise "Combined dynamic analysis") and determine beforehand whether it is safe.

Analysis tasks

Task 1. Analyze the social engineering component of the malware. Translate it. How does it try to get people to execute it?

Task 2. Your friend has already opened the document attachment. What happened? Is his machine already infected? Find proof for, or argue, your answer!

Task 3. Extract the core malware and document the steps.
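The sample is an RTF, and RTF droppers usually carry their payload as a hex-encoded OLE object in a `\objdata` group. The following is an added example, written for this brief and not part of the coursework material or any tool it names: it pulls every `\objdata` blob out of an RTF, decodes the hex (tolerating the line breaks and junk that Word and obfuscators insert), and carves the first recognisable file header, confirming an `MZ` hit by checking that `e_lfanew` really points at `PE\0\0`. The RTF it runs on is constructed inline (an 8-byte OLE1-style prefix followed by a fake PE stub); the names `SAMPLE_RTF`, `FAKE_PE` and the helper functions are mine.

```python
import re

# File headers worth carving out of a decoded \objdata payload.
MAGICS = [
    ("PE executable", b"MZ"),
    ("OLE2 compound file", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    ("ZIP/OOXML container", b"PK\x03\x04"),
]

# \objdata is followed by hex text that runs up to the closing brace of its group.
OBJDATA_RE = re.compile(rb"\\objdata\b(.*?)(?=\})", re.DOTALL)


def decode_objdata(raw: bytes) -> bytes:
    """Drop everything that is not a hex digit (CR/LF, spaces, junk) and decode."""
    hexdigits = re.sub(rb"[^0-9a-fA-F]", b"", raw)
    if len(hexdigits) % 2:          # odd nibble count: ignore the dangling nibble
        hexdigits = hexdigits[:-1]
    return bytes.fromhex(hexdigits.decode("ascii"))


def looks_like_pe(data: bytes) -> bool:
    """'MZ' alone is weak evidence; require e_lfanew to land on 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_payload(blob: bytes):
    """Return (kind, offset) of the first recognised header inside the blob."""
    for kind, magic in MAGICS:
        off = blob.find(magic)
        while off != -1:
            if kind != "PE executable" or looks_like_pe(blob[off:]):
                return kind, off
            off = blob.find(magic, off + 1)
    return None


def carve_objects(rtf: bytes) -> list:
    """(kind, offset_in_blob, carved_bytes) for every \\objdata group with a payload."""
    found = []
    for m in OBJDATA_RE.finditer(rtf):
        blob = decode_objdata(m.group(1))
        hit = find_payload(blob)
        if hit:
            kind, off = hit
            found.append((kind, off, blob[off:]))
    return found


# Constructed sample, not the coursework RTF: a minimal fake PE (DOS header with
# e_lfanew = 0x40 and a PE signature) hex-encoded behind an OLE1-style prefix,
# with the hex wrapped every 32 characters the way Word writes it.
FAKE_PE = (b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")
           + b"PE\x00\x00" + b"\x00" * 20)
_hex = b"0105000002000000" + FAKE_PE.hex().encode("ascii")
_wrapped = b"\r\n".join(_hex[i:i + 32] for i in range(0, len(_hex), 32))
SAMPLE_RTF = (b"{\\rtf1\\ansi\\deff0{\\object\\objemb{\\*\\objclass Package}"
              b"{\\*\\objdata \r\n" + _wrapped + b"\r\n}}\\par Document body here}")

if __name__ == "__main__":
    for kind, off, data in carve_objects(SAMPLE_RTF):
        print(f"{kind} at blob offset {off}, {len(data)} bytes carved")
```

Write each carved blob to disk and hash it before going further; that hash is the identifier you will want for the later tasks. The regex stops at the first `}` after `\objdata`, so an RTF that splits the hex across nested groups (a common obfuscation) needs the groups flattened first; oletools' `rtfobj` handles that case and parses the OLE1 wrapper properly, so use it to cross-check your own extraction.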

Task 4. Perform a basic static analysis of the sample and document your findings. Is it packed? What do the imports and exports tell you? Do you see anything suspicious section-wise? Interesting strings? Remember: MSDN is your friend!

Task 5. Analyze the sample dynamically and monitor the activity on the system. What changes? Is anything dropped, executed or deleted? If you use Regshot, be careful to set the right scan directory (C:)!
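Regshot's before/after comparison is the right idea for this task, and the filesystem half of it is simple enough to reproduce when you want a diff you can script or re-run. The following added example (mine, not part of the coursework and not Regshot) snapshots a directory tree as path → (SHA-256, size), takes a second snapshot after the sample has run, and reports added, deleted and modified files; the registry side is left to Regshot. The `demo` function stages a throw-away directory and simulates a drop/overwrite/delete to show the diff; all paths in it, including the `NOISY_PREFIXES` exclusion list, are constructed for the demo.

```python
import hashlib
import os
import tempfile

# Paths that churn on every boot and only add noise to a diff (constructed
# starting list; extend it after a baseline run of your own VM).
NOISY_PREFIXES = ("Windows/Prefetch/", "Windows/Temp/")


def snapshot(root: str) -> dict:
    """Map relative path -> (sha256, size) for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if rel.startswith(NOISY_PREFIXES):
                continue
            try:
                with open(full, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                snap[rel] = (digest, os.path.getsize(full))
            except OSError:          # locked or vanished file: skip, do not abort
                continue
    return snap


def diff_snapshots(before: dict, after: dict) -> dict:
    common = before.keys() & after.keys()
    return {
        "added": sorted(after.keys() - before.keys()),
        "deleted": sorted(before.keys() - after.keys()),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


def _write(root: str, rel: str, data: bytes) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Baseline, simulated detonation, second snapshot, diff."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "Documents/notes.txt", b"original contents")
        _write(root, "Temp/setup.tmp", b"installer leftovers")
        _write(root, "Windows/Prefetch/NOTEPAD.EXE-1234.pf", b"noise")
        before = snapshot(root)
        # Constructed effects standing in for the sample: drop, overwrite, delete.
        _write(root, "AppData/Roaming/svchost.exe", b"MZ" + b"\x00" * 64)
        _write(root, "Documents/notes.txt", b"original contents, tampered")
        os.remove(os.path.join(root, "Temp", "setup.tmp"))
        _write(root, "Windows/Prefetch/SVCHOST.EXE-5678.pf", b"noise")
        after = snapshot(root)
        return diff_snapshots(before, after)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Take the first snapshot immediately before executing the sample and the second as soon as it goes idle, otherwise scheduled tasks and Windows Update will swamp the result. Hashing (rather than comparing timestamps) is what catches a file rewritten in place with the same size, which is exactly what a dropper overwriting a legitimate binary looks like.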

Task 6. Can you find indicators for sandbox or VM detection? What can you do to circumvent it? Restart your analysis after taking care of the anti-analysis technique(s).

Task 7. Try to find out what the sample is about to do network-wise and set up an appropriate fake environment. What is happening?

Task 8. What are the sample's runtime dependencies? What is it trying to download? Try to play along and set up the environment it wants and determine what the malware needs the additional software for.

Task 9. Extract and document all relevant IP addresses that are or might be contacted (static and dynamic analysis) and determine domain ownership.

Task 10. If you satisfied all the sample's requirements (i.e. installed all the components it needs) the malware will alter your system's configuration. What is happening? Hint: Certificates.

Part 2: Ransomware disassembly

Scenario and goal
This is part 2 of the graded exercise. It is worth 50% of your total grade. Every question is worth 5 points, for an exercise total of 50.
In this scenario, your company's CFO was the victim of a crypto locker, losing all her precious holiday photos. She comes to you in hopes that you'll be able to help her recover her files without paying the ransom. The incident response team has already located the malicious sample and provides you with both the malware and an encrypted sample file that needs to be recovered at all costs.
Answer all the questions below and write a full report. If you want to work in pairs, identify both authors on the report cover sheet and upload it twice.

Environment & tools
Analyze the sample "cryptolock.exe" on a Windows virtual machine. The archive password is "infected".
Which tools to use is completely up to you. In malware analysis, there is rarely only one "right" path. Be creative and know when to stop. With disassembly, you will see many functions that will not yield any useful answers.
For this exercise, it is okay to let the sample talk to the outside world. Before you do that, however, it is recommended to simulate internet communication (also see lab exercise "Combined dynamic analysis") and determine beforehand whether it is safe.
The questions below provide hints about the technical background and the recommended approach.

Analysis tasks

Task 1. Perform a basic static analysis of the sample and document your findings. Is it packed? What do the imports and exports tell you? Do you see anything suspicious section-wise? Interesting strings?

Task 2. Attempt to execute the sample and use basic dynamic analysis tools to determine whether the sample causes damage to the system. Can the sample be executed as is? If yes, what happens? If no, why not?

Task 3. Load the sample into IDA and attempt to locate the "main" function (which is not necessarily named that). You will see a lot of exit conditions that will terminate the program when run. Where is the main function? Highlight it and expand it.

Task 4. Document and interpret what's going on in the sample's main method. It helps to rename functions whose purpose you have identified. Which function calls can you identify and name? Hint: Pseudocode might help (there is an IDA plugin for that!). You might also want to return to/continue this part of the exercise later during task 9.

Task 5. What parameters does the sample need to function? What are their types (integer, string, etc.)? Combine fuzzing with disassembly (i.e. supply likely parameters and see what happens and also locate the spot in the code where the parameters are defined).

Task 6. Armed with the correct parameters, use the crypto locker on some files of your choice and document what's happening (return to dynamic analysis). How is the malware altering the test files (use hex editor)?
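A hex editor answers this task one file at a time; the measurements you should take from it are the same every time, so they are worth scripting. The following added example (mine, not part of the coursework) compares a plaintext file with its encrypted counterpart and reports what a practitioner reads off the hex dump: the size delta and whether the ciphertext length is a multiple of 8 or 16 (block cipher plus padding), whether the original header survived, where the first differing byte is, entropy of both files, and how many 16-byte ciphertext blocks repeat, which with a block-aligned length is the tell for ECB mode. The test files are constructed inline: a fake bitmap with a flat colour area (20 identical rows) and two stand-in "encryptions" of it, one with the ECB property and one stream-like. `fake_ecb_encrypt` and `fake_stream_encrypt` are not real ciphers and say nothing about what `cryptolock.exe` uses; they exist only to produce the two patterns you should be able to tell apart.

```python
import hashlib
import math
import random


def entropy(data: bytes) -> float:
    n = len(data)
    if not n:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage_pair(plain: bytes, cipher: bytes, block: int = 16) -> dict:
    """Compare a victim file with its encrypted counterpart."""
    n = min(len(plain), len(cipher))
    first_diff = next((i for i in range(n) if plain[i] != cipher[i]),
                      None if len(plain) == len(cipher) else n)
    blocks = [cipher[i:i + block] for i in range(0, len(cipher) - block + 1, block)]
    seen = {}
    for b in blocks:
        seen[b] = seen.get(b, 0) + 1
    repeated = sum(c for c in seen.values() if c > 1)
    aligned = 16 if len(cipher) % 16 == 0 else 8 if len(cipher) % 8 == 0 else None
    return {
        "plain_len": len(plain), "cipher_len": len(cipher),
        "delta": len(cipher) - len(plain),        # padding, appended key/IV/marker?
        "block_aligned": aligned,                 # block cipher + padding if not None
        "header_preserved": plain[:block] == cipher[:block],
        "first_diff": first_diff,
        "plain_entropy": round(entropy(plain), 2),
        "cipher_entropy": round(entropy(cipher), 2),
        "repeated_blocks": repeated,
        # equal plaintext blocks -> equal ciphertext blocks is the ECB tell
        "ecb_suspected": aligned == 16 and repeated > 0,
    }


def pkcs7(data: bytes, block: int = 16) -> bytes:
    pad = block - len(data) % block
    return data + bytes([pad]) * pad


def fake_ecb_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for a block cipher in ECB mode: every 16-byte block is mapped
    independently (SHA-256 of key||block, truncated; NOT a real cipher, but it
    reproduces the property that identical blocks encrypt identically)."""
    padded = pkcs7(data)
    return b"".join(hashlib.sha256(key + padded[i:i + 16]).digest()[:16]
                    for i in range(0, len(padded), 16))


def fake_stream_encrypt(data: bytes, seed: int) -> bytes:
    """Stand-in for a stream cipher: XOR with a seeded keystream (self-inverse)."""
    ks = random.Random(seed)
    return bytes(b ^ ks.getrandbits(8) for b in data)


# Constructed "holiday photo": a 64-byte header, 20 identical 16-byte rows
# (a flat colour area), then 4101 bytes of varied pixel data.
_rng = random.Random(2020)
HEADER = b"BM" + (4485).to_bytes(4, "little") + bytes(range(1, 59))
ROW = bytes([0x10, 0x80, 0xF0, 0xFF] * 4)
PLAIN = HEADER + ROW * 20 + bytes(_rng.getrandbits(8) for _ in range(4101))
ECB_CIPHER = fake_ecb_encrypt(PLAIN, b"constructed-key")
STREAM_CIPHER = fake_stream_encrypt(PLAIN, 7)

if __name__ == "__main__":
    for label, c in (("ecb-like", ECB_CIPHER), ("stream-like", STREAM_CIPHER)):
        print(label, triage_pair(PLAIN, c))
```

Use the same test file twice: encrypt a copy of a file made of one repeated byte (`fsutil file createnew` then fill it) and look at `repeated_blocks`; if the ciphertext is periodic, the mode is ECB and Task 10 becomes much easier because you can verify a candidate key block by block. A non-zero `delta` that is not just PKCS#7 padding often means a per-file header (marker, encrypted key or IV) was prepended or appended, which is where Task 9 should look.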

Task 7. It can be assumed that the ransomware first reads the file, changes its contents, and then writes the new version to a file. One possible analysis approach is to "follow" the source (victim) file through the encryption process. A combined approach is most promising: use Procmon to monitor file accesses while running a debugger to locate the corresponding functionality in the code. Where are the read/write operations located in the code?

Task 8. It is time to determine the kind of encryption that is being used by the sample. Download and use the tool "signsrch" to get an idea of what is happening. Which crypto algorithm does the malware utilize?
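signsrch works by scanning the binary for the constant tables that cryptographic implementations embed (S-boxes, round constants, CRC tables). The following added example (mine, not the coursework's and not signsrch) does the same for a handful of well-known constants, checking 32-bit word tables in both byte orders, and runs over a constructed buffer in which an AES S-box, a little-endian SHA-256 K table and a big-endian CRC-32 table fragment have been planted at known offsets; `SAMPLE` and its offsets are assumptions for the demo, not findings about `cryptolock.exe`.

```python
import struct

# Well-known constants. A hit means "this algorithm's tables are in the binary",
# not "this is what encrypts the files"; confirm in the debugger (Task 7).
CONSTANTS = {
    "AES S-box": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),
    "AES inverse S-box": bytes.fromhex("52096ad53036a538bf40a39e81f3d7fb"),
    "SHA-256 K[0..3]": (0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5),
    "MD5/SHA-1 initial state": (0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476),
    "MD5 T[0..3]": (0xd76aa478, 0xe8c7b756, 0x242070db, 0xc1bdceee),
    "CRC-32 table[1..4]": (0x77073096, 0xee0e612c, 0x990951ba, 0x076dc419),
    "Blowfish P[0..3]": (0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344),
}


def encodings(value):
    """Yield (byte order label, pattern). Word tables are checked in both orders:
    x86 compilers emit them little-endian, hand-rolled code sometimes big-endian."""
    if isinstance(value, bytes):
        yield "raw", value
    else:
        yield "le", struct.pack("<%dI" % len(value), *value)
        yield "be", struct.pack(">%dI" % len(value), *value)


def scan(blob: bytes) -> list:
    """Every (name, offset, byte order) occurrence, sorted by offset."""
    hits = []
    for name, value in CONSTANTS.items():
        for order, pattern in encodings(value):
            off = blob.find(pattern)
            while off != -1:
                hits.append((name, off, order))
                off = blob.find(pattern, off + 1)
    return sorted(hits, key=lambda h: h[1])


# Constructed buffer: AES S-box at 100, SHA-256 K (LE) at 166, CRC-32 (BE) at 222.
SAMPLE = (b"\x00" * 100 + CONSTANTS["AES S-box"]
          + b"\x90" * 50 + struct.pack("<4I", *CONSTANTS["SHA-256 K[0..3]"])
          + b"\xcc" * 40 + struct.pack(">4I", *CONSTANTS["CRC-32 table[1..4]"])
          + b"\x00" * 30)

if __name__ == "__main__":
    for name, off, order in scan(SAMPLE):
        print(f"{off:#08x} {order:3} {name}")
```

Two caveats for the report. First, a packed sample (Task 1) has to be unpacked or dumped from memory before scanning, otherwise the tables are compressed and nothing matches. Second, a sample that uses Windows CryptoAPI or CNG (`CryptEncrypt`, `CryptDeriveKey`, `BCryptEncrypt`) carries no tables at all; there the algorithm identifier shows up as a `CALG_*`/`BCRYPT_*` constant passed to the API, so check the imports before concluding that no standard cipher is used. A hash-table hit next to a cipher hit (SHA-256 beside AES, say) usually points at key derivation, which is Task 9.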

Task 9. What is the key for the encryption process? Where does the crypto locker get it from? How is it processed within the malware and where does it end up?

Task 10. Now that you know what kind of encryption is being used on the files, use a tool of your choice (e.g. online tools, GitHub apps, self-coded approach) to decrypt the CFO's file. Document the steps and the final (decrypted) result!

If you fail to decrypt the desired file, document the process with a file of your choice (where you know the key) for half the points of this item.

8/29/2020 3:13:32 AM

Hello team, this is a new coursework called Malware Analysis. I have attached the PDF question paper, in which all details are mentioned clearly. Please check it properly and let me know if you have any questions. As this is important coursework, I request that it be done with the best results. Attaching the respective zip files for investigating the malware files. Thanks.
