Critically compare malware delivery and spreading techniques

Reference no: EM132777761

CTEC5807 Malware Analysis - De Montfort University

Assignment - Malware Investigation

Learning outcome 1: Identify and analyse malware using appropriate procedures, tools and techniques
Learning outcome 2: Interpret and communicate the significance of malware behaviour to decision makers
Learning outcome 3: Distinguish and critically compare malware delivery and spreading techniques
Learning outcome 4: Assess and synthesize the likely impact of a malware infection from its binary

Tasks to be undertaken:

In this coursework, you are expected to: Analyse two specimens of malware and answer questions about the insights gained, detailing your approach with relevant evidence, e.g., screenshots, excerpts of logs, etc.

Part 1: Static and dynamic analysis of an unknown suspicious file
This is the first part of your graded coursework and is worth 50% of your total marks.

Scenario and goal
You have been provided with an unknown file found on a suspected infected machine on your organization's network. The goal is to perform an in-depth analysis of the file to determine its type, infection mechanisms, and document any observable behaviours. After the analysis you will recommend steps to eradicate the malware from all the other systems in your organization that have been infected by the same malware.
Answer all the questions below (in the analysis tasks section) backing your answers with appropriate proofs and detailed supporting documentation and evidence from analyses. Please provide your answers under each given question. Any references cited should be listed at the end of your report.

Environment and tools
Analyse the file "suspicious.file" on a Windows XP virtual machine. The file should be extracted from "suspicious.7z" with the archive password 'infected'. Please note that this is real malware. Which tools you use is entirely up to you. In malware analysis there is rarely one "right" path. Be creative and observant! However, I suggest you look at previous lab exercises and lecture slides, and pick whatever tools you deem appropriate. Provide documentary evidence to support your answers where appropriate, for example screenshots, excerpts from logs, dumps and other analysis outputs.

Analysis tasks

1. During malware analysis what steps and precautions should you take to remove the risk of infecting your own system and other systems on the network?

2. What observable features of the file suggest that it may/may not be packed? Document your observations with any applicable tools of your choice.

3. Next, perform a basic static analysis of the malware sample and document your findings. For example, what do the imports and exports tell you about the sample? (Remember, MSDN is your friend.) Are there any interesting strings? Can you observe anything suspicious section-wise? If the sample is packed, make sure you unpack it first.

4. Analyse the sample dynamically and monitor its activities on the system. What changes do you observe on the host? For example, is anything dropped, executed or deleted? (Hint: if you use Regshot in any phase of your analysis, set the right scan directory to 'C:\'.) Support your claims with documentary evidence from tools such as Regshot, Process Monitor, etc.

5. Does the malware exhibit any network-based behaviour? Analyse and document any observable network activities under (a) an isolated environment and (b) with the system connected online (in this exercise it is ok to let the sample talk to the outside world). Document all observable patterns in network activities using appropriate tools and techniques.

6. As a member of the incident response team in your organization you are tasked with the removal of the malware from all systems infected with this same malware. How would you eliminate the malware from an infected system on your network? Outline the steps to be taken in cleaning up the system. Show how you would confirm that the malware has been completely removed by the steps you have taken. (Hint: for example, you can use Regshot before and after the clean-up to show that the infection has been removed.)

Part 2: Analysis and reverse engineering of a malicious DLL

Scenario and goal
Your friend received an email with an attachment and proceeded to open the email. Without being careful, your friend opened the attachment and is now concerned that the system may be infected.
Answer all the questions below (in the analysis tasks section) backing your answers with appropriate proofs and detailed supporting documentation and evidence from analyses.

Environment and tools
Analyse the file "malsample.dll" on a Windows XP virtual machine. Extract it from "malsample.7z" with the archive password 'infected'. Which tools you use is entirely up to you. In malware analysis there is rarely one "right" path. Be creative and observant! However, I suggest you look at previous lab exercises and lecture slides, and pick whatever tools you deem appropriate. Provide documentary evidence to support your answers where appropriate, for example screenshots, excerpts from logs, dumps and other analysis outputs. Please provide your answers under each given question. Any references cited should be listed at the end of your report.

Analysis tasks

1. Your friend receives the file as an email attachment on their Windows XP machine and accidentally double-clicks the file. Is their system infected? If yes, why/how? If no, why not? Explain and support your answer with evidence from dynamic analysis.

2. Perform a basic static analysis of the malware sample and document your findings. What do the imports and exports tell you about the sample? Is the sample packed? Can you observe anything suspicious section-wise?

3. Analyse the sample dynamically and monitor its activities on the system. Outline the steps taken to execute the sample for analysis. What changes do you observe on the host? For example, is anything dropped, executed or deleted? Any other changes to the host observed? (Hint: if you use Regshot in any phase of your analysis, be careful to set the right scan directory, i.e. 'C:\'.) Support your claims with documentary evidence.

4. Under which process is the malicious DLL running? What is the process ID of this process? Document your approach and show how you obtained this information.

5. Describe how you would setup a network analysis environment. Does the malware exhibit any network-based behaviours? Analyse and document any observable network activity in an isolated environment. How does this malware behave network-wise?

6. Reverse engineer the sample with IDA/IDA Pro. (a) How many functions are exported by the DLL? (b) What are the addresses of the functions that the DLL exports? (c) How many functions call the kernel32 API LoadLibrary? (d) How many times is the kernel32 API Sleep() called in the DLL? (Support your answers with documentary evidence, e.g., screenshots.)

7. Navigate to the ServiceMain function. (a) Show the graph view of the function. (b) The main subroutine (of the ServiceMain function) jumps to a location where the code calls the kernel32 API Sleep() right after the JZ assembly instruction. What is the value of the parameter used by this Sleep() call?
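As an added illustration (not part of the coursework or its sample files), the script below shows the kind of packing triage that Part 1 questions 2 and 3 and Part 2 question 2 ask for: using only the Python standard library it walks a PE file's section table and flags high-entropy sections, sections with no raw data but a large virtual size, and non-standard section names. The two-section PE it inspects is constructed inline and labelled as such; the same functions can be pointed at the bytes of the real sample inside the analysis VM.

```python
import math
import struct

# Section names a common Windows linker emits; anything else deserves a look.
STANDARD = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata", ".edata", ".bss"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 maximum."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def sections(pe: bytes):
    """Walk the PE section table; yield (name, virtual_size, raw_size, raw_bytes)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                            # first IMAGE_SECTION_HEADER
    for i in range(nsec):
        name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        yield name.rstrip(b"\0").decode("latin-1"), vsize, rsize, pe[rptr:rptr + rsize]

def packing_indicators(pe: bytes) -> list:
    """Return human-readable reasons the sample looks packed (empty list = none seen)."""
    flags = []
    for name, vsize, rsize, raw in sections(pe):
        ent = entropy(raw)
        if ent > 7.0:
            flags.append(f"{name}: entropy {ent:.2f}, typical of compressed/encrypted code")
        if rsize == 0 and vsize > 0:
            flags.append(f"{name}: zero raw size but {vsize:#x} virtual bytes, unpack target")
        if name not in STANDARD:
            flags.append(f"{name}: non-standard section name")
    return flags

def build_sample() -> bytes:
    """Constructed two-section PE for the demo; only the fields the parser reads are filled."""
    opt = bytes(224)                            # zeroed PE32 optional header
    headers_len = 64 + 24 + len(opt) + 2 * 40   # DOS header + NT headers + 2 section headers
    payload = bytes(range(256)) * 16            # maximal-entropy stand-in for packed code
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)                       # e_lfanew = 64
    nt = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    sec0 = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    sec1 = struct.pack("<8sIIIIIIHHI", b"UPX1", len(payload), 0x11000, len(payload), headers_len, 0, 0, 0, 0, 0xE0000040)
    return dos + nt + opt + sec0 + sec1 + payload
```

Entropy alone is not proof of packing (resource sections full of images also score high), so pair the flags with the import-table observations the question asks for.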

Attachment: Malware Investigation.rar
