Critically compare malware delivery and spreading techniques

Reference no: EM132777761

CTEC5807 Malware Analysis - De Montfort University

Assignment - Malware Investigation

Learning outcome 1: Identify and analyse malware using appropriate procedures, tools and techniques
Learning outcome 2: Interpret and communicate the significance of malware behaviour to decision makers
Learning outcome 3: Distinguish and critically compare malware delivery and spreading techniques
Learning outcome 4: Assess and synthesize the likely impact of a malware infection from its binary

Tasks to be undertaken:

In this coursework you are expected to analyse two specimens of malware and answer questions about the insights gained, detailing your approach with relevant evidence (e.g., screenshots, excerpts of logs).

Part 1: Static and dynamic analysis of an unknown suspicious file
This is the first part of your graded coursework and is worth 50% of your total marks.

Scenario and goal
You have been provided with an unknown file found on a suspected infected machine on your organization's network. The goal is to perform an in-depth analysis of the file to determine its type, infection mechanisms, and document any observable behaviours. After the analysis you will recommend steps to eradicate the malware from all the other systems in your organization that have been infected by the same malware.
Answer all the questions below (in the analysis tasks section) backing your answers with appropriate proofs and detailed supporting documentation and evidence from analyses. Please provide your answers under each given question. Any references cited should be listed at the end of your report.

Environment and tools
Analyse the file "suspicious.file" on a Windows XP virtual machine. The file should be extracted from "suspicious.7z" with the archive password 'infected'. Please note that this is real malware. Which tools you use is entirely up to you. In malware analysis there is rarely one "right" path. Be creative and observant! However, I suggest you look at previous lab exercises and lecture slides, and pick whatever tools you deem appropriate. Provide documentary evidence to support your answers where appropriate, for example screenshots, excerpts from logs, dumps and other analysis outputs.

Analysis tasks

1. During malware analysis what steps and precautions should you take to remove the risk of infecting your own system and other systems on the network?

2. What observable features of the file suggest that it may/may not be packed? Document your observations with any applicable tools of your choice.

3. Next, perform a basic static analysis of the malware sample and document your findings. For example, what do the imports and exports tell you about the sample? (Remember, MSDN is your friend.) Are there any interesting strings? Can you observe anything suspicious section-wise? If the sample is packed, make sure you unpack it first.

4. Analyse the sample dynamically and monitor its activities on the system. What changes do you observe on the host? For example, is anything dropped, executed or deleted? (Hint: if you use Regshot in any phase of your analysis, set the right scan directory to 'C:\'.) Support your claims with documentary evidence from tools such as Regshot, Process Monitor, etc.

5. Does the malware exhibit any network-based behaviour? Analyse and document any observable network activities under (a) an isolated environment and (b) with the system connected online (in this exercise it is ok to let the sample talk to the outside world). Document all observable patterns in network activities using appropriate tools and techniques.

6. As a member of the incident response team in your organization you are tasked with the removal of the malware from all systems infected with this same malware. How would you eliminate the malware from an infected system on your network? Outline the steps to be taken in cleaning up the system. Show how you would confirm that the malware has been completely removed by the steps you have taken. (Hint: For example you can use RegShot before and after the clean-up to show that the infection has been removed).
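The packing indicators asked for in tasks 2 and 3 (and in Part 2, task 2) can be read directly from the PE section table. The script below is an added example, not part of the coursework or of its sample files: it parses the DOS header, PE signature, COFF header and section headers with nothing but the standard library, computes the Shannon entropy of each section's raw data, and flags the classic observations (entropy close to 8 bits per byte, packer-style section names such as UPX0/UPX1, a section with no raw data but a large virtual size, and sections that are both writable and executable). The `build_stub_pe()` function constructs a non-executable, UPX-shaped stub in memory so the script runs offline; on the analysis VM you would replace it with the bytes of the real sample.

```python
"""Added example: static packing indicators from a PE section table.
The PE bytes come from build_stub_pe(), a constructed stub, not a real sample."""
import math
import random
import struct
from collections import Counter

# Section names commonly left behind by packers (a heuristic, not proof).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", "MPRESS1",
                        "MPRESS2", ".petite", ".themida", ".vmp0", ".vmp1"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty data, close to 8.0 for compressed/encrypted bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        (name, vsize, vaddr, rawsize, rawptr, _reloc, _lines,
         _nreloc, _nlines, flags) = SECTION_HEADER.unpack_from(pe, table + i * 40)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "virtual_address": vaddr,
                         "raw_size": rawsize, "flags": flags,
                         "data": pe[rawptr:rawptr + rawsize]})
    return sections


def packing_indicators(pe: bytes) -> list:
    """Per-section observations that, taken together, suggest a packed file."""
    report = []
    for s in parse_sections(pe):
        hits = []
        entropy = shannon_entropy(s["data"])
        if entropy > 7.0:
            hits.append("high entropy")
        if s["name"] in PACKER_SECTION_NAMES:
            hits.append("packer section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            hits.append("no raw data but non-zero virtual size (filled at runtime)")
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            hits.append("writable and executable")
        report.append({"name": s["name"], "entropy": round(entropy, 2), "indicators": hits})
    return report


def looks_packed(pe: bytes) -> bool:
    """Conservative verdict: at least two different indicator kinds across sections."""
    kinds = {h for sec in packing_indicators(pe) for h in sec["indicators"]}
    return len(kinds) >= 2


def build_stub_pe() -> bytes:
    """Constructed, non-executable 32-bit PE stub laid out like a UPX-packed binary."""
    rng = random.Random(7)  # deterministic stand-in for compressed bytes
    headers = bytearray(0x200)
    headers[:2] = b"MZ"
    struct.pack_into("<I", headers, 0x3C, 0x40)  # e_lfanew -> PE signature
    headers[0x40:0x44] = b"PE\0\0"
    # COFF: i386, 3 sections, 0xE0-byte optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    struct.pack_into("<HHIIIHH", headers, 0x44, 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    struct.pack_into("<H", headers, 0x58, 0x10B)  # PE32 magic; rest of optional header zero
    table = 0x58 + 0xE0
    rwx = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE | 0x20  # + CNT_CODE
    rows = [  # (name, virtual size, virtual address, raw size, raw pointer, flags)
        (b"UPX0", 0x10000, 0x1000, 0, 0x200, rwx),
        (b"UPX1", 0x1000, 0x11000, 0x1000, 0x200, rwx),
        (b".rsrc", 0x200, 0x12000, 0x200, 0x1200, 0x40000040),
    ]
    for i, (name, vs, va, rs, rp, fl) in enumerate(rows):
        SECTION_HEADER.pack_into(headers, table + i * 40, name, vs, va, rs, rp, 0, 0, 0, 0, fl)
    upx1 = bytes(rng.getrandbits(8) for _ in range(0x1000))  # high-entropy payload
    rsrc = b"\0" * 0x180 + b"ICON" * 0x20                    # low-entropy resources
    return bytes(headers) + upx1 + rsrc


if __name__ == "__main__":
    sample = build_stub_pe()
    for sec in packing_indicators(sample):
        print(f"{sec['name']:<8} entropy={sec['entropy']:.2f} {', '.join(sec['indicators']) or '-'}")
    print("likely packed:", looks_packed(sample))
```

Treat the output as observations to be written up, not as a verdict: a section name is trivially renamed, and high entropy is equally consistent with an embedded compressed resource, which is why `looks_packed()` demands two independent indicator kinds and why the next step in the brief is to confirm by unpacking and re-examining imports and strings.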

Part 2: Analysis and reverse engineering of a malicious DLL

Scenario and goal
Your friend received an email with an attachment and proceeded to open the email. Without being careful, your friend opened the attachment and is now concerned that the system may be infected.
Answer all the questions below (in the analysis tasks section) backing your answers with appropriate proofs and detailed supporting documentation and evidence from analyses.

Environment and tools
Analyse the file "malsample.dll" on a Windows XP virtual machine. Extract it from "malsample.7z" with the archive password 'infected'. Which tools you use is entirely up to you. In malware analysis there is rarely one "right" path. Be creative and observant! However, I suggest you look at previous lab exercises and lecture slides, and pick whatever tools you deem appropriate. Provide documentary evidence to support your answers where appropriate, for example screenshots, excerpts from logs, dumps and other analysis outputs. Please provide your answers under each given question. Any references cited should be listed at the end of your report.

Analysis tasks

1. Your friend receives the file as an email attachment on their Windows XP machine and accidentally double-clicks the file. Is their system infected? If yes, why/how? If no, why not? Explain and support your answer with evidence from dynamic analysis.

2. Perform a basic static analysis of the malware sample and document your findings. What do the imports and exports tell you about the sample? Is the sample packed? Can you observe anything suspicious section-wise?

3. Analyse the sample dynamically and monitor its activities on the system. Outline the steps taken to execute the sample for analysis. What changes do you observe on the host? For example, is anything dropped, executed or deleted? Any other changes to the host observed? (Hint: if you use Regshot in any phase of your analysis, be careful to set the right scan directory, i.e., C:\.) Support your claims with documentary evidence.

4. Under which process is the malicious DLL running? What is the process ID of this process? Document your approach and show how you obtained this information.

5. Describe how you would set up a network analysis environment. Does the malware exhibit any network-based behaviours? Analyse and document any observable network activity in an isolated environment. How does this malware behave network-wise?

6. Reverse engineer the sample with IDA/IDA pro. (a) How many functions are exported by the DLL? (b) What are the addresses of the functions that the DLL exports? (c) How many functions call the kernel32 API LoadLibrary? (d) How many times is the kernel32 API Sleep() called in the DLL? (support your answers with documentary evidence, e.g., screenshots).

7. Navigate to the ServiceMain function. (a) Show the graph view of the function. (b) The main subroutine (of the ServiceMain function) jumps to a location where the code calls the kernel32 API Sleep() right after the JZ assembly instruction. What is the value of the parameter used by this Sleep() call?
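Part 1 tasks 4 and 6 and Part 2 task 3 all rest on the same before/after comparison that Regshot automates: snapshot the host, run the sample, snapshot again, and later prove that clean-up undid every change. The script below is an added example, not part of the coursework and not Regshot's own format: it parses a simple constructed snapshot format (one `REG|key|value name|data` or `FILE|path|size` entry per line), computes the added/deleted/modified sets, and then checks a post-clean-up snapshot against the baseline for residue. The snapshot contents (a Run-key persistence entry, a dropped executable and a tampered hosts file) are constructed sample data, not observations from the coursework's samples.

```python
"""Added example: Regshot-style snapshot diff and clean-up verification.
Snapshot format and contents are constructed for this example."""

BASELINE = r"""
# constructed: clean Windows XP analysis VM before running the sample
REG|HKLM\Software\Microsoft\Windows\CurrentVersion\Run|ctfmon.exe|C:\WINDOWS\system32\ctfmon.exe
FILE|C:\WINDOWS\system32\drivers\etc\hosts|size:734
FILE|C:\WINDOWS\system32\ctfmon.exe|size:15360
"""

INFECTED = r"""
# constructed: same VM after the sample ran (persistence, dropped file, hosts tampering)
REG|HKLM\Software\Microsoft\Windows\CurrentVersion\Run|ctfmon.exe|C:\WINDOWS\system32\ctfmon.exe
REG|HKLM\Software\Microsoft\Windows\CurrentVersion\Run|Windows Update Helper|C:\Documents and Settings\user\Application Data\wuauhlp.exe
FILE|C:\WINDOWS\system32\drivers\etc\hosts|size:1201
FILE|C:\WINDOWS\system32\ctfmon.exe|size:15360
FILE|C:\Documents and Settings\user\Application Data\wuauhlp.exe|size:49152
"""

PARTIAL_CLEANUP = r"""
# constructed: Run value and dropped file removed, hosts file left tampered
REG|HKLM\Software\Microsoft\Windows\CurrentVersion\Run|ctfmon.exe|C:\WINDOWS\system32\ctfmon.exe
FILE|C:\WINDOWS\system32\drivers\etc\hosts|size:1201
FILE|C:\WINDOWS\system32\ctfmon.exe|size:15360
"""

FULL_CLEANUP = BASELINE  # every artifact reverted


def parse_snapshot(text: str) -> dict:
    """Map each registry value / file path (case-folded, as Windows treats them) to its data."""
    entries = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, rest = line.split("|", 1)
        if kind == "REG":
            key, name, data = rest.split("|", 2)
            entries[("REG", key.lower(), name.lower())] = data
        elif kind == "FILE":
            path, digest = rest.split("|", 1)
            entries[("FILE", path.lower())] = digest
        else:
            raise ValueError(f"unknown entry kind: {kind}")
    return entries


def diff_snapshots(before: dict, after: dict) -> dict:
    """The three Regshot categories: keys added, deleted and modified between snapshots."""
    return {
        "added": sorted(k for k in after if k not in before),
        "deleted": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def cleanup_residue(baseline: dict, after_cleanup: dict, delta: dict) -> list:
    """Infection artifacts that clean-up failed to undo, judged against the baseline."""
    residue = []
    for key in delta["added"]:        # must be gone
        if key in after_cleanup:
            residue.append(key)
    for key in delta["modified"]:     # must be back at the baseline value
        if after_cleanup.get(key) != baseline[key]:
            residue.append(key)
    for key in delta["deleted"]:      # must have been restored
        if key not in after_cleanup:
            residue.append(key)
    return sorted(residue)


if __name__ == "__main__":
    base = parse_snapshot(BASELINE)
    delta = diff_snapshots(base, parse_snapshot(INFECTED))
    for category, keys in delta.items():
        print(category, *keys, sep="\n  ")
    print("residue after partial clean-up:",
          cleanup_residue(base, parse_snapshot(PARTIAL_CLEANUP), delta))
    print("residue after full clean-up:",
          cleanup_residue(base, parse_snapshot(FULL_CLEANUP), delta))
```

The check is deliberately two-sided: an entry the sample added must be absent, but an entry it modified (the hosts file here) must be back at its baseline value, not merely different from the infected state, which is what makes the partial clean-up fail. A snapshot diff only covers what the snapshot covers, so the same comparison should be taken with the scan directory set to the whole drive, as the brief's Regshot hint requires, and paired with the process and network observations from the other tasks.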

Attachment:- Malware Investigation.rar




All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd