CTEC3317 Malware Analysis Assignment

Reference no: EM132460573

CTEC3317 Malware Analysis - De Montfort University

Assignment - Malware Investigation

Learning Outcomes:

LO 1. Identify and analyse malware using appropriate procedures, tools and techniques

LO 2. Interpret and communicate the significance of malware behaviour to decision makers

LO 3. Distinguish and critically compare malware delivery and spreading techniques

LO 4. Assess and synthesize the likely impact of a malware infection from its binary

Tasks:

Analyse two specimens of malware and answer questions about the insights gained, detailing your approach with relevant evidence (e.g. screenshots, excerpts of logs, etc.)

Section 1: Static and dynamic analysis of an unknown suspicious file

Scenario and goal

You have been provided with an unknown file found on a suspected infected machine on your organization's network. The goal is to perform an in-depth analysis of the file to determine its type, infection mechanisms, and document any observable behaviours. After the analysis you will recommend steps to eradicate the malware from all the other systems in your organization that have been infected by the same malware.

Environment and tools

Analyse the file "suspicious.file" on a Windows virtual machine. The file should be extracted from "suspicious.7z" with the archive password 'infected'. Please note that this is real malware. Which tools you use is entirely up to you. In malware analysis there is rarely one "right" path. Be creative and observant! However, I suggest you look at previous lab exercises and lecture slides, and pick whatever tools you deem appropriate. Provide documentary evidence to support your answers where appropriate, for example screenshots, excerpts from logs, dumps and other analysis outputs.

Analysis tasks

Question 1. What type of file is the suspicious program? How do you determine its type? Document the method you used or the steps you took to identify the type of file. Can the program be run as it is? If not, explain what you would do to make it execute. [5 marks]

Question 2. Now that you've determined how to make it execute for analysis, is the malware packed? What observable features of the file suggest that it may or may not be packed? Document your observations with any applicable tools of your choice. [5 marks]

Question 3. Next, perform a basic static analysis of the malware sample and document your findings. For example, what do the imports and exports tell you about the sample? (Remember, MSDN is your friend.) Are there any interesting strings? Can you observe anything suspicious section-wise? If the sample is packed, make sure you unpack it first. [6 marks]
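The file-type and packing checks behind Questions 1 to 3 can be scripted rather than eyeballed. The following is an added example, not part of the assignment or its sample: it reads the PE headers to report the image type (and whether a DLL needs a host process to run), then scores each section for the classic packing hints (near-maximal entropy, a virtual size far larger than the raw size, a writable-and-executable section). The PE image it runs on is constructed inline so the script works offline; the section names and sizes are invented.

```python
import math
import struct

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; compressed or encrypted data approaches 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0

def triage_pe(blob: bytes) -> dict:
    """Identify a PE from its headers and collect section-level hints of packing."""
    if blob[:2] != b"MZ":
        return {"type": "not a PE image (no MZ signature)", "sections": [], "hints": [], "likely_packed": False}
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return {"type": "MZ stub without PE signature", "sections": [], "hints": [], "likely_packed": False}
    machine, nsec, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", blob, e_lfanew + 4)
    kind = {0x14C: "PE32 x86", 0x8664: "PE32+ x64"}.get(machine, f"PE machine {machine:#x}")
    kind += " DLL (cannot run on its own; needs a host such as rundll32)" if chars & 0x2000 else " executable"
    sec_off = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections, hints = [], []
    for i in range(nsec):
        name, vsize, _, rsize, rptr, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", blob, sec_off + 40 * i)
        sname = name.rstrip(b"\0").decode("ascii", "replace")
        ent = round(entropy(blob[rptr:rptr + rsize]), 2)
        sections.append({"name": sname, "entropy": ent, "raw": rsize, "virtual": vsize})
        if ent > 7.0:
            hints.append(f"{sname}: entropy {ent}, looks compressed or encrypted")
        if vsize > 2 * max(rsize, 1):
            hints.append(f"{sname}: virtual size {vsize:#x} far exceeds raw size {rsize:#x} (space to unpack into)")
        if (flags & 0xA0000000) == 0xA0000000:  # IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
            hints.append(f"{sname}: writable and executable section")
    return {"type": kind, "sections": sections, "hints": hints, "likely_packed": bool(hints)}

def build_sample_pe() -> bytes:
    """Constructed, non-runnable PE image used only to exercise the triage (not the assignment's sample)."""
    text = b"\x90" * 255 + b"\xc3"       # near-zero entropy, like plain padding and code
    packed = bytes(range(256)) * 4         # uniform byte distribution: entropy exactly 8.0
    e_lfanew, opt_size = 0x40, 0xE0        # PE32 optional header size
    raw0 = e_lfanew + 24 + opt_size + 40 * 2
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    fh = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x2102)  # x86, EXECUTABLE_IMAGE | DLL
    s0 = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), raw0, 0, 0, 0, 0, 0x60000020)
    s1 = struct.pack("<8sIIIIIIHHI", b"UPX1", 0x20000, 0x2000, len(packed), raw0 + len(text), 0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + fh + b"\0" * opt_size + s0 + s1 + text + packed

if __name__ == "__main__":
    report = triage_pe(build_sample_pe())
    print(report["type"])
    for h in report["hints"]:
        print("packing hint:", h)
```

Run it against the extracted sample by replacing `build_sample_pe()` with the file's bytes; a clean, unpacked build normally produces no hints, so any hint is a cue to unpack before the import and string analysis.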

Question 4. Analyse the sample dynamically and monitor its activities on the system. What changes do you observe on the host? For example, is anything dropped, executed or deleted? (Hint: if you use Regshot in any phase of your analysis, be careful to set the right scan directory, i.e. 'C:\'.) Support your claims with documentary evidence. [8 marks]

Question 5. Is the malware sample persistent? If yes, how does it achieve its goal of being persistent on the system? What corroborating observations can you put forth from your analysis that the malware is persistent? Provide evidence of the sample's persistence on the system (use appropriate tools to investigate).

Question 6. Does the malware exhibit any network-based behaviours? Analyse and document any observable network activity under (a) an isolated environment and (b) with the system connected online (in this exercise it is OK to let the sample talk to the outside world). Document all observable traffic/network activity patterns using appropriate tools and techniques.

Question 7. As a member of the incident response team in your organization you are tasked with the removal of the malware from all systems infected with this same malware. How would you eliminate the malware from an infected system on your network? Outline the steps to be taken in cleaning up the system. Show how you would confirm that the malware has been completely removed by the steps you have taken.

Section 2: Analysis and reverse engineering of a malicious DLL

Scenario and goal

Your friend received an email with an attachment and proceeded to open the email. Without being careful, your friend opened the attachment and is now concerned that the system may be infected.

Answer all the questions below (in the analysis tasks section) backing your answers with appropriate proofs and detailed supporting documentation and evidence from analyses.

Environment and tools

Analyse the file "malsample.dll" on a Windows virtual machine. Extract it from "malsample.7z" with the archive password 'infected'. Which tools you use is entirely up to you. In malware analysis there is rarely one "right" path. Be creative and observant! However, I suggest you look at previous lab exercises and lecture slides, and pick whatever tools you deem appropriate. Provide documentary evidence to support your answers where appropriate, for example screenshots, excerpts from logs, dumps and other analysis outputs. Please provide your answers under each given question. Any references cited should be listed at the end of your report.

Analysis tasks

Question 1. Your friend receives the file as an email attachment on their Windows XP machine and accidentally double-clicks the file. Is their system infected? If yes, why/how? If no, why not? Explain and support your answer with evidence from dynamic analysis.

Question 2. Analyse the sample dynamically and monitor its activities on the system. Outline the steps taken to execute the sample for analysis. What changes do you observe on the host? For example, is anything dropped, executed or deleted? Any other changes to the host observed? (Hint: if you use Regshot in any phase of your analysis, be careful to set the right scan directory, i.e. C:\.) Support your claims with documentary evidence.

Question 3. Under which process is the malicious DLL running? What is the process ID of this process? Document your approach and show how you obtained this information.

Question 4. Does the malware exhibit any network-based behaviours? Analyse and document any observable network activity in an isolated environment. How does this malware behave network-wise?

Question 5. Reverse engineer the sample with IDA/IDA pro. (a) How many functions are exported by the DLL? (b) What are the addresses of the functions that the DLL exports? (c) How many functions call the kernel32 API LoadLibrary function? (d) How many times is the kernel32 API Sleep() function called in the DLL? (support your answers with documentary evidence e.g. screenshots)

Question 6. Navigate to the ServiceMain function. (a) Show the graph view of the function. (b) The main subroutine (of the ServiceMain function) jumps to a location where the code calls the kernel32 API Sleep() function right after the JZ assembly instruction. What is the value of the parameter used by this Sleep() function?

Question 7. Malware analysts sometimes need to patch an executable in order to alter its behaviour, especially when the malware uses evasive techniques. The parameter used in the Sleep function (referred to in Question 6) provides a time delay after which the main subroutines are called to perform network operations that generate traffic. Permanently patch the DLL to remove the delay so that the network activity begins without any delay, i.e. immediately after the DLL is executed. Document the steps taken.

Question 8. Run the DLL again and confirm that your patch has removed the delay. Document the activity and present the evidence showing that the delay in sending network traffic has been removed.
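The patch asked for in Questions 7 and 8 is a single immediate: the `push <milliseconds>` that feeds the `call` to Sleep. The following is an added example, not part of the assignment or its DLL, of how to apply that patch from a script so the step is repeatable and documented: it refuses to write unless the bytes at the given file offset really are a `push imm32` followed by an indirect call through the import table, which catches a mistaken offset before anything is overwritten. The bytes it patches are constructed inline and stand in for the DLL; the import-slot address 0x10002000 and the 60000 ms delay are invented.

```python
import struct

PUSH_IMM32 = 0x68          # push imm32
CALL_IAT = b"\xff\x15"     # call dword ptr [imm32]: how 32-bit code calls an imported API such as Sleep

def patch_sleep_delay(image: bytes, push_offset: int, new_ms: int = 0) -> tuple:
    """Rewrite the immediate of the `push <milliseconds>` that feeds Sleep() at push_offset.

    push_offset is a FILE offset; IDA shows virtual addresses, so map the VA through the
    section's RVA/raw-pointer difference first. The byte checks catch a wrong offset before
    anything is overwritten. Returns (patched_image, original_milliseconds).
    """
    if image[push_offset] != PUSH_IMM32:
        raise ValueError(f"no push imm32 at {push_offset:#x} (found {image[push_offset]:#04x})")
    if image[push_offset + 5:push_offset + 7] != CALL_IAT:
        raise ValueError("push is not followed by an indirect call; wrong offset or a different pattern")
    old_ms = struct.unpack_from("<I", image, push_offset + 1)[0]
    patched = bytearray(image)
    struct.pack_into("<I", patched, push_offset + 1, new_ms)
    return bytes(patched), old_ms

# Constructed bytes standing in for the DLL (not the assignment's sample):
#   nop ; nop ; push 60000 ; call dword ptr [0x10002000] ; ret
SAMPLE = b"\x90\x90" + b"\x68" + struct.pack("<I", 60000) + CALL_IAT + struct.pack("<I", 0x10002000) + b"\xc3"

if __name__ == "__main__":
    patched, old_ms = patch_sleep_delay(SAMPLE, push_offset=2)
    print(f"Sleep argument {old_ms} ms -> {struct.unpack_from('<I', patched, 3)[0]} ms")
```

Record the file hash before and after the write as part of the Question 8 evidence, and re-run the dynamic capture to show the first network activity now appears without the delay.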

Attachment: Malware Analysis.rar
