How you would setup a network analysis environment

Assignment Help Computer Network Security
Reference no: EM133643429, Length: 5000 words

Tasks to be undertaken:

In this coursework, you are expected to:

Analyse three PDF files and two specimens of malware and answer questions about the insights gained, detailing your approach with relevant evidence, e.g., screenshots, excerpts of logs, etc.

Part 1: Static and dynamic analysis of unknown suspicious files

Scenario and goal
You have been provided with a set of unknown files found on a suspected infected machine on your organization's network. The goal is to perform in-depth analysis of the files and document any observable characteristics and/or behaviours.

Answer all the questions below (in the analysis tasks section) backing your answers with appropriate proofs and detailed supporting documentation and evidence from analyses. Please provide your answers under each given question. Any references cited should be listed at the end of your report.

Environment and tools
Analyze the set of PDF files zipped within the "cw_pdf_files.7z" in a REMnux environment using appropriate tools. The password for unzipping is 'infected'. Also, analyse the file "suspicious.file" on a Windows XP virtual machine. The file should be extracted from "suspicious.7z" with the archive password 'infected'.

Please note that these are real malware. Which tools you use is entirely up to you. In malware analysis there is rarely one "right" path. Be creative and observant! However, I suggest you look at previous lab exercises and lecture slides, and pick whatever tools you deem appropriate. Provide documentary evidence to support your answers where appropriate, for example screenshots, excerpts from logs, dumps and other analysis outputs.

Analysis tasks

Question 1. Retrieve the three PDF documents from the "cw_pdf_files.7z" archive file. Perform a comprehensive analysis of the three files and present your findings, drawing conclusions as to whether or not each of the files may be a malicious PDF document.
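For Question 1, a first triage pass over a PDF is a keyword scan of the raw bytes, with the #xx name escape undone so that an obfuscated /J#61vaScript is still counted as /JavaScript. The Python below is an added illustration, not part of the coursework or its files: it runs over a constructed sample, and the keyword list, thresholds and finding labels are choices made here in the spirit of pdfid, not the output of any named tool.

```python
import re

# Names that pdfid-style triage counts. None proves malice by itself, but an automatic action
# combined with JavaScript, a launch action or an embedded file in an unsolicited PDF warrants a look.
KEYWORDS = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
            "/EmbeddedFile", "/RichMedia", "/URI", "/ObjStm", "/XFA")

def normalize_names(data: bytes) -> bytes:
    """Undo the #xx name escape so that /J#61vaScript is counted as /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)

def scan_pdf(data: bytes) -> dict:
    """Count structural tokens and risky names over raw bytes (no PDF parser, so malformed files still scan)."""
    norm = normalize_names(data)
    counts = {}
    for kw in KEYWORDS:
        # A name ends at whitespace or a delimiter, so /JS must not also match /JSx.
        counts[kw] = len(re.findall(re.escape(kw.encode()) + rb"(?![A-Za-z0-9])", norm))
    counts["obj"] = len(re.findall(rb"\bobj\b", norm))
    counts["endobj"] = norm.count(b"endobj")
    counts["stream"] = len(re.findall(rb"\bstream\b", norm))
    counts["endstream"] = norm.count(b"endstream")
    # Names written with hex escapes in the original bytes: a common way to hide /JavaScript from grep.
    counts["obfuscated_names"] = len(re.findall(rb"/[A-Za-z0-9#]*#[0-9A-Fa-f]{2}", data))
    return counts

def triage(data: bytes) -> list:
    """Turn the counts into the observations a report would state, in a fixed order."""
    c = scan_pdf(data)
    findings = []
    if not data.startswith(b"%PDF"):
        findings.append("PDF header not at offset 0")
    if c["obfuscated_names"]:
        findings.append("hex-escaped names present (possible keyword hiding)")
    if c["/JavaScript"] or c["/JS"]:
        findings.append("embedded JavaScript")
    if c["/OpenAction"] or c["/AA"]:
        findings.append("automatic action on open or event")
    if c["/Launch"] or c["/EmbeddedFile"]:
        findings.append("launch action or embedded file")
    if c["obj"] != c["endobj"] or c["stream"] != c["endstream"]:
        findings.append("unbalanced obj/stream markers (malformed or truncated)")
    return findings

# Constructed sample, not one of the coursework files: a catalog whose OpenAction runs an obfuscated JavaScript action.
SAMPLE_PDF = (b"%PDF-1.4\n"
              b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"3 0 obj << /S /J#61vaScript /JS (app.alert('constructed sample')) >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")
```

Counts alone do not settle the question; the follow-up is to extract object 3 and the referenced script and read what it does.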

Question 2. Retrieve "suspicious.file" from the zipped archive. How would you confirm what type of file it is? What observable features of the file suggest that it may/may not be packed? Document your observations with any applicable tools of your choice.

Question 3. Next, perform a basic static analysis of the malware sample (suspicious.file) and document your findings. For example, what do the imports and exports tell you about the sample? (Remember, MSDN is your friend) Are there any interesting strings? Can you observe anything suspicious section-wise? If the sample is packed, make sure you unpack it first.
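Questions 2 and 3 ask which observable features suggest packing and what looks suspicious section-wise. The Python below is an added illustration, not part of the coursework and not run against suspicious.file: it walks the PE section table by hand, computes per-section Shannon entropy and reports the usual packing indicators (entropy above 7.0, a section empty on disk but large in memory, non-standard section names, writable-and-executable sections); the thresholds are assumptions, and the UPX-style image it examines is constructed inline.

```python
import math, struct
from collections import Counter
# Section names a normal linker emits; anything else (UPX0, .aspack, ...) deserves a look.
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".bss", ".tls"}
WX = 0x80000000 | 0x20000000  # IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE

def shannon_entropy(buf: bytes) -> float:  # bits per byte; compressed or encrypted data sits near 8.0
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in Counter(buf).values()) if buf else 0.0

def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table by hand (no pefile needed)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt_size = struct.unpack_from("<xxH12xH", pe, e_lfanew + 4)  # NumberOfSections, SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size  # section headers start right after the optional header
    sections = []
    for off in range(table, table + 40 * nsec, 40):
        name, vsize, _va, rsize, rptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, off)
        sections.append({"name": name.rstrip(b"\0").decode(errors="replace"), "vsize": vsize, "rsize": rsize,
                         "entropy": round(shannon_entropy(pe[rptr:rptr + rsize]), 2),
                         "wx": (chars & WX) == WX})
    return sections

def packing_indicators(sections: list):
    """Yield the heuristics that commonly accompany packing; each hit is a lead to verify, not a verdict."""
    for s in sections:
        if s["entropy"] > 7.0:
            yield f"{s['name']}: entropy {s['entropy']} (compressed or encrypted content)"
        if s["rsize"] == 0 and s["vsize"] > 0:
            yield f"{s['name']}: empty on disk, {s['vsize']:#x} bytes in memory (unpack target)"
        if s["name"] not in STANDARD_NAMES:
            yield f"{s['name']}: non-standard section name"
        if s["wx"]:
            yield f"{s['name']}: writable and executable"

def build_sample_pe(layout: list) -> bytes:
    """Constructed minimal PE (not a real sample): DOS stub, COFF header, no optional header."""
    blob = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))  # e_lfanew -> 0x40
    blob += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0, 0x102)
    raw_off, body = len(blob) + 40 * len(layout), bytearray()
    for name, vsize, data, chars in layout:  # (name, VirtualSize, raw bytes, Characteristics)
        blob += struct.pack("<8sIIIIIIHHI", name, vsize, 0x1000, len(data), raw_off if data else 0, 0, 0, 0, 0, chars)
        body += data
        raw_off += len(data)
    return bytes(blob + body)

# Constructed UPX-style layout: empty UPX0 to unpack into, high-entropy UPX1, tiny .text stub.
PACKED_LAYOUT = [(b"UPX0", 0x8000, b"", 0xE0000080), (b"UPX1", 0x3000, bytes(range(256)) * 4, 0xE0000040),
                 (b".text", 0x200, b"\x90" * 64 + b"\xC3", 0x60000020)]
```

Run `list(packing_indicators(parse_sections(open(path, "rb").read())))` against a real file to get the same report; a near-empty import table alongside these hits is the other classic sign that unpacking comes before any meaningful import or string analysis.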

Question 4. Analyse the sample dynamically and monitor its activities on the system. What changes do you observe on the host? For example, is anything dropped, executed or deleted? (Hint: if you use Regshot in any phase of your analysis, set the right scan directory to 'C:\'). Support your claims with documentary evidence from tools such as Regshot, Process Monitor, etc.

Question 5. Does the malware exhibit any network-based behaviour? Analyse and document any observable network activities under (a) an isolated environment and (b) with the system connected online (in this exercise it is ok to let the sample talk to the outside world). Document all observable patterns in network activities using appropriate tools and techniques.

Presentation: organization, readability, references etc.

Part 2: Analysis and reverse engineering of a malicious DLL

This is the second part of your graded coursework and is worth 50% of your total marks.

Scenario and goal
Your friend received an email with an attachment and proceeded to open the email. Without being careful, your friend opened the attachment and is now concerned that the system may be infected.
Answer all the questions below (in the analysis tasks section) backing your answers with appropriate proofs and detailed supporting documentation and evidence from analyses.

Environment and tools
Analyze the file "malsample.dll" on a Windows XP virtual machine. Extract it from "malsample.7z" with the archive password 'infected'. Which tools you use is entirely up to you. In malware analysis there is rarely one "right" path. Be creative and observant! However, I suggest you look at previous lab exercises and lecture slides, and pick whatever tools you deem appropriate. Provide documentary evidence to support your answers where appropriate, for example screenshots, excerpts from logs, dumps and other analysis outputs. Please provide your answers under each given question. Any references cited should be listed at the end of your report.

Analysis tasks

Question 1. Your friend receives the file (malsample.dll) in an email attachment on their Windows XP machine and accidentally double-clicks the file. Is their system infected? If yes, why/how? If no, why not? Explain and support your answer with evidence from dynamic analysis.

Question 2. Perform a basic static analysis of the malware sample and document your findings.

What do the imports and exports tell you about the sample? Is the sample packed?

Can you observe anything suspicious section-wise?

Question 3. Analyse the sample dynamically and monitor its activities on the system. Outline the steps taken to execute the sample for analysis. What changes do you observe on the host? For example, is anything dropped, executed or deleted? Any other changes to the host observed? (Hint: if you use Regshot in any phase of your analysis, be careful to set the right scan directory i.e. C:\). Support your claims with documentary evidence. [10 marks]

Question 4. Under which process is the malicious DLL running? What is the process ID of this process? Document your approach and show how you obtained this information.

Question 5. Describe how you would set up a network analysis environment. Does the malware exhibit any network-based behaviours? Analyse and document any observable network activity in an isolated environment. How does this malware behave network-wise?

Question 6. Reverse engineer the sample with IDA/IDA Pro.

(a) How many functions are exported by the DLL?

(b) What are the addresses of the functions that the DLL exports?

(c) How many functions call the kernel32 API LoadLibrary?

(d) How many times is the kernel32 API Sleep() called in the DLL? (support your answers with documentary evidence, e.g., screenshots).

Question 7. Navigate to the ServiceMain function. (a) Show the graph view of the function. (b) The main subroutine (of the ServiceMain function) jumps to a location where the code calls the kernel32 API Sleep() right after the JZ assembly instruction. What is the value of the parameter used by this Sleep() call?

Question 8. Presentation: organization, readability, references etc.
