Reference no: EM132583606, Length: 2 pages
Part 1 - Credential Stealing
For part 1 of this lab, analyze the file Lab5-1.exe.
Question 1. What kind of malware is Lab5-1.exe (Backdoor, RAT, GINA Interceptor, Keylogger, Rootkit, or Launcher)?
Question 2. What is the name and location of the file that gets created?
Question 3. Does it use a polling technique or a hooking technique?
Question 4. Use IDA to provide an analysis of the code. Discuss how the malware works. You may use any combination of tools at your disposal. Include screenshots of IDA to help explain critical code segments. Execute the malware and observe the contents of the log file. Provide a screenshot of the log file.
Part 2 - Covert Malware Launching and Injection
For part 2 of this lab, analyze the files Lab5-2.exe and Lab5-2.dll.
Question 1) Briefly examine Lab5-2.exe in IDA. What type of covert launching do you initially suspect this malware of performing (direct injection, DLL injection, hook injection, APC injection, or process replacement)? What is the evidence?
Question 2) Which process does this malware target? How can you tell?
Question 3) Examine Lab5-2.dll in IDA. You will observe that the DLL simply invokes a thread that creates a loop of threads that generate a pop-up window every six seconds to show that the DLL was successfully injected. What is the startAddress of the outer thread and what is the startAddress of the inner thread?
Question 4) Execute the target (victim) process norwich.exe. Do not click "OK", since that will terminate the process and it will not be injected. Now execute Lab5-2.exe. What are your observations? You should see the pop-up window that you suspected during your static code analysis of Lab5-2.dll, appearing every six seconds. With norwich.exe still running, open Process Hacker. Examining the process list, you should not see any evidence of Lab5-2.exe or Lab5-2.dll. However, the pop-up we saw in Lab5-2.dll keeps coming. Let's look at the target process, norwich.exe, by double-clicking on it in Process Hacker. Look in the "Modules" tab and the "Threads" tab. Do you observe evidence of Lab5-2.dll? Look at the import table of norwich.exe via CFF Explorer. Do you see it import Lab5-2.dll? If that DLL is not being imported by norwich.exe, then what is your initial hypothesis as to why norwich.exe is executing code from a DLL it did not import?
Question 5) Perform a more in-depth static code analysis on Lab5-2.exe. Explain the injection technique. Who calls the code in DllMain of Lab5-2.dll (the OS, the victim process, or the Lab5-1.exe launcher)? When does DllMain get called? Be sure to clearly indicate the roles of the DLL and the EXE. Include screenshots of important code sections to augment your discussion.