CTEC3317 Identify and analyse malware using appropriate procedures, tools and techniques.

Published by: Admin
Last Updated: 07-Jul-23

CTEC3317 Malware Analysis - De Montfort University

Assignment - Malware Investigation

Learning Outcomes:

LO1. Identify and analyse malware using appropriate procedures, tools and techniques.

LO2. Interpret and communicate the significance of malware behaviour to decision makers.

LO3. Distinguish and critically compare malware delivery and spreading techniques.

LO4. Assess and synthesize the likely impact of a malware infection from its binary.

Tasks:

Analyse two specimens of malware and answer questions about the insights gained, detailing your approach with relevant evidence (e.g. screenshots, excerpts of logs, etc.).

Section 1: Static and dynamic analysis of an unknown suspicious file

Scenario and goal

You have been provided with an unknown file found on a suspected infected machine on your organization's network. The goal is to perform an in-depth analysis of the file to determine its type, infection mechanisms, and document any observable behaviours. After the analysis you will recommend steps to eradicate the malware from all the other systems in your organization that have been infected by the same malware.

Environment and tools

Analyse the file "suspicious.file" on a Windows virtual machine. The file should be extracted from "suspicious.7z" with the archive password 'infected'. Please note that this is real malware: take a clean snapshot of the VM before running it and keep the VM isolated from any network you care about, except where Question 6 calls for connectivity. Which tools you use is entirely up to you. In malware analysis there is rarely one "right" path. Be creative and observant! However, I suggest you look at previous lab exercises and lecture slides, and pick whatever tools you deem appropriate. Provide documentary evidence to support your answers where appropriate, for example screenshots, excerpts from logs, dumps and other analysis outputs.

Analysis tasks

Question 1. What type of file is the suspicious program? How do you determine its type? Document the method you used or steps you took to identify the type of file. Can the program be run as it is? If not, explain what you would do to make it execute. [5 marks]

Question 2. Now that you've determined how to make it execute for analysis, is the malware packed? What observable features of the file suggest that it may or may not be packed? Document your observations with any applicable tools of your choice. [5 marks]

Question 3. Next, perform a basic static analysis of the malware sample and document your findings. For example, what do the imports and exports tell you about the sample? (Remember, MSDN is your friend.) Are there any interesting strings? Can you observe anything suspicious section-wise? If the sample is packed, make sure you unpack it first. [6 marks]
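The following script is an added example for Questions 1 to 3 and is not part of the assignment or the module's lab material. It identifies a file by its magic bytes rather than its name, walks the PE headers with the standard library only (no pefile), scores each section's entropy and flags the usual packing tells, and pulls out strings that name watchlisted APIs, URLs or autorun keys. With no argument it runs on a constructed, inert PE32 skeleton built in memory (not the assignment's suspicious.file); the section layout, the `UPX1` name, the `example.invalid` URL and the API watchlist are all assumptions chosen to exercise the checks. Real import analysis needs the import directory (e.g. pefile or PE-bear); the string scan here is only a first pass, and a packed sample hides its imports until it is unpacked.

```python
"""Static triage of a suspected PE file with the standard library only.
Added example, not course material. With no argument it runs on a constructed,
inert PE32 skeleton (no code in it ever runs) built to trip the checks.
Usage: python pe_triage.py suspicious.file
"""
import hashlib
import math
import re
import struct
import sys

MAGICS = [(b"MZ", "PE (MZ header)"), (b"\x7fELF", "ELF"), (b"PK\x03\x04", "ZIP container (also OOXML/JAR)"),
          (b"%PDF", "PDF"), (b"\xd0\xcf\x11\xe0", "OLE2 compound file (legacy Office)")]
PACKER_SECTIONS = {"upx0", "upx1", "upx2", ".aspack", ".adata", ".petite", ".themida",
                   ".vmp0", ".vmp1", ".nsp0", ".nsp1", ".mpress1", ".mpress2"}
WATCHLIST = ("URLDownloadToFile", "WinExec", "CreateRemoteThread", "WriteProcessMemory",   # assumed watchlist
             "VirtualAllocEx", "ShellExecute", "InternetOpen", "RegSetValueEx", "CurrentVersion\\Run")


def identify_type(data: bytes) -> str:
    """Classify by magic bytes; the name 'suspicious.file' carries no information."""
    return next((name for magic, name in MAGICS if data.startswith(magic)), "unknown")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0..8; compressed or encrypted data sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in (data.count(b) for b in set(data))) if n else 0.0


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                     # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt_magic = struct.unpack_from("<H", data, pe + 24)[0]          # optional header follows 20-byte COFF header
    sections = []
    for i in range(nsect):
        off = pe + 24 + opt_size + 40 * i                            # 40-byte IMAGE_SECTION_HEADER entries
        name, vsize, _, rsize, rptr, _, _, _, _, schars = struct.unpack_from("<8sIIIIIIHHI", data, off)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "raw_size": rsize,
            "entropy": round(shannon_entropy(data[rptr:rptr + rsize]), 2),
            "executable": bool(schars & 0x20000000), "writable": bool(schars & 0x80000000),
        })
    return {"machine": {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine)),
            "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(opt_magic, hex(opt_magic)),
            "is_dll": bool(chars & 0x2000), "sections": sections}


def packing_indicators(info: dict) -> list:
    """Heuristics only: a hit means 'look closer', not proof of packing."""
    flags = []
    for s in info["sections"]:
        if s["entropy"] > 7.0:
            flags.append(f"{s['name']}: entropy {s['entropy']} (compressed/encrypted data)")
        if s["name"].lower() in PACKER_SECTIONS:
            flags.append(f"{s['name']}: known packer section name")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            flags.append(f"{s['name']}: empty on disk but {s['virtual_size']} bytes in memory (unpack target)")
        if s["executable"] and s["writable"]:
            flags.append(f"{s['name']}: writable and executable (self-modifying/unpacking code)")
    return flags


def strings_of_interest(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs that name a watchlisted API, a URL or an autorun key."""
    found = (m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data))
    return sorted({s for s in found if any(w in s for w in WATCHLIST) or re.match(r"https?://", s)})


def build_sample() -> bytes:
    """Constructed, inert PE32 skeleton: a readable .text and a high-entropy 'UPX1' section."""
    text = (b"This program cannot be run in DOS mode.\0kernel32.dll\0URLDownloadToFileA\0WinExec\0"
            b"http://example.invalid/update.bin\0Software\\Microsoft\\Windows\\CurrentVersion\\Run\0").ljust(512, b"\0")
    blob, h = b"", b"seed"                                            # sha256 chain stands in for a compressed payload
    while len(blob) < 4096:
        h = hashlib.sha256(h).digest()
        blob += h
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)               # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x0102)   # x86, 2 sections, EXECUTABLE_IMAGE
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")                 # PE32 optional header, rest zeroed
    secs = (struct.pack("<8sIIIIIIHHI", b".text", 512, 0x1000, 512, 512, 0, 0, 0, 0, 0x60000020)
            + struct.pack("<8sIIIIIIHHI", b"UPX1", 0x8000, 0x2000, 4096, 1024, 0, 0, 0, 0, 0xE0000040))
    return (dos + b"PE\0\0" + coff + opt + secs).ljust(512, b"\0") + text + blob[:4096]


def triage(data: bytes) -> dict:
    report = {"type": identify_type(data), "sha256": hashlib.sha256(data).hexdigest(), "size": len(data)}
    if report["type"].startswith("PE"):
        report.update(parse_pe(data))
        report["packing_indicators"] = packing_indicators(report)
        report["strings_of_interest"] = strings_of_interest(data)
    return report


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Record the SHA-256 it prints in your report before anything else, so every later screenshot can be tied to the same bytes. A section with entropy above about 7 next to an almost empty `.text`, a writable and executable section, or a raw size of zero with a large virtual size are the observations Question 2 asks for; confirm them with a second tool (Detect It Easy, PEiD, or the entropy view in PE-bear) rather than relying on one heuristic.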

Question 4. Analyse the sample dynamically and monitor its activities on the system. What changes do you observe on the host? For example, is anything dropped, executed or deleted? (Hint: if you use Regshot in any phase of your analysis, be careful to set the right scan directory, i.e. C:\) Support your claims with documentary evidence. [8 marks]

Question 5. Is the malware sample persistent? If yes, how does it achieve its goal of being persistent on the system? What corroborating observations can you put forth from your analysis that the malware is persistent? Provide evidence of the sample's persistence on the system (use appropriate tools to investigate).
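An added example for Questions 4 and 5 (not part of the assignment or the module's material): it reads a Regshot before/after text comparison, lists the files the sample dropped and deleted, and matches the registry values and new files against the common autostart locations (Run/RunOnce, Winlogon Userinit/Shell, service ImagePath, Startup folder, scheduled task files, IFEO). The report embedded below is constructed for the demonstration and only approximates the headings Regshot's text output uses; the paths, key names and SID in it are made up. The list it produces is also the artefact inventory you will need for the clean-up in Question 7.

```python
"""Read a Regshot before/after text report and pull out dropped files,
deleted files and persistence mechanisms. Added example, not course material;
SAMPLE_REPORT is constructed and only approximates Regshot's section headings.
Usage: python regshot_triage.py report.txt   (no argument: runs on the sample)
"""
import re
import sys

SAMPLE_REPORT = r"""Regshot report (constructed sample)
Comments: suspicious.file executed between snapshots

----------------------------------
Values added: 2
----------------------------------
HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\WinUpd: "C:\Users\analyst\AppData\Roaming\winupd.exe"
HKLM\SYSTEM\CurrentControlSet\Services\WinUpdSvc\ImagePath: "C:\Windows\Temp\winupd.exe -svc"

----------------------------------
Values modified: 1
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\Windows\system32\userinit.exe,"
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit: "C:\Windows\system32\userinit.exe,C:\Windows\Temp\winupd.exe"

----------------------------------
Files added: 3
----------------------------------
C:\Users\analyst\AppData\Roaming\winupd.exe
C:\Windows\Temp\winupd.exe
C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk

----------------------------------
Files deleted: 1
----------------------------------
C:\Users\analyst\Desktop\suspicious.file

----------------------------------
Total changes: 7
----------------------------------
"""

HEADING_RE = re.compile(r"^(Keys added|Keys deleted|Values added|Values modified|Values deleted|"
                        r"Files added|Files deleted|Folders added|Folders deleted|Total changes):\s*\d+$")


def parse_report(text: str) -> dict:
    """Group report lines under the 'Keys added: N' style heading that precedes them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADING_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and not line.startswith("----"):
            sections[current].append(line)
    return sections


PERSISTENCE_RULES = [(re.compile(p, re.I), label) for p, label in [
    (r"\\CurrentVersion\\Run(Once)?\\", "Run/RunOnce autostart value"),
    (r"\\Winlogon\\(Userinit|Shell):", "Winlogon Userinit/Shell hijack"),
    (r"\\CurrentControlSet\\Services\\[^\\]+\\ImagePath:", "service ImagePath (starts at boot, usually as SYSTEM)"),
    (r"\\Start Menu\\Programs\\Startup\\", "Startup folder item"),
    (r"^C:\\Windows\\System32\\Tasks\\", "scheduled task definition"),
    (r"\\Image File Execution Options\\[^\\]+\\Debugger:", "IFEO Debugger hijack"),
]]
DROPPED_EXT = re.compile(r"\.(exe|dll|scr|com|bat|cmd|ps1|vbs|js|lnk)$", re.I)


def summarize_report(sections: dict) -> dict:
    """Dropped executables, deleted files, and every autostart entry that was added or changed."""
    dropped = sections.get("Files added", [])
    hits = []
    for sec in ("Values added", "Values modified", "Files added"):
        for line in sections.get(sec, []):
            # Regshot prints the old and the new value of a modified entry on consecutive
            # lines; keep only the one that references a file the sample dropped.
            if sec == "Values modified" and not any(f.lower() in line.lower() for f in dropped):
                continue
            for rx, label in PERSISTENCE_RULES:
                if rx.search(line):
                    hits.append({"mechanism": label, "section": sec, "evidence": line})
                    break
    return {
        "dropped_executables": [f for f in dropped if DROPPED_EXT.search(f)],
        "deleted_files": sections.get("Files deleted", []),
        "persistence": hits,
    }


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    for key, items in summarize_report(parse_report(text)).items():
        print(f"== {key} ({len(items)})")
        for item in items:
            print("  ", item if isinstance(item, str) else f"{item['mechanism']}  <-  {item['evidence']}")
```

A deleted `suspicious.file` alongside a newly added executable elsewhere is the classic "copy itself and remove the original" pattern worth calling out in Question 4. Regshot only sees what changed between its two snapshots, so pair it with Process Monitor for the ordering (which process wrote which file and key), and confirm each persistence hit with Autoruns after a reboot for Question 5.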

Question 6. Does the malware exhibit any network-based behaviours? Analyse and document any observable network activity under (a) an isolated environment and (b) with the system connected online (in this exercise it is OK to let the sample talk to the outside world). Document all observable traffic/network activity patterns using appropriate tools and techniques.
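For Question 6, an added example (not part of the assignment or the module's material) of turning a capture from the detonation into the two lists that matter for the write-up: the names the sample resolved and the destinations it tried to reach. It parses classic pcap files with Ethernet framing using the standard library only (no Scapy or Wireshark needed), decodes the question name of DNS queries and counts TCP SYNs and UDP datagrams per destination. With no argument it runs on a constructed two-packet capture built in memory; the hostname `update.example.invalid`, the address 203.0.113.7 and port 4444 are made up. In the isolated run (a) you will typically see only the DNS queries, which fail; those same names are what to resolve and watch for when you go online in (b), and the destinations list is your network indicator set for Question 7.

```python
"""Summarise a packet capture from a detonation: DNS names queried and
TCP/UDP destinations contacted. Added example, not course material; standard
library only. With no argument it parses a constructed two-packet capture.
Usage: python pcap_summary.py capture.pcap
"""
import socket
import struct
import sys
from collections import Counter


def build_sample_pcap() -> bytes:
    """Constructed capture: a DNS query for update.example.invalid, then a TCP SYN to 203.0.113.7:4444."""
    def ipv4(src, dst, proto, payload):
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64, proto, 0,
                           socket.inet_aton(src), socket.inet_aton(dst)) + payload

    def frame(ts, ip):
        pkt = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00" + ip  # Ethernet/IPv4
        return struct.pack("<IIII", ts, 0, len(pkt), len(pkt)) + pkt                       # pcap record header

    qname = b"".join(bytes([len(l)]) + l for l in b"update.example.invalid".split(b".")) + b"\0"
    dns = struct.pack("!HHHHHH", 0x1A2B, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)  # A query
    udp = struct.pack("!HHHH", 49152, 53, 8 + len(dns), 0) + dns
    tcp = struct.pack("!HHIIBBHHH", 49153, 4444, 1, 0, 5 << 4, 0x02, 8192, 0, 0)          # flags = SYN
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)                 # link type 1 = Ethernet
    return (global_hdr + frame(1688724000, ipv4("10.0.0.5", "10.0.0.1", 17, udp))
            + frame(1688724001, ipv4("10.0.0.5", "203.0.113.7", 6, tcp)))


def parse_pcap(data: bytes):
    """Yield one dict per IPv4 TCP/UDP packet in a classic (non-pcapng) Ethernet capture."""
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(struct.unpack_from("<I", data, 0)[0])
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != 1:
        raise ValueError(f"unsupported link type {linktype}; expected Ethernet")
    off = 24
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack_from(endian + "IIII", data, off)
        pkt = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00":
            continue                                                  # not IPv4
        ihl = (pkt[14] & 0x0F) * 4
        proto = pkt[23]
        l4 = pkt[14 + ihl:]
        if proto in (6, 17) and len(l4) >= 8:
            sport, dport = struct.unpack_from("!HH", l4, 0)
            hdr = (l4[12] >> 4) * 4 if proto == 6 else 8
            yield {"ts": ts, "src": socket.inet_ntoa(pkt[26:30]), "dst": socket.inet_ntoa(pkt[30:34]),
                   "proto": proto, "sport": sport, "dport": dport,
                   "flags": l4[13] if proto == 6 else 0, "payload": l4[hdr:]}


def dns_qname(payload: bytes) -> str:
    """Decode the first question name of a DNS message (question names are never compressed)."""
    if len(payload) < 12 or struct.unpack_from("!H", payload, 4)[0] == 0:   # QDCOUNT
        return ""
    labels, pos = [], 12
    while pos < len(payload) and payload[pos]:
        n = payload[pos]
        labels.append(payload[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels)


def summarize_capture(data: bytes) -> dict:
    """Names queried, plus connection attempts (TCP SYN without ACK, any UDP datagram) per destination."""
    queries, attempts = [], Counter()
    for p in parse_pcap(data):
        if p["proto"] == 17 and p["dport"] == 53:
            name = dns_qname(p["payload"])
            if name:
                queries.append(name)
        elif p["proto"] == 6 and p["flags"] & 0x12 == 0x02:
            attempts[f"tcp {p['dst']}:{p['dport']}"] += 1
        elif p["proto"] == 17:
            attempts[f"udp {p['dst']}:{p['dport']}"] += 1
    return {"dns_queries": sorted(set(queries)), "connection_attempts": dict(attempts)}


if __name__ == "__main__":
    cap = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for key, value in summarize_capture(cap).items():
        print(f"{key}: {value}")
```

Save captures from Wireshark as classic pcap (not pcapng) or convert with `editcap -F pcap`. Repeated SYNs to the same address and port with no reply in the isolated run are a beaconing pattern; note the interval between them, since that, together with the names and addresses, is what a decision maker needs to block at the perimeter.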

Question 7. As a member of the incident response team in your organization you are tasked with the removal of the malware from all systems infected with this same malware. How would you eliminate the malware from an infected system on your network? Outline the steps to be taken in cleaning up the system. Show how you would confirm that the malware has been completely removed by the steps you have taken.