CTEC5807 Malware Investigation

Faculty of Computing, Engineering & Media – Coursework
Specification 2019/20

Module name: Malware Analysis
Module code: CTEC5807
Title of the Assignment: Malware Investigation
This coursework item is: Summative
This summative coursework will be marked anonymously No
The learning outcomes that are assessed by this coursework are:
1. Identify and analyze malware using appropriate procedures, tools and techniques
2. Interpret and communicate the significance of malware behavior to decision makers
3. Distinguish and critically compare malware delivery and spreading techniques
4. Assess and synthesize the likely impact of a malware infection from its binary
This coursework is: Individual
This coursework constitutes 100 % of the overall module mark.
Date Set: Thu, 28th November 2019
Date & Time Due: 4PM Friday 14th February 2020
Your marked coursework and feedback will be available to you on: 20 working days after the respective due date; results and feedback will be posted to Blackboard.
If for any reason this is not forthcoming by the due date your module leader will let you know why and when it can be expected. The Head of Studies (headofstudies-tec@dmu.ac.uk) should be informed of any issues relating to the return of marked coursework and feedback.
Note that you should normally receive feedback on your coursework by no later than 20 University working days after the formal hand-in date, provided that you have met the submission deadline.
When completed you are required to submit your coursework via:
1. Electronic copy on Blackboard
Late submission of coursework policy:
Late submissions will be processed in accordance with current University regulations which state:
“The time period during which a student may submit a piece of work late without authorisation and
have the work capped at 40% [50% at PG level] if passed is 14 calendar days. Work submitted
unauthorised more than 14 calendar days after the original submission date will receive a mark of 0%.
These regulations apply to a student’s first attempt at coursework. Work submitted late without
authorisation which constitutes reassessment of a previously failed piece of coursework will always
receive a mark of 0%.”
Academic Offences and Bad Academic Practices:
These include plagiarism, cheating, collusion, copying work and reuse of your own work, poor
referencing or the passing off of somebody else’s ideas as your own. If you are in any doubt about
what constitutes an academic offence or bad academic practice you must check with your tutor.
Further information, and details of how DSU can support you if needed, are available at:
http://www.dmu.ac.uk/dmu-students/the-student-gateway/academic-support-office/academic-offences.aspx and
http://www.dmu.ac.uk/dmu-students/the-student-gateway/academic-support-office/bad-academic-practice.aspx
Tasks to be undertaken:
In this coursework, you are expected to analyze two specimens of malware and write a report answering a set of questions about the insights gained and detailing your approach with relevant evidence (e.g. screenshots, excerpts of logs, etc.).
Part 1: Basic malware analysis
Scenario and goal
This is part 1 of the graded exercise. It is worth 50% of your total grade. Every question is worth 5
points, for an exercise total of 50.
In this scenario, an acquaintance was e-mailed a suspicious attachment and wants to know if it is
malicious. He already opened the file and was surprised to see a foreign-language sentence. Now he
is concerned that he is infected with malware.
Answer all the questions below and write a full report. If you want to work in pairs, identify both authors
on the report cover sheet and upload it twice.
Environment & tools
Statically and dynamically analyze the unzipped sample “29-10-2014_Quittung.rtf” on a Windows XP
SP3 virtual machine. The archive password is “infected”. Please note that this is real malware.
Which tools to use is completely up to you. In malware analysis, there is rarely only one “right” path. Be
creative! Still, I suggest you look at previous exercises and pick whatever tools you deem appropriate.
For this exercise, it is okay to let the sample talk to the outside world. Before you do that, however, it is
recommended to simulate internet communication (also see lab exercise “Combined dynamic analysis”)
and determine beforehand whether it is safe.
Analysis tasks
1. Analyze the social engineering component of the malware. Translate it. How does it try to get
people to execute it?
2. Your friend has already opened the document attachment. What happened? Is his machine
already infected? Find proof for/Argue your answer!
3. Extract the core malware and document the steps.
4. Perform a basic static analysis of the sample and document your findings. Is it packed? What
do the imports and exports tell you? Do you see anything suspicious section-wise? Interesting
strings? Remember: MSDN is your friend!
5. Analyze the sample dynamically and monitor the activity on the system. What changes? Is
anything dropped, executed or deleted? If you use Regshot, be careful to set the right scan
directory (C:)!
6. Can you find indicators for sandbox or VM detection? What can you do to circumvent it? Restart
your analysis after taking care of the anti-analysis technique(s).
7. Try to find out what the sample is about to do network-wise and set up an appropriate fake
environment. What is happening?
8. What are the sample’s runtime dependencies? What is it trying to download? Try to play along
and set up the environment it wants and determine what the malware needs the additional
software for.
9. Extract and document all relevant IP addresses that are or might be contacted (static and
dynamic analysis) and determine domain ownership.
10. If you satisfied all the sample’s requirements (i.e. installed all the components it needs) the
malware will alter your system’s configuration. What is happening? Hint: Certificates.
Part 2: Ransomware disassembly
Scenario and goal
This is part 2 of the graded exercise. It is worth 50% of your total grade. Every question is worth 5
points, for an exercise total of 50.
In this scenario, your company’s CFO was the victim of a crypto locker, losing all her precious holiday
photos. She comes to you in hopes that you’ll be able to help her recover her files without paying the
ransom. The incident response team has already located the malicious sample and provides you with
both the malware and an encrypted sample that needs to be recovered at all costs.
Answer all the questions below and write a full report. If you want to work in pairs, identify both authors
on the report cover sheet and upload it twice.
Environment & tools
Analyze the sample “cryptolock.exe” on a Windows virtual machine. The archive password is
“infected”.
Which tools to use is completely up to you. In malware analysis, there is rarely only one “right” path.
Be creative and know when to stop. With disassembly, you will see many functions that will not yield
any useful answers.
For this exercise, it is okay to let the sample talk to the outside world. Before you do that, however, it is
recommended to simulate internet communication (also see lab exercise “Combined dynamic
analysis”) and determine beforehand whether it is safe.
The questions below provide hints about the technical background and the recommended modus operandi.
Analysis tasks
1. Perform a basic static analysis of the sample and document your findings. Is it packed? What do
the imports and exports tell you? Do you see anything suspicious section-wise? Interesting
strings?
2. Attempt to execute the sample and use basic dynamic analysis tools to determine whether the
sample causes damage to the system. Can the sample be executed as is? If yes, what happens?
If no, why not?
3. Load the sample into IDA and attempt to locate the “main” function (which is not necessarily
called this way). You will see a lot of exit conditions that will terminate the program when run.
Where is the main function? Highlight it and expand it.
4. Document and interpret what’s going on in the sample’s main method. It helps to rename
functions whose purpose you have identified. Which function calls can you identify and name?
Hint: Pseudocode might help (there is an IDA plugin for that!). You might also want to return
to/continue this part of the exercise later during task 9.
5. What parameters does the sample need to function? What are their types (integer, string, etc.)?
Combine fuzzing with disassembly (i.e. supply likely parameters and see what happens and also
locate the spot in the code where the parameters are defined).
6. Armed with the correct parameters, use the crypto locker on some files of your choice and
document what’s happening (return to dynamic analysis). How is the malware altering the test
files (use hex editor)?
7. It can be assumed that the ransomware first reads the file, changes its contents, and then writes
the new version to a file. One possible analysis approach is to “follow” the source (victim)
file through the encryption process. A combined approach is most promising: use Procmon to
monitor file accesses while running a debugger to locate the corresponding functionality in the
code. Where are the read/write operations located in the code?
8. It is time to determine the kind of encryption that is being used by the sample. Download and use
the tool “signsrch” to get an idea of what is happening. Which crypto algorithm does the malware
utilize?
9. What is the key for the encryption process? Where does the crypto locker get it from? How is it
processed within the malware and where does it end up?
10. Now that you know what kind of encryption is being used on the files, use a tool of your choice
(e.g. online tools, GitHub apps, a self-coded approach) to decrypt the CFO’s file. Document the
steps and the final (decrypted) result!
If you fail to decrypt the desired file, document the process with a file of your choice (where you
know the key) for half the points of this item.
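Tasks 6 to 10 hinge on two things: recognising which algorithm the binary carries (what signsrch does is look for the constant tables that real ciphers and hash functions embed), and relating a file you encrypted yourself to the CFO’s file. The block below is an added example written for this page, not coursework material and not a description of how cryptolock.exe works. It scans a buffer for a handful of well-known crypto constants, then walks the known-plaintext approach against a constructed toy locker (a fixed marker followed by a repeating-key XOR of the file): diff your own test file against its encrypted copy to find the marker, recover the keystream, check whether it repeats, and if so reuse it on the victim file. The marker LOCKED!!, the key s3cr3t-k3y-2019!, the file contents and the DEMO_BINARY buffer are all constructed; the real sample’s scheme has to come out of your own tasks 8 and 9.

```python
import struct

# First bytes of well-known tables, in the little-endian layout an x86 binary stores
# them in. This is the kind of pattern a signsrch-style scan matches on. RC4 and plain
# XOR schemes have no such constants; their absence is itself a clue.
CRYPTO_SIGNATURES = {
    "AES S-box": bytes.fromhex("637c777bf26b6fc53001672bfed7ab76"),
    "AES inverse S-box": bytes.fromhex("52096ad53036a538bf40a39e81f3d7fb"),
    "SHA-256 K[0..3]": struct.pack("<4I", 0x428A2F98, 0x71374491, 0xB5C0FBCF, 0xE9B5DBA5),
    "MD5 T[1..4]": struct.pack("<4I", 0xD76AA478, 0xE8C7B756, 0x242070DB, 0xC1BDCEEE),
    "CRC-32 table[0..3]": struct.pack("<4I", 0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA),
}

def scan_crypto_constants(data):
    """Return (table name, file offset) for every occurrence of a known crypto constant."""
    hits = []
    for name, sig in CRYPTO_SIGNATURES.items():
        off = data.find(sig)
        while off != -1:
            hits.append((name, off))
            off = data.find(sig, off + 1)
    return sorted(hits, key=lambda h: h[1])

def xor_with_key(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def toy_locker(plain, key, marker=b"LOCKED!!"):
    """Constructed stand-in for the coursework sample: fixed marker + repeating-key XOR.
    This is NOT the scheme cryptolock.exe uses; it only exercises the analysis steps."""
    return marker + xor_with_key(plain, key)

def split_header(plain, cipher):
    """If the locker prepends a marker, the encrypted file is longer than the original."""
    extra = len(cipher) - len(plain)
    if extra < 0:
        raise ValueError("ciphertext shorter than plaintext: not a simple in-place scheme")
    return cipher[:extra], cipher[extra:]

def recover_keystream(plain, body):
    """Known plaintext XOR ciphertext yields the keystream of any XOR-based cipher."""
    return bytes(p ^ c for p, c in zip(plain, body))

def keystream_period(ks, max_period=64):
    """Smallest period at which the keystream repeats, or None if it does not repeat
    within max_period (a real stream cipher or a block cipher will not)."""
    for p in range(1, max_period + 1):
        if len(ks) >= 2 * p and all(ks[i] == ks[i % p] for i in range(len(ks))):
            return p
    return None

def decrypt_with_known_plaintext(plain, cipher, victim_cipher):
    """Use a file we encrypted ourselves (task 6) to unlock a victim file (task 10)."""
    marker, body = split_header(plain, cipher)
    ks = recover_keystream(plain, body)
    period = keystream_period(ks)
    if period is None:
        return None  # key material must then be pulled from the binary itself (task 9)
    if victim_cipher[:len(marker)] != marker:
        raise ValueError("victim file does not carry the same marker")
    return xor_with_key(victim_cipher[len(marker):], ks[:period])

# Constructed demonstration data (own test file, a fake victim file, a fake binary).
DEMO_KEY = b"s3cr3t-k3y-2019!"
TEST_PLAIN = b"The quick brown fox jumps over the lazy dog. " * 3
VICTIM_PLAIN = b"\x89PNG\r\n\x1a\n" + b"constructed holiday photo contents"
TEST_CIPHER = toy_locker(TEST_PLAIN, DEMO_KEY)
VICTIM_CIPHER = toy_locker(VICTIM_PLAIN, DEMO_KEY)
DEMO_BINARY = b"\x90" * 100 + CRYPTO_SIGNATURES["AES S-box"] + b"\x00" * 50

def demo():
    """Run the whole chain on the constructed data and return the findings."""
    marker, body = split_header(TEST_PLAIN, TEST_CIPHER)
    return {
        "constants": scan_crypto_constants(DEMO_BINARY),
        "marker": marker,
        "period": keystream_period(recover_keystream(TEST_PLAIN, body)),
        "recovered": decrypt_with_known_plaintext(TEST_PLAIN, TEST_CIPHER, VICTIM_CIPHER),
    }
```

The marker the diff turns up is the “string identifying the file as encrypted” the Q6 marking descriptors refer to. If recover_keystream() gives something that does not repeat, the shortcut does not apply and the key has to be found where the binary builds it (task 9), possibly from the command-line parameters task 5 asks about; an AES S-box hit from scan_crypto_constants() is a strong hint that this will be the case.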
Deliverables to be submitted for assessment:
Written report with consecutively numbered answers for each task (max. 6000 words)
The results of all the analysis tasks in both parts, i.e. Part 1: Basic malware analysis and Part 2:
Ransomware disassembly, need to be submitted in the report.
How the work will be marked:
Each malware sample analysis is worth a total of 50 points. Each of the 10 questions is scored
from 0 to 5 points, following a specific marking grid that considers the substance of each written
response. Style and presentation are marked as well.
Please refer to the criteria marking grid for details of the assessment of the work.
Module leader/tutor names: Suleiman Yerima, Mustafa Kaiiali, Robert Luh
Contact details: syerima@dmu.ac.uk, mustafa.kaiiali@dmu.ac.uk, robert.luh@fhstp.ac.at
CW Part 1 (50 points total)
Marking grid: each question is scored from 0 to 5 points; the descriptor for each score is listed below.

Q1
0 points: Exercise skipped or content completely incorrect.
1 point: Only speculative answer as to the nature/type of attack.
2 points: Only speculative answer as to the nature/type of attack, but some correct assumptions.
3 points: Attack type identified correctly but no further documentation or explanation of the user-side view.
4 points: Attack type identified correctly with partial documentation showing the user view.
5 points: Attack type identified correctly with full documentation showing the user view.

Q2
0 points: Exercise skipped or content completely incorrect.
1 point: Only speculative answer about the state of infection.
2 points: Only speculative answer about the state of infection, but some correct assumptions.
3 points: State of infection correctly identified.
4 points: State of infection correctly identified with partial proof through analysis.
5 points: State of infection correctly identified and comprehensive proof provided through analysis.

Q3
0 points: Exercise skipped or content completely incorrect.
1 point: Only speculative answer, no proof of successful extraction.
2 points: Undocumented extraction of the file and/or minimal explanation.
3 points: Minimally documented extraction with lacking explanation, or extraction resulting in an incorrect end result.
4 points: All aspects of the extraction approach correctly documented, resulting in the correct outcome (with minor shortcomings in documentation).
5 points: All aspects of the extraction approach correctly documented, resulting in the correct outcome (with no shortcomings in documentation).

Q4
0 points: Exercise skipped or content completely incorrect.
1 point: Only one aspect correctly analyzed and documented with proof.
2 points: Only two aspects correctly analyzed and documented with proof.
3 points: Only three aspects correctly analyzed and documented with proof.
4 points: Four aspects correctly analyzed and documented with proof.
5 points: All five aspects of the question correctly analyzed and documented with proof.

Q5
0 points: Exercise skipped or content completely incorrect.
1 point: Student found and documented one relevant activity using manual and/or automated dynamic analysis with proof.
2 points: Student found and documented two relevant activities using manual and/or automated dynamic analysis with proof.
3 points: Student found and documented three relevant activities using manual and/or automated dynamic analysis with proof.
4 points: Student found and documented up to four relevant activities using manual and/or automated dynamic analysis with proof.
5 points: Student found and documented up to five relevant activities using manual and/or automated dynamic analysis with proof.

Q6
0 points: Exercise skipped or content completely incorrect.
1 point: Only speculative answer about sandbox or evasion techniques, or incorrect use of analysis tools for detection.
2 points: Answer explaining how analysis detection/evasion could be used by the malware, but no definitive answer for the current sample.
3 points: Rudimentary documentation/proof, with additional mention of at most one evasive technique identified through analysis.
4 points: Rudimentary documentation/proof, with additional mention of at least one evasive technique identified through analysis.
5 points: Detailed documentation/proof, with additional mention of most/all of the evasive techniques identified through analysis.

Q7
0 points: Exercise skipped or content completely incorrect.
1 point: Evidence of set-up of the relevant tools without concrete analysis results.
2 points: Evidence of set-up of tools and correct description of what the sample tries to do.
3 points: Evidence of set-up of tools and correct description of what the sample tries to do, plus identification of artifacts.
4 points: Evidence of set-up of tools and correct description of what the sample tries to do, plus identification of artifacts and partial documentation of all relevant processes occurring.
5 points: Evidence of set-up of tools and correct description of what the sample tries to do, plus identification of artifacts and full documentation of all relevant processes occurring.

Q8
0 points: Exercise skipped or content completely incorrect.
1 point: Previous identification of at least one of the artifacts from exercise 7, but no evidence of successful installation.
2 points: Previous identification of more than one of the artifacts from exercise 7, but no evidence of successful installation.
3 points: Identification of the artifacts, but only partial or faulty installation of dependencies.
4 points: Full installation of one of the identified artifacts the sample is dependent on.
5 points: Full installation of more than one of the identified artifacts that the sample is dependent on.

Q9
0 points: Exercise skipped or content completely incorrect.
1 point: Student demonstrated the use of appropriate tools but without analysis of the addresses.
2 points: Student identified and queried one of the relevant addresses, with evidence shown.
3 points: Student identified and queried two of the relevant addresses, with evidence shown.
4 points: Student identified and queried three of the relevant addresses, with evidence shown.
5 points: Student identified and queried four of the relevant addresses, with evidence shown.

Q10
0 points: Exercise skipped or content completely incorrect.
1 point: Explanation about certificates without a link to the current exercise.
2 points: Certificate interaction routines of the sample found, but no specific analysis.
3 points: Demonstrated the use of the appropriate tool(s) with partial documentation but no evidence shown of the correct/expected outcome (e.g. due to analysis mistakes).
4 points: Demonstrated the use of the appropriate tool(s) with detailed documentation but no evidence shown of the correct/expected outcome (e.g. due to analysis mistakes).
5 points: Demonstrated the use of the appropriate tool(s) with detailed documentation plus evidence shown of the correct/expected outcome (i.e. no analysis errors).
CW Part 2 (50 points total)
Marking grid: each question is scored from 0 to 5 points; the descriptor for each score is listed below.

Q1
0 points: Exercise skipped or content completely incorrect.
1 point: Only one aspect correctly analyzed and documented with proof.
2 points: Only two aspects correctly analyzed and documented with proof.
3 points: Only three aspects correctly analyzed and documented with proof.
4 points: Four aspects correctly analyzed and documented with proof.
5 points: All five aspects of the question correctly analyzed and documented with proof.

Q2
0 points: Exercise skipped or content completely incorrect.
1 point: Only speculative answer about damage to the system and the sample’s general activities.
2 points: Correct verdict supplied but with little to no proof offered.
3 points: Correct verdict supplied plus system changes documented with one appropriate tool.
4 points: Correct verdict supplied plus system changes documented with 2 or more appropriate tools.
5 points: Correct verdict supplied plus system changes documented with 2 or more tools and likely reasons provided.

Q3
0 points: Exercise skipped or content completely incorrect.
1 point: Speculative answer about the main function that indicates the analyst has started to traverse the code.
2 points: Speculative answer about the main function that indicates the analyst has started to traverse the code and is on the right track.
3 points: Speculative answer about the main function that indicates the analyst has started to traverse the code and is on the right track. Student is side-tracked by the exit conditions but documents at least one of them.
4 points: Correct traversal of the code, identification and investigation of exit conditions, likely main function identified with no conclusive proof given.
5 points: Correct traversal of the code, identification and investigation of exit conditions, likely main function identified with conclusive proof given (e.g. with screenshots).

Q4
0 points: Exercise skipped or content completely incorrect.
1 point: Only speculative answer about main method behavior.
2 points: Student successfully used the Pseudocode plugin to restore the source code, but provided no interpretation or analysis. If applied to the wrong function: -1 point.
3 points: Student successfully used the Pseudocode plugin to restore the source code, and provided some interpretation or analysis. If applied to the wrong function: -1 point.
4 points: Student successfully used the Pseudocode plugin to restore the source code, and provided detailed interpretation or analysis. If applied to the wrong function: -1 point.
5 points: Student successfully used the Pseudocode plugin to restore the source code, and provided detailed interpretation and analysis. If applied to the wrong function: -1 point.

Q5
0 points: Exercise skipped or content completely incorrect.
1 point: Only speculative answer about parameters, with no testing.
2 points: Parameters are correctly stated, but no concrete proof is given.
3 points: Parameters are identified, with proof given (e.g. from the pseudocode). No testing.
4 points: Parameters are identified, with proof given through fuzz testing only and little proof in the source. Test values were wisely chosen.
5 points: Parameters are identified correctly, with both code and fuzz-testing proof provided. Full documentation of the process and the exact locations of the code where the arguments are defined. Additional tool(s) used to document the use of the malware with correct parameters.

Q6
0 points: Exercise skipped or content completely incorrect.
1 point: Successfully encrypted a file with the ransom trojan, without much documentation or direction.
2 points: Successfully encrypted at least one file and studied it in a hex editor. Found the string identifying the file as encrypted, with no further interpretation or analysis.
3 points: Successfully encrypted at least one file and studied it in a hex editor. Found the string identifying the file as encrypted plus successful location of the key, with partial documentation.
4 points: Successfully encrypted at least one file and studied it in a hex editor. Found the string identifying the file as encrypted plus successful location of the key; made further correct inferences with documentation.
5 points: Successfully encrypted at least one file and studied it in a hex editor. Found the string identifying the file as encrypted plus successful location of the key; made further correct inferences that solve the problem of unlocking the hijacked file.

Q7
0 points: Exercise skipped or content completely incorrect.
1 point: Only speculative answer; vague locations with little proof.
2 points: At least one relevant function found and explained.
3 points: Relevant operations successfully located in the code; documentation of the process for either static or dynamic tools.
4 points: Relevant operations successfully located in the code; documentation of the process in both static and dynamic tools.
5 points: Relevant operations successfully located in the code; full documentation of the process in both static and dynamic tools.

Q8
0 points: Exercise skipped or content completely incorrect.
1 point: Only speculative answer about the type of crypto used.
2 points: Crypto algorithm type identified but not the specific algorithm.
3 points: Correct crypto algorithm identified with no further proof provided.
4 points: Correct crypto algorithm identified with proof given.
5 points: Correct crypto algorithm identified with proof given and full explanation provided.

Q9
0 points: Exercise skipped or content completely incorrect.
1 point: Only vague answer, unable to connect the dots from previous exercises.
2 points: Partial summary provided with only one aspect answered correctly.
3 points: Partial summary provided with only two aspects answered correctly.
4 points: Partial summary provided with all three aspects answered correctly.
5 points: Full summary provided with all three aspects answered correctly.

Q10
0 points: Exercise skipped or content completely incorrect.
1 point: Theoretical answer: how to decrypt.
2 points: Unsuccessful decryption, but generally sound process/tools used/suggested.
3 points: Successful decryption of own file by calculating the key.
4 points: Successful decryption of own file by calculating the key, with a solid approach to decrypting the real deal.
5 points: Successful decryption of the CFO’s file with full proof and documentation.

The post CTEC5807 Malware Investigation appeared first on My Assignment Online.
