Faculty of Computing, Engineering & Media – Coursework Specification 2019/20
Module name: | Malware Analysis |
Module code: | CTEC5807 |
Title of the Assignment: | Malware Investigation |
This coursework item is: (delete as appropriate) | Summative |
This summative coursework will be marked anonymously | No |
The learning outcomes that are assessed by this coursework are: |
1. Identify and analyze malware using appropriate procedures, tools and techniques
2. Interpret and communicate the significance of malware behavior to decision makers
3. Distinguish and critically compare malware delivery and spreading techniques
4. Assess and synthesize the likely impact of a malware infection from its binary |
This coursework is: (delete as appropriate) | Individual |
This coursework constitutes 100 % of the overall module mark. | |
Date Set: | Thu, 28th November 2019 |
Date & Time Due: | 4PM Friday 14th February 2020 |
Your marked coursework and feedback will be available to you on: | 20 working days after the respective due date; results and feedback will be posted to Blackboard. If for any reason this is not forthcoming by the due date your module leader will let you know why and when it can be expected. The Head of Studies (headofstudies-tec@dmu.ac.uk) should be informed of any issues relating to the return of marked coursework and feedback. Note that you should normally receive feedback on your coursework by no later than 20 University working days after the formal hand-in date, provided that you have met the submission deadline. |
When completed you are required to submit your coursework via: 1. Electronic copy on Blackboard |
Late submission of coursework policy: Late submissions will be processed in accordance with current University regulations which state: “The time period during which a student may submit a piece of work late without authorisation and have the work capped at 40% [50% at PG level] if passed is 14 calendar days. Work submitted unauthorised more than 14 calendar days after the original submission date will receive a mark of 0%. These regulations apply to a student’s first attempt at coursework. Work submitted late without authorisation which constitutes reassessment of a previously failed piece of coursework will always receive a mark of 0%.” |
Academic Offences and Bad Academic Practices: These include plagiarism, cheating, collusion, copying work and reuse of your own work, poor referencing or the passing off of somebody else’s ideas as your own. If you are in any doubt about what constitutes an academic offence or bad academic practice you must check with your tutor. Further information and details of how DSU can support you, if needed, is available at: http://www.dmu.ac.uk/dmu-students/the-student-gateway/academic-support-office/academic offences.aspx and http://www.dmu.ac.uk/dmu-students/the-student-gateway/academic-support-office/bad-academic practice.aspx |
Tasks to be undertaken: In this coursework, you are expected to analyze two specimens of malware and write a report answering a set of questions about the insights gained and detailing your approach with relevant evidence (e.g. screenshots, excerpts of logs, etc.).

Part 1: Basic malware analysis

Scenario and goal
This is part 1 of the graded exercise. It is worth 50% of your total grade. Every question is worth 5 points, for an exercise total of 50. In this scenario, an acquaintance was e-mailed a suspicious attachment and wants to know if it is malicious. He already opened the file and was surprised to see a foreign-language sentence. Now he is concerned that he is infected with malware. Answer all the questions below and write a full report. If you want to work in pairs, identify both authors on the report cover sheet and upload it twice.

Environment & tools
Statically and dynamically analyze the unzipped sample “29-10-2014_Quittung.rtf” on a Windows XP SP3 virtual machine. The archive password is “infected”. Please note that this is real malware. Which tools to use is completely up to you. In malware analysis, there is rarely only one “right” path. Be creative! Still, I suggest you look at previous exercises and pick whatever tools you deem appropriate. For this exercise, it is okay to let the sample talk to the outside world. Before you do that, however, it is recommended to simulate internet communication (also see lab exercise “Combined dynamic analysis”) and determine beforehand if it is safe.

Analysis tasks
1. Analyze the social engineering component of the malware. Translate it. How does it try to get people to execute it?
2. Your friend has already opened the document attachment. What happened? Is his machine already infected? Find proof for/argue your answer!
3. Extract the core malware and document the steps.
4. Perform a basic static analysis of the sample and document your findings. Is it packed? What do the imports and exports tell you? Do you see anything suspicious section-wise? Interesting strings? Remember: MSDN is your friend!
5. Analyze the sample dynamically and monitor the activity on the system. What changes? Is anything dropped, executed or deleted? If you use Regshot, be careful to set the right scan directory (C:)!
6. Can you find indicators for sandbox or VM detection? What can you do to circumvent it? Restart your analysis after taking care of the anti-analysis technique(s).
7. Try to find out what the sample is about to do network-wise and set up an appropriate fake environment. What is happening?
8. What are the sample’s runtime dependencies? What is it trying to download? Try to play along and set up the environment it wants and determine what the malware needs the additional software for.
9. Extract and document all relevant IP addresses that are or might be contacted (static and dynamic analysis) and determine domain ownership.
10. If you satisfied all the sample’s requirements (i.e. installed all the components it needs) the malware will alter your system’s configuration. What is happening? Hint: Certificates.

Part 2: Ransomware disassembly

Scenario and goal
This is part 2 of the graded exercise. It is worth 50% of your total grade. Every question is worth 5 points, for an exercise total of 50. In this scenario, your company’s CFO was the victim of a crypto locker, losing all her precious holiday photos. She comes to you in the hope that you’ll be able to help her recover her files without paying the ransom. The incident response team has already located the malicious sample and provides you with both the malware and an encrypted sample that needs to be recovered at all costs. Answer all the questions below and write a full report. If you want to work in pairs, identify both authors on the report cover sheet and upload it twice.

Environment & tools
Analyze the sample “cryptolock.exe” on a Windows virtual machine. The archive password is “infected”. Which tools to use is completely up to you. In malware analysis, there is rarely only one “right” path. Be creative and know when to stop. With disassembly, you will see many functions that will not yield any useful answers. For this exercise, it is okay to let the sample talk to the outside world. Before you do that, however, it is recommended to simulate internet communication (also see lab exercise “Combined dynamic analysis”) and determine beforehand if it is safe. The questions below provide hints about the technical background and recommended MO.

Analysis tasks
1. Perform a basic static analysis of the sample and document your findings. Is it packed? What do the imports and exports tell you? Do you see anything suspicious section-wise? Interesting strings?
2. Attempt to execute the sample and use basic dynamic analysis tools to determine whether the sample causes damage to the system. Can the sample be executed as is? If yes, what happens? If no, why not?
3. Load the sample into IDA and attempt to locate the “main” function (which is not necessarily called this way). You will see a lot of exit conditions that will terminate the program when run. Where is the main function? Highlight it and expand it.
4. Document and interpret what’s going on in the sample’s main method. It helps to rename functions whose purpose you have identified. Which function calls can you identify and name? Hint: Pseudocode might help (there is an IDA plugin for that!). You might also want to return to/continue this part of the exercise later during task 9.
5. What parameters does the sample need to function? What are their types (integer, string, etc.)? Combine fuzzing with disassembly (i.e. supply likely parameters and see what happens, and also locate the spot in the code where the parameters are defined).
6. Armed with the correct parameters, use the crypto locker on some files of your choice and document what’s happening (return to dynamic analysis). How is the malware altering the test files (use a hex editor)?
7. It can be assumed that the ransomware first reads the file, changes its contents, and then writes the new version to a file. One possible analysis approach is to “follow” the source (victim) file through the encryption process. A combined approach is most promising: use Procmon to monitor file accesses while running a debugger to locate the corresponding functionality in the code. Where are the read/write operations located in the code?
8. It is time to determine the kind of encryption that is being used by the sample. Download and use the tool “signsrch” to get an idea of what is happening. Which crypto algorithm does the malware utilize?
9. What is the key for the encryption process? Where does the crypto locker get it from? How is it processed within the malware and where does it end up?
10. Now that you know what kind of encryption is being used on the files, use a tool of your choice (e.g. online tools, GitHub apps, self-coded approach) to decrypt the CFO’s file. Document the steps and the final (decrypted) result! If you fail to decrypt the desired file, document the process with a file of your choice (where you know the key) for half the points of this item. |
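As an added example (not part of the coursework and not either sample), the following stdlib-only Python script performs the section-level part of the basic static analysis asked for in Part 1 task 4 and Part 2 task 1: per-section entropy as a packing indicator, sections that are empty on disk but large in memory, writable-and-executable flags, and a strings(1)-style pass. The PE image it scans, the URL and the registry path inside it are constructed placeholders; real samples would be read from disk with `open(path, "rb").read()`.

```python
"""Added example, not coursework material: stdlib-only PE section triage (entropy,
on-disk vs in-memory size, W+X flags) plus a strings pass over a constructed image."""
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for padding, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_sections(pe: bytes) -> list:
    """DOS header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, off)
        chars = struct.unpack_from("<I", pe, off + 36)[0]  # Characteristics
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "entropy": round(shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]), 2),
            "raw_size": raw_size, "virtual_size": vsize,
            "wx": chars & 0xA0000000 == 0xA0000000,  # IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_WRITE
        })
    return sections


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII of at least min_len bytes."""
    out, run = [], bytearray()
    for b in data + b"\0":  # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def triage(pe: bytes) -> dict:
    """Turn the section facts into the findings an analyst would write up."""
    sections, findings = parse_sections(pe), []
    for s in sections:
        if s["entropy"] > 7.0:
            findings.append(f"{s['name']}: entropy {s['entropy']} looks compressed/encrypted (packed)")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{s['name']}: empty on disk, {s['virtual_size']:#x} bytes in memory (unpack target)")
        if s["wx"]:
            findings.append(f"{s['name']}: writable and executable (self-modifying code)")
    return {"sections": sections, "findings": findings, "strings": extract_strings(pe)}


def build_toy_pe() -> bytes:
    """Constructed UPX-style layout: empty UPX0, high-entropy UPX1, readable .rsrc. Not a real sample."""
    rng = random.Random(1234)
    packed = bytes(rng.randrange(256) for _ in range(2048))
    rsrc = b"\0" * 16 + b"http://example.invalid/update.php\0SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\0" + b"\0" * 16
    layout = [(b"UPX0", 0x10000, 0x1000, b"", 0xE0000080), (b"UPX1", len(packed), 0x11000, packed, 0xE0000040),
              (b".rsrc", len(rsrc), 0x12000, rsrc, 0x40000040)]
    opt_size, headers_size = 0xE0, 0x200
    coff = struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, opt_size, 0x102)
    table, body = b"", b""
    for name, vsize, vaddr, raw, chars in layout:
        ptr = headers_size + len(body) if raw else 0
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), ptr, 0, 0, 0, 0, chars)
        body += raw
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + b"\0" * opt_size + table
    return hdr.ljust(headers_size, b"\0") + body
```

`triage(build_toy_pe())["findings"]` reports the two packing hints (empty UPX0, high-entropy UPX1) and the W+X flags, and `["strings"]` surfaces the URL and Run-key path from `.rsrc` alongside the junk runs that packed data always produces.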
Deliverables to be submitted for assessment: Written report with consecutively numbered answers for each task (max. 6000 words). The results of all the analysis tasks in both parts, i.e. Part 1: Basic malware analysis and Part 2: Ransomware disassembly, need to be submitted in the report. |
How the work will be marked: Each malware sample analysis will be awarded a total of 50 points. Each of the 10 questions is scored from 0 to 5 points, following a specific marking grid that considers the substance of each written response. Style and presentation are marked as well. Please refer to the criteria marking grid for details of the assessment of the work. |
Module leader/tutor names: | Suleiman Yerima, Mustafa Kaiiali, Robert Luh |
Contact details: | syerima@dmu.ac.uk, robert.luh@fhstp.ac.at, mustafa.kaiiali@dmu.ac.uk |
CW Part 1 (50 points total) | ||||||
Points | 0 | 1 | 2 | 3 | 4 | 5 |
Q1 | Exercise skipped or content completely incorrect | Only speculative answer to nature/type of attack | Only speculative answer as to nature/type of attack, but some correct assumptions | Attack type identified correctly but no further documentation or explanation of the user side view | Attack type identified correctly with partial documentation showing user view | Attack type identified correctly with full documentation showing user view |
Q2 | Exercise skipped or content completely incorrect | Only speculative answer about state of infection | Only speculative answer about state of infection, but some correct assumptions | State of infection correctly identified | State of infection correctly identified with partial proof through analysis | State of infection correctly identified and comprehensive proof provided through analysis |
Q3 | Exercise skipped or content completely incorrect | Only speculative answer, no proof of successful extraction | Undocumented extraction of file and/or minimal explanation | Minimally documented extraction with lacking explanation, or extraction resulting in incorrect end result. | All aspects of the extraction approach correctly documented resulting in correct outcome (with minor shortcomings in documentation). | All aspects of the extraction approach correctly documented resulting in correct outcome (with no shortcomings in documentation). |
Q4 | Exercise skipped or content completely incorrect | Only one aspect correctly analyzed and documented with proof. | Only two aspects correctly analyzed and documented with proof. | Only three aspects correctly analyzed and documented with proof. | Four aspects correctly analyzed and documented with proof. | All five aspects of the question correctly analyzed and documented with proof. |
Q5 | Exercise skipped or content completely incorrect | Student found and documented one relevant activity using manual and/or automated dynamic analysis with proof. | Student found and documented two relevant activities using manual and/or automated dynamic analysis with proof. | Student found and documented three relevant activities using manual and/or automated dynamic analysis with proof. | Student found and documented up to four relevant activities using manual and/or automated dynamic analysis with proof. | Student found and documented up to five relevant activities using manual and/or automated dynamic analysis with proof. |
Q6 | Exercise skipped or content completely incorrect | Only speculative answer about sandbox or evasion techniques, or incorrect use of analysis tools for detection | Answer explaining how analysis detection/evasion could be used by the malware, but no definitive answer for the current sample | Rudimentary documentation/proof, with additional mention of at most one evasive technique identified through analysis | Rudimentary documentation/proof, with additional mention of at least one evasive technique identified through analysis | Detailed documentation/proof, with additional mention of most/all of the evasive techniques identified through analysis |
Q7 | Exercise skipped or content completely incorrect | Evidence of set-up of the relevant tools without concrete analysis results | Evidence of set-up of tools and correct description of what the sample tries to do. | Evidence of set-up of tools and correct description of what the sample tries to do plus identification of artifacts | Evidence of set-up of tools and correct description of what the sample tries to do plus identification of artifacts and partial documentation of all relevant processes occurring | Evidence of set-up of tools and correct description of what the sample tries to do plus identification of artifacts and full documentation of all relevant processes occurring. |
Q8 | Exercise skipped or content completely incorrect | Previous identification of at least one of the artifacts from exercise 7, but no evidence of successful installation | Previous identification of more than one of the artifacts from exercise 7, but no evidence of successful installation | Identification of the artifacts, but only partial or faulty installation of dependencies | Full installation of one of the identified artifacts the sample is dependent on | Full installation of more than one of the identified artifacts that the sample is dependent on |
Q9 | Exercise skipped or content completely incorrect | Student demonstrated the use of appropriate tools but without analysis of the addresses | Student identified and queried one of the relevant addresses, with shown evidence | Student identified and queried two of the relevant addresses, with shown evidence | Student identified and queried three of the relevant addresses, with shown evidence | Student identified and queried four of the relevant addresses, with shown evidence |
Q10 | Exercise skipped or content completely incorrect | Explanation about certificates without link to current exercise | Certificate interaction routines of the sample found, but no specific analysis | Demonstrated the use of the appropriate tool(s) with partial documentation but no evidence shown of correct/expected outcome (e.g. due to analysis mistakes). | Demonstrated the use of the appropriate tool(s) with detailed documentation but no evidence shown of correct/expected outcome (e.g. due to analysis mistakes). | Demonstrated the use of the appropriate tool(s) with detailed documentation plus evidence shown of correct/expected outcome (due to lack of analysis errors). |
CW Part 2 (50 points total) | ||||||
Points | 0 | 1 | 2 | 3 | 4 | 5 |
Q1 | Exercise skipped or content completely incorrect | Only one aspect correctly analyzed and documented with proof. | Only two aspects correctly analyzed and documented with proof. | Only three aspects correctly analyzed and documented with proof. | Four aspects correctly analyzed and documented with proof. | All five aspects of the question correctly analyzed and documented with proof. |
Q2 | Exercise skipped or content completely incorrect | Only speculative answer about damage to the system and the sample’s general activities | Correct verdict supplied but with little to no proof offered | Correct verdict supplied plus system changes documented with one appropriate tool | Correct verdict supplied plus system changes documented with 2 or more appropriate tools | Correct verdict supplied plus system changes documented with 2 or more tools and likely reasons provided |
Q3 | Exercise skipped or content completely incorrect | Speculative answer about main function that indicates that analyst has started to traverse the code | Speculative answer about main function that indicates that analyst has started to traverse the code and is on the right track | Speculative answer about main function that indicates that analyst has started to traverse the code and is on the right track. Student is sidetracked by the exit conditions but documents at least one of them. | Correct traversal of the code, identification and investigation of exit conditions, likely main function identified with no conclusive proof given. | Correct traversal of the code, identification and investigation of exit conditions, likely main function identified with conclusive proof given (e.g. with screenshots). |
Q4 | Exercise skipped or content completely incorrect | Only speculative answer about main method behavior | Student successfully used Pseudocode plugin to restore the source code, but provided no interpretation or analysis. If applied to wrong function: -1 point | Student successfully used Pseudocode plugin to restore the source code, and provided some interpretation or analysis. If applied to wrong function: -1 point. | Student successfully used Pseudocode plugin to restore the source code, and provided detailed interpretation or analysis. If applied to wrong function: -1 point. | Student successfully used Pseudocode plugin to restore the source code, and provided detailed interpretation and analysis. If applied to wrong function: -1 point. |
Q5 | Exercise skipped or content completely incorrect | Only speculative answer about parameters, with no testing | Parameters are correctly stated, but no concrete proof is given | Parameters are identified, with proof given (e.g. from the pseudocode). No testing. | Parameters are identified, with proof given through fuzzy testing only, with little proof in the source. Test values were wisely chosen. | Parameters are identified correctly, with both code and fuzzy testing proof provided. Full documentation of the process and exact locations of the part where the arguments are defined. Additional tool(s) used to document the use of the malware with correct parameters. |
Q6 | Exercise skipped or content completely incorrect | Successfully encrypted a file with the ransom trojan, without much documentation or direction. | Successfully encrypted at least one file and studied it in a hex editor. Found the string identifying the file as encrypted, with no further interpretation or analysis. | Successfully encrypted at least one file and studied it in a hex editor. Found the string identifying the file as encrypted plus successful location of the key, with partial documentation. | Successfully encrypted at least one file and studied it in a hex editor. Found the string identifying the file as encrypted plus successful location of the key, made further correct inferences with documentation. | Successfully encrypted at least one file and studied it in a hex editor. Found the string identifying the file as encrypted plus successful location of the key, made further correct inferences that solve the problem of unlocking the hijacked file. |
Q7 | Exercise skipped or content completely incorrect | Only speculative answer; vague locations with little proof | At least one relevant function found and explained | Relevant operations successfully located in the code; documentation of the process for either static or dynamic tools | Relevant operations successfully located in the code; documentation of the process in both static and dynamic tools | Relevant operations successfully located in the code; full documentation of the process in both static and dynamic tools |
Q8 | Exercise skipped or content completely incorrect | Only speculative answer about the type of crypto used | Crypto algorithm type identified but not the specific algorithm. | Correct crypto algorithm identified with no further proof provided. | Correct crypto algorithm identified with proof given. | Correct crypto algorithm identified with proof given and full explanation provided. |
Q9 | Exercise skipped or content completely incorrect | Only vague answer, unable to connect the dots from previous exercises | Partial summary provided with only one aspect answered correctly. | Partial summary provided with only two aspects answered correctly. | Partial summary provided with all three aspects answered correctly. | Full summary provided with all three aspects answered correctly. |
Q10 | Exercise skipped or content completely incorrect | Theoretical answer: how to decrypt | Unsuccessful decryption, but generally sound process/tools used/suggested | Successful decryption of own file by calculating the key | Successful decryption of own file by calculating the key, with solid approach to decrypting the real deal | Successful decryption of the CFO’s file with full proof and documentation |