assignment in malware basic static analysis
CAP 4145 Introduction to Malware Analysis
Assignment 2 – Basic Static Analysis
10 points
Instructions:
- This is an individual assignment.
- Answers to all questions must be put into ONE document. That is, each student submits a single report document answering all questions of this assignment, unless explicitly stated otherwise.
- Students must put answers following each question in this assignment. The instructor will not grade a report that contains only answers, and the student gets zero for such an assignment. An assignment report must include the original questions.
- Students MUST submit the finished assignment in either Microsoft Word or PDF format to Webcourse. The document must be submitted as ONE standalone file and cannot be tarred or zipped into a container.
- All required files or docs must be submitted in one submission (the last submission). Note: Blackboard allows an unlimited number of submissions for one assignment.
- Refer to Print screen on how to take a screenshot. Pressing the Alt key in combination with PrtSc will capture the currently selected window.
Problems:
Answer each question following the original question. Do NOT delete the original question.
Note:
- Underlined blue text points to a web link. Ctrl + Click to follow link.
- Download the labs including all files at Practical Malware Analysis Labs – Download.
- If related tools are not available from CyberHub virtual machines (VMs), they can be found at the end of the instructor’s website for this course here.
Lab 1-0
Browse the CyberHub support website here and watch all the short tutorial videos. (3 Points)
Questions
- Open all the three virtual machines (VMs) in the sandbox provided for this class and provide a screenshot here following this question.
- Disable the Windows Firewall, ping from the Linux VM, and provide screenshots showing that ping works.
- Ping the Linux VM from a Windows VM and provide a screenshot that ping works.
Lab 1-1
This lab uses the files Lab01-01.exe and Lab01-01.dll. Use the tools and techniques described in the chapter to gain information about the files and answer the questions below. (7 Points)
Questions
- Run all tools in Chapter 1 on Lab01-01.exe and Lab01-01.dll, and copy and paste the output or a screenshot from these tools below.
- When were these files compiled?
- Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?
- Do any imports hint at what this malware does? If so, which imports are they?
- Are there any other files or host-based indicators that you could look for on infected systems?
- What network-based indicators could be used to find this malware on infected machines?
- What would you guess is the purpose of these files?
Output from md5deep
Output from strings
Output from PEiD
Output from Dependency Walker
Output from PEview
Output from ResourceHacker
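For the compile-time and packing questions above, the following added example (not part of the lab or the course materials) shows what PEview and PEiD are reading: it parses the IMAGE_FILE_HEADER TimeDateStamp and the section table of a PE file and flags common packing indicators. It runs on a constructed UPX-style header rather than the lab files; the packer section-name list and the 7.0 entropy threshold are illustrative assumptions.

```python
import hashlib
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# Section names left by common packers (illustrative, non-exhaustive: UPX and ASPack).
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata"}
ENTROPY_THRESHOLD = 7.0  # assumed cut-off; compressed/encrypted data sits near 8.0 bits/byte

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for a uniform fill, 8.0 for a perfectly flat histogram)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def analyze_pe(image: bytes) -> dict:
    """Read the PE signature, IMAGE_FILE_HEADER and section table; report hash, compile time, packing hints."""
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]  # e_lfanew in the DOS header
    if image[:2] != b"MZ" or image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    _machine, nsec, stamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, pe_off + 4)
    sec_off = pe_off + 4 + 20 + opt_size  # section table follows the optional header
    sections, indicators = [], []
    for i in range(nsec):
        raw_name, vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", image, sec_off + 40 * i)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        ent = shannon_entropy(image[rptr:rptr + rsize])
        sections.append({"name": name, "virtual_size": vsize, "raw_size": rsize, "entropy": round(ent, 2)})
        if name in PACKER_SECTION_NAMES:
            indicators.append(f"section name {name!r} is typical of a packer")
        if rsize == 0 and vsize > 0:
            indicators.append(f"section {name!r} has no raw data but is {vsize:#x} bytes in memory (unpacking target)")
        if rsize and ent > ENTROPY_THRESHOLD:
            indicators.append(f"section {name!r} has entropy {ent:.2f} (compressed or encrypted content)")
    return {"md5": hashlib.md5(image).hexdigest(), "sections": sections, "packing_indicators": indicators,
            "compile_time": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()}

def build_sample_pe() -> bytes:
    """Constructed header-only image for testing (not a real binary): UPX-style layout, 2011 timestamp."""
    opt_size = 0xE0  # PE32 optional header size; its contents are irrelevant here and left zeroed
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * 2
    payload = bytes(range(256)) * 8  # 2 KiB covering every byte value equally: entropy exactly 8.0
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 1_300_000_000, 0, 0, opt_size, 0x102)
    sec0 = struct.pack("<8sIIIIIIHHI", b"UPX0", 0x10000, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000080)
    sec1 = struct.pack("<8sIIIIIIHHI", b"UPX1", len(payload), 0x11000, len(payload), hdr_len, 0, 0, 0, 0, 0xE0000040)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    return dos + b"PE\0\0" + file_hdr + b"\0" * opt_size + sec0 + sec1 + payload

if __name__ == "__main__":
    print(analyze_pe(build_sample_pe()))
```

Point `analyze_pe` at the bytes of a real sample to compare its timestamp and section list against what PEview shows; a timestamp far in the past or future is itself a sign of header tampering.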