Malware analysis assignment (Linux)
CAP 4145 Introduction to Malware Analysis
Assignment 3 – Basic Dynamic Analysis
10 points
Instructions:
- This is an individual assignment.
- Answers to all questions must be put into ONE document. That is, for each assignment every student submits exactly one report document answering all of its questions, unless explicitly stated otherwise.
- Students must put each answer directly after the corresponding question in this assignment. The instructor will not grade a report that contains only answers, and the student gets zero for such an assignment. An assignment report must include the original questions.
- Students MUST submit the finished assignment in either Microsoft Word or pdf format to Webcourse. The doc must be submitted as ONE standalone file and cannot be tarred or zipped into a container.
- All required files or docs must be submitted in one submission (the last submission). Note: Blackboard allows an unlimited number of submissions of one assignment by students.
- Refer to Print screen on how to take a screenshot. Pressing the Alt key in combination with PrtSc will capture the currently selected window.
WARNING: This assignment contains malware that works under the latest Windows. Please do not abuse it and run the malware only on the provided sandbox. The instructor is not responsible for any consequence of any abuse.
Problems:
Answer each question following the original question. Do NOT delete the original question.
Lab 3-1
Configure the WINHOST01 VM to run ApateDNS and configure the LINUX01 VM to run inetsim. Please download Lab03-01.7z (password to unzip: malware) from WebCourses under this assignment.
- Instructions to configure WINHOST01 to run ApateDNS:
  - Basically follow this tutorial, but read the rest of the instructions first.
  - The tutorial requires the installation of .NET Framework 3.5. The required “sxs” folder is provided by the instructor as sxs.7z within Lab03-01.7z. (Note: the instructor downloaded the Windows Server 2016 ISO file, mounted it, and zipped the required “sxs” folder to produce sxs.7z.)
  - Download ApateDNS.
- Instructions to configure LINUX01 to run inetsim:
  - Refer to Using INetSim on Kali Linux to configure inetsim. Note: read only the Configuring inetsim section of this article.
  - Log files are stored in the /var/log/inetsim/ directory:
    - debug.log: debug information, written only when inetsim is run in debug mode
    - main.log: informational logs (services started, stopped, …)
    - service.log: an entry is added to this file whenever a connection is made to one of the simulated services
  - Tips:
    - Use chmod 755 to change the permissions of the /var/log/inetsim folder; otherwise you cannot use cd to enter it.
    - Use sudo to run commands under Kali whenever necessary.
Questions
- Use ApateDNS and direct network traffic from WINHOST01 to LINUX01. Provide a screenshot of the configured and working ApateDNS following this question. (1 point)
- Copy and paste the content of service.log following this question. (1 point)
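As an added example (not part of the assignment and not INetSim's own code), the script below reduces a service.log to the per-service connection counts, DNS names and HTTP requests a student would cite as network-based indicators. The line layout it expects, "[timestamp] [pid] [service pid] [client:port] message", is an assumption modelled on INetSim's service.log, and the sample lines are constructed, not captured.

```python
# Added example (not part of the assignment): summarise an INetSim service.log
# into candidate network-based indicators. The layout assumed here,
# "[timestamp] [pid] [service pid] [client:port] message", is modelled on
# INetSim's service.log; the sample lines below are constructed, not captured.
import re
from collections import Counter

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<pid>\d+)\] \[(?P<svc>\S+) (?P<spid>\d+)\] "
    r"\[(?P<client>[^\]]+)\] (?P<msg>.*)$"
)
DNS_RE = re.compile(r"Query Type (?P<qtype>\w+), Class \w+, Name (?P<name>\S+)")
HTTP_RE = re.compile(r"^recv: (?P<method>[A-Z]+) (?P<path>\S+) HTTP/")
SAMPLE_LOG = """\
[2024-03-01 10:00:01] [1200] [dns_53_tcp_udp 1211] [10.0.0.5:51000] connect
[2024-03-01 10:00:01] [1200] [dns_53_tcp_udp 1211] [10.0.0.5:51000] Query Type A, Class IN, Name update.example.net
[2024-03-01 10:00:01] [1200] [dns_53_tcp_udp 1211] [10.0.0.5:51000] disconnect
[2024-03-01 10:00:02] [1200] [http_80_tcp 1209] [10.0.0.5:51001] connect
[2024-03-01 10:00:02] [1200] [http_80_tcp 1209] [10.0.0.5:51001] recv: GET /check.php HTTP/1.1
[2024-03-01 10:00:02] [1200] [http_80_tcp 1209] [10.0.0.5:51001] recv: Host: update.example.net
[2024-03-01 10:00:02] [1200] [http_80_tcp 1209] [10.0.0.5:51001] disconnect
"""

def parse_line(line):
    """Split one service.log line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def summarise(text):
    """Return connection counts per service, DNS names queried, HTTP requests and clients."""
    connects, dns_names, http_requests, clients = Counter(), set(), [], set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or unrecognised lines instead of failing
        clients.add(rec["client"].rsplit(":", 1)[0])  # sandbox host that connected
        if rec["msg"] == "connect":
            connects[rec["svc"]] += 1
        elif m := DNS_RE.search(rec["msg"]):
            dns_names.add(m.group("name"))  # hostname the sample resolved
        elif m := HTTP_RE.match(rec["msg"]):
            http_requests.append(f"{m.group('method')} {m.group('path')}")
    return {"connections": dict(connects), "dns_names": sorted(dns_names),
            "http_requests": http_requests, "clients": sorted(clients)}

if __name__ == "__main__":
    import json, sys
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG  # path to a real service.log
    print(json.dumps(summarise(src), indent=2))
```

Run it against the copied service.log to get the summary, then quote both the raw log and the extracted names and requests in the report.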
Lab 3-2
Please download Lab03-02.7z (password to unzip: malware) from WebCourses under this assignment.
Questions
- Run the following tools from Chapter 3 on Lab03-02.exe, and copy and paste the output or a screenshot from these tools below. (2 points)
- What are this malware’s imports and strings? (2 points)
- What are the malware’s host-based indicators? (2 points)
- Are there any useful network-based signatures for this malware? If so, what are they? (2 points)
Output from procmon
Output from Process Explorer