27.2.10 - Lab - Extract an Executable from a PCAP

School: Southern Illinois University, Carbondale
Course: 314I
Subject: Information Systems
Date: Nov 24, 2024
Type: docx
Pages: 5
Uploaded by kingabdullahqwerty

What are all those symbols shown in the Follow TCP Stream window? Are they connection noise? Data? Explain.

The symbols are the actual contents of the downloaded file. Because it is a binary file, Wireshark does not know how to represent it. The displayed symbols are Wireshark's best guess at making sense of the binary data while decoding it as text.

There are a few readable words spread among the symbols. Why are they there?

Those are strings contained in the executable code. Usually, these words are part of messages provided by the program to the user while it runs. While more of an art than a science, a skilled analyst can extract valuable information by reading through these fragments.

Challenge Question: Despite the W32.Nimda.Amm.exe name, this executable is not the famous worm. For security reasons, this is another executable file that was renamed as W32.Nimda.Amm.exe. Using the word fragments displayed by Wireshark's Follow TCP Stream window, can you tell what executable this really is?

Scrolling all the way down in that window reveals that this is the Microsoft Windows cmd.exe file.

Why is W32.Nimda.Amm.exe the only file in the capture?

Because the capture was started right before the download and stopped right after. No other traffic was caught while the capture was active.

The file command gives information on the file type. Use the file command to learn a little more about the malware, as shown below:

[analyst@secOps ~]$ file W32.Nimda.Amm.exe
W32.Nimda.Amm.exe: PE32+ executable (console) x86-64, for MS Windows
[analyst@secOps ~]$

In the malware analysis process, what would be a probable next step for a security analyst?

The goal is to identify the type of malware and analyze its behavior. Therefore, the malware file should be moved to a controlled environment and executed there so that its behavior can be watched. Malware analysis environments often rely on virtual machines and are sandboxed to avoid damage to non-test systems. Such environments usually contain tools that facilitate monitoring of the malware's execution; resource usage, network connections, and operating system changes are commonly monitored aspects. There are also a few Internet-based malware analysis tools. VirusTotal (virustotal.com) is one example. Analysts upload malware to VirusTotal, which, in turn, executes the malicious code. After execution and a number of other checks, VirusTotal returns a report to the analyst.
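As an added example (not part of the lab or its answer key), the following Python script does offline what the lab does by hand in Wireshark and with the file command: it carves the executable out of a captured HTTP response, reads the PE header fields behind the verdict file printed (PE32+, x86-64, console), and lists the readable strings scattered among the binary symbols. The HTTP response and the minimal PE image it parses are constructed inside the script, not taken from the lab's capture.

```python
import re
import struct

def build_sample() -> bytes:
    """Constructed HTTP response carrying a minimal, non-runnable PE32+ image."""
    dos = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", dos, 0x3C, 0x80)       # e_lfanew: PE header at 0x80
    stub = b"This program cannot be run in DOS mode.\r\n$"
    dos += stub + b"\0" * (0x80 - len(dos) - len(stub))
    # COFF header: machine 0x8664 (x86-64), 1 section, 240-byte optional header
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)         # magic 0x20B = PE32+
    struct.pack_into("<H", opt, 68, 3)            # subsystem 3 = console
    body = bytes(dos) + coff + bytes(opt) + b"\x90\x01\xff" * 4
    body += b"Sample string from cmd.exe (constructed)\0"
    hdr = b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    return hdr + body

def carve_http_body(stream: bytes) -> bytes:
    """Drop the HTTP response header; the file begins after the blank line."""
    sep = stream.find(b"\r\n\r\n")
    return stream[sep + 4:] if sep != -1 else stream

def pe_summary(data: bytes) -> dict:
    """Read the header fields behind file's verdict: format, machine, subsystem."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ signature: not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    machine = struct.unpack_from("<H", data, pe_off + 4)[0]      # COFF Machine
    magic = struct.unpack_from("<H", data, pe_off + 24)[0]       # optional header Magic
    subsystem = struct.unpack_from("<H", data, pe_off + 24 + 68)[0]
    return {"format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
            "machine": {0x14C: "i386", 0x8664: "x86-64"}.get(machine, hex(machine)),
            "subsystem": {2: "GUI", 3: "console"}.get(subsystem, str(subsystem))}

def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII: the readable words seen among the stream symbols."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

if __name__ == "__main__":
    exe = carve_http_body(build_sample())
    print(pe_summary(exe))   # {'format': 'PE32+', 'machine': 'x86-64', 'subsystem': 'console'}
    print(extract_strings(exe))
```

To use it on a real capture, save the server-to-client direction of the Follow TCP Stream dialog as raw bytes and pass those bytes to carve_http_body in place of build_sample().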