Farhan_Mohd_ IST266_Lab2.2
School: Greenville Technical College
Course: 266
Subject: Information Systems
Date: Feb 20, 2024
Type: docx
Pages: 2
1. Access the VirusTotal page at https://www.virustotal.com.
2. Run a search for the IP address of 82.221.105.125.
3. Use VirusTotal and any other web resources you have learned about so far during class to complete the remaining questions.
4. Based on GeoIP data, where in the world is the IP address of 82.221.105.125 located?
The IP address is located in Russia.
5. Review the different domains that are hosted on the IP. What would be one FQDN that appears to be related to an email server?
One FQDN that appears to be related to an email server is mail.smtp2web.com.
70 anti-malware providers detect the file as malicious while 20 do not. This means the file likely contains obfuscated or new malware not yet identified by some anti-malware solutions.
6. Agent.Portable.EXE
9. What is the size of the file?
The size of the file is 62,528 bytes.
10. What type of file is this?
The file type is Portable Executable (PE).
11. When was the file's "Creation Time"?
The file's Creation Time was 2021-08-12 19:24:00 UTC.
12. When was the file first reported to VirusTotal?
The file was first reported to VirusTotal on 2021-08-21 22:53:03 UTC.
13. Click on the 'Relations' tab. Include a screenshot of the Relations graph displayed. What do the displayed icons and connections mean? (25 – 50 words)
The Relations graph shows related files and their types of association like similar, parent, or child. This provides context on the file's relationships and classification.
14. Click on the 'Behavior' tab and launch one of the Sandbox choices. Sandboxes are a safe environment, typically a secure virtual machine, in which files can be opened to determine if the files contain any type of malware.
The sandbox results show the malware attempting DNS lookups for domains like openmx.eu and api.apiflash[.]com, opening files like explorer.exe and wmiprvse.exe, and accessing keys in the Windows registry.
15. This file should be considered malicious because:
Most anti-malware providers detect it as malware
Its behavior in sandboxes is inconsistent with typical file behavior and suggests malicious intent
It was likely designed to infiltrate systems without authorization based on the DNS and process activity.
16. Does the malware attempt any outbound network communication to the Internet? If so, what is one of the domains?
explorer.exe is one file opened.
18. Does the malware access the Windows Registry at all?
Yes, the malware accesses the Windows Registry.
19. Specify three different reasons why you would consider this a malicious file.
1. The majority of antivirus solutions detect it as malware. This shows malicious behaviors and code.
2. In sandboxes it performs suspicious activities like DNS lookups and process execution not typical of legitimate software.
3. It was likely created to infiltrate systems for unauthorized access or data theft based on the DNS and process behaviors observed.