PROG8301-24W-Asignment-1-PartB (docx)
School: Conestoga College
Course: PROG8301
Subject: Information Systems
Date: Feb 20, 2024
Type: docx
Pages: 13
Uploaded by: CountMaskBee36
Assignment-1
Malware and Hacking
PROG8301
Table of Contents
Assignment 2 (page 3)
Specification (page 3)
RS6945, PROG8301
1. Using BASIC STATIC ANALYSIS TOOLS and given Lab01-01.exe and Lab01-01.dll (borrowed from the Practical Malware Analysis book), answer the following questions. For each, please provide a screenshot with your written answer (page 3)
(a) Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures? (page 3)
(b) When were these files compiled? (page 4)
(c) Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators? (page 5)
(d) Do any imports hint at what this malware does? If so, which imports are they? (page 6)
(e) Are there any other files or host-based indicators that you could look for on infected systems? Version W23(master) 1 (page 7)
(f) What network-based indicators could be used to find this malware on infected machines? (page 7)
(g) What would you guess is the purpose of these files? (page 8)
2. Using BASIC STATIC ANALYSIS TOOLS and given Assignment1 q2.exe, answer the following questions. For each, please provide a screenshot with your written answer (page 8)
(a) Upload the Assignment1 q2.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions? (page 8)
(b) Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible (page 9)
(c) Do any imports hint at this program's functionality? If so, which imports are they and what do they tell you? (page 9)
(d) What host- or network-based indicators could be used to identify this malware on infected machines? (page 10)
3. Using BASIC DYNAMIC ANALYSIS TOOLS (and static analysis tools, if you wish) and given the unknown program named Assignment1 q3.exe, answer the following questions. For each, please provide screenshot(s) with your written answer (page 10)
(a) Record your initial analysis data and observations (page 10)
(b) What are the malware's host-based indicators? (page 10)
(c) Are there any useful network-based signatures for this malware? If so, what are they? (page 11)
(d) Describe (with screenshots as evidence) as many features as possible in this unknown binary executable (page 11)
Assignment 2
Specification
1. Using BASIC STATIC ANALYSIS TOOLS and given Lab01-01.exe and Lab01-01.dll (borrowed from the Practical Malware Analysis book), answer the following questions. For each, please provide a screenshot with your written answer.
(a) Upload the files to http://www.VirusTotal.com/ and view the reports. Does either file match any existing antivirus signatures?
Figure 1 VirusTotal report generated.
Figure 2 Signature flagged by various vendors.
(b) When were these files compiled?
Figure 3 Compilation time.
(c) Are there any indications that either of these files is packed or obfuscated? If so, what are these indicators?
Figure 4 No obfuscation detected in the .exe.
Figure 5 No obfuscation detected in the .dll.
(d) Do any imports hint at what this malware does? If so, which imports are they?
Figure 6 Kernel32.dll and Msvcrt.dll imported by the malicious file.
Figure 7 Dependency Walker listing all the dependencies imported by the Lab01-01.dll file.
Based on these imports we can say fairly clearly that the malware is built to communicate over the network (possibly to open a connection to an attacker), to execute commands, and to manipulate files and processes (create, terminate), giving the hacker the ability to do almost anything on the system.
(e) Are there any other files or host-based indicators that you could look for on infected systems?
Figure 8 New file kerne1.dll disguised as kernel.dll (the name uses the digit 1 in place of the letter l).
We can see a new file named kerne1.dll being created, most likely containing malicious code and disguised as kernel.dll. The difference between the letter 'l' and the digit '1' is easy to miss in a file listing, which makes this kind of look-alike name an easy way for an attacker to hide an injected file; the presence of kerne1.dll is therefore a host-based indicator.
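As an added example (not from the assignment), the check below turns the kerne1.dll observation into a reusable host-based indicator test: a file name is canonicalised by replacing characters that look alike (digit 1 for l, 0 for o, and so on) and the result is compared with a list of protected names. PROTECTED_NAMES, KNOWN_BAD_NAMES, the sample directory listing and the names ntd11.dll and kerne132.dll in it are constructed for this example; only kerne1.dll, kernel.dll and kernel.exe come from the assignment's findings, and the function names are my own.

```python
"""Added example: detect look-alike (homoglyph) file names such as kerne1.dll.

PROTECTED_NAMES are names worth impersonating (constructed list: the names the
assignment treats as legitimate plus a few real Windows DLLs); KNOWN_BAD_NAMES
are names the assignment itself reports as indicators."""

# Characters that are visually confusable in common UI fonts -> canonical letter.
CONFUSABLE = str.maketrans({"1": "l", "0": "o", "5": "s", "|": "l", "!": "i"})

PROTECTED_NAMES = {"kernel.dll", "kernel32.dll", "ntdll.dll", "msvcrt.dll"}
KNOWN_BAD_NAMES = {"kerne1.dll", "kernel.exe"}  # from the assignment's findings


def canonical(name: str) -> str:
    """Lower-case the name and replace confusable characters with the letter they imitate."""
    return name.lower().translate(CONFUSABLE)


def classify(name: str) -> str:
    """Return one of 'known-bad', 'legitimate', 'homoglyph' or 'unknown'.

    Exact matches are tested first so that a legitimate name containing digits
    (kernel32.dll) is never reported as a look-alike of itself; a name is a
    homoglyph only if it is NOT an exact protected name but canonicalises to one
    (kerne132.dll -> kernel32.dll, ntd11.dll -> ntdll.dll)."""
    low = name.lower()
    if low in KNOWN_BAD_NAMES:
        return "known-bad"
    if low in PROTECTED_NAMES:
        return "legitimate"
    if canonical(name) in PROTECTED_NAMES:
        return "homoglyph"
    return "unknown"


def scan_listing(paths: list[str]) -> list[tuple[str, str]]:
    """Classify the file name of every path and return (path, verdict) for the hits."""
    hits = []
    for path in paths:
        name = path.replace("\\", "/").rsplit("/", 1)[-1]
        verdict = classify(name)
        if verdict in ("known-bad", "homoglyph"):
            hits.append((path, verdict))
    return hits


# Constructed listing of a System32 directory after infection (not real data).
SAMPLE_LISTING = [
    r"C:\Windows\System32\kernel32.dll",
    r"C:\Windows\System32\kerne1.dll",
    r"C:\Windows\System32\kerne132.dll",
    r"C:\Windows\System32\ntd11.dll",
    r"C:\Windows\System32\msvcrt.dll",
    r"C:\Windows\System32\kernel.exe",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    for path, verdict in scan_listing(SAMPLE_LISTING):
        print(f"{verdict:10} {path}")
```

The canonical form is only ever compared against the protected list, never used on its own, so a legitimate name that merely contains digits is not flagged; extend PROTECTED_NAMES with the binaries you care about on a given host and run scan_listing over a real directory listing.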
(f) What network-based indicators could be used to find this malware on infected machines?
Figure 9 Most likely an IP address detected.
We can see that an IP address is hard-coded into this .exe file; most likely it is the proxy the attacker uses to connect to the target. Because the target machine can establish an outbound connection to this IP from inside the network, the attacker can easily connect back and gain access to the internal network and the system. Traffic to this hard-coded IP address is therefore a network-based indicator.
(g) What would you guess is the purpose of these files?
The purpose of these files is comparable to the parts of a body: each component enables a certain operation that the malware can perform, adding tools to its inventory and making it possible for the malware to do all sorts of things on the system. In our case the capabilities are mostly to do with files, processes and network communication; an experienced hacker could take it further and gain privileged access to the system by placing hooks on NTDLL.dll and reaching kernel resources.
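The following added example (not part of this assignment or of the Practical Malware Analysis labs) shows how two of the checks above, the compile timestamp in (b) and the hard-coded IP address in (f), can be done with the Python standard library alone. SAMPLE_PE is a constructed byte string shaped like a PE header followed by a small string table, not a real sample; 192.0.2.10 is a documentation address standing in for the real hard-coded IP, which the assignment only shows in a screenshot. The function names are my own.

```python
"""Added example: two basic static-analysis checks on a PE image, offline.

compile_timestamp()  reads the COFF TimeDateStamp (question 1(b)).
find_ipv4_strings()  extracts printable strings, as the `strings` tool does,
                     and keeps the valid dotted-quad IPv4 literals (question 1(f))."""
import re
import struct
from datetime import datetime, timezone

# --- constructed sample ----------------------------------------------------
# A DOS header whose e_lfanew (offset 0x3C) points at the PE signature at 0x40,
# followed by the 20-byte COFF header and a fake string table. Not a real file.
_PE_OFFSET = 0x40
_TIMESTAMP = 1_300_000_000  # constructed value: 2011-03-13 07:06:40 UTC

SAMPLE_PE = (
    b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", _PE_OFFSET)
    + b"PE\x00\x00"
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    + struct.pack("<HHIIIHH", 0x14C, 3, _TIMESTAMP, 0, 0, 0xE0, 0x102)
    + b"\x00" * 32
    + b"kernel32.dll\x00"   # an imported DLL name, as seen in question 1(d)
    + b"192.0.2.10\x00"     # documentation address standing in for the hard-coded IP
    + b"999.1.1.1\x00"      # decoy: octet out of range, must not be reported
    + b"10.0.0\x00"         # decoy: only three octets, must not be reported
    + b"\x01\x02\x03"
)


def compile_timestamp(data: bytes) -> str:
    """Return the PE compile time (COFF TimeDateStamp) as an ISO-8601 UTC string.

    Raises ValueError when the MZ or PE signature is missing."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    # TimeDateStamp follows the 4-byte signature, Machine (2) and NumberOfSections (2).
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat()


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of at least min_len printable ASCII characters, like `strings -n`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


_DOTTED_QUAD = re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")


def find_ipv4_strings(data: bytes) -> list[str]:
    """Valid dotted-quad IPv4 literals among the file's strings.

    The regex alone accepts 999.1.1.1, so every octet is range-checked as well."""
    found = []
    for text in extract_strings(data):
        for candidate in _DOTTED_QUAD.findall(text):
            if all(0 <= int(octet) <= 255 for octet in candidate.split(".")):
                found.append(candidate)
    return found


if __name__ == "__main__":
    print("compiled :", compile_timestamp(SAMPLE_PE))
    print("strings  :", extract_strings(SAMPLE_PE))
    print("ipv4     :", find_ipv4_strings(SAMPLE_PE))
```

To use it on a real file, read the file with `open(path, "rb").read()` and pass the bytes to both functions. A timestamp of zero or a date in the future is itself worth noting, since the field can be altered after compilation, and an IP literal in the string table is only an indicator once you have confirmed in dynamic analysis that the program actually connects to it.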
2. Using BASIC STATIC ANALYSIS TOOLS and given Assignment1 q2.exe, answer the following questions. For each, please provide a screenshot with your written answer.
(a) Upload the Assignment1 q2.exe file to http://www.VirusTotal.com/. Does it match any existing antivirus definitions?
Figure 10 Full report of the executable by VirusTotal.
(b) Are there any indications that this file is packed or obfuscated? If so, what are these indicators? If the file is packed, unpack it if possible.
Figure 11 Code obfuscation found.
(c) Do any imports hint at this program's functionality? If so, which imports are they and what do they tell you?
Figure 12 Files imported.
(d) What host- or network-based indicators could be used to identify this malware on infected machines?
Figure 13 Changes made to the registry after the execution of the malware. These new/modified keys can serve as indicators of an infected system.
We can record the keys created by this program on the analysis system and then look for the same keys or patterns on other systems to determine whether they are infected. We can also look at the other network- and file-based activity performed by the program and use it in the same way to detect infection on other systems.
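The workflow described in 2(d), diff the registry before and after running the sample and then hunt for the resulting keys on other hosts, as an added example that is not the assignment's own code. The snapshots are constructed Python dicts: the Run and Policies\System key paths are real Windows locations, while PLACEHOLDER_MALWARE_KEY and C:\PLACEHOLDER\payload.exe stand in for values the assignment shows only in a screenshot; snapshot_diff and match_indicators are my own names.

```python
"""Added example: derive registry indicators from a before/after diff and
check another host's snapshot against them.

A snapshot is {key_path: {value_name: data}}. In practice you would export
the keys of interest (e.g. with `reg export`) on the analysis VM before and
after execution and on the hosts you want to check; here they are constructed."""

RUN_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
UAC_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
PLACEHOLDER_KEY = r"HKLM\SOFTWARE\PLACEHOLDER_MALWARE_KEY"  # placeholder, not from the assignment

# Constructed snapshot of the clean analysis VM.
BEFORE = {
    RUN_KEY: {"SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    UAC_KEY: {"EnableLUA": "1"},
}

# Constructed snapshot after running the sample: one value added under Run,
# one existing value changed, one brand-new key.
AFTER = {
    RUN_KEY: {
        "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
        "Updater": r"C:\PLACEHOLDER\payload.exe",  # placeholder persistence entry
    },
    UAC_KEY: {"EnableLUA": "0"},
    PLACEHOLDER_KEY: {"Installed": "1"},
}

# Constructed snapshot of a second host that carries only the Run entry.
OTHER_HOST = {
    RUN_KEY: {"Updater": r"c:\placeholder\payload.exe"},
    UAC_KEY: {"EnableLUA": "1"},
}


def snapshot_diff(before: dict, after: dict) -> list[tuple[str, str, str]]:
    """Indicators as sorted (key, value_name, data) triples.

    A value is an indicator if it is absent from `before` or its data changed;
    a key that did not exist before contributes every one of its values."""
    indicators = []
    for key, values in after.items():
        old = before.get(key, {})
        for name, data in values.items():
            if name not in old or old[name] != data:
                indicators.append((key, name, data))
    return sorted(indicators)


def match_indicators(snapshot: dict, indicators: list[tuple[str, str, str]]) -> list[tuple[str, str]]:
    """Return the (key, value_name) pairs from `indicators` found in `snapshot`.

    Data is compared case-insensitively because registry paths and file paths
    on Windows are not case-sensitive; the value name and data must both match,
    so EnableLUA=1 on a healthy host does not match the EnableLUA=0 indicator."""
    hits = []
    for key, name, data in indicators:
        values = snapshot.get(key, {})
        if name in values and values[name].lower() == data.lower():
            hits.append((key, name))
    return hits


if __name__ == "__main__":
    iocs = snapshot_diff(BEFORE, AFTER)
    for key, name, data in iocs:
        print(f"indicator: {key} | {name} = {data}")
    print("other host:", match_indicators(OTHER_HOST, iocs))
    print("clean host:", match_indicators(BEFORE, iocs))
```

The diff deliberately reports changed values as well as new ones, because a sample that flips an existing setting (the UAC flag in the constructed data) leaves no new key behind and would be missed by a new-keys-only comparison.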
3. Using BASIC DYNAMIC ANALYSIS TOOLS (and static analysis tools, if you wish) and given the unknown program named Assignment1 q3.exe, answer the following questions. For each, please provide screenshot(s) with your written answer.
(a) Record your initial analysis data and observations.
I was able to gather various information on both network- and file-based activity. At first I noticed a new process named kernel.exe being created and running, which was suspicious. Then I checked the registry and found a new key for this program being added, among other keys, later on in the analysis. I also noticed the traffic generated by this process, identified by its process ID: it contacted a remote IP address on port 80.
(b) What are the malware's host-based indicators?
The process kernel.exe and the registry key it adds, along with the other keys, can serve as our host-based indicators.
(c) Are there any useful network-based signatures for this malware? If so, what are they?
Yes, there is one network-based indicator we can see: the IP address used by the attacker. Any traffic to this IP should be flagged.
(d) Describe (with screenshots as evidence) as many features as possible in this unknown binary executable.
In conclusion, it imports various DLLs which make it capable of performing various operations on the system; it creates a new process disguised as kernel.exe and launches it to connect to a remote IP used by the attacker.