Differences
This shows you the differences between two versions of the page.
|
cdci:labs:1 [2020/02/21 10:10] mihai.chiroiu [03. [5p] Initial file analysis] |
cdci:labs:1 [2020/02/24 11:01] (current) mihai.chiroiu |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Lab 1. Malware sample analysis ====== | + | ====== Lab01. Malware sample analysis ====== |
| ===== Objectives ===== | ===== Objectives ===== | ||
| Line 32: | Line 32: | ||
| The sample archive contain one malware and uses the "malware" password. | The sample archive contain one malware and uses the "malware" password. | ||
| </note> | </note> | ||
| - | ==== 03. [5p] Initial file analysis ==== | + | ==== 03. [10p] Initial file analysis ==== |
| Your network administrator has provided you with 10 files that look suspicious and where caught by the network security equipment. Your job is to determine if there is any suspicious file and find out as much information about it as possible. Fill in the following data for each file. Try to do this using a (PowerShell) script. | Your network administrator has provided you with 10 files that look suspicious and where caught by the network security equipment. Your job is to determine if there is any suspicious file and find out as much information about it as possible. Fill in the following data for each file. Try to do this using a (PowerShell) script. | ||
| Line 41: | Line 41: | ||
| Is the previous information enough? Does it really help? Use the WinMergePortable.exe program and compare “test1.exe” against “test2.exe”. What about their hashes, how close are them? Consider the file properties and spot the differences. | Is the previous information enough? Does it really help? Use the WinMergePortable.exe program and compare “test1.exe” against “test2.exe”. What about their hashes, how close are them? Consider the file properties and spot the differences. | ||
| - | + | ==== 05. [15p] Behaviour analysis ==== | |
| - | <solution> | + | |
| - | The MD5 hash of the test01.exe is CD3B253FAAE62C0D0EC8CF456FDF083E, while the hash of test02.exe is B97D6A2234092C60F13CDCB8DFA4BE6E, hence there is a big difference between the twos. However, the only change that can be seen in the file details is the File version, 6.1.7601.17514 for test01.exe versus 6.1.7601.17515 for test02.exe. | + | |
| - | </solution> | + | |
| - | ==== 05. [5p] Behaviour analysis ==== | + | |
| <note> | <note> | ||
| Line 61: | Line 57: | ||
| </note> | </note> | ||
| - | ==== 06. [5p] Malware network activity monitoring ==== | + | ==== 06. [10p] Malware network activity monitoring ==== |
| In this exercise you will monitor the network connections of the malware. Start Wireshark before running the malware and save the captures. You can copy/paste the pcap file outside the VM and analyze it. Please write down the followings: | In this exercise you will monitor the network connections of the malware. Start Wireshark before running the malware and save the captures. You can copy/paste the pcap file outside the VM and analyze it. Please write down the followings: | ||
| Line 71: | Line 67: | ||
| For a proper analysis of the malware traffic you can use the netstat tool to view all active connection. It helps to narrow down the traffic from a specific process. Open it before running the application and see the outgoing connections. You can also use TcpLogView to save the data in a readable format. | For a proper analysis of the malware traffic you can use the netstat tool to view all active connection. It helps to narrow down the traffic from a specific process. Open it before running the application and see the outgoing connections. You can also use TcpLogView to save the data in a readable format. | ||
| - | ==== 08. [5p] Windows registry activity analysis ==== | + | ==== 08. [10p] Windows registry activity analysis ==== |
| Besides network access, a malware will try to make itself hard to find and to remove, adding different registry entries. Use the Procmon tool to monitor the entries in the registers done by the malware. | Besides network access, a malware will try to make itself hard to find and to remove, adding different registry entries. Use the Procmon tool to monitor the entries in the registers done by the malware. | ||
| Line 79: | Line 75: | ||
| * Try to find the registry location that allows the malware to run at boot time. (Hint: https://docs.microsoft.com/en-us/windows/desktop/setupapi/run-and-runonce-registry-keys). Remove it using Registry Editor. | * Try to find the registry location that allows the malware to run at boot time. (Hint: https://docs.microsoft.com/en-us/windows/desktop/setupapi/run-and-runonce-registry-keys). Remove it using Registry Editor. | ||
| - | ==== 09. [5p] File creation monitoring ==== | + | ==== 09. [10p] File creation monitoring ==== |
| Use the previous data saved (or re-run the procmon tool) and look at the files created and opened by the malware. | Use the previous data saved (or re-run the procmon tool) and look at the files created and opened by the malware. | ||
| Line 89: | Line 85: | ||
| Modify the malware using the ResourceHacker tool (e.g., version number) and make sure that that hashes changes. Enable the Windows Defender Virus and Threat Defender. See if it can find the old executable as malware, what about the new one? | Modify the malware using the ResourceHacker tool (e.g., version number) and make sure that that hashes changes. Enable the Windows Defender Virus and Threat Defender. See if it can find the old executable as malware, what about the new one? | ||
| - | ==== 11. [5p] Threat intelligence ==== | + | ==== 11. [10p] Threat intelligence ==== |
| For more information of the malware please search for the hash on “https://www.virustotal.com”. What about the new hash, did the virustotal website find it? You can also upload the new file and see the results. Try to see if you can also spot other types of behavior that the malware does in the security report provided. | For more information of the malware please search for the hash on “https://www.virustotal.com”. What about the new hash, did the virustotal website find it? You can also upload the new file and see the results. Try to see if you can also spot other types of behavior that the malware does in the security report provided. | ||
| - | ==== 12. [5p] Threat hunting ==== | + | ==== 12. [10p] Threat hunting ==== |
| The selected malware uses bitcoin as a payment alternative. Investigate how much money did they earned. | The selected malware uses bitcoin as a payment alternative. Investigate how much money did they earned. | ||
| - | <solution> | ||
| - | </solution> | ||
