Lab 1 - Automated Tools

In this lab, you will use automated tools to take a preliminary look at four sample binaries of interest.

Pre-Lab

Follow the Virtual Machine setup instructions and install REMnux - a Linux distribution for reverse engineering malware - on your system.

Malware Samples

Go to the course Canvas site and download 4 samples from the Lab 1 Assignment into your Remnux virtual machine. Unzip the files with password 'malware'. Use the md5sum command to obtain the hash and look up these malware samples in the websites.

Analysis Tools

Use the following static, dynamic and "hybrid" analysis tools at your own discretion.

Tip: Instead of uploading the binary and waiting for analysis, just search by the MD5 hash of each binary instead. All the files are well-known pieces of malware that have already been uploaded multiple times.

Deliverables

Create a PDF document that provides the following information on each binary file in an easy-to-read format. (A table would be appropriate). Upload to the Lab 1 Assignment on Canvas when finished.

  • Malware filename
  • Hashes of binary
    • MD5 hash of binary (legacy, some risk of hash collisions)
    • SHA256 hash of binary (modern)
    • Ssdeep hash of binary (fuzzy hash, used to compare similar but not identical binaries)
  • Executable type (32 or 64 bit)
  • Per-section table
    • Section name
    • MD5 hash (malware authors might change some data portion but keep the main malware code identical)
    • Entropy (high entropy per byte in 7-8 range might indicate packed/encrypted code)
  • Imports - Name of each library DLL that is imported (if any)
  • List of library functions that are imported
    • Note: I don’t want a list of ALL library functions (boring, tedious…) Rather, I want “interesting” functions that could indicate actions that the malware could take based on your professional judgment
  • Exports - Function calls that are exported (if any)
  • Strings
    • Note: I don’t want a list of ALL strings (boring, tedious...). Rather, I want “interesting strings” based on your professional judgment (Indicators of Compromise or hints about functionality)
  • Persistence Mechanism (Registry keys, files, …)
  • Files created (limit to non-library/non-Windows files)
  • Mutexes / "mutants" created (often used by malware to prevent reinfection). Limit to non-library/non-Windows mutexes
  • Network communication (hostname, IP, port, protocol)
  • Executive summary - What do you suspect that this malware is capable of doing?
    • Beaconing? Send periodic messages to malware authors with basic info on infected computer
    • Command and control?
    • Data exfiltration? Send stolen data to malware authors
    • File encryption & ransom?
    • Spamming?
    • Network scanning?