Malware Analysis Report

Project Objectives

In this project, you will write a malware analysis report on an unknown piece of malware, demonstrating all of your static, dynamic, and code reversing skills.

Proposal

First, pick a malware executable that you would like to analyze. This malware must be:

  • A Microsoft Windows executable (Win32, PE format), x86 or x64, that runs in your Windows 10 VM.
  • Identified as malware, either by internet commentary (blog posts, etc.) or by a cohort of virus scanners at https://www.virustotal.com. There should be no disagreement about whether this binary is malware or not.
  • Only available as the compiled binary. (i.e., The high-level source code to this malware must not have been leaked online)
  • The instructor reserves the right to place additional restrictions on the malware selection.

You can obtain your malware executable from a variety of sources:

  • Your instructor has obtained a "small" collection of malware and posted it on the cyberlab download site (in comp272/malware). You can access it via the lab network, or by logging in with the standard lab login. Both the zip archive and the file inside are named with the SHA-256 hash. The .exe extension is not present, but these files should all be Win32 PE executables.
  • A variety of public resources are listed at the Malware Samples for Students page. Plan ahead - some sites require you to request a login, and may take a while to respond! You may be interested in "The Zoo" or Contagio as a curated list of malware.

Suggestion: Pick a piece of malware that runs in Windows 10, can easily be unpacked (or is already unpacked), and has a variety of interesting functions and system calls when viewed in IDA or x64dbg. You may need to examine multiple pieces of malware before you find a good one for this project.

  • Some malware only works on old versions of Windows
  • Some malware (e.g. Point of Sale) only works on systems with special software installed

  • Some malware is very heavily obfuscated or resistant to debugging / RE tools

    Malware in these categories (and more) is best avoided for this project.

Suggestion: Pick a piece of malware that has at least some information publicly available about it. While you will still have to extensively document your analysis report with screenshots as "proof of discovery", at least you will have some idea in advance of what there is to discover.

Once you have picked your malware executable, write a 1-page proposal with the following information:

  • Malware MD5 and SHA256 hash
  • The "name" of the malware as given by antivirus engines, a Google source, or your curated download source
  • A brief description of "what happens when you run the malware?" (You have run it, yes?) This description does not need to be fully comprehensive, but there should be some evidence of something happening on your computer that merits further reverse engineering.
  • A list of significant indicators of compromise provided by "triage" tools like PEStudio and the online tools used in Lab 1.
  • A list of 10 technical follow-up questions that you intend to answer via behavioral analysis or disassembly/debugging tools.
    • Note: At least 5 questions must require disassembly & debugging tools.

Analysis

Analyze the malware. You may want to use a structured Word template or a mind map to help organize your thoughts. Take careful notes, so as not to lose track of any hard-fought insights about the malware.

Checkpoint

Meet with the instructor approximately 2 weeks into your project. (A signup schedule for the week after spring break will be distributed in advance). At this meeting, be prepared to discuss:

  • What did you learn about the malware via static analysis?
  • What did you learn about the malware via behavioral analysis?
    • Files created? Registry edited? Network traffic sent? System calls performed?
  • What specific questions do you intend to answer about the malware via disassembly and debugging tools?

Report

Write a malware analysis report containing your discoveries. In the report, include the following information:

  • Executive Summary - Describe the capabilities of this malware for your non-technical boss in a single page.
    • What are its capabilities?
    • How can the program be detected across enterprise systems?
    • What would data exfiltration (if exists) look like on the network? Can we see if data is taken, or what data was taken?
    • Does the program reveal anything about our adversaries? What are their capabilities? Are they targeting us specifically?
  • Identification - File name(s), file size, hashes (MD5, SHA1, SHA256)
  • Capabilities - Describe what the malware can do
    • Can it infect files?
    • Can it persist across reboots?
    • Can it spread to other systems?
    • Can it leak/exfiltrate data?
    • Can it communicate with the attacker?
    • Can it resist analysis?
  • Dependencies - Describe what the malware needs to run, such as a particular OS version or network access.
  • Indicators of Compromise - Provide a list of useful unique IOCs for your network operations center team or system administrators to detect if this malware is present in their systems. Warning: A copy-and-paste of the “Indicators” tab provided in PE Studio or similar tool is not acceptable here. Many of those are too vague and generic and do nothing to distinguish your malware from many others. If all I wanted was a copy and paste from PE Studio, I wouldn’t need to pay you (the malware analyst) to write this report. You need to provide a “human value-add” over the software. If you feel a particular item from PE Studio is noteworthy, elaborate on why it is important in your report.
  • Behavioral and Code Analysis Documentation - For every capability and IOC listed previously, document your discovery process using the behavioral or code analysis tools. Write a few sentences and provide a screenshot (or few) as evidence proving that you can find this via your malware analysis tools, and are not relying on Google searches or malware analysis reports written by others.

Ask Yourself: If I didn't know this was there (from outside reading), how would I have discovered it with my tools? Document that process.

Report Style: This report should be a narrative report in the classical college "term paper" sense. It should not be a glorified outline, and the prompts above should not be copied verbatim into your report in a Q&A style.

Presentation

Prepare a presentation of your malware analysis. You do not need to cover every IOC that is described in your analysis report. Instead, choose the most interesting part(s) of your malware case study and present it in 10 minutes, with 1 minute of questions. Tell us a story of how your analysis progressed. Your presentation should focus on how you discovered each IOC, not just what the IOC is. Use PowerPoint or equivalent to display your "proof of discovery". Crop and scale your screenshots to contain only the essential information. If desired, you may also discuss "dead ends" that you encountered in your analysis.

Submit a recorded video of your oral presentation with the supporting slides.

For the recorded presentation, don't use the most rudimentary method - pointing your phone camera vaguely towards your laptop screen and hitting record. There are myriad screen recorder applications that, combined with a microphone, will produce high quality visuals and audio. Or if you want to get fancy, something like Open Broadcaster Software Studio has a lot of power.

Grading

Proposal (10 pts)

  • Malware identified (Name, MD5/SHA256) - 1 pts
  • A brief description of "what happens when you run the malware?" - 3 pts
  • Indicators of Compromise identified - 3 pts
  • Technical questions identified (at least 5 requiring debugging/disassembly) - 3 pts

Checkpoint (20 pts)

  • This checkpoint will be graded on a scale of:
    • Excellent progress (20 pts)
    • Good progress (15 pts)
    • Fair progress (10 pts)
    • Poor progress (5 pts)
    • No progress (0 pts)

Report (70pts)

  • Executive Summary - 6 pts
  • Identification - 2 pts
  • Dependencies - 2 pts
  • Capabilities - 10 pts
  • Indicators of Compromise - 10 pts
  • Behavioral and Code Analysis Documentation - 40 pts

Presentation (20 pts)

  • Technical Analysis - 10 pts
  • Visual and verbal communication - 10 pts

Submission

Submit all files to the Canvas CMS site.

There will be separate Canvas assignments for:

  1. Proposal (PDF)
  2. Report (PDF)
  3. Presentation Slides (PDF, PPTX)
  4. Recorded Presentation Video
  5. Malware Sample (ZIP)