Proj 14: Malware Behavior (Lab 11-1) (35 pts.)

What you need:

Purpose

You will practice the techniques in chapter 11.

Downloading the Lab Files

In a Web browser, go here:

http://practicalmalwareanalysis.com/labs/

Download and unzip the lab files.

Follow the instructions for Lab 11-1 in the textbook. There are more detailed solutions in the back of the book. The only purpose of this document is to explain what images to turn in.

Static Analysis with Strings

Examine the strings in Lab11-01.exe. You should find the two items below.

Save an image showing the string SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon as shown below, with the filename "Proj 14a from YOUR NAME".

YOU MUST SUBMIT WHOLE-DESKTOP IMAGES TO GET FULL CREDIT!

Save an image showing the string gina.DLL, as shown below, with the filename "Proj 14b from YOUR NAME".

Static Analysis with PEview

Examine the Lab11-01.exe file in PEview. Find the items below.

Save an image showing these imports, as highlighted below:, with the filename "Proj 14c from YOUR NAME".

Save an image showing the BINARY TGAD 0000 section, as shown below, with the filename "Proj 14d from YOUR NAME".

Dynamic Analysis with Procmon

Run the malware in a virtual machine, while running Procmon to see what it does.

In Procmon, click Filter, "Reset Filter".

Click Filter, Filter. Filter for a "Process Name" of Lab11-01.exe.

Save an image showing these events, as shown below, with the filename "Proj 14e from YOUR NAME".

Resource Hacker

Download Resource Hacker here:

http://www.angusj.com/resourcehacker/

Open Lab11-01.exe in Resource Hacker.

The "BINARY TGAD 0" starts with MZ and contains the telltale text "This program cannot be run in DOS mode", as shown below--this is an EXE file.

Save an image showing the "BINARY TGAD 0" section, as shown below, with the filename "Proj 14f from YOUR NAME".

In Resource Hacker, in the left pane, click 0 ti highlight it, as shown above.

Click Action, Save Resource as a binary file...".

Save the file as YOURNAME-TGAD0.exe, replacing the text "YOURNAME" with your own name.

HashCalc

If you don't have it, get HashCalc here:

http://www.slavasoft.com/hashcalc/

Calculate the MD5 hash of the msgina32.dll file created by running the malware.

The MD5 hash begins with 7ce4, as shown below.

Calculate the MD5 hash of the YOURNAME-TGAD0.exe file, as shown below.

Save an image showing these elements:

Save the image with the filename "Proj 14g from YOUR NAME".

Turning in your Project

Email the images to cnit.126sam@gmail.com with the subject line: Proj 14 from YOUR NAME


Last modified 4-22-16