For this question, use the file labeled stage1.exe to perform a comprehensive malware analysis spanning all the phases we covered so far. Specifically, perform the following analyses:
Perform a comprehensive static properties analysis using whatever tools you deem appropriate. Based on your analysis, formulate a few hypotheses, supported with relevant evidence (screenshots) about the potential functionality of the specimen. Use the following table to list your hypotheses and supporting evidence:
Functionality:
- File system activity
- Registry activity & persistence mechanism
- Network communications
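As an added illustration of what a static properties pass collects before any hypothesis is written (hashes, target machine, PE format, compile timestamp, section table with per-section entropy, and printable strings), the following script is not part of the assignment and has not been run against stage1.exe; it parses the PE headers directly with the standard library so it runs offline. The input it analyses is a constructed two-section PE32 image with no real code, built by build_sample_pe(), and the strings planted in its .data section (a Run key path and "uDidIt") are constructed to show how string output feeds the registry/persistence and functionality rows of the table above.

```python
import hashlib
import math
import re
import struct
from datetime import datetime, timezone

# Every input in this file is constructed for illustration; it is not stage1.exe.

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0.0 .. 8.0); packed or encrypted sections usually sit above 7."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable-ASCII runs, the same output the 'strings' tool gives."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def analyze_pe(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers plus the section table of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE executable (missing MZ)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    opt_off = pe_off + 24
    magic = struct.unpack_from("<H", data, opt_off)[0]
    entry_rva = struct.unpack_from("<I", data, opt_off + 16)[0]   # AddressOfEntryPoint
    sections = []
    sec_off = opt_off + opt_size
    for i in range(nsections):
        name, _vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, sec_off + 40 * i)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 3),
        })
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "compile_time": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "is_dll": bool(characteristics & 0x2000),
        "entry_point_rva": entry_rva,
        "sections": sections,
        "strings": extract_strings(data),
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 image: two sections, no real code, planted strings."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                       # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1700000000, 0, 0, 96, 0x0102)  # x86 EXE, 96-byte opt hdr
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x1000) + b"\0" * 76
    text_raw = b"\x55\x8b\xec" + b"\x90" * 61                                # low-entropy stub
    data_raw = (b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\0" + b"uDidIt\0").ljust(64, b"\0")
    text_ptr, data_ptr = 272, 336                                          # headers end at 264
    sec = struct.pack("<8sIIIIIIHHI", b".text", 64, 0x1000, 64, text_ptr, 0, 0, 0, 0, 0x60000020)
    sec += struct.pack("<8sIIIIIIHHI", b".data", 64, 0x2000, 64, data_ptr, 0, 0, 0, 0, 0xC0000040)
    image = dos + b"PE\0\0" + coff + opt + sec
    return image.ljust(text_ptr, b"\0") + text_raw + data_raw


if __name__ == "__main__":
    import json
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print(json.dumps(analyze_pe(blob), indent=2))
```

Run it with a file path to analyse a real sample, or with no argument to see the report for the constructed image; a compile timestamp far from the file's creation date, a high-entropy section, or a Run key string are each the kind of evidence a hypothesis in the table should cite.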
Infect your system with the stage1.exe specimen, as many times as needed, and perform a comprehensive behavioral dynamic analysis using whatever tools you deem appropriate. Based on your analysis, answer the following questions, making sure to explain what you did to arrive at your answer and to support your answer with appropriate screenshots.
1. What new processes does the specimen stage1.exe create? Support your answer with appropriate screenshots.
2. What files, if any, does the specimen stage1.exe drop on the system? Support your answer with appropriate screenshots.
3. What hostnames/domains does the specimen stage1.exe attempt to connect to? Support your answer with appropriate screenshots.
4. What files, if any, does the specimen stage1.exe attempt to download? Support your answer with appropriate screenshots.
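The four questions above are answered from the same event log, so as an added example (not part of the assignment, and not a capture of stage1.exe) here is a script that reduces a Process Monitor CSV export to the four answers: processes created, files written, registry values set (with Run-key persistence flagged), and network endpoints. The CSV embedded in SAMPLE_CSV is constructed; it assumes Procmon's default export columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and the "PID: n, Command line: ..." detail format of Process Create events, and the child process name, paths, 192.0.2.10 address and .invalid hostname are all invented for the illustration.

```python
import csv
import io
import re

# Constructed Procmon CSV export in the default column layout; not a real capture.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","stage1.exe","4120","Process Create","C:\\Users\\lab\\AppData\\Local\\Temp\\svc_helper.exe","SUCCESS","PID: 4188, Command line: C:\\Users\\lab\\AppData\\Local\\Temp\\svc_helper.exe"
"10:01:02.2","stage1.exe","4120","CreateFile","C:\\Users\\lab\\AppData\\Roaming\\cfg.dat","SUCCESS","Desired Access: Generic Write, Disposition: Create"
"10:01:02.3","stage1.exe","4120","WriteFile","C:\\Users\\lab\\AppData\\Roaming\\cfg.dat","SUCCESS","Offset: 0, Length: 512"
"10:01:02.4","stage1.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater","SUCCESS","Type: REG_SZ, Data: C:\\Users\\lab\\AppData\\Local\\Temp\\svc_helper.exe"
"10:01:03.0","svc_helper.exe","4188","TCP Connect","LAB-PC:49712 -> files.example.invalid:443","SUCCESS","Length: 0"
"10:01:03.5","svc_helper.exe","4188","UDP Send","LAB-PC:51000 -> 192.0.2.10:53","SUCCESS","Length: 41"
"10:01:04.0","explorer.exe","1804","CreateFile","C:\\Windows\\System32\\shell32.dll","SUCCESS","Desired Access: Read"
"""

NETWORK_OPS = {"TCP Connect", "TCP Send", "UDP Send"}


def tracked_pids(rows: list, root: str) -> set:
    """The root process plus every PID it creates, transitively (child processes count)."""
    pids = {r["PID"] for r in rows if r["Process Name"].lower() == root.lower()}
    grew = True
    while grew:
        grew = False
        for r in rows:
            if r["Operation"] == "Process Create" and r["PID"] in pids:
                m = re.search(r"PID:\s*(\d+)", r["Detail"])
                if m and m.group(1) not in pids:
                    pids.add(m.group(1))
                    grew = True
    return pids


def triage(csv_text: str, root: str = "stage1.exe") -> dict:
    """Summarise successful events of the specimen's process tree into the four answers."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    pids = tracked_pids(rows, root)
    report = {"new_processes": set(), "files_written": set(), "registry_values_set": set(),
              "persistence_hints": set(), "network_targets": set()}
    for r in rows:
        if r["PID"] not in pids or r["Result"] != "SUCCESS":
            continue
        op, path = r["Operation"], r["Path"]
        if op == "Process Create":
            report["new_processes"].add(path)
        elif op == "WriteFile":
            report["files_written"].add(path)
        elif op == "RegSetValue":
            report["registry_values_set"].add((path, r["Detail"]))
            if "\\currentversion\\run" in path.lower():      # classic autostart location
                report["persistence_hints"].add(path)
        elif op in NETWORK_OPS:
            report["network_targets"].add(path.split("->")[-1].strip())   # remote side only
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CSV
    for key, values in triage(text).items():
        print(f"{key}:")
        for v in values:
            print(f"  {v}")
```

Filtering on the whole process tree rather than on the name stage1.exe alone matters for question 3: in the constructed data the network activity comes from the child process, and a filter on the parent's name only would miss it.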
Restore your system to a clean state
Load the specimen stage1.exe into the x64dbg/x32dbg debugger and examine its disassembled output. Specifically,
Restore your system to a clean state
Armed with the information and knowledge you gained from the previous analyses, infect your system with the stage1.exe specimen, feeding it whatever resources and information it needs to carry out its final mission (hint: if given all it needs, the specimen pops up a window with a message for you; the title of the window is uDidIt. See the screenshot below, where I blocked out the actual message). Explain what you did and support your answers with screenshots.
For this question, use the file labeled gedown.exe to perform a behavioral dynamic analysis of the network interactions of the specimen. Specifically,
For this question, use the file labeled crack-the-pwd.exe and perform a dynamic code-level analysis using a debugger to discover the correct password for the program. Specifically, perform the following steps:
Open a command prompt and run the program 3 times to familiarize yourself with its functionality, as follows:
With no arguments
With one argument that is not 4 characters long
With one argument that is 4 characters long
Load the program into the x64dbg/x32dbg debugger. Since the program takes an argument, one way to load it in the debugger is from the command prompt. See the screenshot below, where I loaded crack-the-pwd.exe into the debugger and provided ohio as the password.
Examine the disassembled output in the debugger. Specifically, identify the following, making sure to provide screenshots to support your answers:
The disassembled code of the function (subroutine) that checks the number of arguments, verifies the length of the password the user entered, and manipulates (e.g., encrypts) the password the user entered.
The disassembled code of the function (subroutine) that checks whether the password that the user entered is correct. The function does so by comparing the encrypted password as returned by the function identified in item a above to the hard-coded password.
Based on your understanding of the functionality of the program (step 1) and the disassembled program (step 2), identify the correct password for the program, making sure to explain how you arrived at your answers (encryption key, encryption algorithm, etc.) and to support your answers with screenshots.
Finally, test the password you identified. If it is correct, it should return a message to that effect (see screenshot below).
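To make the reasoning in the last two steps concrete, here is an added model of the two subroutines the assignment describes and of the inversion that yields the password once the transform and the hard-coded comparison value have been read out of the disassembly. It is not crack-the-pwd.exe's code: the key bytes, the transform (XOR with a key byte, then add the character index), the hard-coded constant, the resulting password "L0ck" and the status messages are all constructed for this illustration, and the real program's algorithm must be read from the debugger.

```python
# Hypothetical model of the password check; KEY, HARDCODED and the transform are
# constructed for illustration and are not taken from crack-the-pwd.exe.
KEY = bytes([0x5A, 0x33, 0x7E, 0x11])
HARDCODED = bytes([0x16, 0x04, 0x1F, 0x7D])   # value the comparison subroutine holds


def transform(password: str) -> bytes:
    """Subroutine a: XOR each character with its key byte, then add its index (mod 256)."""
    return bytes(((ord(c) ^ KEY[i]) + i) & 0xFF for i, c in enumerate(password))


def check(argv: list) -> str:
    """Argument count, length, transform, then compare: the three runs from step 1."""
    if len(argv) != 2:
        return "usage: crack-the-pwd.exe <password>"
    if len(argv[1]) != 4:
        return "password must be exactly 4 characters"
    # Subroutine b: compare the transformed input with the hard-coded value.
    return "correct" if transform(argv[1]) == HARDCODED else "incorrect"


def recover_password(target: bytes = HARDCODED, key: bytes = KEY) -> str:
    """Invert the transform byte by byte: subtract the index, then XOR with the key byte.
    Because every step is reversible, no brute force over 4-character inputs is needed."""
    return "".join(chr(((b - i) & 0xFF) ^ key[i]) for i, b in enumerate(target))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "--recover":
        print(recover_password())
    else:
        print(check(sys.argv))
```

The inversion works only because each step of the constructed transform has an inverse; if the real program used a one-way step (a hash, for instance), the hard-coded value would have to be compared against candidates instead, which is why step 3 asks you to identify the algorithm and key before naming the password.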