Comprehensive Malware Analysis: Static and Dynamic Analysis Techniques

Question 1: Comprehensive Malware Analysis (40 points)

For this question, use the file labeled stage1.exe to perform a comprehensive malware analysis spanning all the phases we covered so far. Specifically, perform the following analyses:

  1. Static Properties Analysis

Perform a comprehensive static properties analysis using whatever tools you deem appropriate. Based on your analysis, formulate a few hypotheses, supported with relevant evidence (screenshots) about the potential functionality of the specimen. Use the following table to list your hypotheses and supporting evidence:

Functionality
File system activity
Registry activity & persistence mechanism
Network communications
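One way to gather evidence for the three rows of the hypothesis table is a strings pass over the specimen, grouping each recovered string by the row it supports. The script below is an added illustration, not part of the assignment or of stage1.exe; the sample bytes are constructed, and the regexes are only hints that point at a hypothesis, not proof of behaviour.

```python
import re

# Constructed sample of PE-like bytes for illustration; NOT taken from stage1.exe.
SAMPLE_BYTES = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"KERNEL32.dll\x00CreateFileA\x00WriteFile\x00FindResourceA\x00"
    b"ADVAPI32.dll\x00RegSetValueExA\x00RegOpenKeyExA\x00"
    b"WININET.dll\x00InternetOpenUrlA\x00URLDownloadToFileA\x00"
    b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    b"C:\\Users\\Public\\update.tmp\x00"
    b"http://example.invalid/stage2.bin\x00"
    b"\x01\x02\x03garbage\x00"
)

# One pattern per row of the hypothesis table. A hit is a clue worth a
# screenshot, to be confirmed later by the behavioral analysis.
CATEGORIES = {
    "File system activity": re.compile(
        r"^[A-Za-z]:\\|^(?:CreateFileA|WriteFile|CopyFileA|DeleteFileA|MoveFileA)$"),
    "Registry activity & persistence mechanism": re.compile(
        r"(?i)CurrentVersion\\Run|^Reg(?:Set|Open|Create|Delete)\w+$|^CreateServiceA$"),
    "Network communications": re.compile(
        r"(?i)^https?://|^(?:InternetOpen\w*|URLDownloadToFileA|WSAStartup|"
        r"connect|send|recv|gethostbyname)$"),
}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return printable ASCII runs of at least min_len characters (like `strings`)."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def categorize(strings: list) -> dict:
    """Map each hypothesis-table row to the strings that support it, in file order."""
    evidence = {name: [] for name in CATEGORIES}
    for s in strings:
        for name, pattern in CATEGORIES.items():
            if pattern.search(s):
                evidence[name].append(s)
    return evidence


if __name__ == "__main__":
    for row, hits in categorize(extract_strings(SAMPLE_BYTES)).items():
        print(f"{row}:")
        for hit in hits:
            print(f"    {hit}")
```

Run it against a real dump with `extract_strings(open(path, "rb").read())`; strings that match no row (FindResourceA here) still deserve a hypothesis of their own, such as an embedded payload stored as a resource.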

  2. Behavioral (Dynamic) Analysis

Infect your system with the stage1.exe specimen, as many times as needed, and perform a comprehensive behavioral dynamic analysis using whatever tools you deem appropriate. Based on your analysis, answer the following questions making sure to explain what you did to arrive at your answer and to support your answer with appropriate screenshots. 

1. What new processes does the specimen stage1.exe create? Support your answer with appropriate screenshots.

2. What files, if any, does the specimen stage1.exe drop on the system? Support your answer with appropriate screenshots.

3. What hostnames/domains does the specimen stage1.exe attempt to connect to? Support your answer with appropriate screenshots.

4. What files, if any, does the specimen stage1.exe attempt to download? Support your answer with appropriate screenshots.

Restore your system to a clean state

  3. Load the specimen stage1.exe into the x64/32dbg debugger and examine its disassembled output. Specifically,

  1. Identify and analyze the FindResourceA API call. Specifically, answer the following questions making sure to explain how you arrived at your answers and support your answers with screenshots.
     1. What are the parameters this API expects to receive?
     2. How would you characterize the purpose of this API and what specific functionality does it provide to the stage1.exe specimen?

  4. Interactive Behavioral (Dynamic) Analysis

Restore your system to a clean state

Armed with the information/knowledge you gained from the previous analyses, infect your system with the stage1.exe specimen feeding it whatever resources and information it needs to carry out its final mission (hint, if given all it needs, the specimen pops up a Window with a message for you. The title of the window is uDidIt. See screenshot below where I blocked the actual message). Explain what you did and support your answers with screenshots.

For this question, use the file labeled gedown.exe to perform a behavioral dynamic analysis of the network interactions of the specimen. Specifically,

  1. What host(s) (identified by IP addresses or names) does the malware try to communicate with AND what port number(s) on the remote host(s) does the malware try to connect to? Support your answer with appropriate screenshots.
  2. Armed with information about the host(s) the malware attempts to connect to, propose and implement a solution(s) on the REMnux VM to provide the malware with the resource(s) it needs. Explain what you did and provide evidence (e.g., screenshots) showing that the proposed/implemented solution did in fact allow the malware to complete the communications it seeks to establish.
  3. Assuming that the solution from 2 above worked, what is the name of the file this specimen expects to download from its C2 and what data, if any, does the specimen exfiltrate? Support your answer with appropriate screenshots.
  4. Describe (you do not need to do anything, just describe) how you would go about finding out what instructions the malware expects to receive in the file it seeks to download.
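A minimal stand-in C2 for step 2 above, added here as an illustration rather than as part of the assignment: it answers every request so the specimen proceeds, and logs the file name it asked for and any data it sent, which is exactly the evidence step 3 asks for. It assumes the specimen speaks plain HTTP and that the REMnux VM already receives the traffic (its IP resolved for the observed host name via fakedns or the hosts file, listening on the port observed in step 1); the placeholder response body and the sample request values are constructed.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs
import json
import sys

# Constructed placeholder served for any requested file. The real instruction
# format is unknown until it is recovered in the debugger (step 4 above).
PLACEHOLDER_BODY = b"PLACEHOLDER-INSTRUCTIONS\n"


def summarize_request(method: str, target: str, body: bytes = b"") -> dict:
    """Reduce one request to the facts the assignment asks for: the file the
    specimen requests and any data it sends out (query string or body)."""
    parsed = urlparse(target)
    return {
        "method": method,
        "requested_file": parsed.path.rsplit("/", 1)[-1],
        "query_data": {k: v[0] for k, v in parse_qs(parsed.query).items()},
        "body_data": body.decode("utf-8", "replace"),
    }


class FakeC2Handler(BaseHTTPRequestHandler):
    """Accepts GET and POST, logs one JSON evidence line per request, replies 200."""

    def _handle(self, method: str) -> None:
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else b""
        print(json.dumps(summarize_request(method, self.path, body)), flush=True)
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(PLACEHOLDER_BODY)))
        self.end_headers()
        self.wfile.write(PLACEHOLDER_BODY)

    def do_GET(self) -> None:
        self._handle("GET")

    def do_POST(self) -> None:
        self._handle("POST")

    def log_message(self, *args) -> None:
        pass  # keep stdout limited to the JSON evidence lines


if __name__ == "__main__":
    # Port is an assumption: pass the one observed in step 1 (defaults to 80).
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 80
    HTTPServer(("0.0.0.0", port), FakeC2Handler).serve_forever()
```

Capture the lab traffic with Wireshark at the same time so the screenshot shows the connection completing against the fake host.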

For this question, use the file labeled crack-the-pwd.exe and perform a dynamic code-level analysis using a debugger to discover the correct password for the program. Specifically, perform the following steps:

Open a command prompt and run the program 3 times to familiarize yourself with its functionality, as follows:

  1. With no arguments
  2. With one argument that is not 4 characters long
  3. With one argument that is 4 characters long

Load the program into the x64/32dbg debugger. Since the program takes an argument, one way to load it in the debugger is using the command prompt. See screenshot below where I loaded crack-the-pwd.exe into the debugger and provided ohio as the password.

Examine the disassembled output in the debugger. Specifically, identify the following, making sure to provide screenshots to support your answers:

  a. The disassembled code of the function (subroutine) that checks the number of arguments, verifies the length of the password the user entered, and manipulates (e.g., encrypts) the password the user entered.

  b. The disassembled code of the function (subroutine) that checks whether the password that the user entered is correct. The function does so by comparing the encrypted password as returned by the function identified in item a above to the hard-coded password.

For each of these two functions, identify:

  1. The variables that each function defines
  2. The arguments that each function takes
  3. The conditional jumps that are associated with each if or if/else statement, if any
  4. The conditional jumps that are associated with loops, if any
  5. Data manipulation operations (hint, this program utilizes xor to encrypt the password)

Based on your understanding of the functionality of the program (step 1) and the disassembled program (step 2), identify the correct password for the program, making sure to explain how you arrived at your answers (encryption key, encryption algorithm, etc.) and to support your answers with screenshots.

Finally, test the password you identified. If it is correct, it should return a message to that effect (see screenshot below).
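The check described in items a and b above, modelled in Python as an added illustration (this is not the code of crack-the-pwd.exe): an argument-count check, a 4-character length check, an XOR transform, and a comparison against a hard-coded constant. The key and the stored constant are constructed placeholders, not the real values; once both are read out of the disassembly, the same XOR applied to the constant recovers the password, because XOR is its own inverse. The model also allows a repeating multi-byte key, of which the single-byte case in the hint is one instance.

```python
# Placeholder values, NOT the real ones from crack-the-pwd.exe: substitute the
# key and hard-coded bytes recovered from the disassembly.
XOR_KEY = b"\x2a"
HARD_CODED = bytes([0x46, 0x4b, 0x48, 0x1e])  # "lab4" XOR 0x2a, for illustration
PASSWORD_LEN = 4


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; a 1-byte key is the single-byte case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encrypt_password(pwd: str, key: bytes = XOR_KEY) -> bytes:
    """Models item a: enforce the length check, then apply the XOR transform."""
    if len(pwd) != PASSWORD_LEN:
        raise ValueError(f"password must be exactly {PASSWORD_LEN} characters")
    return xor_bytes(pwd.encode("ascii"), key)


def check_password(argv: list) -> bool:
    """Models the argument check plus item b: compare the transformed input
    with the hard-coded constant. argv[0] is the program name."""
    if len(argv) != 2:
        return False  # no argument, or too many: the program rejects it
    try:
        return encrypt_password(argv[1]) == HARD_CODED
    except ValueError:
        return False  # wrong length: never reaches the comparison


def recover_password(hard_coded: bytes = HARD_CODED, key: bytes = XOR_KEY) -> str:
    """Undo the transform: XOR-ing the stored constant with the key yields the
    plaintext the comparison in item b is waiting for."""
    return xor_bytes(hard_coded, key).decode("ascii")


if __name__ == "__main__":
    pwd = recover_password()
    print("recovered:", pwd, "accepted:", check_password(["crack-the-pwd.exe", pwd]))
```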
