24 April 2018

Malware Analysis Report

Final: Malware Analysis Report

You will receive a PDF that does contain an attack. The attack will deliver and execute another program onto your VM environment.

It will be your job to use malware analysis methods learned from this class or on your own to document specific characteristics and behaviors of the malware. You will need to employ the methods learned in HW01 to collect traffic from the malware. You will also need to provide some yara signatures derived from static analysis, similar to what’s described in HW02 and HW03. You will also need to use the techniques from HW04 to perform some dynamic analysis to identify the actions taken by the malware upon successful execution.

A basic outline of the report is provided below. The PDFs were sent to you on Monday April 23rd 2017.

PDF Static Analysis

PDF File Name:
PDF MD5 Hash:
PDF SHA-1 Hash:
PDF Creation Date:
PDF Modification Date:
PDF Title:
PDF Author:
PDF Creator:
PDF Producer:
Number of named PDF objects:
List of PDF object numbers that contain streams:
List the object number (or numbers) that contain streams that causes the exploit:

Create a yara rule that you can use to identify the object above, using a command like the following:

pdf-parser.py -y your-rule.yar attack.pdf

If I run the above command, pdf-parser.py should be able to show me the same object(s) that you listed above for the exploit. Include this yara rule in your submission. Name it username-pdf.yar (where username is your UC user name).

PDF Dynamic Analysis

All of the PDFs you received were tested to exploit in the following environment:

Adobe Acrobat Reader 8.0
Windows XP

What system-level effects does the PDF cause Acrobat Reader to take in order to get the backdoor onto the system (writes files to disk, deletes files, etc…)?

For instance, the PDF may write one or more files to disk as well as execute one or more subprocesses (including the backdoor). Please list the names of these files as well as the process names.

How does the installed program appear to be embedded within the PDF document?

What happens when you attempt to execute the PDF in a different Acrobat Reader and Windows version?

Backdoor Static Analysis

The PDF intends to install a backdoor on the system (eventually). This may occur directly from the PDF, or there may be a couple more steps that occur following the PDF to get the backdoor installed. Identify which EXE file installed on the system acts as the backdoor, and analyze it.

EXE Filename:
EXE Compile Time:
EXE Type (.NET or Normal WinAPI executable? 32-bit? 64-bit?):
DLL Imports (DLL filename, Symbol name):
How does the EXE achieve persistence (Registry Run? Start Menu? Service?):

Analyze Strings from Malware:

Do any file names appear to reflect files written during malware execution (hint: you will want to use IDA Free to inspect CreateFileA calls, the data passed to them, and similar). If so, what are these file names (and full paths if present)?

Select at least 10 strings from the backdoor that do not occur in the benign set of EXE data I provided. Use these to create a strings-based yara signature that doesn’t generate any hits on the normal windows programs provided. Include the command that you ran to test this.

Include the output of running yara with the “-s” option using this yara rule against the backdoor EXE file. Name your yara signature username-strings.yar and the output file name should be named username-strings.out. This should be similar to what you did in HW03. The grading for this portion will depend upon whether your signature causes any detections on the benign exe set I posted for HW03.

Backdoor Binary Analysis (decryption routine)

The backdoor contains a configuration which is encrypted. Can you identify where the encrypted configuration fields are located within the file? Can you identify which function is the decryption routine used to decrypt these fields prior to using them in system API calls? Provide the decryption keys.

Provide pseudocode or Python or other scripting language describing this algorithm (hint: it is a relatively simple encryption code, not RC4 or anything exotic like that).

Backdoor Dynamic Analysis

The malware should attempt to communicate to the Internet. Identify the domain name that the malware is attempting to use to communicate to the Internet, as well as the TCP port.

You will then need to configure your VM to force the DNS resolution for that domain name to resolve to an IP address that you control within your virtual environment. Utilize some method for capturing the traffic beacon that is sent when the malware successfully connects (you may want to utilize what you learned in the earlier HW01 and HW04, in order to capture the traffic). It is common to do this with two VMs, one of them (such as Remnux) pretending to be the server. However, it is also possible to do this entirely on your windows host, but you would need to install extra software (such as netcat or fakenet).

Where was this EXE installed on the system?
Were any other files written to disk during execution?

Document the HTTP traffic:

What is the HTTP path requested?
What is the HTTP command/verb being used?
What is the User-Agent value being sent (one of the HTTP headers)?

The malware should be able to communicate with the bdconsole.py file provided in HW04. However, the TCP port number that is used will differ from the default one that I provided in that script.

Home

tags: malware yara pdf assignment

CS6038/CS5138 Malware Analysis, UC

Course content for UC Malware Analysis