Dynamic Malware Monitoring
HW04: Dynamic Malware Monitoring
This lab has you analyze a custom malware sample that I have configured. The malware is configured to start up, perform some actions, and then subsequently attempt to connect to a remote listener. I have provided a Python program to use as a remote listener here: bdconsole.py.
You will need to use dynamic analysis techniques that were discussed in class to analyze the malware running inside of a virtual machine, and document the actions taken by the malware to install itself on the system and establish communication:
- Any method is uses to persist (restart after reboot)
- Any new files it writes to disk
- Any DNS lookups it performs
- The TCP port it uses to communicate
- Examples and discussion of what the network traffic looks like (some hints in the bdconsole.py code)
- From the adversary standpoint, what on the system does the malware give the user access to?
You will need to write a report that, for each step, includes a brief explanation of how you gathered the information from the running system (monitoring/instrumentation tool used, what feature was used), plus screen shots of the information where you identified it.
You will probably want to review some of the dyanmic analysis talks in the Week 8 and Week 9 Lectures. You may use any tools you feel are suitable for learning the information, such as sysmon, procmon, CaptureBAT, etc.
Submit the PDF or MSOffice doc report to blackboard (if not using MS Word, please submit a PDF version so that it displays in the blackboard system). You may also submit some of the outputs from any analysis tools if you feel it helps complete your report. I will be looking for documentation of all of the six items listed above.