CS6038/CS5138 Malware Analysis, UC

Course content for UC Malware Analysis

View on GitHub
23 January 2020

Building a Custom Attack

by Coleman Kane

LAB02: Building a Custom Attack

Recreate the attack that I demonstrated in the video Tuesday, and successfully compromise the Windows 7 VM. At the completion of this, you will not want to discard the Windows 7 VM. Instead, you will want to save a snapshot of the VM after the exercise is completed, and give the snapshot a descriptive name. Screenshot the snapshot view for the Windows 7 VM, and include that screenshot in the ZIP you’ll upload to the system.

You will make the following modifications to the attack:

  1. Choose a different file name for the EXE file
  2. Choose a different file name for the ACE file
  3. Still use getsystem and sessions -i to single out the new session
  4. Use the download module to download one or more files from the host (feel free to pre-populate some documents before you compromise the Win7 VM)
  5. Use the upload module to upload a copy of the backdoor to another Windows-system-specific directory
  6. (one of two ways) (a) Use the persistence command, and choose one of the options, to make sure the malware gets executed even if the copy in the StartUp folder is deleted. You may need to try multiple variants, and also there might be some delay or some user action that needs to occur to trigger it. (b) Alternately use one of the mechanisms described here, via a shell or other mechanism: https://pentestlab.blog/2019/10/01/persistence-registry-run-keys/
  7. Demonstrate this occurring by rebooting the Win7 VM and screenshotting the Pupysh session when the backdoor connects and is reported in the shell

Remember: Don’t immediately restore the VM back to the last saved state. Instead, save the machine state and then take a snapshot.

Submit to the assignment in Canvas a ZIP file, encrypted with password “cs6038”, containing the following:

  1. Your ACE archive
  2. Your screenshot of the snapshot view after snapshotting the VM at the completion of the exercise
  3. Your screenshot of the successful connection to Pupysh after rebooting the VM
  4. Write up documenting how you accomplished each of the steps above, and include as a PDF or document
tags: malware assignment