[SOLVED] CS6035 Malware Analysis Spring26

150.00 $

Category:
Click Category Button to View Your Next Assignment | Homework

You will receive the following solution file(s) instantly after successful payment:

zip file icon Malware-iikoqa.zip (2.9 KB)
Assignment Instructions Updated Recently? Submit Below and we will provide new Solution!
Submit New Instructions
🔒 Securely Powered by:
Secure Checkout
5/5 - (3 votes)

Project Goals

  • Familiarize yourself with the types of behaviors exhibited by real-world malware samples and learn how to safely analyze these behaviors using JoeSandboxCloud.
    • Joe Sandbox detects and analyzes potentially malicious files and URLs across Windows, Android, macOS, Linux, and iOS. It performs in-depth malware analysis and generates comprehensive, detailed reports.
  • Introduce fundamental concepts of malware analysis through hands-on exercises.
    • Work with safe, non-malicious samples to explore static and dynamic analysis techniques.
    • Practice de-obfuscating and executing provided samples to understand their functionality.
    • Submit correct API or network requests to receive flags.

Additional Information:

  • All phases of this project must be submitted through Gradescope.
  • The minimum system requirement is 4 GB RAM for the VM and 8 GB RAM on your host machine.
  • Frequently Asked Questions (FAQ) page is available for reference.
  • The FAQ will be updated regularly. Therefore, before asking a question, make sure to review the entire FAQ. If your question is not answered there, feel free to post it in the Ed Discussion FAQ thread for this project.

Accessing Project Resources

Setup Instructions (0 points)

  1. Download the VM:
    Obtain the project VM from the Canvas Malware Analysis Assignment page. The same file is linked on both Phase 1 and Phase 2 pages—you only need to download it once.

    ⚠️ The file size is over 9 GB. Download it early—do not wait until the last minute!

  2. System Requirements:
    This VM is designed for x86 (Intel) architecture. Students must use a compatible machine. See the Ed Discussion post on VM troubleshooting if you encounter problems.
  3. Import the VM into VirtualBox:
    Double-click the .ova file to automatically launch the import process via VirtualBox.
  4. Login Credentials:
    Use the username and password provided on Canvas to log in to the VM.
  5. Start the Project Environment:
    Open a Terminal window in the VM and run the following command:
    ./StartContainer.sh
    

     

  6. Access the Project Files:
    The container will load all necessary files for the project. Navigate to the appropriate directory before beginning each phase:
    • Phase 1: /home/malware/phase1
    • Phase 2: /home/malware/phase2

Table of contents

Phase 1 (50 points):


Analyze your malware samples (50 points)

You will investigate and label some of the more sophisticated malware behaviors from the five malware reports we provided. Use the included JoeSandbox reports to identify the malware’s behavior. Note that malware samples can share behaviors. Therefore, you should initially assume that each malware sample listed below exhibits every behavior. It is your job to determine whether that assumption is actually true.

Hint: Look at the API/system call sequence under each process generated by the malware sample and determine what the malware is doing. Note that each JoeSandbox report may contain multiple processes with many different system call sequences. If any of the behaviors are seen (or attempted, but not necessarily successful) in any process in the report, then that malware has attempted that behavior. Of course, this approach is not entirely practical, as legitimate applications may perform the same actions in a benign manner. We are not concerned with differentiating the two in this assignment, but it is some food for thought.

Clarification of ‘attempted’: We define “attempted” as a specific action that was clearly initiated but failed. By “specific” we mean that it is clear which action is being attempted. For instance, if a registry key is unambiguous (e.g., it is used only to set a startup option) but fails to change, that is considered an attempt. However, if a more generic registry key is involved—one that governs multiple settings—it would not count as an attempt, since the specific action is unclear.

You will encounter that the same API functions can end with either a W or an A. This is standard practice in the Windows API. This document explains the difference (either one could be present in the wild): https://docs.microsoft.com/en-us/windows/desktop/intl/unicode-in-the-windows-api

For each of the following questions, mark (true / false) whether the malware exhibits the identified behavior:

  1. Attempts to get the victim to disable security protections
  2. Deletes Microsoft Office-related registry keys
  3. Creates registry keys associated with Microsoft Excel
  4. Creates any registry values
  5. Drops RegAsm virus
  6. Sends signals to force immediate program termination
  7. Malware file is most likely programmed in C or C++
  8. Attempts to detect presence of the Mirai botnet
  9. Attempts to use a keylogger
  10. Attempts to copy clipboard contents
  11. Hooks registry keys or values to maintain persistence via autostart
  12. Possible Personal Firewall (PFW) or Host-based Intrusion Prevention System (HIPS) evasion
  13. Executes or interacts with splwow64.exe (a Windows system component)
  14. Drops a portable executable file into C:\Windows
    a. The term “drop” in the behavior “Drops file(s)” means to create (or attempt to create) files, not delete them.
    b. For this behavior, we are only concerned with identifying dropped files.
  15. Looks for the name or serial number of a device
  16. Attempts to obscure data (e.g., through encoding, encryption, or obfuscation)
  17. Sends HTTP GET or POST requests without a user-agent header
  18. Uses loops or repeated commands (e.g., pings) to delay execution or evade sandbox analysis
  19. Attempts to override DNS resolution for a specific domain on the local machine
  20. Possible system shutdown behavior

DELIVERABLE: Your deliverable for this part of the assignment will be your final JSON file with your answers to the 20 questions.


Download the submission template or use the JSON format below for your answers:

{
  "sample1": {
    "behavior01": ,
    "behavior02": ,
    "behavior03": ,
    "behavior04": ,
    "behavior05": ,
    "behavior06": ,
    "behavior07": ,
    "behavior08": ,
    "behavior09": ,
    "behavior10": ,
    "behavior11": ,
    "behavior12": ,
    "behavior13": ,
    "behavior14": ,
    "behavior15": ,
    "behavior16": ,
    "behavior17": ,
    "behavior18": ,
    "behavior19": ,
    "behavior20": 
  },
  "sample2": {
    "behavior01": ,
    "behavior02": ,
    "behavior03": ,
    "behavior04": ,
    "behavior05": ,
    "behavior06": ,
    "behavior07": ,
    "behavior08": ,
    "behavior09": ,
    "behavior10": ,
    "behavior11": ,
    "behavior12": ,
    "behavior13": ,
    "behavior14": ,
    "behavior15": ,
    "behavior16": ,
    "behavior17": ,
    "behavior18": ,
    "behavior19": ,
    "behavior20": 
  },
  "sample3": {
    "behavior01": ,
    "behavior02": ,
    "behavior03": ,
    "behavior04": ,
    "behavior05": ,
    "behavior06": ,
    "behavior07": ,
    "behavior08": ,
    "behavior09": ,
    "behavior10": ,
    "behavior11": ,
    "behavior12": ,
    "behavior13": ,
    "behavior14": ,
    "behavior15": ,
    "behavior16": ,
    "behavior17": ,
    "behavior18": ,
    "behavior19": ,
    "behavior20": 
  },
  "sample4": {
    "behavior01": ,
    "behavior02": ,
    "behavior03": ,
    "behavior04": ,
    "behavior05": ,
    "behavior06": ,
    "behavior07": ,
    "behavior08": ,
    "behavior09": ,
    "behavior10": ,
    "behavior11": ,
    "behavior12": ,
    "behavior13": ,
    "behavior14": ,
    "behavior15": ,
    "behavior16": ,
    "behavior17": ,
    "behavior18": ,
    "behavior19": ,
    "behavior20": 
  },
  "sample5": {
    "behavior01": ,
    "behavior02": ,
    "behavior03": ,
    "behavior04": ,
    "behavior05": ,
    "behavior06": ,
    "behavior07": ,
    "behavior08": ,
    "behavior09": ,
    "behavior10": ,
    "behavior11": ,
    "behavior12": ,
    "behavior13": ,
    "behavior14": ,
    "behavior15": ,
    "behavior16": ,
    "behavior17": ,
    "behavior18": ,
    "behavior19": ,
    "behavior20": 
  }
}

 

The submitted answers should be in the following format (example only):

{
  "sample1": {
    "behavior01": true,
    "behavior02": false,
    "behavior03": true,
    "behavior04": true
    // ...
  }
}

 

The name of the submission file does not matter, as long as it is in JSON format (e.g., submission.json). Incorrectly formatted JSON files or typos will count as one of your submission attempts.

We have provided a validation script named json_validator.py that will check your file for proper formatting. To run the validator, use:

python json_validator.py /path/to/solution.json

 

Run this from the command line in the /home/malware directory. The validator will either return JSON file correctly formatted. or will list errors.

Note: Using the validation script is not required, but it is highly recommended to prevent submission errors. This script works only for Phase 1 and the Extra Credit portion of the project.

You will have 5 attempts to submit your answers. Improperly formatted JSON files will fail and still count as a submission. If you exceed the 5-attempt limit, any additional submissions will receive a grade of zero. You must complete all 100 behaviors (5 samples × 20 behaviors) using true or false (lowercase, unquoted). Incomplete submissions will also count as a failed attempt.

You must manually select your best submission on Gradescope before the project deadline. No late submissions or resubmission requests will be accepted after the deadline. Please submit your JSON file to the Gradescope assignment: Project Malware Analysis – Phase I

Phase 2 (50 points)

Overview

For this phase, we will be going over some of the basic concepts of malware analysis. None of the samples or scripts provided here are actually malicious, but they are provided as a way to understand the basic concepts of static and dynamic analysis.

To do so, we will work with the samples by de-obfuscating and executing various samples as needed to understand how the samples function. The overall goal of each task will be to run the program or call the correct endpoint with the correct data to get your flag to send to the autograder.

NOTE:

When handling actual malware, additional due diligence is needed to ensure that you don’t accidentally infect your own machine or other machines on your network. The overall process for setting this environment up is outside the scope of this project, but you can find many helpful resources online along with CS6747: “Advanced Malware Analysis” if you wish to continue studies on your own. There are no malicious malware samples in the VM.

Warm Up

To get started we will work through a number of simple scripts to understand some basics about de-obfuscation that will be helpful in later exercises. Malware authors will often obfuscate their payloads through various means to attempt to bypass IPS and AV systems, as well as to increase the effort required by analysts to contain and remediate a breach. Understanding some of these techniques will be important when we go to analyze some of the other samples in this project.

These are some basic concepts of static analysis and are often used by malware authors and red team (penetration testers) operators in their work. All of these warm ups should provide a script for you to execute with your GTID and get a flag if you do so correctly. De-obfuscate the samples below and execute them to get your flag.

Warm up exercise #1 (5%)

We saw this sample come in earlier. It performs some simple encoding to execute the command. It looks like it spits out a flag, but we aren’t totally sure.

Can you figure out how to get your flag?

base64 -d <<< IyEgL3Vzci9iaW4vc2gKYTEoKXsKICBlY2hvICJPaCBsb29rLCB0aGlzIGlzIGRlZmluaXRlbHkgYSBmbGFnOiAkKGVjaG8gc3ByaW5nMjAyNl9jaGVldGFoX2V4MDEgfCBzaGEyNTZzdW0pIgogIGV4aXQgMQp9CmEyKCl7CiAgIyBjYWxsIG1lIHdpdGggeW91ciA5LWRpZ2l0IEdUSUQKICBCPSQoZWNobyAtbiAic3ByaW5nMjAyNl9jaGVldGFoX2V4MDFfJDEiIHwgc2hhMjU2c3VtKQogIGVjaG8gIk9wcHMsIEkgZ3Vlc3MgdGhpcyBpcyB0aGUgcmVhbCBmbGFnOiAkQiIKICBleGl0IDAKfQpbIC16ICQxIF0gJiYgYTEKYTIgJDEK | sh

 

Warm up exercise #2 (5%)

Great job on the last one. This one is a little less straightforward though. The attacker left this long string behind. We think that they were trying to pack something in this string by compressing it, but we aren’t sure what.

Can you figure out what is going on here?

Hints:

  • There are ways you can check what kind of file you are looking at
  • Keep peeling the onion
  • Scripting is your friend
UEsDBC4AAAAMAK9zS1ywfC7bmxQAAKgSAAAHAAAAcGF5bG9hZEJaaDkxQVkmU1lX7iGaAAMh/////////////////////////////////////////////+AL/2fZ3317W77vu777647z733n3u7u7r3l33du32+9Y2++53d9933323brfc50++Qp4mU8FP1PRMExTxTw0mJlNNsk09Tyk9qYmBTzIp7RTxR5T2hT1Pap+pqeAIzTEU2KeTJim2k0ninjJopsNRqemTU8aTSb0p+ppqej0m0000I2gNDJPTQNNCh1T9U9T8QjT1J6ntFHpo1PGiMmKafqntCMhPTBMU/SYk9T2gJqfpkEyepPRPNU/KbSYmk2CejVD1HjVPNSPJmhpoyp6bEwgj0GTE00mT0k/JJ5qaZR5TwU2RiepDqn+qn6SN6EaZPUPTUbRlT9U/KNT1G0wTTNKeaKfqhptNpNGyp5MnlHo1T1MybUxBqeYQamyYAQ0epD0p+p6U/VNNtI9T1PVNqbT0pnqGp+qeU9TynlNk9TRo8o8qabajTSDyTaahlU/JJ+1TQJ5R7EIxT9U9pqaTbVPNTUeRtJNpHmmqeJNtSf6Ck8xMqenip7TTQ1M1T/KptJtTelPT0amp6bVNqfkUG0npHkZT9EeowFPKNlM2pmo1NqPRpPxUxqPaET2lHsRM1IOpnqaTEmaabU000w0noZTaTxTynlMxU/U9T1MmyajaTRp6jT0hPTaj0nqan6T1GRP0p6ek9Keaamp6j1NkeKGnqNMQaY1PUPU9SfqeqejCYRk9JpoajzSZqYnqMT1NPRG1AhVTammE1HpqbBE/VMAQBk09J6h6jExPSaaekwm1HlPUepjU09QZGmTT0mjTQaaHojanqM1PKYmEGEzUAeoNNG1NNGaj0m1BtQ9ENHqYR5QyNGjIFNu8aRogAHoAkARcSECJAIA0AGTITQQEAMyMyiFnBQI4QBIvd2kA3FhgDQ6RDRTjIAjSJj6bRs3aXStzAB5kdZ05Jpe6yvh6b2l4pkB3eFqPXh5Vh5WT+N8ttGtdcn9cy58nh2j4NO84DLUqn5zERYvW2R29Oc7IL14/IoDqYYx4WIh73YaKKjroDIH8XOypsV8NPxYdTH2QNFGC6i/s8N6CouNhn7Do2ek9nqNApFxqBZVpDM6/Jzwvh+Gid/DnKklPc9rshiutP3mFABSZd/4wB9jK5W/oKYj6QIk3mo7NNQFxLDDlyBs2bCuilQI6Dgjyk0+M2xwe7CHbUqSpuDO02scwvC4MYX8X4lmM2+SFLu5mtr4YkGR+R9JGnsEuyGSeVy9UGxQGPs7kI8Rc5hXOzB9P2ZPvKrFKW5j4zUMTGFnoqTdMcc79VxzYSRRoa2RmEHTIc7xXMWYc9llrjgPdq9HJuDgAW8X9vpfH0ehw841ejzHk3Kn+sjblFOgvQ6OLNMio/7qjWx821KKOcq3sWJhA8pS+pKbDE7WVq2pUd1xE62UPiJ8uRWHanjJQbb56O0xZ6sQhCSheeqKPOssTqfojatiLEtxdzSLGIkNroYFKSm7sN14bqq3TRvmlMe0zoV7+2ib5h5iOEBvk5WoaIivdHEcYWOYfXayVFF/6lXUjvfes6lAeZT9BZrf8t/XwpC+bDi7rOfQzR7kLNjArDumgAY7L+ZFxWlp9iEvT+Uj2o13VCzuAaJbgIrADnvl7ZeIDzAOeZxXVfEWc8Dl7iWeBtwHwpVktUz+7HItFVB+fLuQSOLMWy9mVZpEeTBoLMlUHjUY2Ni3CCPjeHAqr+3Yf9uwPgTu+BiR3akWtNC8V/DO97VL9zOwlBcX14Paer8KC55FY8E0VSIZIFR2O1tTMm4URU7TdB5iNzkE2YHcL+T+pLLYGRuxd2J6RY6xYFRetT7vDZJacR3gz68YQ2DHGOwnxr0yULMKIZ6aIr+YvINgr8JepEObBoomseJMpoqxknxN6/t6kTXeOosiOugPAe6V9Fsk2ZTxU48S+N1EJchMkRs6Ewlqjs6orXqj96fEk18o/jlldDFCBOwHISOHiMg4gjNW5b2a87qM9gYSltpqubsYqwZ0RRG4vv3SpJJNHq/wshdRnmW3Sw8HI4beGW6f868iELFAEmiHlJFgbwyWD4eTultk1B2Eei2x2IqK+keo5NJ6tJfPoAXos6NVN6ZWPcYGAUGM/jvyeY5ltXD5hutpfZutmXsaTeMgsmwR9vbTQbCqW1AfK/LJf72I31oenv06UPswlGMJ2FiDwN9uWckoElAFS45TWj3DssRZnQcaMolwwZxweEn59NpnQyMaiWGK7AzAb9q5Nazy1QFH793kBLsK3UybOWy3fKrHvllXWfhdgKZVmYN61n0VxTx0mVUnvZSq92TxPTOnDX3kBqOHR6mBy8vd7OGx9Z4ryWkpiqskVs51/LNoORS3HZny/pnQJTDQUC5SME6Y/ChuMKB+4fVvQDA3PRPVTTeBI9Ja4buSHgsOIzRr2CptXon/emhHs1wn65wcTJ8E9i2s3MuHKL4HQMkFJjnnOvQs9JPdmc856WDpx2ZWZ9i5o56rHmCuS6MYeYQt+J/dgyx2s69A2gN1yQGFWMNwWC1muAOnN3ltpMhutWMRta3UN7DP40QfcS3nYztmHMfEXAip/ZCONmshTUiKLOhu8W0xBnULzrReeyTPJY9uKFqoqd2S4A84YithoRkNrq6J4ji7pYvNjNOCO3og5Hn+zRPvYJIfnN/nX4XAMPryoHLNk6DxAPAIK0w1FcxCB0F48NrLO694edQGioffVGNiChTphn8BsfsQq/PhLt+odBlGCHnXttdJmXE98WIrVoEKEGniyh1wLKMMGqwq2L8L7slrqlIzp1uYf8LhexkHp08EOQVVULVtxOKeZP2ziMM6etgjA8s2ZidiKg9der61Tr46chPyFuVPrCmoNU0LY1Vhk0fd0+tDof1meq7CrSUd53BhybodKqrcAcKkt2Q1plh1vU1vPdpb7mOsyzicJByjmsvNfdjlsSk2vIAEzJxrNaAJ5t+MRpcd/+hau7N2obyJnUODgmS7eGgX021niB7akfDYqaNw3GOe75ztPHKw/c5lJIGKdDAaQaVXzuJ6kT3mpocxX9V5RZOHYEGOXBMH9Mc5Im1ECZ/eVwkg2zbkkn6FGw2hfg8xUO72yyeQHoKliMA+n5MhNCja0nAJnCIwop5HmnnBE+eq62wBiYRyRVoG2cE5nLOYrtUXKX4IXO66ceywf51hXvfpPfhiKjj65BkzlmBHxUDnpk45foYHISWg7SZvth8doziWeYOXRwezAdeszeOfn+5Z3FSMaYFBvrfHHh7WfUscd1xQ5jpSHHCfZ3WPG0H9pBQGNOS1qF+JlFlz5Hk3h93J0mMGMABzWeNCOXYSf5E5dGl2XJ4STinf8X6mZqho98m5JSBoZv+t0j0+t5MC/cQuWt/+/epYJtYPqeSnZa6LfvaEjhKmWABsQR31cW0n9ZpwV972ulNW4h/S2XOp/MMarZvH1P7EVd040JJ22C21FHOUeIpVcEfUGpW1Uzi5EVJrsjdmcbSFDQ51ajTGKRqs1C66je0UsLlEVlKPGBDzujBoisvGEqq0mqHj6n07qxdiDC+o45rwx/9s4S9yDhuaz60wP7QRvGyun0Zh5WN19D27NajeOvE+S/NcrbjbCpgI71Wqnykl66hqF02lnZM7LVt2/0J/aWIkliOjG4o4JcZXsgXIcyWNUfldRiAfoTxQvG++VD1dzvNxN/5MAk63/ky5CZESBupiaWLyFYCE9UwH9lGap+mImAeWg9+vTPwxWljJ7rMPpqlbLtYeZD7ZXkjbqvTwiDdDea6pPEAB6NlCcaNM8dVpkSh9xm6uvLqF3VMgI/Xei+RQU3bIX32YaB2Rgwlj+4pKVbcJHb7w7yWSp06iKbWm26/qK0ZL3EVU6DGm7ulXxjl474Dqib7b405QNoVsuKsWcJ2T35uOHwnPgswK+YkjLwT3sucPThVjnPiPX7fZ2oKUUIWMc5x+H232+x9s3xGNtSXFhQUMD/JepLfBn1HS2tt0LnF7V4FzCKr0mL8YOuofluR5Y7jWKz0YrFof7rikhUE1p6aVLsf6uKZOxdUxsxfL2lBbX7goy3l8YN431cKuYqK4gnA1Nz1B+vMrryfXrbXYNpJtUS5UbVZuLQkJVnOwHIV5fPuGX78+lH9Wwn7oL3wug/rHwgW98G6O9zcipCIYTTFcy7lvrMtBn5Iwyopymj0LiAd072mWD/G/ypkPYmiwvgkEXGvJfDvJAaXNpsraRkew/50Jbw8hSp4IDnVerNKyCBUuzYUbqDE2qKHT+zDB5RrP5w+yWWVqFOH6R3Jpq4JkNR1WMRTg8DRt7RizbswSWTbaSlhlwiEfiJky4A8YTuXxzNpJH4srdmzZDQK0ILOVZetCIsps03vaspI1vyN9U09DqvD52lbv8VRHaAjzeBlfRvoIXx1/8humZOd+8hYkJyleczXQcLQjRF2pVJb0U1AHOSTWFVKyBNcvqT8IwpKx+3KiT0Tw09WJQrWsxWMjx1XFYcEoBzhnhOKMBsLnJOWwTLlC6Szc46i30jsf7R3Xgxu31Znp7dZz8Ss1dFrwnjzc82WONC5zrRBg4rKsOhy3zMihCSNUxFtDYbw58RVWVbpHkyLD358FkBNuTMdjbDtAx4EeRXaWLLIm1xtn97aERK5hjutK6vy9VGEXKRa0Y9DTj/yfYTyNcEUYfUqmandKyZqaLSaFC21Cfpw7CVMlpfKLcVYdAa/sudm1BRQDgxbFwY99PNpulCVtfg34Ij8K/M/BByomUvEt+wdI7ua54goUg/a1cbEk63XttCU48xPaw/fKVWp5dKkZe4VgqM0GlchHVujRZTI4luPQJ/FFC2SeXoJDzaW9Tv3266L/qsCK9FQy/F2LCk71AGzCr9CYXx9NMLH4qRa1z12P1gpbHtrz0GeEv3W5TmMpQ0L1PrWQBEQDCl/4dcY1XIXlxqOEysixOUPYEQgDmpj+9CBcn/FuFZRSR1oPL5Y7NkJuLtdwM7s73x8QtGSsnJe9+fFIeexWr0oOJ5Dg02Jea/OCndVBx/1EvcbTb4qw+etYrYVxjpsrGAcywuZy7Af4Kn672axaZ/k9qTXXZKmbLUY06KnAr0UTwEG1jQkYFVt8yA3i0hzOHXzNvNsykujwpnM/3+sdVoclwfbKdtVIqfF5Gy71jqMT6Wkz/C4I3d9QYOCwQu7ny7U1ECRAjM02LHmkPsb2Q7EVMUh4XVpb8JR6qgO9faleNTOEtmY8/f+5rAUB7v5Fea15rev0DWN6wdKu+Po3FNSX8YCed9O2EM9v90uKTVT5Nb9hO02R/Bl7czmDs+mny766wlMBh1DZ0Xk8aEj1LdST1qYS8ZWDfPUODG7pGQdTMaYJ7rA3MlNpj7lf/xSDBXe8yiUG70grC29xfzzLCdrathdgVHYKGg+5GyQLuWGt20xQ0wYWnckAg9iHRHwhqDF0+Vugh0llq0UuTOZQ7rb91x1s19Oap2AHR0JbeOZuf0larUZm+/64e6waRO9KK6DUPOVSzSA5I2FctPk/PE6iduqR15b4GbS5wLn3oZE4y5mC9IChBPMcO0XBlounFBD3jLApFVFVsaee0gd+LFReIY95BMorkA3g7ezkfBqFD1szSFts0iJq/RiRMt5t4Dgq7IlTY18vm+v+0vgB2TqK9vHMWoNznROV0jB3HiJI+Z33gVky0FZU9Vr/V06itZWqGMsOAyfRFYdrVZn4hX6UdxMp3FByHmOKCubDgWG+V7fmEnlg4cN74KA7yUKpnxQxqdoUIyAlLxRmby+vH2VnO1kmlLqSKafRd1fV+3yvNU+lLxRXJEoZeAXRHZULPBlkGHV0NEKSaskqvRrsIUuJkCFWFKHyT9bs/3j7wURj7+Yk9q+DIoIXRpJo5IfXSArO/YT9sfykkEjtBlDmb2zgmqyFc3WX50ljxpqLQdQUVRgh2p6RaIjVoO9NqV37Z4dDsJca0n1VafGhVAnZ9gUU9EeZ7yE72CLqWoyCQee4aPyEPlDrjclYk1dJ4GRmCdKkgdgjfn23Tnz1grltM2fpzgkPkF5bXT+AXBPrFzU6k1qNj7dp71/6JoVjSpZZgXZIksKPQBS56pPNhyhFK0+kn6AaQs8Rucjm7TKkh+NcW8y4N1EelniLxkoJEKacqNaLQw4yyZbI6l3oPXYZg91VAX4icpv4llA8L0IvrlEz6E/Tgp06+zxq43Fl3RGM7A2ZZadqo9wcVhNJRzUAeWE0rx0pqhzKMWcY8ERYk95s7a6/ft5STQS9QruEkmB3ZRPiUq71KYHrWoMOmTam2hWOoMxFrmxh5UcOPBezXxvpNojoA8vv3PfyhKPDwJX1KGB2hwxwZtS/I7J3uRGlCcVuBmalTOUEiF38v/m5udL7rZO0Y9uW7AxCihXZzlHd6nbKPu4dbYqG+MYTfd+LodqI3P4Qm2voTiFv9Xg5J3IEG7gjRXvgtU6sLSgnmyjjD7jWNrzMRwOw9DcG1oVAkNq4iDprD2sGPcA0bK8epmTnay5l63YQqTfmEh6xKyT7O4DTGXXZyBS5pJhUQykk+Sk7+KMxAr1Hi9BrV2m2SfpxeN+Vtq0iMN2QI2c4VlP9dbAc10XQHyYforuxG+buSEufUW42mdj/8vsIJ/FYjlW2x0UreiLuCqZGqRT+ej+bxSJmvs+UjSMdCHGe1fW9I3ELPzw6pSnc0sQMBdNSu+NE8JVD59oK3I0tt5YyFkEtlBdQT3N4SpYnHxcJ2F8Q32msaNFTs7KG4cQBd0FQ7zNZbJnYNIVeCQZnZg3r7eIiMfjjlLw9POUNFmc9GJUDYApeJWlEhEfr9pdD0iE1Ibb0UIXBD/r2UFLJ3rHAHIn1sleCxr+ae4nJ5iD74UtyiZE4ouuKGG2HPeNhA35QnqT0Q/sJHsR3Hn7OD3QXPX0z0E5DZcgKKF/SHG0DwNo7vvEErDYcAxbI5J2gdxinCensRZNYDJEEY7r64jbUwE/9GjhYneeMyxHQtG/9DBjmCo//F3JFOFCQV+4hmhQSwECLgMuAAAADACvc0tcsHwu25sUAACoEgAABwAAAAAAAAAAAAAAtoEAAAAAcGF5bG9hZFBLBQYAAAAAAQABADUAAADAFAAAAAA=


 

Warm up exercise #3 (5%)

One more to go! This long string of text was left in another file on the system. Can you figure out what is going on?

S0VZID0gR2FUZUNoCkVOQyA9IFhPUgpaRUIwU2pZYk5VNDJEQzFITkFsZUJISkFiaHBlUldNTkpBazdSV0VtS0VFeUNTSVBad2t4RnlaS1RVRjBBRHNCTTBGbGJ6NWlKbE44VERoaVowRjNSU0FKS3cxMENDWklNQWdnRFdNUktCUW1SWHBGSXdnekREZElBRFVkSVVsSVp5TnBRV3NOSkFrN1JXNEdaME1uRlRFQktRWm1WWEZlR0FRM0RTb01LUUFMQUR0WWRENXdWR0ZJTzBFbkRTSmFjbGNuRUM1QlRVRjBBQ0FBS0VGMkxTWWFJa0U5Rm1NY0x3UjBBeThKSUZ0MFFRRktUVUYwQURzQk0wRmtiejVpSEVGNUgyTk1ka0VKUldWT1p3QmxieUphWjBWbGJ3PT0=

 

Sample Analysis

These samples are set up to roughly approximate some Command and Control (C2) traffic between the client samples and the server we will run. To perform this analysis, you will start the server container, and then you will execute the client scripts to see what actions they perform.

Much of the dynamic network analysis can be performed with Wireshark, and some additional static analysis work may need to be done to look at the samples and what they are executing.

Additionally, you will need to craft your own requests to send to the C2 server to get your flag. You are welcome to do this using cURL, python, or whatever other HTTP request program you like to use. To get your flag, you will need to send a request to the correct endpoint followed by your GTID. Example provided below:

http://localhost:8085/path/to/endpoint/9999999999

 

Once you analyze the samples and submit a successful request to get your flag, you’ll receive a JSON message that looks something like the following:

{
  "flag": "Now that's a flag: <your flag value will be here>"
}

 

Sample #0 (10%)

This is a simple example to get started and make sure that you have all of your pieces set up correctly to capture the traffic between the client and server.

  1. Start the server
  2. Start Wireshark to listen for network traffic
  3. Run the client-0 sample
  4. Figure out how to get your flag

Sample #1 (10%)

In this sample, the initial client-1 program acts as the first stage of the malware sample. Your goal is as follows:

  1. Execute the client-1 sample
  2. Review the network calls
  3. Identify and analyze the second stage
  4. Figure out how to get your flag

Sample #2 (15%)

In this sample, the client-2 program makes a couple of calls and performs some familiar obfuscation techniques. Perform the following steps:

  1. Execute the client-2 sample
  2. Review the network calls
  3. Identify and analyze the obfuscation technique
  4. Figure out how to get your flag

Submission Details

Submit your flags in GradeScope as a json file named ‘phase2.json’ with the following format:

{
  "warmup1": "replace_the_placeholder_flag",
  "warmup2": "replace_the_placeholder_flag",
  "warmup3": "replace_the_placeholder_flag",
  "client0": "replace_the_placeholder_flag",
  "client1": "replace_the_placeholder_flag",
  "client2": "replace_the_placeholder_flag"
}

 

You can also use the provided template file to build your submission.

  • Malware-iikoqa.zip