
Analyze the sample dynamically and monitor the activity on the system

Scenario and goal

This is part 1 of the graded exercise. It is worth 50% of your total grade. Every question is worth 5 points, for an exercise total of 50.

Which tools to use is completely up to you. In malware analysis, there is rarely only one “right” path. Be creative! Still, I suggest you look at previous exercises and pick whatever tools you deem appropriate.

For this exercise, it is okay to let the sample talk to the outside world. Before you do that, however, it is recommended that you simulate internet communication (see also the lab exercise “Combined dynamic analysis”) and determine beforehand whether it is safe.

4. Perform a basic static analysis of the sample and document your findings. Is it packed? What do the imports and exports tell you? Do you see anything suspicious section-wise? Interesting strings? Remember: MSDN is your friend!

5. Analyze the sample dynamically and monitor the activity on the system. What changes? Is anything dropped, executed or deleted? If you use Regshot, be careful to set the right scan directory (C:)!

files (use hex editor)?

7. It can be assumed that the ransomware first reads the file, changes its contents, and then writes the new version to a file. One possible analysis approach is to “follow” the source (victim) file through the encryption process. A combined approach is most promising: use Procmon to monitor file accesses while running a debugger to locate the corresponding functionality in the code. Where are the read/write operations located in the code?
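The static-analysis task (packing, section layout) can be approached with a small script rather than only by reading tool output. The following is an added worked example, not part of the exercise text or of any grading material: it walks the PE section table with the standard library only (no pefile dependency), computes per-section Shannon entropy and flags the usual packer indicators (a section with no raw data but a non-zero virtual size, a high-entropy section, a section that is both writable and executable). The PE image it analyzes is constructed inline and is not a real binary; the section names, sizes and the 7.0 entropy threshold are assumptions for the example.

```python
"""Section-level packing heuristics for a PE file (added worked example).

Not part of the original exercise. Parses only the PE header fields needed to
walk the section table, then reports Shannon entropy and the classic packer
indicators for each section. The sample image below is constructed inline.
"""
import math
import struct


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """Walk the section table of a PE image and return one dict per section."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    sect_table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        off = sect_table + 40 * i
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress,
        # SizeOfRawData, PointerToRawData, ... , Characteristics at +36
        name, vsize, _vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", image, off)
        chars = struct.unpack_from("<I", image, off + 36)[0]
        raw = image[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": rawsize,
            "entropy": round(shannon_entropy(raw), 2),
            # IMAGE_SCN_MEM_WRITE (0x80000000) | IMAGE_SCN_MEM_EXECUTE (0x20000000)
            "writable_and_executable": (chars & 0xA0000000) == 0xA0000000,
        })
    return sections


def packing_indicators(sections) -> list:
    """Heuristic findings a static-analysis write-up would cite as packing evidence."""
    findings = []
    for s in sections:
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            findings.append(f"{s['name']}: no raw data but {s['virtual_size']:#x} bytes "
                            "virtual size (filled at runtime by an unpacking stub)")
        if s["entropy"] >= 7.0:  # assumed threshold; compressed/encrypted data sits near 8.0
            findings.append(f"{s['name']}: entropy {s['entropy']} (compressed or encrypted payload)")
        if s["writable_and_executable"]:
            findings.append(f"{s['name']}: section is both writable and executable")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 image (not a real binary) with a UPX-like layout:
    an empty UPX0, a high-entropy RWX UPX1 and a low-entropy .text."""
    text_raw = b"\x00" * 256            # entropy 0.0
    upx1_raw = bytes(range(256)) * 4    # every byte value equally often: entropy 8.0
    data_start = 512

    def sect(name, vsize, vaddr, raw, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw), rawptr, 0, 0, 0, 0, chars)

    headers = (
        b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                 # DOS header, e_lfanew
        + b"PE\0\0"
        + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)    # COFF header, 3 sections
        + b"\x0b\x01" + b"\0" * 222                                  # PE32 optional header (unused here)
        + sect(b"UPX0", 0x10000, 0x1000, b"", 0, 0xE0000000)
        + sect(b"UPX1", len(upx1_raw), 0x11000, upx1_raw, data_start, 0xE0000000)
        + sect(b".text", len(text_raw), 0x12000, text_raw, data_start + len(upx1_raw), 0x60000000)
    )
    return headers.ljust(data_start, b"\0") + upx1_raw + text_raw


if __name__ == "__main__":
    secs = parse_sections(build_sample_pe())
    for s in secs:
        print(f"{s['name']:<8} vsize={s['virtual_size']:#8x} raw={s['raw_size']:#6x} "
              f"entropy={s['entropy']:.2f} W+X={s['writable_and_executable']}")
    for finding in packing_indicators(secs):
        print("  !", finding)
```

Run against a real sample by replacing `build_sample_pe()` with `open(path, "rb").read()`; the indicators are evidence to document alongside the import table and strings, not a verdict on their own, since a legitimately compressed resource section also scores high on entropy.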
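For the dynamic-analysis tasks (what changes on the system, and following the victim file through read, write and delete), a Procmon capture is easier to reason about once it is reduced to a per-file timeline. The script below is an added worked example, not part of the exercise or of any tool's own code: it reads a Process Monitor CSV export (the "Save as CSV" columns Time of Day, Process Name, PID, Operation, Path, Result, Detail), keeps the events of one process, and summarizes per path how many bytes were read and written, whether the file was newly created, and whether it was marked for deletion. The log lines embedded in it are constructed for the example, as are the process name, PID and paths; they are not from a real capture.

```python
"""Reconstruct a sample's per-file activity from a Process Monitor CSV export.

Added worked example for the dynamic-analysis tasks; not part of the exercise
text. The CSV layout follows Procmon's CSV export columns; the events below are
constructed for the example and do not come from a real capture.
"""
import csv
import io
import re

# Constructed Procmon-style export: the sample reads a document, writes a new
# ".locked" file, marks the original for deletion and sets a Run-key value.
# One unrelated explorer.exe event shows why filtering by process matters.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0010","sample.exe","4120","CreateFile","C:\Users\lab\Documents\report.docx","SUCCESS","Desired Access: Generic Read, Disposition: Open, OpenResult: Opened"
"10:02:11.0020","sample.exe","4120","ReadFile","C:\Users\lab\Documents\report.docx","SUCCESS","Offset: 0, Length: 4,096"
"10:02:11.0030","sample.exe","4120","CloseFile","C:\Users\lab\Documents\report.docx","SUCCESS",""
"10:02:11.0040","sample.exe","4120","CreateFile","C:\Users\lab\Documents\report.docx.locked","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"10:02:11.0050","sample.exe","4120","WriteFile","C:\Users\lab\Documents\report.docx.locked","SUCCESS","Offset: 0, Length: 4,128"
"10:02:11.0060","sample.exe","4120","CloseFile","C:\Users\lab\Documents\report.docx.locked","SUCCESS",""
"10:02:11.0070","sample.exe","4120","SetDispositionInformationFile","C:\Users\lab\Documents\report.docx","SUCCESS","Delete: True"
"10:02:11.0080","explorer.exe","1532","ReadFile","C:\Windows\explorer.exe","SUCCESS","Offset: 0, Length: 512"
"10:02:11.0090","sample.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater","SUCCESS","Type: REG_SZ, Length: 60, Data: C:\Users\lab\AppData\Roaming\updater.exe"
'''

_LENGTH = re.compile(r"Length:\s*([\d,]+)")  # Procmon prints sizes with thousands separators


def parse_procmon_csv(text: str) -> list:
    """Return the export as a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def _length(detail: str) -> int:
    m = _LENGTH.search(detail)
    return int(m.group(1).replace(",", "")) if m else 0


def summarize(events, process: str) -> dict:
    """Per-path file summary plus the registry writes of one process name."""
    files, registry = {}, []
    for ev in events:
        if ev["Process Name"].lower() != process.lower() or ev["Result"] != "SUCCESS":
            continue
        op, path, detail = ev["Operation"], ev["Path"], ev["Detail"]
        if op.startswith("Reg"):
            registry.append((op, path, detail))
            continue
        f = files.setdefault(path, {"created": False, "read_bytes": 0,
                                    "written_bytes": 0, "deleted": False, "ops": []})
        f["ops"].append(op)
        if op == "CreateFile" and "OpenResult: Created" in detail:
            f["created"] = True                      # a dropped / newly written file
        elif op == "ReadFile":
            f["read_bytes"] += _length(detail)
        elif op == "WriteFile":
            f["written_bytes"] += _length(detail)
        elif op == "SetDispositionInformationFile" and "Delete: True" in detail:
            f["deleted"] = True                      # original removed after encryption
    return {"files": files, "registry": registry}


def follow(summary: dict, victim: str) -> list:
    """Operations applied to the victim path in capture order: the read here and
    the write of the new file are the events to line up with breakpoints on
    ReadFile/WriteFile in the debugger."""
    return summary["files"].get(victim, {}).get("ops", [])


if __name__ == "__main__":
    s = summarize(parse_procmon_csv(SAMPLE_CSV), "sample.exe")
    for path, f in s["files"].items():
        print(f"{path}\n   created={f['created']} read={f['read_bytes']} "
              f"written={f['written_bytes']} deleted={f['deleted']} ops={f['ops']}")
    for op, path, detail in s["registry"]:
        print(f"{op}: {path} [{detail}]")
```

The per-file view makes two things in the capture obvious that scrolling through Procmon does not: the encrypted output is a new file (OpenResult: Created) that is slightly larger than the bytes read from the original, which is where the marker string found in the hex editor lives, and the original is removed by a delete-on-close disposition rather than being overwritten in place. Compare the registry list with the Regshot diff for the same run.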

Deliverables to be submitted for assessment:
Written report with consecutively numbered answers for each task (max. 6000 words). The results of all the analysis tasks in both parts, i.e. Part 1: Basic malware analysis and Part 2: Ransomware disassembly, need to be submitted in the report.

How the work will be marked:
Each malware sample analysis will be awarded a total of 50 points. Each of the 10 questions is scored from 0 to 5 points, following a specific marking grid that considers the substance of each written response. Style and presentation are marked as well.

mustafa.kaiiali@dmu.ac.uk

CW Part 2 (50 points total)

Q1

Exercise skipped or content completely incorrect

Only one aspect correctly analyzed and documented with proof.

Q2

Exercise skipped or content completely incorrect

Correct verdict supplied but with little to no proof offered

Q3

Exercise skipped or content completely incorrect

Correct traversal of the code, identification and investigation of exit conditions, likely main function identified with conclusive proof given (e.g. with screenshots).

Q4

Student successfully used Pseudocode plugin to restore the source code, and provided detailed interpretation or analysis. If applied to wrong function: -1 point.

Student successfully used Pseudocode plugin to restore the source code, and provided detailed interpretation and analysis. If applied to wrong function: -1 point.

Q5

Parameters are identified, with proof given (e.g. from the pseudocode). No testing.

Parameters are identified, with proof given through fuzzy testing only, with little proof in the source. Test values were wisely chosen.

Q6

Successfully encrypted a file with the ransom trojan, without much documentation or direction.

Successfully encrypted at least one file and studied it in a hex editor. Found the string identifying the file as encrypted with no further interpretation or analysis.

Q7

Exercise skipped or content completely incorrect

Relevant operations successfully located in the code; full documentation of the process in both static and dynamic tools

Q8

Correct crypto algorithm identified with proof given.

Correct crypto algorithm identified with proof given and full explanation provided.

Q9

Partial summary provided with only two aspects answered correctly.

Partial summary provided with all three aspects answered correctly.

Q10

Unsuccessful decryption, but generally sound process/tools used/suggested

Successful decryption of own file by calculating the key
