

COMP4101 LAB EXERCISE #2

Weighting: 0.5

Introduction

In this COMP4101 assessed lab exercise, you are going to perform some basic static and dynamic analysis of two programs contained in the file Lab02.zip (this file is encrypted with the password: infected). You should try to perform simple static and dynamic analysis of these files to work out what they potentially might do.

You should attempt to look at each file in turn and see if you can determine what they might do. You could start by using the same tools we looked at previously to perform some static analysis. You may well need to look up some of the functions used in the MSDN documentation (googling for the function name is usually sufficient to find the relevant entry). Then you should perform some simple dynamic analysis by running the programs while using tools such as Process Monitor or RegShot to monitor what the program does.
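As an illustration of the first step (reading the import table of a PE file so that the imported function names can be looked up in MSDN), here is a small pure-Python import-table parser. It is an added example, not part of the lab material, and it runs against a PE image constructed inline so it works offline. The build_sample_pe helper and the SAMPLE_IMPORTS dictionary are constructed for the example and say nothing about what Lab02-01.exe or Lab02-02.dll actually import; that is what you determine from the real files (parse_imports also accepts any real PE read from disk).

```python
import struct

# Constructed for this example: a sample import list (not taken from the lab's binaries).
SAMPLE_IMPORTS = {
    "KERNEL32.dll": ["CreateFileA", "WriteFile", "CreateProcessA"],
    "ADVAPI32.dll": ["RegOpenKeyExA", "RegSetValueExA"],
}
SECTION_RVA = 0x200  # single section mapped so that RVA == file offset


def build_sample_pe(imports):
    """Build a minimal PE32 image whose only content is an import table (constructed input)."""
    sec = bytearray(20 * (len(imports) + 1))  # IMAGE_IMPORT_DESCRIPTORs + null terminator
    entries = []
    for dll, funcs in imports.items():
        int_off = len(sec); sec += bytes(4 * (len(funcs) + 1))  # OriginalFirstThunk array
        iat_off = len(sec); sec += bytes(4 * (len(funcs) + 1))  # FirstThunk (IAT) array
        entries.append((dll, funcs, int_off, iat_off))
    for i, (dll, funcs, int_off, iat_off) in enumerate(entries):
        name_off = len(sec); sec += dll.encode() + b"\0"
        for j, fn in enumerate(funcs):
            rva = SECTION_RVA + len(sec)  # IMAGE_IMPORT_BY_NAME: 2-byte hint + name
            sec += struct.pack("<H", 0) + fn.encode() + b"\0"
            struct.pack_into("<I", sec, int_off + 4 * j, rva)
            struct.pack_into("<I", sec, iat_off + 4 * j, rva)
        struct.pack_into("<IIIII", sec, 20 * i, SECTION_RVA + int_off, 0, 0,
                         SECTION_RVA + name_off, SECTION_RVA + iat_off)
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)  # i386, one section
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, SECTION_RVA, 20 * (len(imports) + 1))  # import dir
    sect = struct.pack("<8sIIIIIIHHI", b".idata", len(sec), SECTION_RVA, len(sec),
                       SECTION_RVA, 0, 0, 0, 0, 0x40000040)
    hdr = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect
    return hdr + bytes(SECTION_RVA - len(hdr)) + bytes(sec)


def rva_to_offset(rva, sections):
    """Translate an RVA to a file offset using the section table."""
    for va, raw_ptr, raw_size in sections:
        if va <= rva < va + raw_size:
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def read_cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", errors="replace")


def parse_imports(data):
    """Return {dll: [function, ...]} from a PE file's import directory (PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]       # NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        dd_base, thunk_fmt = 96, "<I"   # PE32: data directories start at +96
    elif magic == 0x20B:
        dd_base, thunk_fmt = 112, "<Q"  # PE32+: 64-bit thunks, directories at +112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    thunk_size = struct.calcsize(thunk_fmt)
    ordinal_flag = 1 << (8 * thunk_size - 1)
    import_rva = struct.unpack_from("<I", data, opt + dd_base + 8)[0]  # directory entry 1
    sec_tbl = opt + opt_size
    sections = []
    for i in range(nsec):  # VirtualAddress, SizeOfRawData, PointerToRawData sit at +12
        va, raw_size, raw_ptr = struct.unpack_from("<III", data, sec_tbl + 40 * i + 12)
        sections.append((va, raw_ptr, raw_size))
    result = {}
    if import_rva == 0:
        return result  # no import directory: unusual for a real executable, worth noting
    off = rva_to_offset(import_rva, sections)
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if name_rva == 0 and oft == 0 and ft == 0:
            break  # an all-zero descriptor terminates the table
        dll = read_cstring(data, rva_to_offset(name_rva, sections))
        thunk = rva_to_offset(oft or ft, sections)  # prefer the INT, fall back to the IAT
        funcs = []
        while True:
            val = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if val == 0:
                break
            if val & ordinal_flag:  # imported by ordinal: no name to look up in MSDN
                funcs.append(f"ordinal#{val & 0xFFFF}")
            else:                   # IMAGE_IMPORT_BY_NAME: skip the 2-byte hint
                funcs.append(read_cstring(data, rva_to_offset(val, sections) + 2))
            thunk += thunk_size
        result[dll] = funcs
        off += 20
    return result


if __name__ == "__main__":
    for dll, funcs in parse_imports(build_sample_pe(SAMPLE_IMPORTS)).items():
        print(dll, ", ".join(funcs))  # each name is what you look up in MSDN
```

The output groups functions by the DLL they come from, which is the view you need for question 2: registry functions come from ADVAPI32, file and process functions from KERNEL32, and an import by ordinal rather than by name is itself a detail worth recording in your report.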

This lab is part of the continuous assessment for the module, and so you will need to answer the questions below and submit your answers via Moodle after you have completed your analysis. The programs provided will leave various files and values in your VM that you should aim to find and include details of in your answers to the questions below. Performing the basic static and dynamic analysis we've considered so far should reveal enough clues to find the various things.

Questions

You should submit a short report (no more than two sides of A4) answering the following questions (assessment criteria overleaf):

1.   From your static analysis of the programs, is there a relationship between Lab02-01.exe and Lab02-02.dll? [2 marks]

2.   Looking at the Windows API functions used by the two files, what kind of malware do you think this might be? [2 marks]

3.   Looking at Lab02-01.exe:

i)   What happens when Lab02-01.exe is run? [2 marks]

ii)  What artefacts (registry entries, files etc.) are created when Lab02-01.exe is run? [2 marks]

iii) Does Lab02-01.exe have more than one mode of operation? If so, give details of the different modes of operation, and what happens in each of the modes. [6 marks]

4.   This malware generates a file on the computer system.

i)   Where is that file stored? [4 marks]

ii)  How does the malware keep track of where that file is located? [2 marks]

iii) What does the file contain? [4 marks]

iv)  Which process (running program) on the computer system actually creates the file? [2 marks]

5.   How is Lab02-02.dll used? [4 marks]

6.   Will this malware continue running if Windows is restarted? If so, how does the malware ensure that it continues to run? [4 marks]

Assessment Criteria

The questions above will be awarded marks as per the mark scheme listed above, giving a total of 34, which will then be scaled to a final mark out of ten that will be used for the continuous assessment. Intelligent deductions from the data will still obtain marks even if they lead you to the wrong conclusions, so you should make sure you include the data you are using as well as describing your reasoning in your answers.