COMP6236
Assignment 2: Malware Analysis
Set: 15/03/2024 , Due: 22/04/2024
Your assignment is on Malware Analysis, which is based on the Lectures and Previous labs. The assignment is an individual assignment and is worth 30% of the module marking. You will be assessed on your ability to carry out a successful memory forensics investigation and report the artefacts and malicious activities analysed.
Marks Breakdown
You will be given a malware sample and an infected memory dump and set the task of analysing these. You are required to submit a forensics investigation report on your findings. To help y ou w ith constructing your report, Task-1 guides you to cover the main points that should be included in the report. Once you have completed the task you need to submit one report that contains the results of your investigation in PDF format.
30 Mark For all tasks. Which is broken down into:
3 Mark: For clarity of your description.
27 Mark: For Task-1 question (breakdown below)
Submission Instructions
Please Submit your solution a report to this link https://handin.ecs.soton.ac.uk.
Deadline
The assignment deadline is on 22/04/2024
Experimental Setup
We will use the same setup of Lab-2 to work with Volatility and Analyse the memory samples below.
You can use any instance of the Lab 2 VM you already have or you can create a new one. To create
a new one pick or create a folder. Then on a university computer right-click the folder and select "DOS shell" and then "Vagrant". If you are using your own computer then right-click and select terminal. Once you have a command prompt you can:
|
C: git clone https://git.soton.ac.uk/rht1g21/Lab2.git
|
1 Task-1
You’ve been given a malware sample and an infected memory dump. The malware is allegedly part of a high-scale APT attack. The antivirus industry is calling it “jackal,” but detailed information is currently scarce. You searched Twitter and found someone saying “jackal’s c2 list is just base64 and xor” but he didn’t provide any hashes so you’re not even sure if he’s talking about the same executable.
|
wget https://git.soton.ac.uk/rht1g21/jackall2/-/raw/main/jackal.exe.zip unzip jackal.exe.zip
jackal.exe password: infected
wget https://git.soton.ac.uk/rht1g21/jackall2/-/raw/main/Vmem/jackal.vmem.7z sudo apt-get install p7zip-full
7za e jackal.vmem.7z
|
. What is the relevant profile to be used to analyse the provided memory image? (1 Mark)
. Obtain an unpacked sample of the malware. Specifically, use procdump with and without the – memory option. Are the two output files the same? Why or why not? (4 Mark)
. Analyse strings in the unpacked files. Make sure to use the -a flag to search the entire file and also check Unicode strings with -el.
strings -a FILENAME
strings -a -el FILENAME (3 Mark)
. Based on the strings you see, describe the types of changes this malware may make to the running system’s registry. Specifically, what key would you look for as an indicator of compromise? (1 Mark)
. Was the malware actively accessing the key at the time of the memory dump? Note: you can specifically check for this using the handles plugin and filtering for open registry keys: (Use volatility -f handles -p PID –object-type=Key) (3 Marks)
. Specifically, what values or data the malware add to the registry key? Is it possible using only the memory dump to find out? To query a cached registry key, use the printkey plugin like this: "volatility -f printkey -K "Software\Microsoft\The\Key\To\Find" (3 Marks)
. Are there any specific network artefacts that you would configure an Intrusion Detection System to look for? (2 Marks)
. What’s the name of the mutex this malware uses? (3 Marks)
. List as many IPs/hostnames used by the malware. Is the guy right about it using base64 and xor? (3 Marks)
. Can you detect network activity from the malware and if so which network protocol is it using, on which local port and what is it doing (what is the state)? (4 Marks)