COMP6236 University of Southampton
Assignment 1: Malware Analysis
Set: 10/03/2023, Due: 24/03/2023
Your assignment is on Malware Analysis, which is based on the Lectures and Previous labs. The
assignment is an individual assignment and is worth 30% of the module marking. You will be
assessed on your ability to carry out a successful memory forensics investigation and report the
artefacts and malicious activities analysed.
Marks Breakdown
You will be given a malware sample and an infected memory dump and set the task of analysing these.
You are required to submit a forensics investigation report on your findings. To help you with constructing
your report, Task-1 guides you to cover the main points that should be included in the report. Once you
have completed the task you need to submit one report that contains the results of your investigation in
PDF format.
30 marks for all tasks, broken down into:
3 marks: for the clarity of your description.
27 marks: for the Task-1 questions (breakdown below).
Submission Instructions
Please submit your solution as a report via this link: https://handin.ecs.soton.ac.uk.
Deadline
The assignment deadline is on 24/3/2023
Experimental Setup
We will use the same setup as Lab-2 to work with Volatility and analyse the memory samples below.
You can use any instance of the Lab 2 VM you already have or you can create a new one. To create
a new one pick or create a folder. Then on a university computer right-click the folder and select "DOS
shell" and then "Vagrant". If you are using your own computer then right-click and select terminal. Once
you have a command prompt you can:
C: git clone https://git.soton.ac.uk/rht1g21/Lab2.git
1 Task-1
You’ve been given a malware sample and an infected memory dump. The malware is allegedly part of a
high-scale APT attack. The antivirus industry is calling it “jackal,” but detailed information is currently
scarce. You searched Twitter and found someone saying “jackal’s c2 list is just base64 and xor” but he
didn’t provide any hashes so you’re not even sure if he’s talking about the same executable.
wget https://git.soton.ac.uk/rht1g21/jackall2/-/raw/main/jackal.exe.zip
unzip jackal.exe.zip
jackal.exe password: infected
wget https://git.soton.ac.uk/rht1g21/jackall2/-/raw/main/Vmem/jackal.vmem.7z
sudo apt-get install p7zip-full
7za e jackal.vmem.7z
• What is the relevant profile to be used to analyse the provided memory image? (1 Mark)
• Obtain an unpacked sample of the malware. Specifically, use procdump with and without the --memory
option. Are the two output files the same? Why or why not? (4 Marks)
• Analyse strings in the unpacked files. Make sure to use the -a flag to search the entire file and also
check Unicode strings with -el:
strings -a FILENAME
strings -a -el FILENAME (3 Marks)
• Based on the strings you see, describe the types of changes this malware may make to the running
system’s registry. Specifically, what key would you look for as an indicator of compromise? (1 Mark)
• Was the malware actively accessing the key at the time of the memory dump? Note: you can
specifically check for this using the handles plugin and filtering for open registry keys (use
volatility -f jackal.vmem handles -p PID --object-type=Key). (3 Marks)
• Specifically, what values or data does the malware add to the registry key? Is it possible to find out
using only the memory dump? To query a cached registry key, use the printkey plugin like this:
volatility -f jackal.vmem printkey -K "Software\Microsoft\The\Key\To\Find" (3 Marks)
• Are there any specific network artefacts that you would configure an Intrusion Detection System to
look for? (2 Marks)
• What’s the name of the mutex this malware uses? (3 Marks)
• List as many IPs/hostnames used by the malware as you can. Is the guy right about it using base64
and xor? (3 Marks)
• Can you detect network activity from the malware and if so which network protocol is it using, on
which local port and what is it doing (what is the state)? (4 Marks)
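The "base64 and xor" claim in the question above can be checked with a small decoder once a candidate blob has been pulled out of the unpacked sample with strings. The following is an added example, not part of the assignment or of the jackal sample: it base64-decodes a blob, brute-forces a single-byte XOR key by scoring how much the output looks like a newline-separated host list, and runs on a blob constructed inline (SAMPLE_HOSTS and the 0x5A key are made up for the demonstration; nothing here is data from jackal.exe).

```python
import base64
import string
from typing import List, Optional, Tuple

# Bytes expected in a newline-separated list of hostnames / IP:port pairs.
# Uppercase is deliberately left out: a narrower alphabet makes it much
# harder for a wrong key to score as well as the right one (heuristic).
_HOST_ALPHABET = frozenset((string.ascii_lowercase + string.digits + ".-:\n").encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (single byte or longer)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def host_score(candidate: bytes) -> float:
    """Fraction of bytes that fall inside the host-list alphabet (0.0 .. 1.0)."""
    if not candidate:
        return 0.0
    return sum(b in _HOST_ALPHABET for b in candidate) / len(candidate)


def recover_c2_list(blob: str, key: Optional[bytes] = None) -> Tuple[bytes, List[str]]:
    """Base64-decode blob, then XOR it with key. When no key is given, every
    single-byte key is tried and the one whose output looks most like a host
    list is kept. Returns (key_used, hosts)."""
    raw = base64.b64decode(blob, validate=True)  # raises on non-base64 input
    candidates = [key] if key is not None else [bytes([k]) for k in range(256)]
    best_key, best_plain, best_score = b"", b"", -1.0
    for k in candidates:
        plain = xor_bytes(raw, k)
        score = host_score(plain)
        if score > best_score:
            best_key, best_plain, best_score = k, plain, score
    hosts = [line for line in best_plain.decode("ascii", "replace").split("\n") if line]
    return best_key, hosts


# Constructed sample (not from jackal.exe): a host list XOR-ed with 0x5A and
# then base64-encoded, the layout the tweet claims the real config uses.
SAMPLE_HOSTS = ["update.example-cdn.net", "10.0.0.5:8080", "cdn.example.org"]
SAMPLE_KEY = bytes([0x5A])
SAMPLE_BLOB = base64.b64encode(xor_bytes("\n".join(SAMPLE_HOSTS).encode(), SAMPLE_KEY)).decode()

if __name__ == "__main__":
    key, hosts = recover_c2_list(SAMPLE_BLOB)  # key is not supplied: brute-forced
    print(f"recovered key=0x{key.hex()} hosts={hosts}")
```

Because the plaintext contains a lowercase letter, a dot and a newline, only the true key maps every byte into the alphabet, so the brute force is unambiguous on this sample; on a real blob, inspect the top few scores rather than trusting the best one blindly.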