
[SOLVED] Cs6035 malware analysis phase i & ii fall2025


File Name: Cs6035_malware_analysis__phase_i___ii_fall2025.zip
File Size: 433.32 KB


The assignment documentation and instructions are at the following link:
https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/

You will be using the same VM you have been using from the earlier projects. If you need to download it again, use the VM link (external site).

VM Username: malware
VM Password: MachuPicchu_1450

Download the VM early in case you run into slow downloads.

You need to complete one module for Phase I (50 points in total):

The module for Phase I contains twenty multiple choice questions, with five choices (malware 1 through malware 5) per question. For each question, mark which of the malware samples exhibit the specified behavior. Each question is worth 2.5 points total (0.5 per malware).

The naming of the submission file is not important, as long as it is JSON (“submission.json” is an example). You will have 5 attempts to submit your answers. If you attempt to make more submissions than the limit, your grade will be a ZERO for this Phase. You will be able to choose your best submission of the 5 manually in Gradescope, but this MUST be done BEFORE the project deadline. No late submissions or requests to update the submission will be accepted after the project deadline.


Malware Analysis Phase II

The assignment documentation and instructions are at the following link:
https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/

You will be using the same VM you used to complete Phase I. Make sure to follow the instructions provided to prepare the VM.

Static and Dynamic Malware Analysis: 50 points

You do not submit anything to this Canvas assignment, instead go over to Gradescope to submit your JSON file.


Malware Analysis

Setup Instructions (0 points)

⚠️ The file size is over 9 GB. Download it early—do not wait until the last minute!


Frequently Asked Questions (FAQ)

General Questions

Q: What permissions do I have for the VM?
A: The malware user does not have administrative or sudo access to install or modify system packages. However, you can run pre-installed programs like Chrome, Wireshark, p7zip, py7zr, and tcpdump. Limited sudo permission is provided for some tools such as Wireshark and tcpdump.

Q: How do I submit my answers for the Malware Analysis Project?
A: The project has two phases. Submit your answers in Gradescope as follows:

Phase 1

Q: What does it mean to “drop” a file?
A: “Drop” means to create (or attempt to create) a file. It does not mean to delete a file. We’re only concerned with files that are created or moved into specific directories by malware.

Q: How do I understand the Joe Sandbox reports?
A: Start with the Behavior section. It outlines the processes and highlights potentially malicious system calls. Research each behavior to determine what the malware is attempting to do.

Q: Does the presence of an API call mean a behavior was attempted?
A: Sometimes. If the API call is very generic, you may need context or multiple related calls to confirm a specific behavior. Think of it like reading a sentence—not just looking at individual words.

Q: Does “attempt” mean the action has to succeed?
A: No. Failed attempts still count as valid if the malware clearly initiated the action.

Q: The autograder failed to start or timed out. What should I do?
A: Contact the course staff and request a re-run of the autograder.

Q: Gradescope rejected my submission for being incomplete. What’s the issue?
A: You must provide answers for all five malware samples (20 behaviors each). Incomplete submissions will be rejected.

Q: How should I format my JSON file?
A: Follow the provided template exactly. Label behaviors as behavior01, behavior02, etc. Do not include comments or trailing commas.

Q: How do I know if a behavior is true for a sample?
A: Review the Behaviors and Signatures sections of the JoeSandbox report. If there’s evidence the action was attempted or executed, mark it as true. Otherwise, mark it false.

Q: If a file is moved into a directory, does that count as “dropped”?
A: Yes. Whether the file is created or moved, if malware causes it to appear in a target directory, it counts as dropped.

Q: My JSON validates online but fails the autograder. Why?
A: Double-check that:

Q: What’s the difference between malware disabling security tools and tricking the user to do it?
A: If the malware directly disables the tools, that counts. If it tricks the user into doing so, that falls under social engineering. Check for context in the report.

Q: What if the file has a high reputation but exhibits suspicious behavior?
A: Reputation scores can be misleading. Focus on observed behaviors, not reputation.

Phase 2

Q: I submitted flags, but they’re marked incorrect. I used my GTID—what gives?
A: Make sure your GTID is exactly 9 digits and entered without angle brackets (< >).

Q: Is CyberChef enough, or do I need other tools?
A: CyberChef is great for decoding tasks. For file extraction, use command-line tools or dedicated GUI apps. You can also export raw files from CyberChef.

Q: I keep seeing ‘Incorrect Phrase or Broken Encoding’ in CyberChef. Why?
A: Many samples require multiple levels of encoding/decoding. If CyberChef fails, consider using a Python script to automate the steps.

Q: Wireshark shows no useful traffic. What should I check?
A: Ensure you’re capturing on the loopback interface. Then follow the TCP stream for interesting payloads or URLs.

Q: curl gives a 404 error. What’s wrong?
A: Double-check the endpoint and GTID format. Avoid using angle brackets unless explicitly instructed.

Q: I keep getting the same file type when decompressing. Is that expected?
A: Yes. This is often intentional to simulate onion-layered obfuscation. Keep peeling. A script can speed up this process.

Q: I get “No Flag here. Incorrect Phrase.” What should I do?
A: Recheck your phrase and encoding steps. Even minor formatting issues can invalidate your request.
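The two answers above about multi-level encoding and repeated decompression both suggest scripting the "peeling". The script below is an added example written for this page (it is not course code and not one of the project's samples): it recognises gzip, bzip2, xz and zlib containers by their magic bytes, and hex or base64 text by alphabet, and strips one layer at a time until nothing recognisable remains. The demo blob it builds for itself is constructed; 7z archives (the py7zr case) are outside the standard library and are deliberately not handled.

```python
import base64
import binascii
import bz2
import gzip
import lzma
import re
import zlib

# Added example (not course code): a layer-by-layer "peeler" for blobs that are
# base64- or hex-encoded and/or compressed several times over. 7z archives are
# not in the standard library and are deliberately left out.

# (magic prefix, layer name, decompressor) for containers the standard library handles.
MAGIC = [
    (b"\x1f\x8b", "gzip", gzip.decompress),
    (b"BZh", "bzip2", bz2.decompress),
    (b"\xfd7zXZ\x00", "xz", lzma.decompress),
    (b"\x78\x01", "zlib", zlib.decompress),
    (b"\x78\x9c", "zlib", zlib.decompress),
    (b"\x78\xda", "zlib", zlib.decompress),
]
BASE64_RE = re.compile(rb"[A-Za-z0-9+/]+={0,2}")
HEX_RE = re.compile(rb"[0-9a-fA-F]+")


def has_magic(data):
    return any(data.startswith(m) for m, _, _ in MAGIC)


def looks_like_text(data):
    """UTF-8 and made only of printable characters plus the usual whitespace."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    return bool(text) and all(c.isprintable() or c in "\r\n\t" for c in text)


def peel_once(data):
    """Undo one layer. Returns (layer_name, inner) or (None, data) when nothing applies."""
    for magic, name, decompress in MAGIC:
        if data.startswith(magic):
            try:
                return name, decompress(data)
            except (OSError, EOFError, lzma.LZMAError, zlib.error):
                break  # magic bytes by coincidence; fall through to the text encodings
    stripped = b"".join(data.split())
    # Hex is tested before base64 because every hex string is also base64 alphabet.
    # A decoded text encoding is only accepted when the result is itself text or a
    # recognised container, so ordinary words are not "decoded" into garbage.
    candidates = []
    if HEX_RE.fullmatch(stripped) and len(stripped) % 2 == 0 and len(stripped) >= 8:
        candidates.append(("hex", bytes.fromhex(stripped.decode("ascii"))))
    if BASE64_RE.fullmatch(stripped) and len(stripped) % 4 == 0:
        try:
            candidates.append(("base64", base64.b64decode(stripped, validate=True)))
        except binascii.Error:
            pass
    for name, inner in candidates:
        if looks_like_text(inner) or has_magic(inner):
            return name, inner
    return None, data


def peel(data, max_layers=32):
    """Peel until nothing recognisable remains. Returns (layer names, innermost bytes)."""
    layers = []
    for _ in range(max_layers):
        name, inner = peel_once(data)
        if name is None:
            break
        layers.append(name)
        data = inner
    return layers, data


def wrap_for_demo(payload):
    """Constructed test blob: hex(base64(zlib(base64(gzip(payload)))))."""
    blob = base64.b64encode(gzip.compress(payload))
    blob = base64.b64encode(zlib.compress(blob))
    return binascii.hexlify(blob)


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else wrap_for_demo(b"constructed payload\n")
    layers, inner = peel(blob)
    print("layers:", " -> ".join(layers) or "(none)")
    print(inner.decode("utf-8", "replace") if looks_like_text(inner) else inner[:64])
```

Run it with a file path to peel a real blob, or with no arguments to peel its own constructed demo. The list of layer names it prints is the part worth keeping in your notes: it tells you in which order the sample was wrapped, which is exactly what the "Incorrect Phrase or Broken Encoding" message from CyberChef hides.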


Extra Credit (TBD points):

Analyze your malware samples (TBD points)

You will investigate and label some of the more sophisticated malware behaviors from the five malware reports we provided. Use the included JoeSandbox reports to identify the malware’s behavior. Note that malware samples can share behaviors. Therefore, you should initially assume that each malware sample listed below exhibits every behavior. It is your job to determine whether that assumption is actually true.

Hint: Look at the API/system call sequence under each process generated by the malware sample and determine what the malware is doing. Note that each JoeSandbox report may contain multiple processes with many different system call sequences. If any of the behaviors are seen (or attempted, but not necessarily successful) in any process in the report, then that malware has attempted that behavior. Of course, this approach is not entirely practical, as legitimate applications may perform the same actions in a benign manner. We are not concerned with differentiating the two in this assignment, but it is some food for thought.

Clarification of ‘attempted’: We define “attempted” as a specific action that was clearly initiated but failed. By “specific” we mean that it is clear which action is being attempted. For instance, if a registry key is unambiguous (e.g., it is used only to set a startup option) but fails to change, that is considered an attempt. However, if a more generic registry key is involved—one that governs multiple settings—it would not count as an attempt, since the specific action is unclear.

You will notice that the same API function can appear with either a W or an A suffix. This is standard practice in the Windows API, and either variant could be present in the wild. This document explains the difference: https://docs.microsoft.com/en-us/windows/desktop/intl/unicode-in-the-windows-api

For each of the following questions, mark (true / false) whether the malware exhibits the identified behavior:

DELIVERABLE: Your deliverable for this part of the assignment will be your final JSON file with your answers to the 20 questions.

Download the extra-credit submission template or use the JSON format below for your answers:

{
  "sample1": {
    "behavior01": ,
    "behavior02": ,
    "behavior03": ,
    "behavior04": ,
    "behavior05": ,
    "behavior06": ,
    "behavior07": ,
    "behavior08": ,
    "behavior09": ,
    "behavior10": ,
    "behavior11": ,
    "behavior12": ,
    "behavior13": ,
    "behavior14": ,
    "behavior15": ,
    "behavior16": ,
    "behavior17": ,
    "behavior18": ,
    "behavior19": ,
    "behavior20":
  },
  "sample2": {
    "behavior01": ,
    "behavior02": ,
    "behavior03": ,
    "behavior04": ,
    "behavior05": ,
    "behavior06": ,
    "behavior07": ,
    "behavior08": ,
    "behavior09": ,
    "behavior10": ,
    "behavior11": ,
    "behavior12": ,
    "behavior13": ,
    "behavior14": ,
    "behavior15": ,
    "behavior16": ,
    "behavior17": ,
    "behavior18": ,
    "behavior19": ,
    "behavior20":
  },
  "sample3": {
    "behavior01": ,
    "behavior02": ,
    "behavior03": ,
    "behavior04": ,
    "behavior05": ,
    "behavior06": ,
    "behavior07": ,
    "behavior08": ,
    "behavior09": ,
    "behavior10": ,
    "behavior11": ,
    "behavior12": ,
    "behavior13": ,
    "behavior14": ,
    "behavior15": ,
    "behavior16": ,
    "behavior17": ,
    "behavior18": ,
    "behavior19": ,
    "behavior20":
  }
}

The submitted answers should be in the following format (example only):

{
  "sample1": {
    "behavior01": true,
    "behavior02": false,
    "behavior03": true,
    "behavior04": true
    // …
  }
}

The name of the submission file does not matter, as long as it is in JSON format (e.g., submission.json). Incorrectly formatted JSON files or typos will count as one of your submission attempts.

We have provided a validation script named json_validator.py that will check your file for proper formatting. To run the validator, use:

python json_validator.py /path/to/solution.json

Run this from the command line in the /home/malware directory. The validator will either print "JSON file correctly formatted." or list the errors it found.

Note: Using the validation script is not required, but it is highly recommended to prevent submission errors. This script works only for Phase 1 and the Extra Credit portion of the project.

You will have 5 attempts to submit your answers. Improperly formatted JSON files will fail and still count as a submission. If you exceed the 5-attempt limit, any additional submissions will receive a grade of zero. You must complete all 60 behaviors (3 samples × 20 behaviors) using true or false (lowercase, unquoted). Incomplete submissions will also count as a failed attempt.

You must manually select your best submission on Gradescope before the project deadline. No late submissions or resubmission requests will be accepted after the deadline. Please submit your JSON file to the Gradescope assignment: Project Malware Analysis – Extra Credit


Phase 1 (50 points):

Analyze your malware samples (50 points)

You will investigate and label some of the more sophisticated malware behaviors from the five malware reports we provided. Use the included JoeSandbox reports to identify the malware’s behavior. Note that malware samples can share behaviors. Therefore, you should initially assume that each malware sample listed below exhibits every behavior. It is your job to determine whether that assumption is actually true.

Hint: Look at the API/system call sequence under each process generated by the malware sample and determine what the malware is doing. Note that each JoeSandbox report may contain multiple processes with many different system call sequences. If any of the behaviors are seen (or attempted, but not necessarily successful) in any process in the report, then that malware has attempted that behavior. Of course, this approach is not entirely practical, as legitimate applications may perform the same actions in a benign manner. We are not concerned with differentiating the two in this assignment, but it is some food for thought.

Clarification of ‘attempted’: We define “attempted” as a specific action that was clearly initiated but failed. By “specific” we mean that it is clear which action is being attempted. For instance, if a registry key is unambiguous (e.g., it is used only to set a startup option) but fails to change, that is considered an attempt. However, if a more generic registry key is involved—one that governs multiple settings—it would not count as an attempt, since the specific action is unclear.

You will notice that the same API function can appear with either a W or an A suffix. This is standard practice in the Windows API, and either variant could be present in the wild. This document explains the difference: https://docs.microsoft.com/en-us/windows/desktop/intl/unicode-in-the-windows-api
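The hint above (look at the call sequence under each process; any process showing the behavior is enough; failed attempts count) and the A/W note together describe a small labelling procedure. The following is an added example written for this page, not course code and not derived from any of the five provided reports: the mini "report" inside it is constructed, and the four behavior definitions are illustrative rules of the same shape you would write from the real questions. It normalises the A/W suffix, then requires each behavior's calls to appear in order within a single process, so that a lone generic call such as WriteFile is not mistaken for evidence on its own.

```python
import re

# Added example (not course code). REPORT and BEHAVIORS are constructed for the
# demo and are not taken from a JoeSandbox report or from the project's questions.

# Windows API names come in ANSI ("A") and Unicode ("W") variants. Strip the suffix
# so that CreateFileA and CreateFileW count as the same call. The lookbehind keeps
# names whose final capital letter is not such a suffix (e.g. GetDC) intact.
API_SUFFIX = re.compile(r"(?<=[a-z0-9])[AW]$")


def normalize_api(name):
    return API_SUFFIX.sub("", name)


# Constructed mini report: process -> ordered list of (api, argument summary, status).
REPORT = {
    "sample.exe (PID 1234)": [
        ("RegOpenKeyExW", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "success"),
        ("RegSetValueExW", "updater", "fail"),  # failed, but a clearly initiated attempt
        ("CreateFileA", r"C:\Users\Public\svc.exe", "success"),
        ("WriteFile", "4096 bytes", "success"),
    ],
    "cmd.exe (PID 1300)": [
        ("CreateProcessW", "cmd.exe /c ping 127.0.0.1", "success"),
    ],
}

# Each behavior is a "sentence": suffix-free API names that must appear in this
# order inside one process, each with an optional regex over the argument summary.
BEHAVIORS = {
    "persists via the Run registry key": [
        ("RegOpenKeyEx", r"\\CurrentVersion\\Run$"),
        ("RegSetValueEx", None),
    ],
    "drops an executable": [
        ("CreateFile", r"(?i)\.exe$"),
        ("WriteFile", None),
    ],
    "spawns a command shell": [
        ("CreateProcess", r"(?i)\bcmd\.exe|\bpowershell"),
    ],
    "reaches out over HTTP": [
        ("InternetOpen", None),
        ("InternetOpenUrl", None),
    ],
}


def process_exhibits(calls, steps):
    """True if the steps occur in order (not necessarily adjacent) within one process.
    The status field is deliberately ignored: a clearly initiated call that failed
    still counts as an attempt."""
    i = 0
    for api, args, _status in calls:
        want_api, want_args = steps[i]
        if normalize_api(api) == want_api and (want_args is None or re.search(want_args, args)):
            i += 1
            if i == len(steps):
                return True
    return False


def label_sample(report, behaviors=BEHAVIORS):
    """Return {behavior: bool}; true when any process in the report shows the behavior."""
    return {
        name: any(process_exhibits(calls, steps) for calls in report.values())
        for name, steps in behaviors.items()
    }


if __name__ == "__main__":
    for name, seen in label_sample(REPORT).items():
        print(f"{seen!s:5}  {name}")
```

The argument regexes are where the "specific versus generic" distinction from the clarification lives: a RegSetValueEx under the Run key is unambiguous, whereas the same call under a key that governs many settings would not satisfy the rule, which is the outcome the clarification asks for.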

For each of the following questions, mark (true / false) whether the malware exhibits the identified behavior:

DELIVERABLE: Your deliverable for this part of the assignment will be your final JSON file with your answers to the 20 questions.

Download the submission template or use the JSON format below for your answers:

{
  "sample1": {
    "behavior01": ,
    "behavior02": ,
    "behavior03": ,
    "behavior04": ,
    "behavior05": ,
    "behavior06": ,
    "behavior07": ,
    "behavior08": ,
    "behavior09": ,
    "behavior10": ,
    "behavior11": ,
    "behavior12": ,
    "behavior13": ,
    "behavior14": ,
    "behavior15": ,
    "behavior16": ,
    "behavior17": ,
    "behavior18": ,
    "behavior19": ,
    "behavior20":
  },
  "sample2": {
    "behavior01": ,
    "behavior02": ,
    "behavior03": ,
    "behavior04": ,
    "behavior05": ,
    "behavior06": ,
    "behavior07": ,
    "behavior08": ,
    "behavior09": ,
    "behavior10": ,
    "behavior11": ,
    "behavior12": ,
    "behavior13": ,
    "behavior14": ,
    "behavior15": ,
    "behavior16": ,
    "behavior17": ,
    "behavior18": ,
    "behavior19": ,
    "behavior20":
  },
  "sample3": {
    "behavior01": ,
    "behavior02": ,
    "behavior03": ,
    "behavior04": ,
    "behavior05": ,
    "behavior06": ,
    "behavior07": ,
    "behavior08": ,
    "behavior09": ,
    "behavior10": ,
    "behavior11": ,
    "behavior12": ,
    "behavior13": ,
    "behavior14": ,
    "behavior15": ,
    "behavior16": ,
    "behavior17": ,
    "behavior18": ,
    "behavior19": ,
    "behavior20":
  },
  "sample4": {
    "behavior01": ,
    "behavior02": ,
    "behavior03": ,
    "behavior04": ,
    "behavior05": ,
    "behavior06": ,
    "behavior07": ,
    "behavior08": ,
    "behavior09": ,
    "behavior10": ,
    "behavior11": ,
    "behavior12": ,
    "behavior13": ,
    "behavior14": ,
    "behavior15": ,
    "behavior16": ,
    "behavior17": ,
    "behavior18": ,
    "behavior19": ,
    "behavior20":
  },
  "sample5": {
    "behavior01": ,
    "behavior02": ,
    "behavior03": ,
    "behavior04": ,
    "behavior05": ,
    "behavior06": ,
    "behavior07": ,
    "behavior08": ,
    "behavior09": ,
    "behavior10": ,
    "behavior11": ,
    "behavior12": ,
    "behavior13": ,
    "behavior14": ,
    "behavior15": ,
    "behavior16": ,
    "behavior17": ,
    "behavior18": ,
    "behavior19": ,
    "behavior20":
  }
}

The submitted answers should be in the following format (example only):

{
  "sample1": {
    "behavior01": true,
    "behavior02": false,
    "behavior03": true,
    "behavior04": true
    // …
  }
}

The name of the submission file does not matter, as long as it is in JSON format (e.g., submission.json). Incorrectly formatted JSON files or typos will count as one of your submission attempts.

We have provided a validation script named json_validator.py that will check your file for proper formatting. To run the validator, use:

python json_validator.py /path/to/solution.json

Run this from the command line in the /home/malware directory. The validator will either print "JSON file correctly formatted." or list the errors it found.

Note: Using the validation script is not required, but it is highly recommended to prevent submission errors. This script works only for Phase 1 and the Extra Credit portion of the project.

You will have 5 attempts to submit your answers. Improperly formatted JSON files will fail and still count as a submission. If you exceed the 5-attempt limit, any additional submissions will receive a grade of zero. You must complete all 100 behaviors (5 samples × 20 behaviors) using true or false (lowercase, unquoted). Incomplete submissions will also count as a failed attempt.
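Because a malformed file costs one of the five attempts, it pays to check the rules above (and the FAQ's "no comments, no trailing commas, lowercase unquoted booleans") before uploading. The script below is an added example written for this page; it is not the course's json_validator.py, only a checker of the same stated rules. The sample and behavior counts are parameters, so the same function covers the Phase 1 layout (5 samples × 20 behaviors) and the extra-credit layout (3 × 20).

```python
import json

# Added example validator (not the course's json_validator.py). It enforces the
# rules stated on the page: one object per sample, behavior01..behaviorNN in each,
# every value an unquoted JSON boolean, no comments, no trailing commas, nothing
# missing and nothing extra.


def validate_submission(text, n_samples=5, n_behaviors=20):
    """Return a list of error strings; an empty list means the file is well formed."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        # Comments, trailing commas and curly quotes all end up here, because
        # strict JSON has no syntax for any of them.
        return [f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]

    if not isinstance(data, dict):
        return ["top level must be a JSON object"]

    errors = []
    expected_samples = {f"sample{i}" for i in range(1, n_samples + 1)}
    expected_behaviors = {f"behavior{i:02d}" for i in range(1, n_behaviors + 1)}

    for name in sorted(expected_samples - set(data)):
        errors.append(f"missing {name}")
    for name in sorted(set(data) - expected_samples):
        errors.append(f"unexpected key {name!r} at top level")

    for sample, behaviors in data.items():
        if sample not in expected_samples:
            continue
        if not isinstance(behaviors, dict):
            errors.append(f"{sample} must be a JSON object")
            continue
        for name in sorted(expected_behaviors - set(behaviors)):
            errors.append(f"{sample}: missing {name}")
        for name in sorted(set(behaviors) - expected_behaviors):
            errors.append(f"{sample}: unexpected key {name!r}")
        for name, value in behaviors.items():
            # Compared with `is` so that 1/0 or the string "true" are rejected:
            # the page requires the JSON literals true/false, unquoted.
            if name in expected_behaviors and value is not True and value is not False:
                errors.append(f"{sample}.{name}: value must be true or false, got {value!r}")
    return errors


def make_template(n_samples=5, n_behaviors=20, fill=False):
    """Build a complete, valid submission with every value set to `fill` (for a dry run)."""
    return json.dumps(
        {f"sample{s}": {f"behavior{b:02d}": fill for b in range(1, n_behaviors + 1)}
         for s in range(1, n_samples + 1)},
        indent=2)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else make_template()
    problems = validate_submission(text)
    print("JSON file correctly formatted." if not problems else "\n".join(problems))
```

Run it as `python check_submission.py submission.json` (the file name is an assumption; pick any). For the extra-credit file call validate_submission with n_samples=3 instead of the default 5.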

You must manually select your best submission on Gradescope before the project deadline. No late submissions or resubmission requests will be accepted after the deadline. Please submit your JSON file to the Gradescope assignment: Project Malware Analysis – Phase I


Phase 2 (50 points)

Overview

For this phase, we will be going over some of the basic concepts of malware analysis. None of the samples or scripts provided here are actually malicious, but they are provided as a way to understand the basic concepts of static and dynamic analysis.

To do so, we will work with the samples by de-obfuscating and executing various samples as needed to understand how the samples function. The overall goal of each task will be to run the program or call the correct endpoint with the correct data to get your flag to send to the autograder.

NOTE:

When handling actual malware, additional due diligence is needed to ensure that you don’t accidentally infect your own machine or other machines on your network. The overall process for setting this environment up is outside the scope of this project, but you can find many helpful resources online along with CS6747: “Advanced Malware Analysis” if you wish to continue studies on your own. There are no malicious malware samples in the VM.

Warm Up

To get started we will work through a number of simple scripts to understand some basics about de-obfuscation that will be helpful in later exercises. Malware authors will often obfuscate their payloads through various means to attempt to bypass IPS and AV systems, as well as to increase the effort required by analysts to contain and remediate a breach. Understanding some of these techniques will be important when we go to analyze some of the other samples in this project.

These are some basic concepts of static analysis and are often used by malware authors and red team (penetration testers) operators in their work. All of these warm ups should provide a script for you to execute with your GTID and get a flag if you do so correctly. De-obfuscate the samples below and execute them to get your flag.

Warm up exercise #1 (5%)

We saw this sample come in earlier. It performs some simple encoding to execute the command. It looks like it spits out a flag, but we aren’t totally sure.

Can you figure out how to get your flag?

base64 -d <<< base64 -d <<< IyEgL3Vzci9iaW4vc2gKYTEoKXsKICBlY2hvICJPaCBsb29rLCB0aGlzIGlzIGRlZmluaXRlbHkgYSBmbGFnOiAkKGVjaG8gZmFsbDIwMjVfY2hlZXRhaF9leDAxIHwgc2hhMjU2c3VtKSIKICBleGl0IDEKfQphMigpewogICMgY2FsbCBtZSB3aXRoIHlvdXIgOS1kaWdpdCBHVElECiAgQj0kKGVjaG8gLW4gImZhbGwyMDI1X2NoZWV0YWhfZXgwMV8kMSIgfCBzaGEyNTZzdW0pCiAgZWNobyAiT3BwcywgSSBndWVzcyB0aGlzIGlzIHRoZSByZWFsIGZsYWc6ICRCIgogIGV4aXQgMAp9ClsgLXogJDEgXSAmJiBhMQphMiAkMQo= | sh

Warm up exercise #2 (5%)

Great job on the last one. This one is a little less straightforward though. The attacker left this long string behind. We think that they were trying to pack something in this string by compressing it, but we aren’t sure what.

Can you figure out what is going on here?

Hints:


Warm up exercise #3 (5%)

One more to go! This long string of text was left in another file on the system. Can you figure out what is going on?

S0VZID0gR2FUZUNoCkVOQyA9IFhPUgpaRUIwU2pZYk5VNDJEQzFITkFsZUJISkFiaHBlUldNTkpBazdSV0VtS0VFeUNTSVBad2t4RnlaS1RVRjBBRHNCTTBGbGJ6NWlKbE44VERoaVowRjNSU0FKS3cxMENDWklNQWdnRFdNUktCUW1SWHBGSXdnekREZElBRFVkSVVsSVp5TnBRV3NOSkFrN1JXNEdaME15QkM4RWRWRm1VQndOSkFrOUFTMEpHQVFzVlhBM1kxQjJSVDlJTkFrMVYzWmVOQlE1VEVsSVp3UTNEU3hJWlNreEZ5WklMaEowRVNzTlp3YzRCQ1JTWjBVV1IwbElad1FzRERkSWQyc3BieGhJYWh0MFFYSklHa0Z5UTJNSmRtczFWMk5NZG1zPQ==

Sample Analysis

These samples are set up to roughly approximate some Command and Control (C2) traffic between the client samples and the server we will run. To perform this analysis, you will start the server container, and then you will execute the client scripts to see what actions they perform.

Much of the dynamic network analysis can be performed with Wireshark, and some additional static analysis work may need to be done to look at the samples and what they are executing.

Additionally, you will need to craft your own requests to send to the C2 server to get your flag. You are welcome to do this using cURL, python, or whatever other HTTP request program you like to use. To get your flag, you will need to send a request to the correct endpoint followed by your GTID. Example provided below:

http://localhost:8085/path/to/endpoint/9999999999

Once you analyze the samples and submit a successful request to get your flag, you’ll receive a JSON message that looks something like the following:

{
  "flag": "Now that's a flag: <your flag value will be here>"
}
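The request and response just described make a complete exchange, so here it is end to end as an added example (not course code, and not one of the client samples). The client side is what you would point at the real server on localhost:8085; the server side is a hypothetical stand-in that answers a placeholder path with the same JSON shape as above, so the exchange can be run offline. The GTID check encodes the two FAQ answers about nine digits and angle brackets; the 10-digit value in the example URL above is a placeholder and would be rejected by it.

```python
import json
import re
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Added example, not course code. StandInServer is a hypothetical replacement for
# the project's C2 container; its ENDPOINT is a placeholder, not a real path.

GTID_RE = re.compile(r"\d{9}")


def build_flag_url(base, endpoint, gtid):
    """Join base URL, endpoint path and GTID; reject the GTID mistakes the FAQ lists."""
    if not GTID_RE.fullmatch(gtid):
        raise ValueError("GTID must be exactly 9 digits with no angle brackets or spaces")
    return f"{base.rstrip('/')}/{endpoint.strip('/')}/{gtid}"


def fetch_flag(url, timeout=5):
    """GET the URL and return the 'flag' field of the JSON reply, or None on HTTP 404."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return json.load(resp).get("flag")
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return None
        raise


class StandInServer(BaseHTTPRequestHandler):
    """Hypothetical stand-in for the C2 container: one endpoint, 404 for anything else."""
    ENDPOINT = "/path/to/endpoint"  # placeholder path, not a real course endpoint

    def do_GET(self):
        match = re.fullmatch(re.escape(self.ENDPOINT) + r"/(\d{9})", self.path)
        if not match:
            self.send_error(404)
            return
        body = json.dumps(
            {"flag": f"Now that's a flag: constructed-flag-for-{match.group(1)}"}
        ).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging in the demo
        pass


def run_demo(gtid="123456789"):
    """Start the stand-in on an ephemeral port, then query a right and a wrong endpoint."""
    server = HTTPServer(("127.0.0.1", 0), StandInServer)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"
    try:
        good = fetch_flag(build_flag_url(base, StandInServer.ENDPOINT, gtid))
        wrong = fetch_flag(build_flag_url(base, "/wrong/endpoint", gtid))
        return good, wrong
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

Against the real container you would keep only build_flag_url and fetch_flag, with base "http://localhost:8085" and the endpoint you recovered from the client's traffic in Wireshark; a None result is the 404 case the FAQ describes, which almost always means the path or the GTID format is wrong rather than the server.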

Sample #0 (10%)

This is a simple example to get started and make sure that you have all of your pieces set up correctly to capture the traffic between the client and server.

Sample #1 (10%)

In this sample, the initial client-1 program acts as the first stage of the malware sample. Your goal is as follows:

Sample #2 (15%)

In this sample, the client-2 program makes a couple of calls and performs some familiar obfuscation techniques. Perform the following steps:

Submission Details

Submit your flags in GradeScope as a json file named ‘phase2.json’ with the following format:

{
  "warmup1": "replace_the_placeholder_flag",
  "warmup2": "replace_the_placeholder_flag",
  "warmup3": "replace_the_placeholder_flag",
  "client0": "replace_the_placeholder_flag",
  "client1": "replace_the_placeholder_flag",
  "client2": "replace_the_placeholder_flag"
}

You can also use the provided template file to build your submission.
