Phase 1: Behavior Analysis | CS 6035
Phase 1 (50 points):
Analyze your malware samples (50 points)
You will investigate and label some of the more sophisticated malware behaviors from the five
malware samples we provided. Use the included JoeSandbox reports to identify the malware’s
behavior. Note that malware samples can share behaviors. So initially you should assume that
each malware we question you about below has every behavior listed. It’s your job to determine
if that assumption is actually true.
Hint: Look at the API/system call sequence under each process generated by the malware sample
and determine what the malware is doing. Note that each JoeSandbox report may contain
multiple processes with many different system call sequences. If any of the behaviors are seen (or
attempted, but not necessarily successful) in any process in the report, then that malware has
attempted that behavior. This is, of course, not completely practical, as legitimate applications
may perform the same actions in a benign fashion. We are not concerned with differentiating the
two in this assignment, but it is some food for thought.
Clarification for attempted: We mean by “attempted” that a specific action was attempted but
failed. By “specific” we mean that it is clear which action is attempted. If you have a registry key,
for instance, that is unambiguous (like, say, it is used only to set a startup option), but it fails to
change the key, that is an attempt for our purposes. But if you have a more generic registry key
that governs multiple settings, we don’t know for sure which key or keys it is attacking and so the
action would not count as an “attempt”.
You will notice that the same API functions can end with either a W or an A. This is a standard
practice in the Windows API, and this document explains the difference (either one could in
theory be present in the wild): https://docs.microsoft.com/en-us/windows/desktop/intl/unicode-in-the-windows-api
For each of the following questions, mark which of the malware exhibit the identified behavior:
1. Attempts to get victim to disable security protections
2. Microsoft Office key deletion
3. Microsoft Excel key creation
4. Creates registry values (any)
5. Drops RegAsm virus
6. Issues signal to cause immediate program termination
7. Malicious file most likely programmed in C or C++
8. Detects the Mirai botnet
9. Keylogger attempt
10. Attempts to copy clipboard
11. Hooks registry keys/values to protect autostart
12. Possible PFW / HIPS evasion
13. Uses the Windows core system file splwow64.exe
14. Drops a portable executable file into C:\Windows
    a. The term “drop” in the behavior “Drops file(s)” means to create (or attempt to create) files, not to delete files.
    b. We are just looking for dropped files for this behavior.
15. Looks for the name or serial number of a device
16. Attempts to obscure the meaning of data as an added layer of data
17. HTTP GET or POST without a user agent
18. Uses loops or otherwise needless repetitions of commands, such as Pings, used to delay malware execution and potentially exceed time thresholds of automated analysis environments.
19. Attempts to override the domain name system (DNS) for a domain on a specific machine.
20. Possible system shutdown
1 of 7 10/5/2024, 8:36 PM
https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/Proj…
DELIVERABLE: Your deliverable for this part of the assignment will be your final JSON file with
your answers to the 20 questions.
Download the submission template or use the JSON format below for your answers:
{
  "sample1": {
    "behavior01": ,
    "behavior02": ,
    "behavior03": ,
    "behavior04": ,
    "behavior05": ,
    "behavior06": ,
    "behavior07": ,
    "behavior08": ,
    "behavior09": ,
    "behavior10": ,
    "behavior11": ,
    "behavior12": ,
    "behavior13": ,
    "behavior14": ,
    "behavior15": ,
    "behavior16": ,
    "behavior17": ,
    "behavior18": ,
    "behavior19": ,
    "behavior20":
  },
  "sample2": {
    "behavior01": ,
    "behavior02": ,
    "behavior03": ,
    "behavior04": ,
    "behavior05": ,
    "behavior06": ,
    "behavior07": ,
    "behavior08": ,
    "behavior09": ,
    "behavior10": ,
    "behavior11": ,
    "behavior12": ,
    "behavior13": ,
    "behavior14": ,
    "behavior15": ,
    "behavior16": ,
    "behavior17": ,
    "behavior18": ,
    "behavior19": ,
    "behavior20":
  },
  "sample3": {
    "behavior01": ,
    "behavior02": ,
    "behavior03": ,
    "behavior04": ,
    "behavior05": ,
    "behavior06": ,
    "behavior07": ,
    "behavior08": ,
    "behavior09": ,
    "behavior10": ,
    "behavior11": ,
    "behavior12": ,
    "behavior13": ,
    "behavior14": ,
    "behavior15": ,
    "behavior16": ,
    "behavior17": ,
    "behavior18": ,
    "behavior19": ,
    "behavior20":
  },
  "sample4": {
    "behavior01": ,
    "behavior02": ,
    "behavior03": ,
    "behavior04": ,
    "behavior05": ,
    "behavior06": ,
    "behavior07": ,
    "behavior08": ,
    "behavior09": ,
    "behavior10": ,
    "behavior11": ,
    "behavior12": ,
    "behavior13": ,
    "behavior14": ,
    "behavior15": ,
    "behavior16": ,
    "behavior17": ,
    "behavior18": ,
    "behavior19": ,
    "behavior20":
  },
  "sample5": {
    "behavior01": ,
    "behavior02": ,
    "behavior03": ,
    "behavior04": ,
    "behavior05": ,
    "behavior06": ,
    "behavior07": ,
    "behavior08": ,
    "behavior09": ,
    "behavior10": ,
    "behavior11": ,
    "behavior12": ,
    "behavior13": ,
    "behavior14": ,
    "behavior15": ,
    "behavior16": ,
    "behavior17": ,
    "behavior18": ,
    "behavior19": ,
    "behavior20":
  }
}
The submitted answers should be in the format (this is an example only):
{
  "sample1": {
    "behavior01": true,
    "behavior02": false,
    "behavior03": true,
    "behavior04": true,
    .
    .
    .
  }
}
The naming of the submission file is not important, as long as it is JSON (“submission.json” is an
example). Incorrectly formatted JSON files or typos count as a submission if the submission
attempt fails. We have provided a validation script named “json_validator.py” which will check
your file for proper formatting. To run the validator on your file, use the following command:
“python json_validator.py /path/to/solution.json” at the command line in the /home/malware
directory. The validator will either return “JSON file correctly formatted.” if the submission file
is correct, or will return the errors found. It is not required to use the validation script,
although it is highly recommended to prevent erroneous submissions. We will not provide extra
submission attempts. This validation script works only for Phase 1.
You will have 5 attempts to submit your answers. Improperly formatted JSON files will fail and
count as a submission. If you attempt to make more submissions than the limit, your grade will
be a ZERO for submissions past five. You will want to choose your best submission of the first 5
manually in Gradescope, but this MUST be done BEFORE the project deadline. No late
submissions or requests to update the submission will be accepted after the project deadline.
Please submit the answers in the JSON file in the Gradescope assignment Project Malware
Analysis – Phase I.
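Because a malformed file costs one of the five attempts, it is worth checking the shape of the submission locally before uploading. The script below is an added example written for this page, not the course's json_validator.py: it assumes only what the template above shows (keys "sample1" through "sample5", each holding "behavior01" through "behavior20" with a JSON boolean), and it reports every problem it finds, including the invalid-JSON errors that curly quotes or empty values copied from this document produce.

```python
"""Check a Phase 1 submission against the template layout shown on this page.

Added example, not the course's own json_validator.py. Assumptions: the file is
a JSON object with keys sample1..sample5, each an object with behavior01..
behavior20 whose values are JSON booleans (true/false), as the template reads.
"""
import json
import sys

SAMPLES = [f"sample{i}" for i in range(1, 6)]
BEHAVIORS = [f"behavior{i:02d}" for i in range(1, 21)]


def validate_obj(data):
    """Return a list of problems with an already-parsed submission; [] means OK."""
    if not isinstance(data, dict):
        return ["top level must be a JSON object"]
    problems = []
    for sample in SAMPLES:
        if sample not in data:
            problems.append(f"missing key {sample!r}")
            continue
        block = data[sample]
        if not isinstance(block, dict):
            problems.append(f"{sample} must be an object of behaviors")
            continue
        for behavior in BEHAVIORS:
            if behavior not in block:
                problems.append(f"{sample}: missing {behavior!r}")
            elif not isinstance(block[behavior], bool):
                # JSON booleans are bare true/false; the string "true" or the
                # number 1 are the typos this check exists to catch.
                problems.append(
                    f"{sample}.{behavior}: value must be true or false, "
                    f"got {block[behavior]!r}"
                )
        for extra in sorted(set(block) - set(BEHAVIORS)):
            problems.append(f"{sample}: unexpected key {extra!r}")
    for extra in sorted(set(data) - set(SAMPLES)):
        problems.append(f"unexpected top-level key {extra!r}")
    return problems


def validate_submission(text):
    """Parse the file contents and validate; syntax errors come back with a position."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        # Curly quotes, trailing commas and empty values all land here.
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}, column {exc.colno}"]
    return validate_obj(data)


def make_template(default=False):
    """Build a complete submission with every answer set to `default`."""
    return {s: {b: default for b in BEHAVIORS} for s in SAMPLES}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            found = validate_submission(fh.read())
    else:
        # No path given: run against a constructed, deliberately broken
        # submission (one value is a string, one key is missing).
        broken = make_template()
        broken["sample2"]["behavior07"] = "true"
        del broken["sample5"]["behavior20"]
        found = validate_submission(json.dumps(broken))
    print("OK: submission has the expected shape." if not found else "\n".join(found))
```

Run it as `python check_submission.py /path/to/solution.json`; with no argument it demonstrates itself on the constructed broken file. It checks shape only, so it says nothing about whether the answers are right.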
Disclaimer: You are responsible for the information on this website. The content is subject to change at any time.
Phase 2 (50 points)
Overview
For this phase, we will be going over some of the basic concepts of malware analysis. None of the samples or scripts provided here are actually malicious, but they are provided as a way to understand the basic concepts of static and dynamic analysis. To do so, we will work with the samples by de-obfuscating and executing various samples as needed to understand how the samples function. The overall goal of each task will be to run the program or call the correct endpoint with the correct data to get your flag to send to the autograder.
NOTE:
When handling actual malware, additional due diligence is needed to ensure that you don’t accidentally infect your own machine or other machines on your network. The overall process for setting this environment up is outside the scope of this project, but you can find many helpful resources online along with CS6747: “Advanced Malware Analysis” if you wish to continue studies on your own. There are no malicious malware samples in the VM.
Warm Up
To get started we will work through a number of simple scripts to understand some basics about de-obfuscation that will be helpful in later exercises. Malware authors will often obfuscate their payloads through various means to attempt to bypass IPS and AV systems, as well as to increase the effort required by analysts to contain and remediate a breach. Understanding some of these techniques will be important when we go to analyze some of the other samples in this project. These are some basic concepts of static analysis and are often used by malware authors and red team (penetration testers) operators in their work. All of these warm ups should provide a script for you to execute with your GTID and get a flag if you do so correctly. De-obfuscate the samples below and execute them to get your flag.
Warm up exercise #1 (5%)
We saw this sample come in earlier. It performs some simple encoding to execute the command. It looks like it spits out a flag, but we aren’t totally sure. Can you figure out how to get your flag?
base64 -d <<< IyEgL3Vzci9iaW4vc2gKYTEoKXsKICBlY2hvICJPaCBsb29rLCB0aGlzIGlzIGRlZmluaXRlbHkgYSBmbGFnOiAkKGVjaG8gZmFsbDIwMjRfY2hlZXRhaF9leDAxIHwgc2hhMjU2c3VtKSIKICBleGl0IDEKfQphMigpewogICMgY2FsbCBtZSB3aXRoIHlvdXIgOS1kaWdpdCBHVElECiAgQj0kKGVjaG8gLW4gImZhbGwyMDI0X2NoZWV0YWhfZXgwMV8kMSIgfCBzaGEyNTZzdW0pCiAgZWNobyAiT3BwcywgSSBndWVzcyB0aGlzIGlzIHRoZSByZWFsIGZsYWc6ICRCIgogIGV4aXQgMAp9ClsgLXogJDEgXSAmJiBhMQphMiAkMQo= | sh
Warm up exercise #2 (5%)
Great job on the last one. This one is a little less straightforward though. The attacker left this long string behind. We think that they were trying to pack something in this string by compressing it, but we aren’t sure what. Can you figure out what is going on here?
Hints:
There are ways you can check what kind of file you are looking at
Keep peeling the onion
Scripting is your friend
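The hints above amount to a loop: identify what kind of data you are holding, strip that layer, and look again. The Python script below, added here as an example and not a script from the project, does that mechanically. It identifies the outermost layer from the bytes themselves (a `#!` script, base64 text, gzip/bzip2/xz/zlib magic bytes, or opaque bytes), removes it, and repeats, returning the inner payload for inspection instead of piping it into `sh`. When a key is supplied it also strips a repeating-key XOR layer, which is the kind of layer exercise #3 below adds on top of base64. The two blobs it decodes are constructed inside the script from a harmless payload; they are not the assignment's strings, and the key `GaTeCh` is used only because exercise #3 names it.

```python
"""Peel encoding layers off a blob until a script or plain text emerges.

Added example for this page, not part of the project. Layers recognised:
base64 text, gzip / bzip2 / xz / zlib (by magic bytes), and, when a key is
given, repeating-key XOR over otherwise opaque bytes. Demo blobs are
constructed below; they are not the assignment's strings.
"""
import base64
import binascii
import bz2
import gzip
import lzma
import re
import string
import zlib

BASE64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")
PRINTABLE = set(string.printable.encode())
MAGIC = [  # (signature, layer name, decompress function)
    (b"\x1f\x8b", "gzip", gzip.decompress),
    (b"BZh", "bzip2", bz2.decompress),
    (b"\xfd7zXZ\x00", "xz", lzma.decompress),
    (b"x\x9c", "zlib", zlib.decompress),  # zlib header at default level
]


def is_text(data):
    """True when every byte is printable ASCII or whitespace."""
    return bool(data) and all(b in PRINTABLE for b in data)


def xor_bytes(data, key):
    """Repeating-key XOR; the same call both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def identify(data):
    """Name the outermost layer of `data`, a cut-down version of `file`."""
    if data.startswith(b"#!"):
        return "script"
    if is_text(data):
        compact = b"".join(data.split())
        # Short alphanumeric words also match the alphabet, hence the length floor.
        if len(compact) >= 16 and len(compact) % 4 == 0 and BASE64_RE.match(compact):
            try:
                base64.b64decode(compact, validate=True)
                return "base64"
            except binascii.Error:
                pass
        return "text"
    for sig, name, _ in MAGIC:
        if data.startswith(sig):
            return name
    return "unknown"


def peel(data, xor_key=None, max_layers=16):
    """Strip layers until a script or text remains; return (payload, layers).

    `layers` lists what was removed, outermost first. Opaque bytes are XORed
    with `xor_key` once if a key is given; without one, decoding stops there.
    """
    decompress = {name: func for _, name, func in MAGIC}
    layers = []
    for _ in range(max_layers):
        kind = identify(data)
        if kind in ("script", "text"):
            return data, layers
        if kind == "base64":
            data = base64.b64decode(b"".join(data.split()), validate=True)
        elif kind == "unknown":
            if xor_key is None or (layers and layers[-1].startswith("xor(")):
                return data, layers  # nothing left to try; hand back raw bytes
            data = xor_bytes(data, xor_key)
            kind = f"xor({xor_key.decode('ascii', 'replace')})"
        else:
            data = decompress[kind](data)
        layers.append(kind)
    raise ValueError(f"gave up after {max_layers} layers")


def build_samples():
    """Construct demo blobs (not the assignment's strings) plus the payload."""
    payload = b"#! /bin/sh\necho 'constructed sample; not a real flag'\n"
    blob_a = base64.b64encode(gzip.compress(payload))          # exercise #2 style
    blob_b = base64.b64encode(xor_bytes(payload, b"GaTeCh"))  # exercise #3 style
    return blob_a, blob_b, payload


if __name__ == "__main__":
    blob_a, blob_b, _ = build_samples()
    for blob, key in ((blob_a, None), (blob_b, b"GaTeCh")):
        payload, layers = peel(blob, xor_key=key)
        print("layers removed:", " -> ".join(layers) or "none")
        print(payload.decode("ascii", "replace"))
```

The payload is returned as bytes so you can read it first; only once you know what it does should anything be executed, and then from a file rather than a pipe. Against a real blob, run `identify` on each intermediate result to see where the loop stops and why.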
Warm up exercise #3 (5%)
One more to go! This long string of text was left in another file on the system. Can you figure out what is going on?
S0VZID0gR2FUZUNoCkVOQyA9IFhPUgpaRUIwU2pZYk5VNDJEQzFITkFsZUJISkFiaHBlUldNTkpBazdSV0VtS0VFeUNTSVBad2t4RnlaS1RVRjBBRHNCTTBGbGJ6NWlKbE44VERoaVowRjNSU0FKS3cxMENDWklNQWdnRFdNUktCUW1SWHBGSXdnekREZElBRFVkSVVsSVp5TnBRV3NOSkFrN1JXNEdaME15QkM4RWRWRm1VUndOSkFrOUFTMEpHQVFzVlhBM1kxQjJSVDlJTkFrMVYzWmVOQlE1VEVsSVp3UTNEU3hJWlNreEZ5WklMaEowRVNzTlp3YzRCQ1JTWjBVV1IwbElad1FzRERkSWQyc3BieGhJYWh0MFFYSklHa0Z5UTJNSmRtczFWMk5NZG1zPQ==
Sample Analysis
These samples are set up to roughly approximate some Command and Control (C2) traffic between the client samples and the server we will run. To perform this analysis, you will start the server container, and then you will execute the client scripts to see what actions they perform. Much of the dynamic network analysis can be performed with Wireshark, and some additional static analysis work may need to be done to look at the samples and what they are executing.
Additionally, you will need to craft your own requests to send to the C2 server to get your flag. You are welcome to do this using cURL, python, or whatever other HTTP request program you like to use. To get your flag, you will need to send a request to the correct endpoint followed by your GTID. Example provided below:
http://localhost:8080/path/to/endpoint/9999999999
Once you analyze the samples and submit a successful request to get your flag, you’ll receive a JSON message that looks something like the following:
{
  "flag": "Now that's a flag: <your flag value will be here>"
}
Sample #0 (10%)
This is a simple example to get started and make sure that you have all of your pieces set up correctly to capture the traffic between the client and server.
Start the server
Start Wireshark to listen for network traffic
Run the client-0 sample
Figure out how to get your flag
Sample #1 (10%)
In this sample, the initial client-1 program acts as the first stage of the malware sample. Your goal is as follows:
Execute the client-1 sample
Review the network calls
Identify and analyze the second stage
Figure out how to get your flag
Sample #2 (15%)
In this sample, the client-2 program makes a couple of calls and performs some familiar obfuscation techniques. Perform the following steps:
Execute the client-2 sample
Review the network calls
Identify and analyze the obfuscation technique
Figure out how to get your flag
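The request/response exchange that all three samples above end in, as an added stand-alone mock written for this page using only Python's standard library (it is not the project's server container or any of the client-N scripts): a minimal HTTP "C2" server that answers `GET /path/to/endpoint/<GTID>` with the JSON reply shape quoted above, and a client function that issues the request and parses the reply, including the error body on a non-200 status. The endpoint path, the ephemeral port and the flag text are placeholders chosen here; the real endpoint is whatever your analysis of the samples reveals.

```python
"""Mock of the client/server flag exchange described on this page.

Added example, not the course's server or client samples. Assumptions: the
endpoint path and flag text are placeholders; the server binds an ephemeral
loopback port so the mock runs anywhere without touching the real container.
"""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

ENDPOINT = "/path/to/endpoint"  # placeholder path, not the real endpoint


class MockC2Handler(BaseHTTPRequestHandler):
    """Answers GET <ENDPOINT>/<digits> with a JSON flag, anything else with 404."""

    def do_GET(self):
        prefix = ENDPOINT + "/"
        gtid = self.path[len(prefix):] if self.path.startswith(prefix) else ""
        if gtid.isdigit():
            # Constructed flag text in the page's reply shape; not a real flag.
            self._send(200, {"flag": f"Now that's a flag: constructed_example_{gtid}"})
        else:
            self._send(404, {"error": "unknown endpoint or missing GTID"})

    def _send(self, status, body):
        raw = json.dumps(body).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(raw)))
        self.end_headers()
        self.wfile.write(raw)

    def log_message(self, *args):
        pass  # keep the demo quiet; Wireshark is where the traffic gets looked at


def start_mock_server():
    """Bind 127.0.0.1 on an ephemeral port and serve in a background thread."""
    server = HTTPServer(("127.0.0.1", 0), MockC2Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_flag(base_url, gtid):
    """Request <base_url><ENDPOINT>/<gtid> and return the parsed JSON reply.

    A non-200 answer still carries a JSON body here, so it is parsed too
    rather than raised, which makes a wrong path or GTID easy to diagnose.
    """
    # urllib would otherwise send its default Python-urllib/x.y agent.
    req = Request(f"{base_url}{ENDPOINT}/{gtid}",
                  headers={"User-Agent": "cs6035-analyst/0.1"})
    try:
        with urlopen(req, timeout=5) as resp:
            return json.loads(resp.read().decode("utf-8"))
    except HTTPError as err:
        return json.loads(err.read().decode("utf-8"))


if __name__ == "__main__":
    srv = start_mock_server()
    base = f"http://127.0.0.1:{srv.server_address[1]}"
    print(fetch_flag(base, "9999999999"))   # the page's example GTID
    print(fetch_flag(base, "not-a-gtid"))
    srv.shutdown()
    srv.server_close()
```

Point Wireshark at the loopback interface while this runs and the single GET and its JSON reply are the whole exchange; the real samples differ in what the client sends before that request, which is what the analysis has to uncover.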
Submission Details
Submit your flags in GradeScope as a json file named ‘phase2.json’ with the following format:
{
  "warmup1": "replace_the_placeholder_flag",
  "warmup2": "replace_the_placeholder_flag",
  "warmup3": "replace_the_placeholder_flag",
  "client0": "replace_the_placeholder_flag",
  "client1": "replace_the_placeholder_flag",
  "client2": "replace_the_placeholder_flag"
}
You can also use the provided template file to build your submission.