Part 1: Windows Malware (stage1.exe and stage2.exe)
Use static and dynamic analysis with tools like Wireshark, Cuckoo Sandbox, and angr to capture traffic, find valid commands, and analyze behaviors such as file downloads and system changes.
Part 2: Linux Malware (payload.exe)
Analyze instruction traces to uncover communication points and attack logic using symbolic execution, loop detection, and custom scripts.
Part 3: Android Malware (sms.apk)
Use jadx and apktool to reverse engineer the app, uncover SMS-based C2 behavior, and bypass emulator checks to trigger hidden actions.
Tutorials
We provide step-by-step guides for tools like Wireshark, Cuckoo Sandbox, angr, and some customized tools at the end of this writeup. You are encouraged to use these guides to get started, but you’re also free to use your own methods.
Submission Instructions
Environment Setup
Project VM Setup
Download the Virtual Machine (VM)
Open VirtualBox
Network configurations
VM performance configuration suggestions
VM setup suggestions
Miscellaneous VM Performance Tips
-memory 2048 -gpu swiftshader
Part 1: Windows Malware (Stage 1 & Stage 2)
1) Initialization
Update project 3 before beginning
Initializing the project
Failure to provide this may result in receiving a 0 on this project
2) Malware Analysis Workflow
Scenario
You got a malware sample named stage1.exe. Your task is to analyze it and uncover its behavior. How do you approach this?
In this scenario, you are going to analyze the given malware with tools that we provide. These tools help you perform static and dynamic analysis. (See the tutorial at the end of this document for how to use them.)
Objective
Tasks
Secure Experiment Environment
A secure environment is critical for safely analyzing malware. Running malware in an insecure environment (e.g., your base project VM) may lead to serious damage.
Network Behavior Analysis
Tools (all tools for this and later analysis are pre-installed; see the tutorials for how to use them)
What you are looking for
Tracing Analysis
Tools
What you are looking for
CFG Analysis
Tools
What you are looking for
Symbolic Execution
Tools
Workflow
Reconstruct C2 Server
3) Stage 2
After stage 1
Stage 2
Part 2: Linux Malware (Stage 3 – payload.exe)
Workflow
We provide tutorials based on angr and radare2.
Other Tools:
Part 3: Android Malware (sms.apk)
Scenario
Approach Overview
Manifest Analysis
Broadcast receiver from CoinPirate’s malware family
Static Analysis
https://github.com/skylot/jadx/issues/2373
Stage 1
Question 4.5.1 (5 points)
Question 4.5.2 (10 points)
Question 4.5.3 (20 points)
Question 4.5.4 (20 points)
(hint: If you believe you’ve located the correct spot but your answer is still incorrect, double-check how the ending index of a substring is defined in Java: https://www.geeksforgeeks.org/substring-in-java/).
Stage 2
From Stage 1, we know the required country code and the necessary commands to trigger the malicious behavior. However, even if we send the correct commands with the correct country code, sms.apk will still not exhibit any malicious behavior.
To maximize the longevity of malware, malicious developers aim to prevent analysis. Since the majority of dynamic analysis frameworks are based on emulation, these developers often integrate anti-analysis techniques to alter an app’s behavior. If an app detects that it is running in an emulated environment rather than on a real device, it will behave differently to avoid appearing suspicious.
For Stage 2, we will attempt to identify how sms.apk detects whether it is running on an emulator. Then, we will modify sms.apk to remove this check and successfully trigger the malicious behavior.
Question 4.6.1 (15 points)
The most basic form of emulation detection is when a malicious app leverages a static heuristic. Static heuristics are pre-initialized values that provide information about the underlying environment. Apps running on a system can check these static heuristics by calling Android APIs. For many of these values, the emulator will return results that are inconsistent with what would be expected on a real device.
For example, if the TelephonyManager.getDeviceId() API returns all 0’s, the device in question is likely an emulator. This is because such a value cannot exist on a physical device.
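To help locate static-heuristic emulator checks like the one above in the smali that apktool produces, here is an added triage scanner; it is not part of the project's tooling, the smali fragment it carries is constructed rather than taken from sms.apk, and the list of APIs and emulator-typical literal values is an assumption about common heuristics, not a statement of what sms.apk uses.

```python
"""Scan decompiled smali (from `apktool decode`) for static emulator-detection heuristics."""
import re, sys
from pathlib import Path

# API calls and Build constants commonly used as static emulator heuristics (assumed list).
HEURISTIC_PATTERNS = {
    "getDeviceId": re.compile(r"Landroid/telephony/TelephonyManager;->getDeviceId"),
    "getLine1Number": re.compile(r"Landroid/telephony/TelephonyManager;->getLine1Number"),
    "Build.FINGERPRINT": re.compile(r"Landroid/os/Build;->FINGERPRINT"),
    "Build.MODEL": re.compile(r"Landroid/os/Build;->MODEL"),
}
# Literal values an emulator typically returns for those heuristics (assumed list).
SUSPECT_LITERALS = ("000000000000000", "generic", "goldfish", "ranchu", "google_sdk", "15555215554")

def scan_smali_text(text, filename="<constructed>"):
    """Return a list of (filename, line_no, kind, snippet) hits for one smali file's text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for kind, pat in HEURISTIC_PATTERNS.items():
            if pat.search(line):
                hits.append((filename, no, kind, line.strip()))
        # String constants are compared against the API result; flag emulator-typical ones.
        m = re.search(r'const-string(?:/jumbo)? v\d+, "([^"]*)"', line)
        if m and any(lit in m.group(1).lower() for lit in SUSPECT_LITERALS):
            hits.append((filename, no, "literal:" + m.group(1), line.strip()))
    return hits

def scan_smali_dir(root):
    """Walk an apktool output directory and scan every .smali file under it."""
    hits = []
    for path in sorted(Path(root).rglob("*.smali")):
        hits.extend(scan_smali_text(path.read_text(errors="replace"), str(path)))
    return hits

# Constructed smali fragment resembling a getDeviceId() check; not taken from sms.apk.
SAMPLE_SMALI = """\
.method private isEmulator()Z
    invoke-virtual {v1}, Landroid/telephony/TelephonyManager;->getDeviceId()Ljava/lang/String;
    move-result-object v0
    const-string v2, "000000000000000"
    invoke-virtual {v0, v2}, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
    move-result v0
    return v0
.end method
"""

if __name__ == "__main__":
    # Pass the apktool output directory (e.g. ~/Android/MaliciousMessenger/sms) to scan it;
    # with no argument the constructed sample is scanned instead.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for hit in (scan_smali_dir(target) if target else scan_smali_text(SAMPLE_SMALI)):
        print("%s:%d  %s  | %s" % hit)
```

Each hit names the smali file and line, so the surrounding method can be inspected (and, for Stage 2, patched) before rebuilding with apktool.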
Question 4.6.2/3/4 (30 points)
The final question requires you to first modify sms.apk and remove the environment check so that we can run sms.apk on an emulator, and then send the commands found in Stage 1 to the emulator and observe whether it exhibits malicious behavior. Upon success, the C&C server will generate the final answers.
If you have no previous experience modifying APKs, it’s recommended that you start by removing the emulation check from emu-check.apk before working on sms.apk.
Submission Instructions
(Modifying score.h is not required. Submitting it unmodified is fine.)
Rubrics
Tutorials
All tools mentioned in the tutorials are pre-installed in the VM!
Windows Testbed
Copy from Shared Directory
Run the malware
Wireshark
Cuckoo Analysis
Control Flow Graph Analysis
Symbolic Execution
python ./sym_exec.py [program_path] [start_address] [end_address]
python ./sym_exec.py ~/shared/stage1.exe 4050c0 40518a
Angr Tutorial
Radare2 Tutorial
Android Cheatsheet
Start Emulator
~/bin/run-emulator
Add Contact
The sleeps are needed to allow a slow emulator time to process.
adb shell "am start -a android.intent.action.INSERT -t vnd.android.cursor.dir/contact -e name 'GatechID'"
sleep 1
adb shell input keyevent 4
sleep 1
adb shell input keyevent 4
Android Log
adb logcat
Filtered Log
The adb logcat tool has no built-in way to filter by app; fortunately there's a script that does just that.
Get the script and make it executable (review it before running something off the internet)
wget -O ~/bin/pidcat.py https://raw.githubusercontent.com/JakeWharton/pidcat/master/pidcat.py
chmod +x ~/bin/pidcat.py
~/bin/pidcat.py com.smsmessenger
Decompile APK
Note: Omitting the !@#$% option allows it to decode the resources as well as the smali code.
apktool decode ~/Android/MaliciousMessenger/sms.apk --output ~/Android/MaliciousMessenger/sms
Build Modified APK
apktool build ~/Android/MaliciousMessenger/sms --output ~/Android/MaliciousMessenger/sms_modded.apk
Sign Modified APK
~/bin/signer.py ~/Android/MaliciousMessenger/sms_modded.apk
Uninstall APK
adb uninstall com.smsmessenger
Install Modified APK
adb install ~/Android/MaliciousMessenger/sms_modded.apk
Launch the App
The app will not be active until you run it at least once after re-installation 😡 — spent a bunch of time banging my head against the wall until I figured this one out.
adb shell monkey -p com.smsmessenger -c android.intent.category.LAUNCHER 1
Send an SMS
Use single quotes or you’ll need to escape the message contents.
Note: I didn’t test with emojis!
adb emu sms send 8675309 '🎵 Jenny Ive called your number…🎵'