The following is based on true events from 2014 which occurred in a small start-up company in Monroe, CT.
A new small to medium sized eCommerce start-up based in Monroe, CT has recently begun to notice anomalies in its financial records. It has also received a number of customer complaints saying that invoices received from the company often bill for more services than the customers asked for, and that the invoices often direct them to send check payments to a PO Box that does not look legitimate.
Upon reviewing the most recent set of invoices (saved as plain text files), the accounting department confirms that the information in the invoices is incorrect, as the customer complaints reported. The CEO orders an immediate investigation of the three accountants’ computers, which were purchased only last month from a bankrupt internet cafe popular for LAN parties.
As a growing company, they employ only a small team of six part-time IT support professionals. They undertake an initial check of the systems and find a suspicious process running on one of the computers; it appears to be connected to a McAfee service, with a large amount of data being sent outside the company firewall. At this point they do not feel that they have the expertise to carry out a full-scale malware/forensic investigation. Becoming nervous about a possible attack, the IT team scribbles down the name of the suspicious process (“greencat-2”), quickly shuts down all three accounting department computers and unplugs their power cords.
As competition in the start-up eCommerce domain is increasing, the company is anxious to establish whether its systems have been compromised. The CEO quickly hires a cyber forensic investigator (YOU) to determine what malicious activity has taken place, where it originated, and whether the company is to blame (i.e., could be sued) for any damages.
Unfortunately, because the accounting department computers contain sensitive customer financial information, the CEO will only allow you access to the suspicious greencat-2 binary. By investigating only this binary, can you determine:
1. What malicious activity has taken place?
2. Where did it originate from?
3. Is the company to blame (i.e., could it be sued) for any damages?
Instructions:
Download webc2-greencat-2.7z from Dropbox: https://www.dropbox.com/scl/fi/95t2w0nk2z749yed1f3vb/webc2-greencat-2.7z?rlkey=e2740othz3n5v47dpxxrdb15l&dl=0
Move this archive to the machine where you are running GHIDRA and extract it with the following 7z command. The 7z file is password protected; the password is “infected” (no quotes), and 7z will prompt you for it (or you can pass it on the command line with -pinfected). Extract the sample only inside your lab environment and never execute it: this is a live malware sample, and the “infected” password is the usual convention for keeping such samples from being run or scanned by accident.
7z e webc2-greencat-2.7z
After extracting the malware, check that the extracted binary’s MD5 hash matches the value below. GHIDRA also shows the MD5 hash after loading the binary, so double-check it in GHIDRA as well.
57e79f7df13c0cb01910d0c688fcd296 webc2-greencat-2
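The hash check described above, written out as an added example (this is not part of the assignment’s own tooling). The expected MD5 and the file name are the values given in the assignment; the code is the example’s own. It also computes SHA-256, because MD5 is collision-prone and SHA-256 is the digest you would want to record in your own analysis notes; the SHA-256 of the real sample is not stated here, the script only prints whatever it computes.

```python
"""Hash check for the extracted sample (added example, not the assignment's own code).

EXPECTED_MD5 and SAMPLE_NAME are the values the assignment gives; everything
else is this example's own code.  SHA-256 is computed as well because MD5 is
collision-prone; the script prints it but asserts nothing about it.
"""
import hashlib
import sys

EXPECTED_MD5 = "57e79f7df13c0cb01910d0c688fcd296"   # from the assignment
SAMPLE_NAME = "webc2-greencat-2"                       # extracted file name from the assignment


def digest_bytes(data, algo="md5"):
    """Hex digest of an in-memory byte string."""
    return hashlib.new(algo, data).hexdigest()


def digest_file(path, algo="md5", chunk=1 << 16):
    """Hex digest of a file, read in chunks so large samples need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_md5(path, expected=EXPECTED_MD5):
    """True when the file's MD5 equals `expected` (compared case-insensitively)."""
    return digest_file(path, "md5") == expected.lower()


if __name__ == "__main__":
    # Usage: python check_hash.py [path]   (defaults to the assignment's file name)
    path = sys.argv[1] if len(sys.argv) > 1 else SAMPLE_NAME
    ok = verify_md5(path)
    verdict = "OK" if ok else "MISMATCH: do not analyze this file"
    print(f"md5    {digest_file(path, 'md5')}  {verdict}")
    print(f"sha256 {digest_file(path, 'sha256')}")
    sys.exit(0 if ok else 1)
```

A non-zero exit status on mismatch lets you chain the check in front of anything else you script in the lab environment; a mismatch means you have a different file (a corrupted download or the wrong archive member), not merely a cosmetic difference.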
Load the executable into GHIDRA. This malware is a standard 32-bit PE executable.
Starting from the WinMain(…) function located at 0x0040297D, follow the control flow in the disassembly. Imagine that you are a recursive-descent disassembler: start at the entry of each function, follow every call and branch target you encounter, and continue until that function returns.
Comments should be placed on every block of logically related instructions. “Logically related” means 5 or fewer sequential instructions that together accomplish a single (easily commented) action. Control-flow instructions (e.g., call, jmp) cannot be in the middle of a commented block; they can only be the first or last instruction of the block!
Since this binary is dynamically linked, you will have to look up any library functions that you do not know (Microsoft’s Win32 API documentation or a web search will do). This is important for understanding the return values and side effects (e.g., the memory written by strcpy) of the library functions.
It will be helpful if you keep track of the values in memory! For example, some library calls save data into a buffer in memory (e.g., GetUserNameExA) and greencat-2 uses that data later on. GHIDRA can help with this: it shows the (uninitialized) data locations where static variables live. You can double-click any static variable’s name to jump to its location and add comments or dummy values. Unfortunately, GHIDRA cannot help with dynamically allocated variables. You do not have to turn in anything related to memory tracking, but it will be helpful to you.
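The recursive-descent walk and block-commenting rule described above, as an added example that is not part of the assignment and not code from greencat-2. The listing below is constructed for illustration: the addresses, instructions and branch targets are invented and have nothing to do with the real binary. The walker follows calls, conditional jumps (both edges) and unconditional jumps, stops at returns, and then splits the reachable instructions into basic blocks. Because a block always ends at a control-flow instruction and a new one starts at every branch target, a call or jmp can only ever be the first or last instruction of a block, which is exactly the commenting constraint above. The byte that no path reaches shows what recursive descent skips and a linear sweep would not.

```python
"""Toy recursive-descent walk over a constructed instruction listing.

Added example: the listing, addresses and mnemonics below are invented to
illustrate the method and are NOT taken from greencat-2.
Each entry is address -> (mnemonic, size_in_bytes, branch_target_or_None);
the fall-through address of an instruction is address + size.
"""
from collections import deque

CONDITIONAL_JUMPS = {"jz", "jnz", "je", "jne", "ja", "jb", "jg", "jl", "jle", "jge"}

# Constructed sample listing with hypothetical addresses.
TOY_LISTING = {
    0x1000: ("push", 1, None),
    0x1001: ("call", 5, 0x1020),   # call: follow the target AND the return address
    0x1006: ("test", 2, None),
    0x1008: ("jz",   2, 0x1010),   # conditional: target and fall-through are both live
    0x100A: ("mov",  5, None),
    0x100F: ("ret",  1, None),     # return ends this function's flow
    0x1010: ("xor",  2, None),
    0x1012: ("jmp",  2, 0x100F),   # unconditional: no fall-through edge
    0x1014: ("int3", 1, None),     # reached by no path: recursive descent never visits it
    0x1020: ("mov",  5, None),     # callee body
    0x1025: ("ret",  1, None),
}


def successors(addr, insn):
    """Addresses control can flow to after executing insn at addr."""
    mnem, size, target = insn
    fall_through = addr + size
    if mnem == "ret":
        return []                         # a return ends the walk on this path
    if mnem == "jmp":
        return [target]
    if mnem == "call" or mnem in CONDITIONAL_JUMPS:
        return [target, fall_through]     # call comes back; cond. jump may not be taken
    return [fall_through]


def recursive_descent(listing, entry):
    """Return the set of instruction addresses reachable from entry."""
    reachable = set()
    work = deque([entry])
    while work:
        addr = work.popleft()
        if addr in reachable or addr not in listing:
            continue
        reachable.add(addr)
        work.extend(successors(addr, listing[addr]))
    return reachable


def basic_blocks(listing, entry):
    """Split the reachable instructions into basic blocks.

    A block starts at the entry, at every branch/call target and at the
    fall-through after a call or conditional jump; it ends at a control-flow
    instruction.  Hence call/jmp can only be first or last in a commented block.
    """
    reachable = recursive_descent(listing, entry)
    leaders = {entry}
    for addr in reachable:
        mnem, size, target = listing[addr]
        if mnem == "jmp" or mnem == "call" or mnem in CONDITIONAL_JUMPS:
            leaders.add(target)
            if mnem != "jmp":
                leaders.add(addr + size)
    blocks, current = {}, None
    for addr in sorted(reachable):        # the smallest reachable address is always a leader
        if addr in leaders:
            current = addr
            blocks[current] = []
        blocks[current].append(addr)
    return blocks


def dead_code(listing, entry):
    """Addresses in the listing that recursive descent never visits."""
    return sorted(set(listing) - recursive_descent(listing, entry))


if __name__ == "__main__":
    for start, addrs in basic_blocks(TOY_LISTING, 0x1000).items():
        print(f"block {start:#06x}: " + ", ".join(TOY_LISTING[a][0] for a in addrs))
    print("unreachable:", [hex(a) for a in dead_code(TOY_LISTING, 0x1000)])
```

Each block printed by the script is one unit you would comment in GHIDRA; if a block in the real binary runs past five instructions, split it at the point where the action changes rather than at an arbitrary instruction.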
Optional: Provide answers to the 3 investigation questions from above in a file called answers.txt and submit it with your lab submission in Gradescope. MAX of 5 sentences per answer. 5 bonus points per correct answer.
As always: Post any questions or ideas on Ed Discussion! Even code snippets are fine, as long as they do not give away a key answer to this assignment. Class collaboration is encouraged — It’s us versus malware! If you’re not sure if your post is safe, send it to the Prof/TA in a private post to verify.
Exporting Comments from GHIDRA
-5 points for not following these steps properly.
Default export settings in GHIDRA will truncate comments!
Click on File and then click on Export Program, as shown in the figure below.
This opens a pop-up; choose the ASCII format there, as shown in the figure below.
Click on Options to increase the end-of-line width (the maximum comment width).
Grade: 100 points
Grading Criteria:
The grade will be based on how well you understood the functionality and capabilities of greencat-2.
-10 points for each key malware functionality that your team fails to comment or entirely misunderstands (e.g., your comments say the code is reading a file, but it is really writing to a socket). All key malware functionality in greencat-2 is reachable via careful recursive descent (there are no anti-disassembly tricks). I will not deduct points for misunderstanding single instructions.
Bonus:
5 bonus points will be awarded for each correct answer to the 3 investigation questions above.
Teams:
This assignment can be done individually or in a team of 2. Please join a group in Gradescope if you are collaborating.
Do not create or join a group in Canvas. Canvas groups are different from Gradescope groups.
New to Gradescope? This link provides instructions for how to create groups in Gradescope: https://help.gradescope.com/article/m5qz2xsnjy-student-add-group-members
Zoom can also provide the ability to collaborate and video conference with your teammate.
If you would like to set one up, your team can collaborate using a GHIDRA server; the instructions can be found in the following blog post. Make sure to configure your server so that it is not publicly reachable. This is outside the scope of this class, so we cannot provide IT support for GHIDRA servers, but please post any questions or tips on Ed!
https://byte.how/posts/collaborative-reverse-engineering/
For people who are new to GHIDRA and would like some insight, here is a blog post for that as well: https://byte.how/posts/what-are-you-telling-me-ghidra/
Submission Instructions:
Upload your commented ASCII Listing file exported from GHIDRA (called submission.txt) to the assignment in Gradescope.
Note: Gradescope will only check the formatting of your submission. Gradescope will not automatically check for correctness and provide a grade.
Upload your answers to the three questions in a file named answers.txt. Do not zip or compress the files.
Note: You can download the webc2-greencat-2.7z file directly into your lab environment. After you are done with this lab, you can submit your files directly from the lab environment (highly recommended). Doing this saves you from transferring the files from the lab workspace to your personal computer.
Transferring Files:
To transfer files from your personal device to the lab environment:
Create a zip folder of all the files that you would like to transfer to the lab environment.
Every GT student has Box and OneDrive accounts provided free by the institution. Log in to either of those two services and upload the desired files.
Now go back to the lab environment and log in to the service where you uploaded your zip folder. Download the folder to the lab workspace and use the appropriate 7z command to extract it.
Additional Resources
The following video shows how to create header files and load them into Ghidra so you can set datatypes to whatever you defined: https://www.youtube.com/watch?v=u15-r5Erfnw&ab_channel=0x6d696368
Is ChatGPT (or other AI assistance) allowed for this lab?
The short answer is yes, ChatGPT or other AI assistance software is allowed for this assignment, since after all real practitioners will use all of the tools at their disposal to fight threat actors. Please keep in mind the following, however:
Do not directly copy anything from the AI assistant chat window. It is crucial for you as the student to be able to articulate your understanding in your own words.
ChatGPT and other AI assistants are notoriously bad at interpreting assembly, especially assembly that a malware author has intentionally obfuscated to hinder a human analyst! Do not blindly assume that the AI assistant’s interpretation is correct.
Often an AI assistant’s interpretation of assembly does not capture the true intention of the code and instead regurgitates what the CPU does for each instruction. We expect your comments to capture the high-level reason for the code’s existence; it is not sufficient to explain which registers store which values without understanding the underlying reasoning.