Lab write up. General Physics Lab writeup guidelines 2022-10-18

Biology Lab Write Up

Lab 10-2 The file for this lab is Lab10-02. After this we run the installation function of the malware with the below. Basic Dynamic Analysis This details analysis undertaken and answers to the lab questions in Chapter 3. Question 5 What type of encoding is used for command arguments? This malware was initially analyzed in the Chapter 3 labs using basic static and dynamic analysis techniques. Does it match any existing antivirus definitions? Laboratory Experiment Format The format of the experiments in the manual are as follows: 1.

Lab Write

Stores offset address of next instruction. Answer 1 Given this incorporates anti-debugging techniques a good place to start is with a disassembler rather than a debugger. This leads us to believe that the malware obtains commands through tags which is similar to Lab06-02. Answer 4 If we examine 0x00401133 we can see that a number of Hex values are being moved onto a relevant area of the stack segment. Lab 1-2 This lab uses the file Lab01-02. The method of how this is done is generally within the stub. What we can see is that this is some sort of decoding routine given how it loads bytes, loops and shifts bits.

General Physics Lab writeup guidelines

Do not include relatively trivial things like turning on a switch. By Base64 decoding this we get the below. This continues to open a new web browser pointing at this webpage at regular intervals. From here we can use OllyDump to dump our debugged process. This method can also be used if we are leveraging ImmDbg ImmunityDebugger as our debugger of choice. At this point if we look closer into the memory strings of running svchost processes, we can see that this malware has used process replacement more commonly known as Question 2 Can you identify any live memory modifications? From this output we can see it is the starting header shown when cmd.

Lab Write Up

Summarize the basic physics of your experiment. Question 5 How can you use this malware to get user credentials from your test environment? After this we see what looks to be unusual comparisons taking place. If it has a not zero flag set it will jump, yet our disassembler has trusted the false condition of this statement. Cover Sheet: Title of experiment, your name, date that experiment was performed, partner's names. Here we can see it is querying WorkTime, and WorkTime registry keys. If these are disassembled it can lead to 4-bytes being hidden from view. Question 3 Are there any useful network-based signatures for this malware? If this was setup to alert on any traffic to this domain then in the case of a compromised domain or a domain which is reused it would be very easy to make the rule too broad.

Practical Malware Analysis

The coyote skull had a much rounder nose than the deer. In this case it uses a specified domain name, uses port 80, always fetches a specific file, and uses a custom but unique User-Agent. In this experiment I will show that the finch will continue to evolve until its beak has reached the optimal size for sustaining life, when changing the beak size to a much larger size we will see that the finch will have no need for further evolution of its beak and that its population will become much more stable and consistent throughout the years. The other imports are common among drivers; however, this particular import gives us the impression that the driver will be getting a pointer to the current process it is running from, and in essence will be either getting information about it or modifying it. By stepping back to what is calling this we can see that 41h or 0x41 in hex is being pushed to the stack first, so will be the third argument popped off the stack, and in this case indicates our key for decoding.

Analysing Link List Traversal Linked List is data structure with data records which contain a reference link to the next record in the sequence. Question 1 What is the purpose of this program? If not, how can you decode the content? Question 8 What is the significance of the. How many at a depth of 2? Question 2 What happens when you run this malware? This is based on an instruction and whenever the instruction occurs it is checked. At this point we know the communication channels both to and from the anonymous pipe to cmd. You may need to recreate a wiring diagram or draw the apparatus in order to refer to it later during discussion. This is yet another benefit of us running this through the python script; however, the purpose still stands based on how the python script works.

Identifying Structures aka Structs Similar to arrays but can contain different element types. Question 3 How does the malware steal user credentials? So, the average is used in the denominator. Does it match any existing antivirus definitions? Also, due to the strong polar nature of salt molecules when dissolved, water may have a harder time sticking to each other, making adhesion possibly a stronger force than cohesion while in solution. Examining the reference to this function gives us the impression that the below formatted string will be written to the file msutil32. Question 1 What hard-coded elements are used in the initial beacon? Question 1 How can you get this malware to install itself? Analyse this using basic dynamic analysis tools. For example by looking at this binary using pestudio we can immediately see this picks up on some imports and strings that help lead us to believe it acts as a keylogger.

Make sure that these files are in the same directory when performing the analysis. To understand why we begin to dig further into the kernel driver. Analyze the malware found in file Lab14-03. By running the program with F9, we hit a breakpoint right before a jump at 0x407551 which looks to be our Tail Jump. On both the top and bottom jaws, there were two incisors, one canine, two premolars, and two molars. This matches the reference to milliseconds, in that there are 1000 milliseconds in a second.