Malware Analysis Lab 7: Advanced Dynamic Analysis [1]
How you will be graded
Create a lab report with screenshots and analysis for each of the exercises below. For each exercise you must answer the following questions:
1. For this analysis, what malware analysis type, forensic method and forensic tool did you use?
2. Why did you perform this analysis?
3. What were your findings and your analysis of the results?
Name the lab report file 'Lastname_MAL7 Lab Report' and submit it to the Blackboard assignment Malware Analysis Lab 7.
Exercise background
• Malware Analysis Technique Class: Advanced Dynamic Analysis
• Forensic Software: OllyDbg
• Forensic Software Vendor Site: http://www.ollydbg.de/
• Forensic Software Description: OllyDbg is a 32-bit assembler level analyzing debugger for Microsoft® Windows®. Emphasis on binary code analysis makes it particularly useful in cases where source is unavailable. [2]
Lab Configuration Requirements
• VM: 'Win2008-DC' VM [3]
Note: The VM must be available in VMware Workstation. If not, go to the file location below and follow the section of the instructions titled 'Setup 'Win2008-DC' VM', step '2. Open 'Win2008-DC' VM in VMware Workstation'.
File Location: ITN277LabFiles.iso\LabSetupInstructions\ITN277 Initial Lab Setup.pdf
• ISO: ITN27xLabFiles.iso [4]
• Forensic Software Location: 'Win2008-DC' VM – C:\ProgramData\Microsoft\Windows\Start Menu\Programs\OLLYDBG.BAT
Note: The forensic software should be preloaded in the VM. If not, run the following setup file inside the VM:
ITN27xLabFiles.iso\ForensicTools\OLLYDBG\OLLYDBG_Setup.bat
• Malware Lab Files:
Lab 1: Practical Malware Analysis Labs\BinaryCollection\Chapter_9L\Lab09-01.exe
Lab 2: Practical Malware Analysis Labs\BinaryCollection\Chapter_9L\Lab09-01.exe
Note: The lab files should be located on the desktop of the VM. If not, they are in
ITN27xLabFiles.iso\Caution_FilesContainMalware\PracticalMalwareAnalysis-Labs.7z
To mount the ISO in the VM, follow these instructions:
a. In VMware Workstation, right-click the VM and click Properties
b. Double-click CD/DVD (IDE)
c. Select 'Use ISO image file' and point it to D:\YourName\LabSetupFiles\ITN27xLabFiles.iso
d. Make sure the 'Connected' box is checked

[1] Lab source: https://samsclass.info/126/proj/p11-lab09-01.htm
[2] Software source: http://www.ollydbg.de/
[3] VM source: https://drive.google.com/file/d/0B9d0eQ6GRR2jTXpOZ2lZbDFvdUk/view
[4] The ISO can be downloaded from: Blackboard ITN277 Course\Course Documents
Exercise 1. Finding the Main Entry Point
• Click Start, in the search box type 'OllyDbg' and click 'OllyDbg.bat'
• Open the Lab09-01.exe file in IDA Pro.
• Click Options, General. Check 'Line prefixes', as shown below.
• Click OK.
• Click Windows, 'Reset Desktop'.
• IDA Pro shows that main begins at 0x402AF0, as shown below:
Saving the Screen Image
• Make sure you can see the 0x402AF0 address, as shown above.
• On your keyboard, press the PrntScrn key.
• Click Start, type in PAINT, and open Paint.
• Press Ctrl+V to paste the image of your desktop.
Save a full-desktop image with the filename 'PMAL7_E1_YOUR NAME'.
Exercise 2. Using OllyDbg to Step Through Quickly
• Click Start, in the search box type 'OllyDbg' and click 'OllyDbg.bat'
• Open Lab09-01.exe in OllyDbg.
• You start at the program's entry point, a preamble (the C runtime startup code) that runs before the main function you saw in IDA Pro, as shown below.
• Press F8 forty times to step over until you reach address 0x403933. In the upper left pane of OllyDbg, scroll down a few lines to show the code that sets up the arguments and calls main, as highlighted below.
• Press F7 five times to load the parameters and call main from 0x403945, showing a new section of code starting at 0x402AF0, as shown below.
• Press F7 twenty-one times to call a short subroutine and get to 0x402AFD, as shown below.
• This CMP operation tests whether the number of command-line arguments (argc, which counts the program name itself) is 1, i.e. whether the program was started with no arguments.
• Press F7 three times to pass the test and jump to 0x00401000, as shown below.
• Now we are in the routine starting at 0x401000.
• It calls RegOpenKeyExA at 0x40101B.
• Left-click the line starting with 0x401021 and press F2 to set a breakpoint there. That address turns red, as shown below.
• Left-click the line starting with 0x401000. Press F9 to run to the breakpoint.
• Look at the upper right to see the registers. EAX holds the return value of RegOpenKeyExA and now contains 2, as shown below.
• That is a non-zero error code, as explained here:
http://msdn.microsoft.com/en-us/library/windows/desktop/ms724897(v=vs.85).aspx
• RegOpenKeyExA returns 0 (ERROR_SUCCESS) when the key is opened; 2 is ERROR_FILE_NOT_FOUND, which means the check failed: the registry key it was looking for does not exist.
• Press F7 three times to get to location 0x401027.
• Press F7 to execute the JMP.
• Press F7 three times to step through the subroutine and get to 0x402B08.
• Press F7 three times to get to location 0x402410, as shown below:
• This function uses GetModuleFileName to get the path to the current executable and builds the ASCII string
/c del path-to-executable >> NUL
which, when passed to cmd.exe, deletes the malware's own file and discards the output.
• To see that, set a breakpoint just after GetShortPathNameA (at 0x402449), so its address turns red, as shown below.
• Click the line starting with 0x402410 to highlight it.
• Press F9 to run to the breakpoint.
• You should now be on the line ending with ASCII "/c del ", as shown below.
• By holding F7 down or tapping it many times, you can play the code forward like a movie in slow motion.
• Watch as the code slowly steps through a long path name in EDI. Then the path name flips quickly through several registers, ending up in EDX.
• Stop when you see a string in EDX starting with
ASCII "/c del C:
as shown below:
Troubleshooting
If you press F7 too many times, EDX empties. To get back to this point, do these steps:
• From the OllyDbg menu bar, click Debug, Restart
• Click Yes
• Press F9 to run to the breakpoint at 0x401021
• Press F9 to run to the breakpoint at 0x402449
• Hold down or tap F7 several dozen times to get to the desired point
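The self-delete string you watched being assembled in EDX can also be confirmed statically, which is a useful cross-check to cite in the lab report's findings. The script below is an added example for this lab, not code from the samsclass page or from Practical Malware Analysis; it pulls printable ASCII strings out of a byte buffer and flags the idiom observed above: a "/c del" fragment plus a ">> NUL" redirection alongside the path-retrieval APIs (GetModuleFileNameA, GetShortPathNameA) and the registry API (RegOpenKeyExA) seen in the debugger. The indicator sets are the author's assumption, and SAMPLE_BLOB is a constructed stand-in, not the real Lab09-01.exe; run it with a file path to scan a copy of the sample inside the VM.

```python
import re

# Constructed stand-in for a slice of the binary's data section. It is NOT
# Lab09-01.exe; it only carries the kinds of strings the OllyDbg walk-through
# observed (the "/c del" fragment, the ">> NUL" redirection, and the names of
# the APIs seen at 0x40101B and around 0x402410), padded with junk bytes.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"                  # fake DOS header bytes (junk)
    + b"RegOpenKeyExA\x00GetModuleFileNameA\x00GetShortPathNameA\x00"
    + b"\x00\x00\x00\x00"
    + b"/c del \x00"                               # command fragment seen in OllyDbg
    + b" >> NUL\x00"                               # redirection appended after the path
    + b"\x8b\xff\x55\x8b\xec"                      # a few x86 opcode bytes (junk)
)

MIN_STRING_LEN = 4

# Assumed indicator sets: an analyst's choice for this lab, not a rule from it.
SELF_DELETE_APIS = {"GetModuleFileNameA", "GetShortPathNameA"}
REGISTRY_APIS = {"RegOpenKeyExA"}
SELF_DELETE_FRAGMENTS = ("/c del", ">> NUL")


def extract_ascii_strings(blob: bytes, min_len: int = MIN_STRING_LEN):
    """Return printable-ASCII runs of at least min_len characters, whitespace-stripped."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii").strip() for m in re.finditer(pattern, blob)]


def triage(blob: bytes) -> dict:
    """Look for the self-delete idiom and the APIs that support it."""
    strings = set(extract_ascii_strings(blob))
    fragments = sorted(
        s for s in strings if any(frag in s for frag in SELF_DELETE_FRAGMENTS)
    )
    apis = sorted(SELF_DELETE_APIS & strings)
    registry = sorted(REGISTRY_APIS & strings)
    return {
        "self_delete_fragments": fragments,
        "self_delete_apis": apis,
        "registry_apis": registry,
        # Require both the command text and a path-retrieval API before
        # claiming the self-delete idiom; either alone is weak evidence.
        "likely_self_delete": bool(fragments) and bool(apis),
    }


def triage_file(path: str) -> dict:
    """Run triage on a file on disk (e.g. a copy of the sample inside the VM)."""
    with open(path, "rb") as fh:
        return triage(fh.read())


if __name__ == "__main__":
    import sys
    result = triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage(SAMPLE_BLOB)
    for key, value in result.items():
        print(f"{key}: {value}")
```

This only scans ASCII strings and does not parse the PE import table, so an API name found this way may be an import-name string or a string the sample resolves at runtime; the dynamic trace in OllyDbg remains the authoritative evidence, and the script is a quick corroboration for the report.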
Saving the Screen Image
• Make sure you can see the EDX register with a value starting with ASCII "/c del C: as shown above.
• On your keyboard, press the PrntScrn key.
• Click Start, type in PAINT, and open Paint.
• Press Ctrl+V to paste the image of your desktop.
Save a full-desktop image with the filename 'PMAL7_E2_YOUR NAME'.