About a year ago I collaborated with the folks at Lake Missoula Group to create a malware-themed network forensics puzzle. That contest is now over; however, I would like to provide an opportunity to learn from the scenario defined in that puzzle to strengthen your malware analysis skills. If this sounds interesting, I suggest you proceed as follows:
- Read the scenario described in the original puzzle: Ms. Moneymany's Mysterious Malware.
- Obtain the PCAP file containing malicious artifacts from the original puzzle page linked above.
- Consider answering the 7 questions in the original puzzle to strengthen your network forensics skills.
- Consider reviewing the winning and finalist answers to the original puzzle.
- Answer the 7 follow-up questions below.
- Post your solutions on-line and add a comment to this blog post with a link to it.
The follow-up questions for this challenge are below. They refer to the malicious executable and other artifacts you need to first extract from the referenced PCAP file.
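Before any of the questions can be tackled, the executable and the Java archives have to come out of the capture. The script below is an added example, not code from the original puzzle or from Lake Missoula Group. It reads the classic libpcap format (not pcapng), reassembles TCP payload per flow in arrival order, and carves HTTP response bodies whose first bytes match the PE (`MZ`) or ZIP/JAR (`PK\x03\x04`) signature. The capture it runs against is constructed in memory so the script works offline; the function names, the 108-byte fake PE and the 10.0.0.x addresses are all assumptions made for this example, not values from the puzzle PCAP.

```python
"""Carve HTTP-delivered files out of a libpcap capture (added example).

Limits: classic libpcap only, Ethernet/IPv4/TCP only, segments are
concatenated in capture order (no sequence-number reassembly, no
retransmission handling), and no chunked transfer encoding.
"""
import struct
from collections import defaultdict

# File-type signatures worth pulling out of a malware capture.
SIGNATURES = {b"MZ": "exe", b"PK\x03\x04": "jar_or_zip"}


def iter_frames(pcap: bytes):
    """Yield raw link-layer frames from a classic libpcap byte string."""
    magic = pcap[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a classic libpcap file")
    linktype = struct.unpack(endian + "I", pcap[20:24])[0]
    if linktype != 1:  # DLT_EN10MB
        raise ValueError("only Ethernet captures are handled")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes):
    """Return (flow_key, payload) for an IPv4/TCP frame with data, else None."""
    if len(frame) < 14 or frame[12:14] != b"\x08\x00":  # EtherType IPv4
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:  # protocol field: 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    payload = tcp[data_off:]
    if not payload:
        return None
    return (ip[12:16], sport, ip[16:20], dport), payload


def carve_http_bodies(pcap: bytes):
    """Return [(kind, body_bytes)] for every HTTP response body with a known signature."""
    streams = defaultdict(bytes)
    for frame in iter_frames(pcap):
        hit = tcp_payload(frame)
        if hit:
            key, payload = hit
            streams[key] += payload
    found = []
    for data in streams.values():
        pos = 0
        while True:
            start = data.find(b"HTTP/1.", pos)
            if start < 0:
                break
            hdr_end = data.find(b"\r\n\r\n", start)
            if hdr_end < 0:
                break
            headers = data[start:hdr_end].decode("latin-1").lower()
            body_start = hdr_end + 4
            length = None
            for line in headers.split("\r\n"):
                if line.startswith("content-length:"):
                    length = int(line.split(":", 1)[1].strip())
            body = data[body_start:body_start + length] if length is not None else data[body_start:]
            for sig, kind in SIGNATURES.items():
                if body.startswith(sig):
                    found.append((kind, body))
            pos = body_start + len(body)
    return found


def _frame(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame around `payload` (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1])) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_sample_pcap() -> bytes:
    """Constructed capture: a fake PE split over two segments, plus an HTML reply to ignore."""
    fake_exe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"A" * 40  # 108 bytes, not a real binary
    exe_resp = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                b"Content-Length: %d\r\n\r\n" % len(fake_exe)) + fake_exe
    html_resp = b"HTTP/1.1 200 OK\r\nContent-Length: 6\r\n\r\n<html>"
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, DLT_EN10MB
    for sport, dport, chunk in ((80, 49152, exe_resp[:60]), (80, 49152, exe_resp[60:]),
                                (80, 49153, html_resp)):
        frame = _frame(sport, dport, chunk)
        out += struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    for kind, body in carve_http_bodies(build_sample_pcap()):
        print(kind, len(body), "bytes")
```

To use it on a real capture, replace `build_sample_pcap()` with the bytes of the PCAP file and write each carved body to disk with an extension matching `kind`; the hash of each carved file is then the natural starting point for the questions that follow.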
- When the malicious Windows executable runs on the infected system, it creates a hidden directory where it stores two files. What is the name of this directory?
- The malicious Windows executable creates a hidden registry key to make sure the executable runs whenever the victim reboots and logs into the Windows system. What is the full path of that registry key?
- One of the Java applets downloaded by the user's browser targeted a vulnerability in the Java Runtime Environment (JRE). What was the name of the file that directly implemented the exploit?
- The malicious Windows executable attempts to inject code into several processes. Which functions in WININET.dll does the executable hook to interfere with normal operations of the infected system?
- The malicious Windows executable attempts to delete files on the infected system. What file categories does the executable attempt to delete?
- What other interesting characteristics does the malicious Windows executable possess? This is a somewhat open-ended question. It is designed to help those who have answered the other questions to stand out.
If you're new to malware analysis, here are a few resources to help you get started:
- Building a Malware Analysis Toolkit Using Free Tools
- Using VMware for Malware Analysis
- Introduction to Malware Analysis Webcast