SANS Digital Forensics and Incident Response Blog

Malware Analysis Challenge to Strengthen Your Skills

About a year ago I collaborated with the folks at Lake Missoula Group to create a malware-themed network forensics puzzle. That contest is now over; however, I would like to provide an opportunity to learn from the scenario defined in that puzzle to strengthen your malware analysis skills. If this sounds interesting, I suggest you proceed as follows:

  1. Read the scenario described in the original puzzle: Ms. Moneymany's Mysterious Malware.
  2. Obtain the PCAP file containing malicious artifacts from the original puzzle page linked above.
  3. Consider answering the 7 questions in the original puzzle to strengthen your network forensics skills.
  4. Consider reviewing the winning and finalist answers to the original puzzle.
  5. Answer the 7 follow-up questions below.
  6. Post your solutions on-line and add a comment to this blog post with a link to it.
Important: The answers to this follow-up challenge will not be graded and there is no prize. This is simply an opportunity to strengthen your malware analysis skills and to help others learn from your experience. I will post the correct answers to the follow-up questions about a month after this blog post is published. Also, be careful when analyzing the malicious files referenced above: you will infect your system with real malware if you're not careful about handling them in an isolated malware lab.

The follow-up questions for this challenge are below. They refer to the malicious executable and other artifacts you need to first extract from the referenced PCAP file.

  1. When the malicious Windows executable runs on the infected system, it creates a hidden directory where it stores two files. What is the name of this directory?
  2. The malicious Windows executable creates a hidden registry key to make sure the executable runs whenever the victim reboots and logs into the Windows system. What is the full path of that registry key?
  3. The malicious webpage that the user's browser loaded used JavaScript obfuscation to protect some of its contents. The deobfuscated page included an "iframe" HTML element. What was the URL referenced by this "iframe"?
  4. One of the Java applets downloaded by the user's browser targeted a vulnerability in the Java Runtime Environment (JRE). What was the name of the file that directly implemented the exploit?
  5. The malicious Windows executable attempts to inject code into several processes. Which functions in WININET.dll does the executable hook to interfere with normal operations of the infected system?
  6. The malicious Windows executable attempts to delete files on the infected system. What file categories does the executable attempt to delete?
  7. What other interesting characteristics does the malicious Windows executable possess? This is a somewhat open-ended question. It is designed to help those who have answered the other questions to stand out.
When sharing your answers, please provide an explanation of how you arrived at the answers, so we can all learn from your approach.

If you're new to malware analysis, here are a few resources to help you get started:

Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.

4 Comments

Posted September 10, 2011 at 1:58 AM

Tyler D

Unfortunately, my post took up too much space, so I am using pastebin for my answer which can be found here:
http://pastebin.com/wFX8wKdW

Posted September 15, 2011 at 1:33 AM

Lenny Zeltser

Great job, Tyler! You answered all the questions correctly. Great job in explaining your observations without getting into too many details, but providing enough information that would probably allow another analyst to validate your findings. Striking this balance is hard, and I think you did this well. If you were presenting a report in a format that supported screen shots, then such screen shots would have been a powerful addition to the write-up.

-- Lenny

Posted September 23, 2011 at 6:32 AM

MariaCristina

I tried the challenge just to test my skills, although I knew it would be a hard job for me, because I usually analyse other, "easier" infections (programmatically speaking), such as trojan Bankers. Although I was able to answer all the questions about the pcap file, and also all the questions about the malware itself (except 4 and 5), and I'm very happy about this =), I want to let you know that I have learned a lot from the other answers I read.

Posted October 05, 2011 at 9:52 PM

Paul

This is a great educational tool and I only wish there were more exercises like these available concentrating on malware forensics. In fact, I suppose pcaps from real incidents, transferred from a malware lab environment and factored into a series of forensics 'find out what happened' exercises, would be low risk (for the student of course!) while really furthering malware analysts' understanding. Lake Missoula Group have done a great job over at forensicscontest.com and I'm so keen for this I'd be keen to help out personally as an amateur malware analyst, if only to validate others' findings on malware examples.
