This is a take-home exam. You may use resources on the Internet, e.g. MSDN and search engines, as needed.
The exam is due by 5pm next Monday, April 9. To turn in the exam for grading, send a text or PDF file to me, Charles Nicholas <nicholas@umbc.edu>, and cc the TAs Ben and RJ. Text or PDF only! Word files will not be accepted.
Each of the two problems should require no more than three printed pages to answer. However, I am not interested in simple yes or no answers. Instead, tell me the answer, and how you got there.
You are free to use any tools we've discussed in class, including IDA and the debugger of your choice.
If you have questions about the exam, you are free to contact me by email, cc to the graders as shown above.
The malware specimens are in this zipped file, midterm2018.7z. The password is "infected" without the quotes. Careful! Extract the two specimens to a virtual machine!
You will need to have a Windows VM and a Linux VM connected on an internal network in order to complete the midterm. You may use a debugger, VirusTotal, and/or any free online sandboxes during the midterm. However, it is possible to answer all of the questions without any of these tools.
The Practical Malware Analysis textbook is an excellent resource for the midterm. You can find useful information in the following chapters if you get stuck:
File 1: midterm2018q1.exe (Total 55 pts)
1) What is the SHA-256 hash of midterm2018q1.exe? (1 pt)
2) What evidence is there to suggest that the file midterm2018q1.exe is packed? (6 pts)
3) Identify the packer that midterm2018q1.exe was packed with and use it to unpack the file. What is the SHA-256 hash of the unpacked file? Describe how you identified the packer and unpacked midterm2018q1.exe. (10 pts)
4) List any interesting strings that you find in the unpacked file, as well as why you believe they are suspicious or important. Which of these strings are potential host-based and/or network-based malware indicators? (10 pts)
5) Connect your Windows and Linux virtual machines on an internal network, then run midterm2018q1.exe. If you get a popup from the firewall, make sure that the malware sample is unblocked. After you’ve run the malware, open the command prompt and run “netstat -abn”. What port is the malware listening on? (6 pts)
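The "netstat -abn" step above is easier to reason about if you know how the output is laid out: each TCP/UDP line is followed by one or more lines naming the owning service and, in square brackets, the owning executable (or a "Can not obtain ownership information" line when netstat cannot tell). The following Python script is an added example, not part of the exam or the specimen, that parses that layout and answers "which ports is a given executable listening on?" from a constructed sample. The sample output, the port 1234 and the other processes in it are made up for illustration; port 1234 is only the placeholder the exam itself uses.

```python
import re
from dataclasses import dataclass

# Constructed sample of "netstat -abn" output (not captured from the exam
# specimen). Port 1234 is the exam's own placeholder, not the real answer.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    0.0.0.0:1234           0.0.0.0:0              LISTENING
 [midterm2018q1.exe]
  TCP    192.168.0.10:49160     192.168.0.20:443       ESTABLISHED
 [chrome.exe]
  UDP    0.0.0.0:5355           *:*
 [svchost.exe]
"""

# A socket line: protocol, local address, foreign address, optional state (UDP has none).
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")
# An ownership line produced by -b: the executable name in square brackets.
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


@dataclass
class Socket:
    proto: str
    local: str
    remote: str
    state: str
    owner: str = "?"  # "?" when netstat could not obtain ownership information

    @property
    def port(self) -> int:
        # rsplit on the last colon so IPv6 addresses such as [::]:135 also work.
        return int(self.local.rsplit(":", 1)[1])


def parse_netstat(text: str) -> list:
    """Turn netstat -abn text into Socket records with their owning executable."""
    sockets = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state = m.groups()
            sockets.append(Socket(proto, local, remote, state or "", "?"))
            continue
        m = OWNER_RE.match(line)
        if m and sockets:
            # Ownership lines belong to the most recent socket line.
            sockets[-1].owner = m.group(1)
    return sockets


def listening_ports(text: str, exe_name: str) -> list:
    """Sorted (proto, port) pairs on which exe_name is listening (UDP counts as bound)."""
    return sorted(
        (s.proto, s.port)
        for s in parse_netstat(text)
        if s.owner.lower() == exe_name.lower()
        and (s.state == "LISTENING" or s.proto == "UDP")
    )


def unattributed_ports(text: str) -> list:
    """Ports netstat could not attribute to a process; worth a second look with a debugger."""
    return [s.port for s in parse_netstat(text) if s.owner == "?"]


if __name__ == "__main__":
    print("listening:", listening_ports(SAMPLE_NETSTAT, "midterm2018q1.exe"))
    print("unattributed:", unattributed_ports(SAMPLE_NETSTAT))
```

On a real VM you would feed the script the saved output of "netstat -abn" (run from an elevated prompt, since -b needs it) instead of the constructed sample; the parsing logic is the same.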
6) The malware sample starts a telnet server on the port you found in question 5. This allows the malware actor to gain remote access to the infected computer. While midterm2018q1.exe is running on your Windows VM, connect to it from your Linux VM via telnet:
telnet [ip address of your Windows VM] [port number from question 5]
For example, if the ip address of your Windows VM is 192.168.0.10 and the port number that you found in question 5 is 1234, you would run this command:
telnet 192.168.0.10 1234
Once you have successfully connected to the Windows VM via telnet, type “?” to list the different commands that the malware can execute. For your answer to this question, provide a screenshot of your Linux VM’s terminal with the list of commands. (10 pts)
7) When you run the “i” command on the malware’s telnet prompt, the malware will install itself and gain persistence. It does this by writing a value under the registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run using the Windows API function RegSetValueExA. What is that registry value set to? Why does this give the malware persistence? Describe how you found the value. (12 pts)
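The reason the Run key gives persistence is that Windows launches every value listed under it at each user logon, so a defender's routine check is to export that key and look for entries pointing somewhere a normal installer would not put a program. The Python below is an added example, not part of the exam or of the specimen, that parses the text produced by "reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" and flags entries whose executable lives in a user-writable location. The sample output, the value name "Updater" and its path are constructed for illustration and are not the value the exam specimen writes; mapping %windir% and %systemroot% to C:\Windows is an assumption made only so the paths can be classified.

```python
import re

# Constructed sample of "reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
# output. None of these entries come from the exam specimen; "Updater" is made up.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr
    Updater    REG_SZ    C:\Users\analyst\AppData\Roaming\updater.exe
"""

# One value line: name, REG_* type and data, separated by runs of spaces.
VALUE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*?)\s*$")
# The executable part of the data: either a quoted path or the first token ending in .exe.
IMAGE_RE = re.compile(r'^(?:"([^"]+)"|(\S+?\.exe))', re.IGNORECASE)
# Directory fragments that an ordinary user can write to; matched case-insensitively.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")


def parse_reg_query(text: str) -> list:
    """Return (name, type, data) tuples for each value line in reg query output."""
    return [m.groups() for m in (VALUE_RE.match(line) for line in text.splitlines()) if m]


def image_path(data: str):
    """Extract the executable path from a Run value's data, or None if there is none."""
    m = IMAGE_RE.match(data.strip())
    if not m:
        return None
    path = m.group(1) or m.group(2)
    # Assumption for classification only: the usual Windows directory variables expand to C:\Windows.
    for var in ("%windir%", "%systemroot%"):
        path = re.sub(re.escape(var), r"C:\\Windows", path, flags=re.IGNORECASE)
    return path


def suspicious_run_entries(text: str) -> list:
    """(name, path, reason) for each Run entry that starts a program from a user-writable location."""
    flagged = []
    for name, _reg_type, data in parse_reg_query(text):
        path = image_path(data)
        if path is None:
            flagged.append((name, data, "no recognisable executable path"))
            continue
        lowered = path.lower()
        for marker in USER_WRITABLE:
            if marker in lowered:
                flagged.append((name, path, "runs from user-writable location " + marker))
                break
    return flagged


if __name__ == "__main__":
    for name, path, reason in suspicious_run_entries(SAMPLE_REG_QUERY):
        print(f"{name}: {path} ({reason})")
```

Comparing such an export taken before and after running the “i” command shows exactly which value the sample added, which is also a sound way to cross-check what you observe in the debugger at the RegSetValueExA call.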
File 2: midterm2018q2.exe (Total 45 pts)
1) What is the SHA-256 hash of midterm2018q2.exe? (1 pt)
2) List ten of midterm2018q2.exe’s imports. Describe some of the functionality that the imports suggest the malware sample may be able to perform. (10 pts)
3) What type of C code construct is present in the subroutine sub_4018F2? Be specific. (4 pts)
4) The subroutine sub_4018F2 takes in a pointer to an obfuscated string as its first parameter and an integer as its second parameter. When the subroutine finishes, the string is deobfuscated. Explain in detail how sub_4018F2 deobfuscates the string. (15 pts)
5) The subroutine sub_40129C calls sub_4018F2 multiple times. The first time that sub_40129C calls sub_4018F2, it passes a pointer to the obfuscated string “ofqq10,gzg” as the first argument and the integer 2 as the second argument. What does sub_4018F2 deobfuscate “ofqq10,gzg” to? (5 pts)
6) Describe in detail what kind of malware you think midterm2018q2.exe is. Justify your answer with specific examples from the malware sample. (10 pts)