CMSC 491/691 Malware Analysis

Fall 2013

Final Exam

Last revised: 3:30pm 10 December, 2013

CHECK BACK! in case any clarifications or other changes are made to these questions.

This is a take-home exam. You may use resources on the Internet, e.g. MSDN and search engines, as needed.

The exam is due by 5pm Tuesday, December 17. To turn in the exam for grading, send a text or pdf file to me <nicholas@umbc.edu> and cc our grader AJ (ahall1@umbc.edu). Each problem should require no more than two printed pages to answer.

For the two 7z archives mentioned on this exam (2013final1.7z and 2013final2.7z), the password is 'malware' without the quotes. You should assume that these archives contain live malware specimens, so do not run them on your bare-metal machine; use an isolated virtual machine with no access to your real network.

If you have questions about the exam, you are free to contact me by email, cc to AJ.

Problem 1 (26 pts total)

With respect to the files final1.exe and final1.dll, contained in the file 2013final1.7z

  1. (2pts) What is the sha256 for the files?
  2. (4pts) Are there any Host-Based or Network-Based Indicators in the program? What are they?
  3. (6pts) How does this malware attain persistence, if it does?
  4. (6pts) What commonly seen malware behavior is used to launch the included DLL?
  5. (8pts) What do these programs do? Be sure to describe how the executable interacts with the DLL.

Problem 2 (42 pts total)

With respect to the file final2.exe, contained in the file 2013final2.7z

  1. (2pts) What is the sha256 for the file?
  2. (4pts) What suspicious Windows API calls does this program use?
  3. (6pts) Are there any Host-Based or Network-Based Indicators in the program? What are they?
  4. (4pts) How many subroutines, if any, write to a file? Where are those subroutines?
  5. (8pts) If there is network activity, what protocol(s) and port(s) are used? Describe the network activity.
  6. (6pts) How does this program attain persistence, if it does?
  7. (12pts) What does this program do?
  8. (4pts Extra Credit) What is the CVE identifier of the exploit found in this sample?
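The first few questions of each problem (the sha256, the host-based and network-based indicators, and the suspicious Windows API calls) can be answered without ever executing the specimen, which is the safe way to start given the warning above. The helper below is added here as an illustration of that static triage step; it is not part of the exam and is not derived from final1.exe, final1.dll or final2.exe. It hashes a file image, pulls printable ASCII and UTF-16LE ("wide") strings, and buckets them into indicators and API-name hits. The SAMPLE bytes, the SUSPICIOUS_APIS table and the INDICATOR_PATTERNS regexes are this example's own constructed assumptions and say nothing about what the exam's samples actually contain.

```python
"""Offline static triage helper: hash a sample, pull printable strings, and
sort them into the buckets the exam asks about. Nothing here executes the
sample; it only reads bytes. Added example, not part of the exam."""
from __future__ import annotations

import hashlib
import re
import sys

# Windows API names worth a second look, grouped by the behaviour they usually
# support. Assumption of this example: illustrative, not exhaustive, and it
# says nothing about what the exam's samples import.
SUSPICIOUS_APIS = {
    "injection": {"CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx",
                  "OpenProcess", "LoadLibraryA", "LoadLibraryW", "SetWindowsHookExA"},
    "persistence": {"RegSetValueExA", "RegSetValueExW", "RegCreateKeyExA",
                    "RegCreateKeyExW", "CreateServiceA", "CreateServiceW"},
    "file_write": {"CreateFileA", "CreateFileW", "WriteFile", "CopyFileA", "CopyFileW"},
    "network": {"WSAStartup", "socket", "connect", "send", "recv", "gethostbyname",
                "InternetOpenA", "InternetOpenUrlA", "URLDownloadToFileA"},
}

# Regexes applied to each extracted string. False positives (a version number
# that looks like an IPv4 address, for example) are expected: this is triage,
# not proof, and every hit still has to be confirmed in the disassembly.
INDICATOR_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "registry": re.compile(r"(?:HKEY_[A-Z_]+|HKLM|HKCU|Software)\\[\w\\ ]+", re.I),
    "path": re.compile(r"[A-Za-z]:\\[\w\\ .\-]+"),
    "binary": re.compile(r"\b[\w\-]+\.(?:dll|exe|sys|bat|vbs)\b", re.I),
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the whole file image (question 1 of each problem)."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable ASCII runs plus UTF-16LE runs, which Windows binaries use heavily."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.decode("ascii") for m in ascii_run.findall(data)]
    found += [m.decode("utf-16-le") for m in wide_run.findall(data)]
    return found


def find_indicators(strings: list[str]) -> dict[str, list[str]]:
    """Host-based (paths, registry keys, binary names) and network-based (IPs, URLs) hits."""
    hits: dict[str, set[str]] = {}
    for s in strings:
        for kind, pattern in INDICATOR_PATTERNS.items():
            for match in pattern.findall(s):
                hits.setdefault(kind, set()).add(match)
    return {kind: sorted(values) for kind, values in hits.items()}


def find_suspicious_apis(strings: list[str]) -> dict[str, list[str]]:
    """Import names that appear as plain strings, bucketed by behaviour."""
    present = set(strings)
    return {category: sorted(present & names)
            for category, names in SUSPICIOUS_APIS.items() if present & names}


def triage(data: bytes) -> dict:
    """One report per file image; run it once per extracted file, not on the archive."""
    strings = extract_strings(data)
    return {
        "sha256": sha256_hex(data),
        "string_count": len(strings),
        "indicators": find_indicators(strings),
        "suspicious_apis": find_suspicious_apis(strings),
    }


# Constructed stand-in for a sample: a DOS-header fragment followed by the kind
# of strings a dropper leaves behind. It is NOT derived from the exam's files.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"kernel32.dll\x00LoadLibraryA\x00CreateRemoteThread\x00WriteProcessMemory\x00"
    + b"advapi32.dll\x00RegSetValueExA\x00"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"C:\\Windows\\System32\\svchost.exe\x00\x00"
    + "http://example.com/cgi-bin/check.cgi".encode("utf-16-le") + b"\x00\x00"
    + b"192.0.2.10:443\x00wininet.dll\x00InternetOpenUrlA\x00"
)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    report = triage(data)
    print("sha256:", report["sha256"])
    for bucket in ("indicators", "suspicious_apis"):
        for kind, values in report[bucket].items():
            print(f"{bucket}/{kind}: {', '.join(values)}")
```

Pass the path of one extracted file as the first argument (with no argument it runs over the constructed SAMPLE); for Problem 1 that means two runs, one for the executable and one for the DLL. Two caveats matter for the exam: a packed sample, or one that resolves imports at run time through GetProcAddress with encoded names, will show few or none of these strings, and an API name in the import table only tells you the capability is present, not where it is called from. Locating the calling subroutines (questions 4 and 6 of Problem 2) and confirming the network behaviour still requires the disassembler and, if at all, execution inside the isolated VM described at the top of the exam.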