About a year ago I collaborated with the folks at Lake Missoula Group to create a malware-themed network forensics puzzle. That contest is now over; however, I would like to provide an opportunity to learn from the scenario defined in that puzzle to strengthen your malware analysis skills. If this sounds interesting, I suggest you proceed as follows:
- Read the scenario described in the original puzzle: Ms. Moneymany's Mysterious Malware.
- Obtain the PCAP file containing malicious artifacts from the original puzzle page linked above.
- Consider answering the 7 questions in the original puzzle to strengthen your network forensics skills.
- Consider reviewing the winning and finalist answers to the original puzzle.
- Answer the 7 follow-up questions below.
- Post your solutions on-line and add a comment to this blog post with a link to it.
Important: The answers to this follow-up challenge will not be graded and there is no prize. This is simply an opportunity to strengthen your malware analysis skills and to help others learn from your experience. I will post the correct answers to the follow-up questions about a month after this blog post is published. Also, be careful when analyzing the malicious files referenced above: you will infect your system with real malware if you're not careful about handling them in an isolated malware lab.
The follow-up questions for this challenge are below. They refer to the malicious executable and other artifacts you need to first extract from the referenced PCAP file.
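Pulling the executable out of the capture is the first step, so here is an added example of that step (it is not part of the original post and not from the puzzle's PCAP). It builds a small, constructed PCAP in memory with one HTTP request and a two-segment, out-of-order HTTP response carrying a made-up "MZ" payload, then reassembles the TCP stream and carves the response body using only the standard library. Addresses, ports, the URL and the payload bytes are all constructed; the same `carve_http_bodies()` function works on a real capture read from disk.

```python
"""Carve HTTP response bodies (e.g. a downloaded executable) out of a PCAP.

Added example, not part of the original post. Assumes a classic
microsecond-resolution pcap (not pcapng) with Ethernet link type.
"""
import hashlib
import struct
from collections import defaultdict

# ---- constructed sample traffic (fake payload, not real malware) ----
FAKE_EXE = (b"MZ" + b"\x00" * 62
            + b"This program cannot be run in DOS mode.\r\n" + b"\x90" * 40)
HTTP_REQUEST = b"GET /update.exe HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                 b"Content-Type: application/octet-stream\r\n"
                 + b"Content-Length: %d\r\n\r\n" % len(FAKE_EXE) + FAKE_EXE)
MAGIC = {b"MZ": "PE executable (MZ)", b"PK": "zip/jar (PK)", b"\x1f\x8b": "gzip"}


def _frame(src, sport, dst, dport, seq, payload):
    """Ethernet + IPv4 + TCP frame; checksums are left zero (parsers ignore them)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0,
                     64, 6, 0, bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    return eth + ip + tcp + payload


def build_sample_pcap():
    """Constructed little-endian pcap: GET request, then a split response."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [
        _frame("10.0.0.5", 49152, "192.0.2.10", 80, 1000, HTTP_REQUEST),
        # second half of the response arrives before the first half
        _frame("192.0.2.10", 80, "10.0.0.5", 49152, 5040, HTTP_RESPONSE[40:]),
        _frame("192.0.2.10", 80, "10.0.0.5", 49152, 5000, HTTP_RESPONSE[:40]),
    ]
    for i, fr in enumerate(frames):
        out += struct.pack("<IIII", 1600000000 + i, 0, len(fr), len(fr)) + fr
    return out


def _tcp_segments(pcap):
    """Yield (flow, seq, payload) for each TCP segment with data in the pcap."""
    endian = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    pos = 24
    while pos + 16 <= len(pcap):
        incl = struct.unpack(endian + "IIII", pcap[pos:pos + 16])[2]
        pkt = pcap[pos + 16:pos + 16 + incl]
        pos += 16 + incl
        if len(pkt) < 34 or pkt[12:14] != b"\x08\x00" or pkt[23] != 6:
            continue                                  # not IPv4/TCP over Ethernet
        ihl = (pkt[14] & 0x0F) * 4
        total_len = struct.unpack("!H", pkt[16:18])[0]
        tcp = pkt[14 + ihl:14 + total_len]
        sport, dport, seq = struct.unpack("!HHI", tcp[:8])
        payload = tcp[(tcp[12] >> 4) * 4:]
        if payload:
            yield (pkt[26:30], sport, pkt[30:34], dport), seq, payload


def reassemble_streams(pcap):
    """Rebuild each one-directional TCP stream, ordering by sequence number
    and trimming retransmitted overlap (gaps are simply concatenated)."""
    flows = defaultdict(list)
    for flow, seq, payload in _tcp_segments(pcap):
        flows[flow].append((seq, payload))
    streams = {}
    for flow, segs in flows.items():
        buf, expected = b"", None
        for seq, payload in sorted(segs):
            start = seq if expected is None else max(seq, expected)
            payload = payload[start - seq:]
            buf += payload
            expected = start + len(payload)
        streams[flow] = buf
    return streams


def carve_http_bodies(pcap):
    """Return HTTP response bodies found in server->client streams, with
    the Content-Type, a magic-based file-type guess and a SHA-256 hash."""
    carved = []
    for (src, sport, _, _), data in reassemble_streams(pcap).items():
        pos = 0
        while data.startswith(b"HTTP/1.", pos):     # one or more pipelined responses
            hdr_end = data.find(b"\r\n\r\n", pos)
            if hdr_end < 0:
                break
            lines = data[pos:hdr_end].decode("latin-1").split("\r\n")[1:]
            fields = {k.strip().lower(): v.strip()
                      for k, v in (ln.split(":", 1) for ln in lines if ":" in ln)}
            body_start = hdr_end + 4
            length = int(fields.get("content-length", len(data) - body_start))
            body = data[body_start:body_start + length]
            carved.append({
                "server": "%d.%d.%d.%d:%d" % (*src, sport),
                "content_type": fields.get("content-type", ""),
                "kind": MAGIC.get(body[:2], "unknown"),
                "sha256": hashlib.sha256(body).hexdigest(),
                "body": body,
            })
            pos = body_start + length
    return carved


if __name__ == "__main__":
    for f in carve_http_bodies(build_sample_pcap()):
        print(f["server"], f["content_type"], f["kind"], len(f["body"]), f["sha256"])
```

To use it on the puzzle's capture, replace `build_sample_pcap()` with `open("capture.pcap", "rb").read()` and write each `body` to disk inside your isolated lab; the hash lets you compare the carved file against what a sandbox later reports, and reassembling by sequence number rather than by arrival order is what keeps the "MZ" header intact when segments are captured out of order.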
- When the malicious Windows executable runs on the infected system, it creates a hidden directory where it stores two files. What is the name of this directory?
- The malicious Windows executable creates a hidden registry key to make sure the executable runs whenever the victim reboots and logs into the Windows system. What is the full path of that registry key?
- The malicious webpage that the user's browser loaded used JavaScript obfuscation to protect some of its contents. The deobfuscated page included an "iframe" HTML element. What was the URL referenced by this "iframe"?
- One of the Java applets downloaded by the user's browser targeted a vulnerability in the Java Runtime Environment (JRE). What was the name of the file that directly implemented the exploit?
- The malicious Windows executable attempts to inject code into several processes. Which functions in WININET.dll does the executable hook to interfere with normal operations of the infected system?
- The malicious Windows executable attempts to delete files on the infected system. What file categories does the executable attempt to delete?
- What other interesting characteristics does the malicious Windows executable possess? This is a somewhat open-ended question. It is designed to help those who have answered the other questions to stand out.
When sharing your answers, please provide an explanation of how you arrived at the answers, so we can all learn from your approach.
If you're new to malware analysis, here are a few resources to help you get started:
- Building a Malware Analysis Toolkit Using Free Tools
- Using VMware for Malware Analysis
- Introduction to Malware Analysis Webcast
Lenny Zeltser focuses on safeguarding customers' IT operations at NCR Corp. He also teaches how to analyze malware at SANS Institute. Lenny is active on Twitter and writes a security blog.