Analyze malware in a safe environment


Assignment Task: File Triage


Write-Up:

Problem 1) Section Names

Analyze the data in the sections_report.csv. Recall that in the PE format, the sections can be named anything, but there are some normal naming conventions we'd expect to see most of the time. High entropy in data can mean it is highly random (e.g. encrypted) or contains a dense amount of information (e.g. machine code). Look through the sections report to identify unexpected section names that also have high entropy (e.g. > 6). Expected section names would be things like .text, .itext, .rsrc, .reloc.

Research the unexpected section names and provide a few sentences about what these section names indicate and what that means for our analysis of those files if we need to go deeper.

Problem 2) Large Physical / Virtual Size Differences

Look for files in sections_report.csv that have a physical size of 0 bytes and a large virtual size (e.g. > 1000 bytes).

Part a) Which files do you see that have this characteristic? Are they in the malware, sysinternals, or windows directory? What does this characteristic likely indicate for malware analysis?

Part b) These files all have the same MD5 value for their section. Google this hash value. Why do they all have the same MD5 for the data in the sections listed?
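The two checks asked for in Problems 1 and 2 (unexpected section names with entropy above 6, and sections whose physical size is 0 while the virtual size is large) can be scripted against the report rather than scanned by eye. The block below is an added example and not part of the assignment or its attachment; the CSV column names and the sample rows are constructed assumptions, so adjust the header to match the real sections_report.csv. It also shows how the entropy column is derived (Shannon entropy over byte frequencies) and why every zero-length section carries the same MD5: it is the MD5 of empty input.

```python
import csv
import hashlib
import io
import math

# Constructed sample in the shape of sections_report.csv (column names are an
# assumption; the real report may use different headers).
SECTIONS_CSV = """file,directory,section,virtual_size,physical_size,entropy,md5
malware/a.exe,malware,.text,12288,12288,6.12,0123456789abcdef0123456789abcdef
malware/a.exe,malware,UPX1,204800,204800,7.91,fedcba9876543210fedcba9876543210
malware/b.exe,malware,.text,8192,8192,5.80,00112233445566778899aabbccddeeff
malware/b.exe,malware,.bss,65536,0,0.00,d41d8cd98f00b204e9800998ecf8427e
windows/notepad.exe,windows,.rsrc,4096,4096,4.51,ffeeddccbbaa99887766554433221100
sysinternals/psexec.exe,sysinternals,.reloc,2048,2048,5.20,aabbccddeeff00112233445566778899
"""

# Section names commonly produced by Microsoft and common third-party linkers.
EXPECTED_SECTIONS = {
    ".text", ".itext", ".data", ".rdata", ".bss", ".idata", ".edata",
    ".rsrc", ".reloc", ".tls", ".pdata", ".CRT",
}

# MD5 of zero bytes: every section with physical size 0 hashes to this value.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, 0.0 (constant) up to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_sections(text: str) -> list:
    """Read the report into dicts, converting the numeric columns."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["virtual_size"] = int(row["virtual_size"])
        row["physical_size"] = int(row["physical_size"])
        row["entropy"] = float(row["entropy"])
        rows.append(row)
    return rows


def unexpected_high_entropy(rows: list, threshold: float = 6.0) -> list:
    """Problem 1: non-standard section names whose entropy exceeds threshold."""
    return [
        (r["file"], r["section"], r["entropy"])
        for r in rows
        if r["section"] not in EXPECTED_SECTIONS and r["entropy"] > threshold
    ]


def zero_physical_large_virtual(rows: list, min_virtual: int = 1000) -> list:
    """Problem 2: sections that take no space on disk but reserve memory."""
    return [
        (r["file"], r["directory"], r["section"], r["virtual_size"], r["md5"])
        for r in rows
        if r["physical_size"] == 0 and r["virtual_size"] > min_virtual
    ]


if __name__ == "__main__":
    rows = parse_sections(SECTIONS_CSV)
    print("Unexpected high-entropy sections:", unexpected_high_entropy(rows))
    for hit in zero_physical_large_virtual(rows):
        same_as_empty = hit[4] == EMPTY_MD5
        print("Zero physical size:", hit, "md5 is MD5('') ->", same_as_empty)
```

A section such as UPX1 with entropy near 8 is the signature of packed or encrypted content that the loader or a stub decompresses at run time, which is why static strings and import tables of such a file look sparse; a zero-physical-size section with a large virtual size is memory the loader zero-fills (uninitialized data), so its on-disk hash is necessarily the hash of nothing.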

Problem 3) Imported Libraries and Functions Frequency

Part a) Looking at file_summary_report.csv, which files have the same number of imported libraries as the number of imported functions?

Part b) Provide the imphash of these files. Research the library and function names that those files share in common. What does it tell you?

Problem 4) Imported Libraries and Function Capability

Part a) There are many libraries and functions in Appendix A in our Practical Malware Analysis book. How many files contain the function "peeknamedpipe"? Which files have this as an import?

Part b) Look the file(s) up on VirusTotal. Based on what this function allows a binary to do and based on the "Detection" results from VirusTotal, what is your best guess as to what kind of malware this binary might be? In other words, what is the goal of this type of malware? Feel free to do additional online research and read about this function in Appendix A. Justify your answer.

Part c) What directory was the file(s) found in? Is it malware we already knew about, or is it something new we need to inform the Incident Handler about? Justify your position.

Part d) Looking a little deeper, what is the compile time for the file(s), and what is the "First Submission" date for this file on VirusTotal? Do you trust the compile time? Why or why not?

Problem 5) Imported Libraries and Function Capability

Part a) There are two binaries that import exactly 4 functions. Which files are they and what are the four imported functions?

Part b) What other binaries do you see that import the same 4 functions?

Part c) Feel free to do some research on VirusTotal, but just looking at the file names and knowing the capability the four functions provide, which two file names make the least sense to import these functions and why?
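Problems 3, 4a and 5 all reduce to queries over each file's import table: comparing the count of libraries with the count of functions, computing the imphash, finding which files import a given function such as PeekNamedPipe, and grouping files that import exactly the same small set of functions. The block below is an added example, not part of the assignment or its attachment; the per-file import lists are constructed, and the file names are placeholders. The imphash follows the widely documented convention (library name lowercased with its .dll/.ocx/.sys extension stripped, joined to the lowercased function name as "lib.func", entries concatenated with commas in import order, then MD5); a reference implementation such as pefile additionally resolves certain well-known ordinals to names before hashing, which this simplified version does not.

```python
import hashlib
from collections import defaultdict

# Constructed import tables: file -> ordered list of (library, function).
# An int in place of a function name stands for an import by ordinal.
IMPORTS = {
    "malware/a.exe": [
        ("KERNEL32.dll", "PeekNamedPipe"), ("KERNEL32.dll", "CreateProcessA"),
        ("WS2_32.dll", "send"), ("WS2_32.dll", "recv"),
    ],
    "malware/c.exe": [
        ("KERNEL32.dll", "LoadLibraryA"), ("KERNEL32.dll", "GetProcAddress"),
        ("KERNEL32.dll", "VirtualProtect"), ("KERNEL32.dll", "VirtualAlloc"),
    ],
    "windows/calc.exe": [
        ("KERNEL32.dll", "GetModuleHandleA"), ("USER32.dll", "MessageBoxA"),
        ("GDI32.dll", "TextOutA"),
    ],
    "sysinternals/strings.exe": [
        ("KERNEL32.dll", "LoadLibraryA"), ("KERNEL32.dll", "GetProcAddress"),
        ("KERNEL32.dll", "VirtualProtect"), ("KERNEL32.dll", "VirtualAlloc"),
    ],
}


def import_string(imports: list) -> str:
    """Canonical 'lib.func,lib.func,...' string that the imphash is taken over."""
    parts = []
    for lib, func in imports:
        name = lib.lower()
        for ext in (".dll", ".ocx", ".sys"):
            if name.endswith(ext):
                name = name[: -len(ext)]
                break
        entry = f"ord{func}" if isinstance(func, int) else func.lower()
        parts.append(f"{name}.{entry}")
    return ",".join(parts)


def imphash(imports: list) -> str:
    """MD5 of the canonical import string; order of imports matters."""
    return hashlib.md5(import_string(imports).encode("ascii")).hexdigest()


def libs_equal_funcs(tables: dict) -> list:
    """Problem 3a: files whose library count equals their function count."""
    return sorted(
        f for f, imps in tables.items()
        if len({lib.lower() for lib, _ in imps}) == len(imps)
    )


def files_importing(tables: dict, func_name: str) -> list:
    """Problem 4a: files that import func_name (case-insensitive)."""
    wanted = func_name.lower()
    return sorted(
        f for f, imps in tables.items()
        if any(not isinstance(fn, int) and fn.lower() == wanted for _, fn in imps)
    )


def files_with_import_count(tables: dict, count: int) -> list:
    """Problem 5a: files importing exactly `count` functions."""
    return sorted(f for f, imps in tables.items() if len(imps) == count)


def group_by_import_set(tables: dict) -> dict:
    """Problem 5b: files sharing an identical set of imports, keyed by that set."""
    groups = defaultdict(list)
    for f, imps in tables.items():
        key = frozenset((lib.lower(), str(fn).lower()) for lib, fn in imps)
        groups[key].append(f)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    for f, imps in IMPORTS.items():
        print(f, imphash(imps))
    print("libs == funcs:", libs_equal_funcs(IMPORTS))
    print("import PeekNamedPipe:", files_importing(IMPORTS, "peeknamedpipe"))
    print("exactly 4 imports:", files_with_import_count(IMPORTS, 4))
    print("shared import sets:", group_by_import_set(IMPORTS))
```

Two files with identical imports in identical order share an imphash, which is what makes the value useful for clustering samples built from the same source or toolchain; the same four functions imported in a different order hash differently, so the grouping function compares import sets rather than hashes when the question is about shared capability.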
