Projects / Malware Analysis / Extra Credit
Extra Credit (TBD points):
Analyze your malware samples (TBD points)
You will investigate and label some of the more sophisticated malware behaviors from the three malware reports we provided. These files are located in the /home/malware/phase1/extra_credit directory. Use the included JoeSandbox reports to identify the malware’s behavior. Note that malware samples can share behaviors. For this extra credit portion of the project, do not assume that every behavior is exhibited. It’s your job to determine if that assumption is actually true.
Clarification for attempted: We mean by “attempted” that a specific action was attempted but failed. By “specific” we mean that it is clear which action is attempted. If you have a registry key, for instance, that is unambiguous (like, say, it is used only to set a startup option), but it fails to change the key, that is an attempt for our purposes. But if you have a more generic registry key that governs multiple settings, we don’t know for sure which key or keys it is attacking and so the action would not count as an “attempt”.
You will notice that the same API function can appear with either a W or an A suffix (A for ANSI strings, W for wide/Unicode strings). This is standard practice in the Windows API, and either variant could in theory be present in the wild; this document explains the difference: https://docs.microsoft.com/en-us/windows/desktop/intl/unicode-in-the-windows-api
For each of the following questions, mark (true/false) which of the malware exhibit the identified behavior:
1 Attempts to get victim to disable security protections
2 Microsoft Office key deletion
3 Microsoft Excel key creation
4 Creates registry values (any)
5 Drops RegAsm virus
6 Issues signal to cause immediate program termination
7 Malicious file most likely programmed in C or C++
8 Detects the Mirai botnet
9 Keylogger attempt
10 Attempts to copy clipboard
11 Hooks registry keys/values to protect autostart
12 Possible PFW / HIPS evasion
13 Uses the Windows core system file splwow64.exe
14 Drops a portable executable file into C:\Windows
a. The term “drop” in the behavior “Drops file(s)” means to create (or attempt to create) files, not to delete files.
b. We are just looking for dropped files for this behavior.
15 Looks for the name or serial number of a device
16 Attempts to obscure the meaning of data as an added layer of data
17 HTTP GET or POST without a user agent
18 Uses loops or otherwise needless repetitions of commands, such as Pings, used to delay malware execution and potentially exceed time thresholds of automated analysis environments.
19 Attempts to override the domain name system (DNS) for a domain on a specific machine.
20 Possible system shutdown
DELIVERABLE: Your deliverable for this part of the assignment will be your final JSON file with your answers to the 20 questions.
Download the ec submission template or use the JSON format below for your answers:
{
"sample1": {
"behavior01": ,
"behavior02": ,
"behavior03": ,
"behavior04": ,
"behavior05": ,
"behavior06": ,
"behavior07": ,
"behavior08": ,
"behavior09": ,
"behavior10": ,
"behavior11": ,
"behavior12": ,
"behavior13": ,
"behavior14": ,
"behavior15": ,
"behavior16": ,
"behavior17": ,
"behavior18": ,
"behavior19": ,
"behavior20":
},
"sample2": {
"behavior01": ,
"behavior02": ,
"behavior03": ,
"behavior04": ,
"behavior05": ,
"behavior06": ,
"behavior07": ,
"behavior08": ,
"behavior09": ,
"behavior10": ,
"behavior11": ,
"behavior12": ,
"behavior13": ,
"behavior14": ,
"behavior15": ,
"behavior16": ,
"behavior17": ,
"behavior18": ,
"behavior19": ,
"behavior20":
},
"sample3": {
"behavior01": ,
"behavior02": ,
"behavior03": ,
"behavior04": ,
"behavior05": ,
"behavior06": ,
"behavior07": ,
"behavior08": ,
"behavior09": ,
"behavior10": ,
"behavior11": ,
"behavior12": ,
"behavior13": ,
"behavior14": ,
"behavior15": ,
"behavior16": ,
"behavior17": ,
"behavior18": ,
"behavior19": ,
"behavior20":
}
}
The submitted answers should be in the format (this is an example only):
{
"sample1": {
"behavior01": true,
"behavior02": false,
"behavior03": true,
"behavior04": true,
...
}
The naming of the submission file is not important, as long as it is JSON (“submission.json” is an example). An incorrectly formatted JSON file or a typo still counts as one of your submission attempts, even if that attempt fails. We have provided a validation script named “json_validator.py” which checks your file for proper formatting. To run the validator on your file, run “python json_validator.py /path/to/solution.json” at the command line in the /home/malware directory. The validator will either print “JSON file correctly formatted.” if the submission file is correct, or list the errors found. Using the validation script is not required, but it is highly recommended to prevent erroneous submissions. We will not provide extra submission attempts. This validation script works only for the Phase 1 and Extra Credit portions of the project.
Malware Analysis - Phase I
Points 50
Submitting an external tool
Available Mar 8 at 7pm - Mar 16 at 11:59pm
Malware Analysis Phase I
The assignment documentation and instructions are at the following links:
https://docs.google.com/document/d/167jVVmkyXJ0NqzsY1bPDqZL6-I1XLdZTqatncT1kr4M/edit?usp=sharing
https://github.gatech.edu/pages/cs6035-tools/cs6035-tools.github.io/
You will be using the same VM you have been using from the earlier projects. If you need to download it again:
Link: https://cs6035.s3.us-east-1.amazonaws.com/CS6035-Spring-2025-RC-03.ova
Older image (Spring 2024): https://cs6035.s3.amazonaws.com/CS6035-Spring2024-rc3.ova
SHA-256 checksum: 69F7313E643601262229A13E4A0E0AABD57F5B92413B308E1D7F1154D41D0CFC
VM Username: malware
VM Password: Pdp8_1965
Download the VM early in case you run into slow downloads.
You need to complete one module for Phase I (50 points in total):
The module for Phase I contains twenty multiple choice questions, with five choices (malware 1 through malware 5) per question. For each question, mark which of the malware samples exhibit the specified behavior. Each question is worth 2.5 points total (0.5 per malware).
CS 6035
Projects / Malware Analysis
Malware Analysis
The goals of this project:
• Familiarize you with the types of behaviors that can be displayed by real-world malware samples and how to safely analyze these behaviors using JoeSandboxCloud (https://www.joesandbox.com/).
• Joe Sandbox detects and analyzes potential malicious files and URLs on Windows, Android, Mac OS, Linux, and iOS for suspicious activities. It performs deep malware analysis and generates comprehensive and detailed analysis reports.
• Introduce fundamental concepts of malware analysis through hands-on exercises.
• Work with safe, non-malicious samples to explore static and dynamic analysis techniques.
• Practice de-obfuscating and executing provided samples to better understand their functionality.
• Call endpoints with the correct data to obtain flags.
Additional information:
• All phases of this project will be submitted in Gradescope.
• Minimum RAM required for this project: 4 GB for the VM and 8 GB on your host.
• We offer a Frequently Asked Questions (F.A.Q.) thread on Ed Discussion.
• The F.A.Q. thread will be constantly updated. Therefore, BEFORE ASKING ANYTHING, make sure to review the entire F.A.Q. If your question is not covered already, feel free to post it in the Ed Discussion F.A.Q. thread for the Malware Analysis project.
Accessing project resources:
Setup (0 points)
1 Download the project VM at the link provided in the Canvas Malware Analysis Assignment pages (the link for the file is in both pages; you only need to download the file once).
2 Students need an x86 (Intel) machine to properly run the project virtual machine (please see the Ed Discussion post on VM Troubleshooting if you have any issues with your virtual machine).
4 Log in to the newly imported VM using these credentials:
• See Canvas for username and password.
5 Run the following command in the Terminal on the VM:
• ./StartContainer.sh
6 You will now have the project files for Phase 1 and Phase 2 loaded into the following directories.
When you begin each phase, make sure to change directories for each part of the project.
• Phase 1 reports are located in /home/malware/phase1
• Phase 2 files are located in /home/malware/phase2
• Extra Credit files are located in /home/malware/phase1/extra_credit
CS 6035
Projects / Malware Analysis / Phase 1
Phase 1 (50 points):
Analyze your malware samples (50 points)
You will investigate and label some of the more sophisticated malware behaviors from the five malware reports we provided. Use the included JoeSandbox reports to identify the malware’s behavior. Note that malware samples can share behaviors. So initially you should assume that each malware we question you about below has every behavior listed. It’s your job to determine if that assumption is actually true.
Clarification for attempted: We mean by “attempted” that a specific action was attempted but failed. By “specific” we mean that it is clear which action is attempted. If you have a registry key, for instance, that is unambiguous (like, say, it is used only to set a startup option), but it fails to change the key, that is an attempt for our purposes. But if you have a more generic registry key that governs multiple settings, we don’t know for sure which key or keys it is attacking and so the action would not count as an “attempt”.
You will notice that the same API function can appear with either a W or an A suffix (A for ANSI strings, W for wide/Unicode strings). This is standard practice in the Windows API, and either variant could in theory be present in the wild; this document explains the difference: https://docs.microsoft.com/en-us/windows/desktop/intl/unicode-in-the-windows-api
For each of the following questions, mark (true/false) which of the malware exhibit the identified behavior:
1 Attempts to get victim to disable security protections
2 Microsoft Office key deletion
3 Microsoft Excel key creation
4 Creates registry values (any)
5 Drops RegAsm virus
6 Issues signal to cause immediate program termination
7 Malicious file most likely programmed in C or C++
8 Detects the Mirai botnet
9 Keylogger attempt
10 Attempts to copy clipboard
11 Hooks registry keys/values to protect autostart
12 Possible PFW / HIPS evasion
13 Uses the Windows core system file splwow64.exe
14 Drops a portable executable file into C:\Windows
a. The term “drop” in the behavior “Drops file(s)” means to create (or attempt to create) files, not to delete files.
b. We are just looking for dropped files for this behavior.
15 Looks for the name or serial number of a device
16 Attempts to obscure the meaning of data as an added layer of data
17 HTTP GET or POST without a user agent
18 Uses loops or otherwise needless repetitions of commands, such as Pings, used to delay malware execution and potentially exceed time thresholds of automated analysis environments.
19 Attempts to override the domain name system (DNS) for a domain on a specific machine.
20 Possible system shutdown
DELIVERABLE: Your deliverable for this part of the assignment will be your final JSON file with your answers to the 20 questions.
Download the submission template or use the JSON format below for your answers:
{
"sample1": {
"behavior01": ,
"behavior02": ,
"behavior03": ,
"behavior04": ,
"behavior05": ,
"behavior06": ,
"behavior07": ,
"behavior08": ,
"behavior09": ,
"behavior10": ,
"behavior11": ,
"behavior12": ,
"behavior13": ,
"behavior14": ,
"behavior15": ,
"behavior16": ,
"behavior17": ,
"behavior18": ,
"behavior19": ,
"behavior20":
},
"sample2": {
"behavior01": ,
"behavior02": ,
"behavior03": ,
"behavior04": ,
"behavior05": ,
"behavior06": ,
"behavior07": ,
"behavior08": ,
"behavior09": ,
"behavior10": ,
"behavior11": ,
"behavior12": ,
"behavior13": ,
"behavior14": ,
"behavior15": ,
"behavior16": ,
"behavior17": ,
"behavior18": ,
"behavior19": ,
"behavior20":
},
"sample3": {
"behavior01": ,
"behavior02": ,
"behavior03": ,
"behavior04": ,
"behavior05": ,
"behavior06": ,
"behavior07": ,
"behavior08": ,
"behavior09": ,
"behavior10": ,
"behavior11": ,
"behavior12": ,
"behavior13": ,
"behavior14": ,
"behavior15": ,
"behavior16": ,
"behavior17": ,
"behavior18": ,
"behavior19": ,
"behavior20":
},
"sample4": {
"behavior01": ,
"behavior02": ,
"behavior03": ,
"behavior04": ,
"behavior05": ,
"behavior06": ,
"behavior07": ,
"behavior08": ,
"behavior09": ,
"behavior10": ,
"behavior11": ,
"behavior12": ,
"behavior13": ,
"behavior14": ,
"behavior15": ,
"behavior16": ,
"behavior17": ,
"behavior18": ,
"behavior19": ,
"behavior20":
},
"sample5": {
"behavior01": ,
"behavior02": ,
"behavior03": ,
"behavior04": ,
"behavior05": ,
"behavior06": ,
"behavior07": ,
"behavior08": ,
"behavior09": ,
"behavior10": ,
"behavior11": ,
"behavior12": ,
"behavior13": ,
"behavior14": ,
"behavior15": ,
"behavior16": ,
"behavior17": ,
"behavior18": ,
"behavior19": ,
"behavior20":
}
}
The submitted answers should be in the format (this is an example only):
{
"sample1": {
"behavior01": true,
"behavior02": false,
"behavior03": true,
"behavior04": true,
...
}
The naming of the submission file is not important, as long as it is JSON (“submission.json” is an example). An incorrectly formatted JSON file or a typo still counts as one of your submission attempts, even if that attempt fails. We have provided a validation script named “json_validator.py” which checks your file for proper formatting. To run the validator on your file, run “python json_validator.py /path/to/solution.json” at the command line in the /home/malware directory. The validator will either print “JSON file correctly formatted.” if the submission file is correct, or list the errors found. Using the validation script is not required, but it is highly recommended to prevent erroneous submissions. We will not provide extra submission attempts. This validation script works only for the Phase 1 and Extra Credit portions of the project.
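Since a malformed file burns a submission attempt, it is worth checking the answer file against the template before uploading. The script below is an added example written for this page, not the course's json_validator.py; it checks both the Phase 1 format (5 samples) and the Extra Credit format (3 samples) for exactly the template's keys and for true/false values, and the file path and sample count it reads from the command line are assumptions.

```python
import json
import sys

# Added example, not the course's json_validator.py: checks that a Phase 1
# (5 samples) or Extra Credit (3 samples) answer file has exactly the keys
# of the template above and that every value is a JSON boolean.
NUM_BEHAVIORS = 20

def expected_keys(num_samples):
    """Sample keys and behavior keys exactly as the template names them."""
    samples = {f"sample{i}" for i in range(1, num_samples + 1)}
    behaviors = {f"behavior{i:02d}" for i in range(1, NUM_BEHAVIORS + 1)}
    return samples, behaviors

def blank_submission(num_samples):
    """A template-shaped dict with every behavior set to False, ready to edit."""
    samples, behaviors = expected_keys(num_samples)
    return {s: {b: False for b in sorted(behaviors)} for s in sorted(samples)}

def validate_data(data, num_samples=5):
    """Validate an already-parsed submission; returns a list of errors (empty = OK)."""
    if not isinstance(data, dict):
        return ["top level must be a JSON object"]
    samples, behaviors = expected_keys(num_samples)
    present = set(data)
    errors = [f"missing key {k}" for k in sorted(samples - present)]
    errors += [f"unexpected key {k}" for k in sorted(present - samples)]
    for name in sorted(samples & present):
        block = data[name]
        if not isinstance(block, dict):
            errors.append(f"{name} must be a JSON object")
            continue
        found = set(block)
        errors += [f"{name}: missing {k}" for k in sorted(behaviors - found)]
        errors += [f"{name}: unexpected {k}" for k in sorted(found - behaviors)]
        for k in sorted(behaviors & found):
            # isinstance(v, bool) rejects the string "true" and the number 1,
            # which json.loads accepts but the answer format does not
            if not isinstance(block[k], bool):
                errors.append(f"{name}: {k} must be true or false, got {block[k]!r}")
    return errors

def validate_text(text, num_samples=5):
    """Parse the file contents first: a blank left in the template is a syntax error."""
    try:
        return validate_data(json.loads(text), num_samples)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]

if __name__ == "__main__":
    # usage: python check_submission.py /path/to/solution.json [num_samples]
    count = int(sys.argv[2]) if len(sys.argv) > 2 else 5
    with open(sys.argv[1], encoding="utf-8") as fh:
        problems = validate_text(fh.read(), count)
    print("JSON file correctly formatted." if not problems else "\n".join(problems))
```

Pass 3 as the second argument for the Extra Credit file; the blank_submission helper also gives you a correctly shaped starting point if you prefer to generate the file rather than edit the template by hand.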
CS 6035
Projects / Malware Analysis / Phase 2
Phase 2 (50 points)
Overview
For this phase, we will be going over some of the basic concepts of malware analysis. None of the samples or scripts provided here are actually malicious, but they are provided as a way to understand the basic concepts of static and dynamic analysis.
To do so, we will work with the samples by de-obfuscating and executing various samples as needed to understand how the samples function. The overall goal of each task will be to run the program or call the correct endpoint with the correct data to get your flag to send to the autograder.
NOTE:
Warm Up
Warm up exercise #1 (5%)
We saw this sample come in earlier. It performs some simple encoding to execute the command. It looks like it spits out a flag, but we aren’t totally sure.
Can you figure out how to get your flag?
base64 -d <<< IyEgL3Vzci9iaW4vc2gKYTEoKXsKICBlY2hvICJPaCBsb29rLCB0aGlzIGlzIGRlZmluaXRlbHkgYSBmbGFnOiAkKGVj
Warm up exercise #2 (5%)
Great job on the last one. This one is a little less straightforward though. The attacker left this long string behind. We think that they were trying to pack something in this string by compressing it, but we aren’t sure what.
Can you figure out what is going on here?
Hints:
• There are ways you can check what kind of file you are looking at
• Keep peeling the onion
• Scripting is your friend
N3q8ryccAASoqGIr+RMAAAAAAAAVAAAAAAAAAH2lL03gE50TlF0AKBK8YCl3X7OgZocDYaJosK2umXg2E4a5Nb0ICtCLgteu5MrmbJIpgu
Warm up exercise #3 (5%)
One more to go! This long string of text was left in another file on the system. Can you figure out what is going on?
Sample Analysis
These samples are set up to roughly approximate some Command and Control (C2) traffic between the client samples and the server we will run. To perform this analysis, you will start the server container, and then you will execute the client scripts to see what actions they perform.
Additionally, you will need to craft your own requests to send to the C2 server to get your flag. You are welcome to do this using cURL, python, or whatever other HTTP request program you like to use. To get your flag, you will need to send a request to the correct endpoint followed by your GTID.
Example provided below: http://localhost:8085/path/to/endpoint/9999999999
Once you analyze the samples and submit a successful request to get your flag, you’ll receive a JSON message that looks something like the following:
{
"flag": "Now that's a flag: <your flag value will be here>"
}
Sample #0 (10%)
This is a simple example to get started and make sure that you have all of your pieces set up correctly to capture the traffic between the client and server.
1 Start the server
2 Start Wireshark to listen for network traffic
3 Run the client-0 sample
4 Figure out how to get your flag
Sample #1 (10%)
In this sample, the initial client-1 program acts as the first stage of the malware sample. Your goal is as follows:
1 Execute the client-1 sample
2 Review the network calls
3 Identify and analyze the second stage
4 Figure out how to get your flag
Sample #2 (15%)
In this sample, the client-2 program makes a couple of calls and performs some familiar obfuscation techniques. Perform the following steps:
1 Execute the client-2 sample
2 Review the network calls
3 Identify and analyze the obfuscation technique
4 Figure out how to get your flag
Submission Details
Submit your flags in Gradescope as a JSON file named ‘phase2.json’ with the following format:
{
"warmup1": "replace_the_placeholder_flag",
"warmup2": "replace_the_placeholder_flag",
"warmup3": "replace_the_placeholder_flag",
"client0": "replace_the_placeholder_flag",
"client1": "replace_the_placeholder_flag",
"client2": "replace_the_placeholder_flag"
}
You can also use the provided template file to build your submission.