Project Statement

The final project for CSEC202 involves a comprehensive malware analysis, requiring groups to conduct both static and dynamic analyses on an active malware sample. Deliverables include a detailed report formatted according to specific guidelines and a professional presentation summarizing the findings. Evaluation criteria focus on the depth of analysis, organization, and presentation skills, with penalties for late submissions and improper handling of malware samples.

Uploaded by

Wubrist Awlachew

CSEC202 Spring 2025

Final Project
Weight: 30%

Summary:
In this project, your group is expected to perform a complete malware analysis (static and dynamic) on an
active malware sample.

Activity:
This project is to be performed as a group.
All group members are expected to exert an equal amount of effort.
The group is expected to perform the following:
1. Basic static analysis.
2. Basic Dynamic Analysis.
3. Advanced Dynamic Analysis.
4. Advanced Static Analysis.
5. Write a detailed report showing the findings and the steps followed to extract these findings.
6. Deliver an in-class presentation and answer questions related to the work done.

Deliverable 1: Report
• The report is expected to be formatted according to Springer LNCS formatting requirements, and to be clear, concise and readable.
• The report is expected to have a minimum of 20 pages.
• The report is expected to contain the following sections:
  o Cover page
  o Table of contents
  o Technical Summary (1 page)
  o Basic Static Analysis
  o Basic Dynamic Analysis
  o Advanced Dynamic Analysis
  o Advanced Static Analysis
  o Conclusions
• Each of these sections should have detailed technical information with appropriate screenshots. There are no minimum or maximum length requirements for each section.

• You’re expected to use a variety of tools to perform this analysis, including tools that were not used in your previous homeworks.
• The evaluation of the report is based on the depth of the analysis. Following the steps followed in the homeworks or mentioned in the course slides will be considered the bare minimum. The more details you extract, the more tools you use and the more accurate your findings are, the higher your grade will be. Following the same steps you followed in the homeworks will get you a passing grade in the project. You’re expected to work beyond what you have learned so far to achieve high grades.

Deliverable 2: Presentation
• Each group is expected to prepare a presentation document containing details of the steps followed and the findings.
• The allocated presentation time for each group will be 20 minutes + 10 minutes for Q&A.
• The presentation needs to be professional and well organized.
• All of the group members are expected to have equal “air time” during the presentation.

Requirements:
• Make sure that all of your screenshots include your group number and a timestamp.
• You’re free to use any tools you want to perform the required tasks. Part of this homework will require the installation and use of additional VM(s).
• Download the sample into your analysis VM directly from the course repo on GitHub using the following link:
https://github.com/Mo-Alani/csec202/tree/main/ProjectSamples
Password: project
• Make sure that you download the correct sample for your group number and your specific section number. Analyzing another group’s sample will result in a 0 in the project.
• The presentation schedule will be shared on MyCourses one week before the presentations.
• Missing the in-class presentation means that you’ll forfeit the presentation marks.
• Late submissions will be penalized by a 10% deduction from the mark for up to three days. Submissions later than three days will be graded as 0.
• Make sure you follow proper malware handling hygiene to prevent the sample from infecting your computer.

Steps:
You’re expected to choose your steps.

Packing/obfuscation:

Report Rubric:

Report Organization and Formatting (weight: 2)
  Poor (0): Poor organization and formatting, and poor language. Unclear screenshots. Missing sections.
  Acceptable (1): Acceptable report organization and formatting with room for improvement.
  Good (2): Clear and well-organized report. Clear screenshots. Professional language.

Technical Summary (weight: 2)
  Poor (0): Poor summarization of the findings with significant omissions.
  Acceptable (1): Acceptable technical summary with a few missing points.
  Good (2): Well-written technical summary with significant findings explained.

Static Analysis (weight: 7)
  Poor (0): Incorrect steps/findings. Missing screenshots. Incorrect tools used. Very shallow level of details.
  Acceptable (3.5): Some errors in the methodology and/or findings. Partially correct steps followed. Acceptable level of details in the findings. No new tools or techniques used. Only following the analysis steps mentioned in class without innovation or research.
  Good (7): Advanced analysis performed beyond what was taught in class. Arrived at interesting findings. Complete analysis using a variety of new tools.

Dynamic Analysis (weight: 7)
  Poor (0): Incorrect steps/findings. Missing screenshots. Incorrect tools used. Very shallow level of details.
  Acceptable (3.5): Some errors in the methodology and/or findings. Partially correct steps followed. Acceptable level of details in the findings. No new tools or techniques used. Only following the analysis steps mentioned in class without innovation or research.
  Good (7): Advanced analysis performed beyond what was taught in class. Arrived at interesting findings. Complete analysis using a variety of new tools.

Conclusions (weight: 2)
  Poor (0): Poor conclusions drawn from the analysis findings with significant omissions.
  Acceptable (1): Acceptable conclusions and summary with a few missing points.
  Good (2): Well-written conclusions with appropriate thought process and concise discussion of the findings.

Presentation Rubric:

Presentation Content (weight: 2)
  Poor (0): Presentation content fails to capture the work done.
  Acceptable (1): Acceptable presentation content with missing points.
  Good (2): The presentation content is thorough and covers the different areas of analysis and findings.

Timing (weight: 1)
  Poor (0): Poor time management.
  Acceptable (0.5): Acceptable time management.
  Good (1): Very good time management.

Presentation Skills (weight: 2)
  Poor (0): Poor presentation skills. Significant pauses. No eye contact with the audience. Poor presentation tempo.
  Acceptable (1): Acceptable presentation skills. Acceptable eye contact with the audience. Acceptable presentation tempo.
  Good (2): Very good presentation skills. Clear voice and good eye contact. Very good control of the presentation speed.

Answers in Q&A (weight: 5)
  Poor (0): Did not answer any questions.
  Acceptable (2.5): Partial answers. Partially correct answers.
  Good (5): Complete and correct answers to all questions.

Local

halt_baddata(): this function will stop the debugger or crashes disassembly


1400040d6
Set breakpoint before fun_140004210
(char *)(unaff_retaddr+(uvar3&0xf))

Steps:
Step 1: Identify the file type: MZ (Windows executable)

Step 2: Scan the file with a local anti-malware/anti-virus software.



Step 3: What is the MD5 hash of the file: 84e8e8c726c33cf0526e75aae85c8bfc


What is the SHA-256 hash of the file:
a19a57aa10f51ece481b2bebebc5ac4bd01ace34adff7b1ae531e807c3aa739b

Step 4: Search for the hashes obtained in Step 3

Step 5: Extract the strings from the file, and list 5 strings that you think are most informative.

Step 6: Is the file packed? Yes


If it is packed, what tool was used to pack the file? It is custom packed.
Add a screenshot showing the commands/tools used to get this information.

Step 7: List the names of the sections that exist in the file.
.text, .rdata, .bnsn

Step 8: List the DLL files linked in this executable.
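The basic static steps above (file type, hashes, strings, packing indicators, section names) can be scripted so that the same checks are applied the same way to every sample. The following Python script is an added example, not part of the assignment or of the student's worksheet: it builds a constructed minimal PE image in memory (so the hashes it prints are those of the constructed blob, not of the project sample), then walks the DOS header, PE signature, COFF header and section table by hand, computes MD5/SHA-256, extracts printable strings, and reports packing heuristics (non-standard section names such as .bnsn, near-maximal section entropy, and a section that reserves far more memory than it has bytes on disk). The function names (build_sample_pe, parse_pe, triage, packing_indicators) and the section contents are assumptions made for this example; the import table (Step 8) is not parsed here.

```python
import hashlib
import math
import re
import struct

# Section names a linker normally emits; anything else is worth a second look.
KNOWN_SECTION_NAMES = {".text", ".rdata", ".data", ".idata", ".edata",
                       ".pdata", ".rsrc", ".reloc", ".bss", ".tls"}


def build_sample_pe() -> bytes:
    """Constructed minimal PE image (not a real sample) using the section names
    seen in the worksheet; .bnsn is filled with high-entropy bytes."""
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    opt_header = struct.pack("<H", 0x20B) + b"\x00" * 14                   # PE32+ magic, rest unused here
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, len(opt_header), 0x22)
    text = b"\x55\x48\x89\xE5\xC3" + b"\x00" * 59                          # tiny stub, 64 bytes
    rdata = (b"http://example.invalid/upload\x00kernel32.dll\x00"
             b"LoadLibraryA\x00").ljust(64, b"\x00")                       # constructed strings
    bnsn = bytes((i * 73 + 11) % 256 for i in range(256))                  # every byte value once: entropy 8.0
    table_off = 0x40 + 4 + len(coff) + len(opt_header)                     # start of the section table
    raw_off = table_off + 3 * 40                                           # raw data follows the table
    headers = b""
    for name, blob, vsize in ((b".text", text, 64), (b".rdata", rdata, 64), (b".bnsn", bnsn, 0x2000)):
        # IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ...
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), vsize, 0x1000,
                               len(blob), raw_off, 0, 0, 0, 0, 0x60000020)
        raw_off += len(blob)
    return dos_header + b"PE\x00\x00" + coff + opt_header + headers + text + rdata + bnsn


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte; 8.0 means uniformly distributed, typical of packed or encrypted data."""
    if not buf:
        return 0.0
    n = len(buf)
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table (Steps 1 and 7)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("MZ header without PE signature (DOS-only or corrupt)")
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table_off = e_lfanew + 4 + 20 + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": shannon_entropy(raw)})
    return {"machine": {0x14C: "x86", 0x8664: "x64"}.get(machine, hex(machine)),
            "sections": sections}


def extract_strings(data: bytes, min_len: int = 5) -> list:
    """ASCII strings of at least min_len printable characters (Step 5)."""
    pattern = rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}"
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def packing_indicators(pe: dict) -> list:
    """Step 6 heuristics: none alone proves packing, but together they justify a closer look."""
    hits = []
    for s in pe["sections"]:
        if s["name"] not in KNOWN_SECTION_NAMES:
            hits.append(f"non-standard section name {s['name']!r}")
        if s["entropy"] > 7.0:
            hits.append(f"high entropy {s['entropy']:.2f} in {s['name']}")
        if s["virtual_size"] > 4 * max(s["raw_size"], 1):
            hits.append(f"{s['name']} reserves {s['virtual_size']} bytes in memory for {s['raw_size']} on disk")
    return hits


def triage(data: bytes) -> dict:
    """One record with the answers to Steps 1, 3, 5, 6 and 7 for the given bytes."""
    pe = parse_pe(data)
    return {"file_type": f"PE ({pe['machine']})",
            "md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest(),
            "sections": pe["sections"],
            "strings": extract_strings(data),
            "packing_indicators": packing_indicators(pe)}


if __name__ == "__main__":
    for key, value in triage(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Run it against a real file by replacing build_sample_pe() with the file's bytes read in binary mode inside the analysis VM; the hashes it produces are what Step 4 searches for, and the section list is what Step 7 asks for.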



Activity 1: Basic Dynamic Analysis

Step 3:
Set up FakeNet on the FlareVM to direct all traffic to the Ubuntu VM.

Step 4:
Set up the required tools to capture the following information:
1. Actions performed by the malware on files and registry. Which tool would you use? ____process monitor____
2. List all changes made to the Windows registry. Which tool would you use? ____regshot____
3. Identify the process ID (pid) after running the malware. Which tool would you use? ___process explorer/process monitor_____

Step 5:
Start all the necessary tools, and run the malware.
• What is the PID of the malware? ____4304____
• Include a screenshot showing where you obtained this information.

By analyzing the network information, answer the following questions:



What protocol (if any) was used by the malware? HTTP, FTP
What source and destination port numbers were used by the malware? Source port __49710__, Destination port ___80___
• Include one or more screenshots showing where you got the information for the previous two questions.

Were you able to decipher the content of the network traffic sent out of the malware? no
What was the content of the traffic?
• Show the content in a screenshot.
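Steps 4 and 5 and the network questions above come down to filtering a Process Monitor capture by the malware's PID and reading off file writes, registry writes and TCP/UDP endpoints. The following Python script is an added example, not part of the assignment or of the student's worksheet: it parses a constructed Process Monitor CSV export (the rows, the process name, PID 4304, the TEST-NET address 192.0.2.10 and the paths are all made up for this example), summarises what that PID did, maps destination ports to the protocols they usually carry, and flags registry writes under a CurrentVersion\Run key, which is what a Regshot diff would show as persistence. The function names (parse_procmon, summarize_pid, persistence_hits) and the exact Detail strings are assumptions; real exports carry more columns and operations than these.

```python
import csv
import io
import re

# Constructed Process Monitor CSV export (same column layout as Procmon's CSV save); not a real capture.
PROCMON_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","sample.exe","4304","CreateFile","C:\Users\lab\AppData\Roaming\svc.dat","SUCCESS","Desired Access: Generic Write"
"10:01:02.2","sample.exe","4304","WriteFile","C:\Users\lab\AppData\Roaming\svc.dat","SUCCESS","Length: 4096"
"10:01:02.3","sample.exe","4304","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc","SUCCESS","Type: REG_SZ, Data: C:\Users\lab\AppData\Roaming\svc.dat"
"10:01:02.4","explorer.exe","1234","RegQueryValue","HKCU\Software\Classes\exefile","SUCCESS","Type: REG_SZ"
"10:01:02.5","sample.exe","4304","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services\Tcpip","SUCCESS","Type: REG_DWORD"
"10:01:02.6","sample.exe","4304","TCP Connect","LAB-PC:49710 -> 192.0.2.10:80","SUCCESS","Length: 0"
"10:01:02.7","sample.exe","4304","TCP Send","LAB-PC:49710 -> 192.0.2.10:80","SUCCESS","Length: 312"
"10:01:03.0","sample.exe","4304","TCP Connect","LAB-PC:49711 -> 192.0.2.10:21","SUCCESS","Length: 0"
'''

# Operations that change state on disk or in the registry (a subset; extend as needed).
FILE_WRITE_OPS = {"WriteFile", "SetDispositionInformationFile", "SetRenameInformationFile"}
REG_WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}
# Procmon renders network paths as "source:port -> destination:port".
NET_PATH = re.compile(r"^(?P<src>.+):(?P<sport>\d+) -> (?P<dst>.+):(?P<dport>\d+)$")
# Destination port is only a hint about the protocol; confirm it against the captured payload.
WELL_KNOWN_PORTS = {21: "FTP", 25: "SMTP", 53: "DNS", 80: "HTTP", 443: "HTTPS (TLS)"}


def parse_procmon(text: str) -> list:
    """Rows as dicts keyed by the CSV header (Time of Day, Process Name, PID, ...)."""
    return list(csv.DictReader(io.StringIO(text)))


def summarize_pid(rows: list, pid) -> dict:
    """File writes, registry writes and network endpoints for one PID (Steps 4 and 5)."""
    pid = str(pid)
    summary = {"file_writes": set(), "registry_writes": set(), "network": []}
    for row in rows:
        if row["PID"] != pid:
            continue
        op, path = row["Operation"], row["Path"]
        if op in FILE_WRITE_OPS or (op == "CreateFile" and "Generic Write" in row["Detail"]):
            summary["file_writes"].add(path)
        elif op in REG_WRITE_OPS:
            summary["registry_writes"].add(path)
        elif op.startswith(("TCP", "UDP")):
            m = NET_PATH.match(path)
            if m:
                dport = int(m["dport"])
                summary["network"].append({"op": op, "src_port": int(m["sport"]),
                                           "dst": m["dst"], "dst_port": dport,
                                           "protocol": WELL_KNOWN_PORTS.get(dport, "unknown")})
    return summary


def persistence_hits(summary: dict) -> list:
    """Registry writes under a CurrentVersion\\Run key: the classic autostart location."""
    return sorted(p for p in summary["registry_writes"] if "\\currentversion\\run" in p.lower())


def protocols_used(summary: dict) -> list:
    """Distinct protocol guesses, for the 'what protocol was used' question."""
    return sorted({n["protocol"] for n in summary["network"]})


if __name__ == "__main__":
    s = summarize_pid(parse_procmon(PROCMON_CSV), 4304)
    print("file writes:", sorted(s["file_writes"]))
    print("registry writes:", sorted(s["registry_writes"]))
    print("persistence:", persistence_hits(s))
    print("protocols:", protocols_used(s))
    for n in s["network"]:
        print(f"{n['op']}: src port {n['src_port']} -> {n['dst']}:{n['dst_port']} ({n['protocol']})")
```

On a real capture, save the filtered Procmon view as CSV and pass the file contents to parse_procmon; the PID comes from Process Explorer or the Procmon Process Name column as in Step 5. Keep the port-to-protocol mapping as a hint only and confirm it against the payload seen in FakeNet or Wireshark.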
