1. Please define the obfuscation process in detail.
2. Using http://www.dependencywalker.com please explain the components involved within the .dll GetCurrentProcess.dll along with how the process works. Please provide a snapshot of your findings.
3. Answer the questions relating to Lab1-2:
Q: 1. Upload the Lab01-02.exe file to http://www.VirusTotal.com/ . Does it match any existing antivirus
definitions?
Q: 2. Are there any indications that this file is packed or obfuscated? If so, what are these
indicators? If the file is packed, unpack it if possible.
Q: 3. Do any imports hint at this programs functionality? If so, which imports are they
and what do they tell you?
Q: 4. What host-or network-based indicators could be used to identify this malware on infected
machines?
________________________________________
In this assignment, you will need to setup a virtualized environment. See the following:
https://www.osboxes.org
http://www.heaventools.com/download.html
https://www.fireeye.com/mandiant.html
https://www.wireshark.org/download.html
https://regshot.en.softonic.com
Please provide a complete writeup on how this malware could be installed on your machine. NOTE: You will need to disable any anti-virus protection as this contains live malware. It will not install onto your system.
Analyze the malware found in the file Lab03-02.dll using basic dynamic
analysis tools.
How can you get this malware to install itself?
How would you get this malware to run after installation?
How can you find the process under which this malware is running?
Which filters could you set in order to use procmon to glean information?
What are the malwares host-based indicators?
Are there any useful network-based signatures for this malware?
How could you prevent this type of malware from installing on your machine?
PLEASE COPY AND PASTE QUESTIONS IN DOCUMENT AND ANSER THEM ACCORDINGLY.
