Assignment 3

1. Please define the obfuscation process in detail.

2. Using http://www.dependencywalker.com please explain the components involved within the .dll GetCurrentProcess.dll along with how the process works. Please provide a snapshot of your findings.

3. Answer the questions relating to Lab1-2:

Q: 1. Upload the Lab01-02.exe file to http://www.VirusTotal.com/ . Does it match any existing antivirus

definitions? 

Q: 2. Are there any indications that this file is packed or obfuscated? If so, what are these

indicators? If the file is packed, unpack it if possible. 

Q: 3. Do any imports hint at this programs functionality? If so, which imports are they

and what do they tell you? 

Q: 4. What host-or network-based indicators could be used to identify this malware on infected

machines? 

________________________________________

In this assignment, you will need to setup a virtualized environment. See the following:

https://www.osboxes.org

http://www.heaventools.com/download.html

https://www.fireeye.com/mandiant.html

https://www.wireshark.org/download.html

https://regshot.en.softonic.com

Please provide a complete writeup on how this malware could be installed on your machine. NOTE: You will need to disable any anti-virus protection as this contains live malware. It will not install onto your system. 

Analyze the malware found in the file Lab03-02.dll using basic dynamic

analysis tools. 

How can you get this malware to install itself?

How would you get this malware to run after installation? 

How can you find the process under which this malware is running?

Which filters could you set in order to use procmon to glean information? 

What are the malwares host-based indicators? 

Are there any useful network-based signatures for this malware? 

How could you prevent this type of malware from installing on your machine?

PLEASE COPY AND PASTE QUESTIONS IN DOCUMENT AND ANSER THEM ACCORDINGLY.