Assignment title: Information
Software Reverse Engineering
Applied Reverse Engineering Analysis
Warning: Read this document carefully and in its entirety before commencing work on this assessment
Precautions
There is always risk associated with handling malware, so the following precautions must be taken when doing so.
• Malware must be downloaded directly into the REMnux virtual machine provided
• Malware must not be executed at any time unless within a contained debug environment
• Malware must not be marked executable or renamed to an executable extension at any time
• When transporting malware, it must always be contained within a password-protected and encrypted zip file
• Do not allow others to access malware samples provided to you
Disclaimer
By accessing the provided malware samples, you acknowledge the following:
• The University cannot be held liable for any adverse effects to any computer systems or for any loss or damage suffered as a result of malware samples or any other materials provided
• The malware samples provided are live and unmodified, and inappropriate handling could lead to infection of computer systems or other electronic devices
• You accept all responsibility for any adverse effects to any computer systems or for any loss or damage suffered
• Alternative assessment options are provided on request
Assignment Brief
This assignment requires that you demonstrate the practical use of the malware analysis techniques covered in this unit. PLEASE USE THE REMnux VIRTUAL MACHINE and appropriate tools (for example radare2, among others).
Once you have completed the quiz and been granted access to malware samples, you should contact your lecturer or tutor and request your allocation of malware samples. You will be assigned five malware samples. Of the five allocated, you must select two to be used in your assessment. You are encouraged to conduct a brief preliminary analysis of all allocated samples to inform your selection of samples. If you do not feel that your allocated samples are adequate, or there are any problems, please contact your lecturer or tutor as soon as possible for another allocation.
For each of the two selected malware samples, you must conduct an in-depth reverse engineering effort and write an analysis report. Your analysis report must consist of two major sections: the first details your findings resulting from the analysis, and the second is a running sheet documenting the steps and procedure undertaken to complete your analysis.
In conducting your analysis, you must complete both static and dynamic reverse engineering efforts.
Report Structure
• Cover Page
o Your name
o Your student number
o Unit code
o Tutor name
o Malware sample hash
o Malware sample size
• Part A: Findings
o Executive summary
o Identification of malware sample (if previously detected/named)
o Details of packing or obfuscation
o Details of architecture targeted by malware
o Details of malware behavior
▪ Network connections
▪ System modification
▪ Other actions undertaken
o Detection rules* and explanation for these rules
o Lessons learned during your analysis
• Part B: Running sheet
o Actions taken to conduct analysis
o Results observed for each action
*Note: There are specific requirements for detection rules:
• Detection rules must be provided in the following format(s)
o Yara
o Snort
o Suricata
o Regex on mutex
o Regex on AV detection
o Regex on filesystem change
o Regex on registry writes (set / create value)
o Regex on URL/URI requests
• Rules cannot be used in combination; each rule must be strong enough to stand on its own
• You may use any of the rule types listed above in your report
Marking Guide
The assignment is worth a total of 30 marks; each report is worth 15 marks. The following table shows the marking guide for each report.
Part     Item                                          Marks
Part A   Executive summary                             1
         Identification of sample                      1
         Details of packing/obfuscation                2
         Details of architecture targeted by malware   1
         Details of malware behavior                   3
         Detection and clean-up suggestions            1
         Lessons learned                               2
Part B   Actions adequately logged                     2
         Logical flow present                          1
         Observations align with actions               1
Malware Samples
A number of malware samples are available via Blackboard, in the same area as this assignment document. To access these samples, you must complete the malware handling quiz and score 100%. If you have any issues completing this quiz, or concerns about handling malware samples, please contact your lecturer or tutor.
ALL REFERENCES SHOULD FOLLOW THE APA STANDARD.