Below, the expert must be able to use Python and assembly language. They will have to be able to calculate PE file headers and use HIEW. It is a malware analysis lab. Below are two file documents: one is labelled "lab2-malware", which has the questions that need to be answered. The second file is a more in-depth version of the question document, showing bits and pieces of how to answer. I will also attach the relevant SharePoint upon getting an expert, which has the relevant programs and files needed to complete the lab.




Lab 2: Windows PE Files
ITSC 303: Malware Analysis

EVALUATION:
Question 1: 5 pts
Question 2: 4 pts
Question 3.1: 5 pts
Question 3.2: 3 pts
Question 3.3: 5 pts
Question 4.1: 16 pts
Question 4.2: 6 pts
Question 4.3: 6 pts
TOTAL MARK: 50 pts

1.0 Working with SHA-256 Hashes

1.1 Calculating SHA-256 Using sha256sum.exe
Questions:
1. Calculate the SHA-256 hash using the sha256sum.exe program. (1 pt)

1.2 Calculating SHA-256 Using Python
Questions:
1. Calculate the SHA-256 hash using the sha256sum.py script. (1 pt)
Note: A skeleton script for this section is provided in sha256sum.py.

1.3 Calculating SHA-256 Using Sysinternals
Questions:
1. Calculate the SHA-256 hash using the PowerShell cmdlet Get-FileHash. (1 pt)
2. What other algorithms are available when using the Get-FileHash cmdlet? (1 pt)

1.4 Other Programs to Calculate Hashes
Questions:
1. List 3 GUI programs that can calculate and display multiple hash types (MD5, SHA256, SHA384) for a file. (1 pt)

2.0 Working with Unknown Files

2.1 Classifying and Uniquely Identifying Files
Questions and tasks:
Complete the skeleton Python script, week_2_sec_2_1.py, so that it will: (4 pts)
1. Create directories for each file type and copy each file into its correct directory.
2. Rename each file to the format <SHA-256 hash>.bin. For example, if you determine that test_file.dat is a PNG file:
   a) Create a directory called png_samples.
   b) Calculate the SHA-256 hash of test_file.dat.
   c) Copy test_file.dat to the png_samples directory and rename it to <SHA-256 hash>.bin.
3. Submit your completed script and screenshot(s) showing the tree command before and after execution.
Notes:
· A number of files have been provided in the orig_samples directory, but many of the files have misleading or missing file extensions.
· To perform this task, use the information in Table 1.

3.0 Working with PE Files

3.1 Further Classifying PE Files
Questions and tasks:
Complete the skeleton Python script, week_2_sec_3_1.py, so that it will: (5 pts)
1. Further classify the files sorted in question 2 into the categories listed in Table 2.
   Note: A skeleton script for this section is provided in week_2_sec_3_1.py.
2. Using the information provided in the lab document, classify the files in the mz_samples directory by completing the following tasks:
   a. Read each file into memory.
   b. Read the little-endian DWORD value at offset 0x3c to determine the offset of the PE header.
   c. Ensure the PE header offset contains PE\x00\x00.
   d. Read the value of the WORD Machine from the PE header to determine whether the file is x86 or x64.
   e. Read the value of the WORD Characteristics from the PE header to determine whether the file is a DLL (bitwise AND the Characteristics value with the bitmask 0x2000). A non-zero result indicates that the file is a DLL.
   f. Once a classification has been made, move the file from the mz_samples directory to the appropriate directory defined in Table 2.
3. Submit the completed Python files and show a table with the classification of all the files in the mz_samples directory.

3.2 Classifying PE Files with pefile
Questions and tasks:
Complete the skeleton Python script, week_2_sec_3_2.py, so that it will: (3 pts)
· Further classify the files sorted in question 2 into the categories listed in Table 2.
  Note: A skeleton script for this section is provided in week_2_sec_3_2.py. The script makes use of the Python library pefile and is more efficient and accurate. Use the pefile module to further classify PE files by copying signed files into the signed_samples directory.
· You can determine whether a file is signed by looking at the directory table of the PE header. The Python classifier should take one command line argument specifying the directory to check.
  a. Run the classifier four times, once against each PE directory:
     > python week_2_sec_3_1.py exe_x86_samples/
     > python week_2_sec_3_1.py exe_x64_samples/
     > python week_2_sec_3_1.py dll_x86_samples/
     > python week_2_sec_3_1.py dll_x64_samples/
· Submit your completed code and screenshots showing the results of executing the Python script.

3.3 Viewing PE Signature Data
The files in the signed_samples directory have data in the Security directory of the PE header, indicating that they are signed. But are the signatures valid? Use the Sysinternals tool sigcheck.exe to check the files' PE signatures.
Questions and tasks:
1. Run sigcheck.exe on the signed_samples directory and show a screenshot of the execution: (1 pt)
   sigcheck.exe signed_samples\*
2. The sigcheck.exe utility reports two anomalies with the file. Of the two issues, which do you consider more serious? (1 pt)
3. Who is the signer of this sample? (1 pt)
4. Who is the Certificate Authority at the top of the certificate chain? (1 pt)
   Hint: Find certificate information by right-clicking the file in Windows Explorer and selecting Properties.
5. What could have caused this to happen to the certificate? (1 pt)

4.0 Examining a Malware Sample

4.1 Viewing Strings
Questions and tasks:
1. Run strings.exe on the file exe_x86_samples\9222bca9e7b00c8918c4ac6fb415c77239e88dc296269273056372d5034b0daf.bin and redirect the output to a text file to view the string data in Notepad.
1. Do the strings indicate that a Win32 API function may be imported that could launch additional programs or malware? If yes, list the API function name (or names). (2 pts)
2. Malware often manipulates the Windows registry to gain persistence on the system or make other changes. Are there any Win32 API function names listed related to manipulating the registry? If yes, list the API function name (or names). (2 pts)
3. Are there any strings that appear to be paths in the registry? If yes, list the paths and what they could be used for. (2 pts)
4. Malware often communicates with its command and control servers over the Internet. Are there any Win32 API function names listed related to communicating over the Internet? If yes, list the API function name (or names). (2 pts)
5. Are there any URLs in the sample? If yes, list the URL (or URLs). (2 pts)
6. List at least three interesting strings you haven't mentioned above. Don't include strings that are related to Win32 APIs. Briefly describe what each string could be used for. (3 pts)
   a) String 1:
   b) String 2:
   c) String 3:
7. Sometimes strings are obfuscated to hide the intention of the malware. To demonstrate this, run strings.exe again on the file exe_x86_samples\b7d400c1bdd73acfc0f9ce1f8c0bc657b5d806da6e32cfa54d746f4ece82c280.bin. (1 pt)
   > strings.exe -q exe_x86_samples\b7d400c1bdd73acfc0f9ce1f8c0bc657b5d806da6e32cfa54d746f4ece82c280.bin > b7d_strings.txt
8. Open the file b7d_strings.txt in Notepad and look at the extracted strings. What differences do you notice about the strings in this PE file compared to the last one? Based on the extracted strings, do you think this PE file can communicate with the Internet or manipulate the registry? (1 pt)
9. What do you think the malware author did to this PE file? (1 pt)

4.2 Using Hiew
Questions and tasks:
Use the lab document to open Hiew and the Far Manager. Answer the questions after following the instructions:
1. Notice that when you select the Import directory, Hiew takes you to address 0x0041c000. How is this address calculated? (1 pt)
2. Complete the following equation and briefly explain where each term came from. (1 pt)
   __________________ + __________________ = 0x0041c000
3. In what section would you expect executable code to be located? (1 pt)
4. What is interesting about the address of the .text section and the address of the entry point? (1 pt)
5. Now that you have viewed both the disassembled code at the entry point and the Import directory, in your estimation does this PE file appear to be packed? (1 pt)
6. Is the byte sequence 50 45 00 00 found? (1 pt)
   a. If yes, does it appear to be another PE header?
   b. If it looks like a second PE header is in the file, where in the file is it (give offset and/or section name)?

4.3 Using Resource Hacker
Questions and tasks:
Using Resource Hacker, navigate to and open the file 9222bca9e7b00c8918c4ac6fb415c77239e88dc296269273056372d5034b0daf.bin.
3. Manually look at all the resource tree nodes. What did you find? Did you notice anything suspicious, such as other files or high-entropy data? (2 pts)
4. Using Resource Hacker, open the file exe_x86_samples\943a7838f3eccc0984219642f533deaffb7b99e8c1d51157115bc87cf72aa80f.bin.
5. Again, manually inspect the resource tree. What is different from the previous file? What is suspicious in what you found? (2 pts)
6. Save the interesting resources as binary files by selecting the resource you want to save, selecting Action > Save Resource as a binary file, and then naming the file. Show a screenshot of the resulting file, including its file size and file type. (2 pts)

5.0 Optional Tasks (self-evaluation) – NO ASSOCIATED MARKS
If you have time left in the lab, examine files you haven't looked at in detail yet. For example, you could open up the file with very few strings in Hiew (e.g., exe_x86_samples\b7d400c1bdd73acfc0f9ce1f8c0bc657b5d806da6e32cfa54d746f4ece82c280.bin) and get a better sense of what is in the file. You could also identify all PE files that have an .rsrc section (using the Python pefile module) and then open them in Resource Hacker to determine whether there is any interesting data in the resources.
· Open the files using the PEStudio executable and determine whether you find the same information provided by Hiew or the other tools used in this lab.
· Try the programs CFF Explorer and PPEE.

© 2017, Southern Alberta Institute of Technology. All rights reserved. This publication and materials herein are protected by applicable intellectual property laws. Unauthorized reproduction and distribution of this publication in whole or part is prohibited. For more information, contact: Director, Centre for Instructional Technology and Development, Southern Alberta Institute of Technology, 1301 16 Ave. N.W., Calgary, AB T2M 0L4

Table of Contents
Lab Outcomes
Background Reading
Introduction
1.0 Working with SHA-256 Hashes
1.1 Calculating SHA-256 Using sha256sum.exe
1.2 Calculating SHA-256 Using Python
2.0 Working with Unknown Files
2.1 Classifying and Uniquely Identifying Files
3.0 Working with PE Files
3.1 Further Classifying PE Files
3.2 Classifying PE Files with pefile
3.3 Viewing PE Signature Data
4.0 Examining a Malware Sample
4.1 Viewing Strings
4.2 Using Hiew
4.3 Using Resource Hacker
5.0 Optional Tasks
References
Resources

Lab Outcomes
This lab will focus on the following outcomes:
· Calculate SHA-256 hashes using tools as well as Python.
· Classify unknown files based on file header information.
· Classify PE files based on PE file header information.
· Identify signed PE files and how to extract signing information.
· Extract strings from PE malware samples and reason about what the malware may do based on the extracted strings.
· Use Hiew to navigate and extract information from PE files.
· Use Resource Hacker to view and extract information from the .rsrc section of PE files.
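The header walk in section 3.1 (steps a to f) together with the Security data directory check from section 3.2, as an added example that is not part of the lab handout or its skeleton scripts. It uses only the Python standard library instead of pefile; the directory names follow the four listed in 3.2, and the images it classifies are constructed header-only byte strings rather than the lab's mz_samples files.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_DLL = 0x2000              # Characteristics bit tested in step 2.e
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode data directory used in section 3.2

def classify_pe(data: bytes):
    """Return (arch, kind, signed) for a PE image held in memory, or None if it is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)          # step 2.b: little-endian e_lfanew
    if pe_off + 24 > len(data) or data[pe_off:pe_off + 4] != b"PE\x00\x00":
        return None                                             # step 2.c: signature check
    machine, *_, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)  # IMAGE_FILE_HEADER
    arch = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}.get(machine, "other")  # 2.d
    kind = "dll" if chars & IMAGE_FILE_DLL else "exe"                                                # 2.e
    return arch, kind, has_security_directory(data, pe_off + 24, opt_size)

def has_security_directory(data: bytes, opt_off: int, opt_size: int) -> bool:
    """True when DataDirectory[SECURITY] is non-empty; PE32 and PE32+ place the table at different offsets."""
    if opt_size < 2 or opt_off + opt_size > len(data):
        return False
    (magic,) = struct.unpack_from("<H", data, opt_off)
    layout = {0x10B: (92, 96), 0x20B: (108, 112)}.get(magic)   # (NumberOfRvaAndSizes, DataDirectory) offsets
    if layout is None:
        return False
    count_off, dir_off = layout
    entry = opt_off + dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    if entry + 8 > opt_off + opt_size:                          # table truncated by SizeOfOptionalHeader
        return False
    (num_dirs,) = struct.unpack_from("<I", data, opt_off + count_off)
    va, size = struct.unpack_from("<II", data, entry)
    return num_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY and va != 0 and size != 0

def target_dir(arch: str, kind: str) -> str:   # destination for step 2.f, names taken from section 3.2
    return f"{kind}_{arch}_samples" if arch in ("x86", "x64") else "unknown_samples"

def build_sample(machine: int, chars: int, magic: int, signed: bool) -> bytes:
    """Constructed header-only PE image for offline testing (test data, not a real program)."""
    opt_size, (count_off, dir_off) = (224, (92, 96)) if magic == 0x10B else (240, (108, 112))
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<I", opt, count_off, 16)                  # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, dir_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if signed else 0, 0x200 if signed else 0)
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew: PE header starts at 0x40
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, chars)
    return bytes(dos) + b"PE\x00\x00" + file_hdr + bytes(opt)
```

For the real lab files, read each file with open(path, "rb").read(), pass it to classify_pe, and shutil.move it into target_dir(arch, kind); the Security directory only tells you a signature blob is present, which is why 3.3 still validates it with sigcheck.exe.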
Answered 5 days after Sep 28, 2022

Jahir Abbas answered on Oct 04 2022