SANS Internet Storm Center
Pedro's Malware Analysis Quizzes
Quiz VII |
Yes, we are back!! :) I hope that the gap between the last quiz and this one was used to practice your analysis skills! ;-) This time our heroes from the Incident Response Team are in big trouble... A strange application was found on a computer, and it was connected to the IP address 195.68.221.221. Unfortunately the person who called the IR team killed the application before the team arrived, so we don't have much more info. Your mission, if you decide to accept it, is to answer the questions regarding the following malware:

BEFORE CONTINUING, PLEASE READ THIS DISCLAIMER! The following file is a REAL piece of MALWARE! If you decide to go further, please note that I WILL NOT be responsible for any damage it may cause to your system!

MD5SUM: baf2c080af23a34ead140d3c891e3be5 *quizmal.zip (password: infected)

Questions:
1) Is this malware packed? If so, with which packer?
2) What is the purpose of this malware?
3) Does it connect to a remote server? For what purpose?
4) Which channels does it connect to?
5) Can you get any passwords related to this malware? (Not the "infected" password) :)
6) Which capabilities does this malware have?
Bonus question:
7) What is the hidden message? (if there is any...) :)

Please send your answers in PDF format to pbueno //&&// isc .sans .org by November 30th!! Don't forget to describe the process used in your analysis!! Good luck!
UPDATED: Jan 25th!
First I would like to thank all those who participated in this quiz! This quiz is special because it shows real-world techniques that are used by some malware writers... First place goes to Balazs Attila-Mihaly (Cd-MaN): short, good explanation, and got all points (and didn't need a sacrificial machine)! As an extra, he included the source code of the memory dumper that he wrote in Pascal.
The other three in the top four are:
· Adam Loveless: interesting usage of rootkit techniques for malware analysis
· Fernando Amatte: nice approach and good environment explanation!
· Zach Jansen: shows the usage of some VM-thwarting techniques to get it running!
Guys, I have only one word for all of you: Congratulations! You showed that we can always find a way to analyze a piece of malware, no matter how it was created!
Stay tuned for Malware Analysis Quiz 8!! Soon! Pedro Bueno (pbueno //&&// isc .sans .org)
