Malware Assignment
Mohammad Mahdi 24233097
Malware Lab 1
Question 1: What type of malware file it is?
Answer: The file is a Windows PE32 executable (GUI subsystem) built for the .NET runtime; its CLR header references runtime version v4.0.30319, i.e. .NET Framework 4.x. Antivirus engines classify it as malware, most likely a trojan or a potentially unwanted program (PUP). Because .NET assemblies compile to CIL rather than native code, they are cheap to produce and to obfuscate and can be decompiled almost back to source, which is one reason the platform is common in malicious loaders, droppers and auto-clicker tools. Several indicators point to malicious intent: the file is unsigned; it carries deceptive names such as "CorelInstaller.exe", "EasyDraw.exe" and "redwood_autoclicker.exe"; and its PE compilation timestamp falls in the year 2038, which cannot be a real build date. A future timestamp usually means the field was altered to hinder timeline analysis, but .NET compilers producing deterministic builds also write a content hash into this field, so the timestamp on its own is weak evidence and should be weighed together with the other indicators. Taken together, these characteristics make it highly likely that the file is malicious.
Question 2: Please specify what family this malware belongs to according to most antivirus engines.
Answer: Most engines label the file with the family names "Bobik" and "MSIL/Heracles". The MSIL prefix marks the sample as a .NET (Microsoft Intermediate Language) binary, and both labels are applied to .NET trojans that are frequently associated with spyware and remote-access functionality. These names are vendor detection labels rather than a single identified toolkit: the fact that a wide range of engines converge on Bobik and MSIL/Heracles tells us the sample's code signatures and observed behaviour match known .NET trojan families.
Question 3: Specify at least two names under which this file has been submitted in the wild.
Answer:
Question 4: Specify what sections are provided by VirusTotal, e.g., Name, Virtual address, size,
Entropy, hash, etc.
Answer:
Question 5: What section specifies the highest entropy?
Answer: The .text section has the highest entropy, 6.32 bits per byte. That value is consistent with compiled code and .NET metadata rather than with packing or encryption, which normally push a section well above 7 and toward the maximum of 8, so the entropy reading does not by itself indicate that the sample is packed.
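The two checks used in Questions 1 and 5, reading the PE compilation timestamp and finding the section with the highest entropy, are straightforward to reproduce without VirusTotal. The following is an added example, not part of the lab file or of VirusTotal's output: it parses a PE section table with the standard library only, computes Shannon entropy per section, and judges the COFF timestamp. The PE image it analyses is constructed in code (two sections, no real machine code) so the script runs offline; the 7.2 packing threshold is a rule of thumb, not a fixed standard.

```python
"""Added example: PE section entropy and timestamp sanity check (constructed input)."""
import datetime as dt
import math
import struct

# Rough reading guide for 8-bit Shannon entropy (0.0 .. 8.0 bits/byte):
#   < 1.0 mostly padding or zeros; ~4.5-6.5 compiled code and metadata;
#   > ~7.2 compressed, packed or encrypted data. Heuristic, not a hard rule.
PACKED_THRESHOLD = 7.2


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; 0.0 for empty input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe_sections(pe: bytes):
    """Return (coff_timestamp, [section dicts]) from raw PE bytes."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, coff)
    sec_table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        # First 24 bytes of each 40-byte section header are enough here.
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", pe, sec_table + 40 * i)
        data = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(data), 2),
        })
    return timestamp, sections


def highest_entropy_section(sections) -> dict:
    return max(sections, key=lambda s: s["entropy"])


def is_likely_packed(section) -> bool:
    return section["entropy"] > PACKED_THRESHOLD


def timestamp_verdict(ts: int, now=None) -> tuple:
    """ISO date decoded from the COFF timestamp plus a verdict string."""
    now = now or dt.datetime.now(dt.timezone.utc)
    when = dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc) + dt.timedelta(seconds=ts)
    if when <= now:
        return when.isoformat(), "plausible"
    if ts & 0x80000000:
        # Roslyn deterministic builds store a content hash with the high bit set,
        # which always decodes to a date after 2038-01-19, so this is weak evidence.
        return when.isoformat(), "future: tampered, or a .NET deterministic build"
    return when.isoformat(), "future: likely tampered"


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image (no real code) for the demo."""
    def section_header(name, vsize, vaddr, raw_size, raw_ptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, raw_size, raw_ptr,
                           0, 0, 0, 0, 0x60000020)

    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    opt_size = 0xE0                                        # PE32 optional header size
    text = bytes((i * 73) & 0x3F for i in range(4096))     # 64 symbols -> entropy 6.0
    rsrc = b"\0" * 768 + b"\xff" * 256                     # skewed -> entropy 0.81
    text_ptr = 0x200
    rsrc_ptr = text_ptr + len(text)
    # TimeDateStamp 0x80001234 decodes to January 2038, like the lab sample.
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x80001234, 0, 0, opt_size, 0x0102)
    headers = (section_header(b".text", len(text), 0x2000, len(text), text_ptr)
               + section_header(b".rsrc", len(rsrc), 0x4000, len(rsrc), rsrc_ptr))
    image = bytearray(dos + b"PE\0\0" + coff + bytes(opt_size) + headers)
    image += bytes(text_ptr - len(image))                  # pad to first raw section
    image += text + rsrc
    return bytes(image)


if __name__ == "__main__":
    ts, secs = parse_pe_sections(build_sample_pe())
    print("timestamp:", *timestamp_verdict(ts))
    for s in secs:
        print(f"{s['name']:<8} VA=0x{s['virtual_address']:X} raw={s['raw_size']} "
              f"entropy={s['entropy']} packed={is_likely_packed(s)}")
    print("highest entropy:", highest_entropy_section(secs)["name"])
```

To run it against a real file, replace `build_sample_pe()` with the bytes read from disk; the parser only needs the DOS stub, COFF header and section table, so it works on .NET and native PE files alike.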
Question 6: What type of graph is it? Write down the basic properties of the malware.
Answer:
The graph is a VirusTotal relationship graph: a node-and-edge view that links the sample to the domains and IP addresses it contacted, the files it dropped, and the bundled or parent executables it is associated with. Reading the graph together with the summary panel gives the sample's basic properties. It is a .NET based PE32 Windows executable (Win32 EXE) of 420 KB, built against .NET runtime v4.0.30319 (.NET Framework 4.x). It has been flagged as malicious by 56 of 73 antivirus engines and is most commonly labelled Bobik or MSIL/Heracles. The file is not digitally signed, and its compilation timestamp falls in the year 2038, which is not a real build date and indicates either a tampered header or a deterministic .NET build that stores a hash in that field. It communicates with multiple IP addresses, several geolocated to the United States and Russia; geolocation alone proves nothing, but outbound connections from a trojan are consistent with command and control or data exfiltration and should be checked against the process that opened them. During execution it drops numerous files and interacts with bundled XML and DLL components, a structure consistent with a multi-stage loader or a persistence mechanism. Because the sample is a managed .NET assembly, it can be decompiled to near-source, which is the quickest way to confirm whether the trojan and spyware behaviours implied by the labels are actually present.
Question 7: Now click on the behaviour tab and provide MITRE ATT&CK Tactics and Techniques
highlighted by sandboxes.
Answer:
Question 8: Write down the behavioural similarity hashes reported by the sandboxes.
Answer:
Question 9: Check Network Communication and explain what dns.msftncsi.com and others ending in
phicdn.net are being used for.
Answer: The network communication section shows that during analysis the system contacted several domains, including dns.msftncsi.com and fp2e7a.wpc.phicdn.net.
dns.msftncsi.com is a legitimate Microsoft domain used by the Windows Network Connectivity Status Indicator (NCSI) service to determine whether the machine has internet access. Every Windows VM performs this probe on its own, so in a sandbox report it is usually background noise from the operating system rather than activity of the sample. It becomes interesting only if the sample's own process performs the lookup, which would indicate the malware verifying that it is online before proceeding, for example before downloading a payload or contacting a command and control (C2) server.
Domains ending in phicdn.net (for example fp2e7a.wpc.phicdn.net) belong to content delivery network (CDN) infrastructure that Microsoft uses to distribute updates and other content. This traffic is also normally generated by Windows itself in the sandbox. Malware does sometimes hide downloads behind legitimate-looking CDN hostnames, so the contact cannot be dismissed outright, but before concluding that the sample fetched resources this way the report should be checked for which process opened the connection and what was requested. Without that attribution, the phicdn.net traffic is most plausibly operating system activity.
Question 10: Revisit your network security module and explain the IP ports used by malware in IP
traffic.
Answer: The report shows traffic over several TCP and UDP ports. TCP port 80 carries unencrypted HTTP and TCP port 443 carries HTTPS; a trojan uses these to download additional payloads or to talk to command and control (C2) servers because the traffic blends in with ordinary web browsing. TCP port 9000 is not a standard service port; a connection there from the sample's process is the most suspicious item in the list and is consistent with a custom C2 channel, so the destination and the owning process should be examined. UDP port 53 is DNS, which the malware may use to resolve C2 domains at runtime, but it is also used constantly by Windows itself. UDP ports 137 and 138 are the NetBIOS name and datagram services; Windows broadcasts on these by default, so they normally represent operating system chatter rather than the sample's activity, and only NetBIOS traffic originating from the sample's process would indicate local network discovery or lateral movement. The multicast address 224.0.0.22 is the IGMPv3 all-routers group, to which every IGMP-enabled host sends membership reports; it is routine network housekeeping, not an attempt to scan or interact with other systems. Separating this background traffic from the sample's own connections leaves the HTTP, HTTPS and TCP/9000 connections as the activity that actually characterises the malware's communication and control.
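The same attribution question arises in Questions 9 and 10: which of the reported DNS lookups, ports and multicast packets belong to the sample, and which are ordinary Windows chatter? The following is an added triage example, not code from the lab or from VirusTotal. The sandbox events are constructed to mirror the report discussed above; the destination addresses use RFC 5737 documentation ranges, the owning process of each event is an assumption (real reports attribute connections to a PID or image name), and the domain list only covers the two families of hostnames discussed here.

```python
"""Added example: triage of sandbox network events (constructed input)."""
import ipaddress
from collections import Counter

# Hostname suffixes that a stock Windows VM contacts on its own (assumption: the
# list is limited to the domains discussed in the report).
WINDOWS_BACKGROUND_DOMAINS = {
    "msftncsi.com": "Windows NCSI connectivity probe",
    "phicdn.net": "CDN edge used by Microsoft to distribute updates and content",
}
IGMP_ALL_ROUTERS = ipaddress.ip_address("224.0.0.22")   # IGMPv3 membership reports
NETBIOS_PORTS = {137, 138}                               # name / datagram service
WELL_KNOWN = {53: "DNS", 80: "HTTP", 443: "HTTPS"}
SAMPLE_PROCESS = "redwood_autoclicker.exe"               # assumed image name of the sample

# Constructed events: protocol, destination, port, owning process, optional DNS query.
SAMPLE_EVENTS = [
    {"proto": "udp", "dst": "10.0.2.3", "port": 53, "process": SAMPLE_PROCESS, "query": "dns.msftncsi.com"},
    {"proto": "udp", "dst": "10.0.2.3", "port": 53, "process": "svchost.exe", "query": "fp2e7a.wpc.phicdn.net"},
    {"proto": "tcp", "dst": "203.0.113.10", "port": 443, "process": SAMPLE_PROCESS},
    {"proto": "tcp", "dst": "198.51.100.7", "port": 80, "process": "svchost.exe"},
    {"proto": "tcp", "dst": "192.0.2.25", "port": 9000, "process": SAMPLE_PROCESS},
    {"proto": "udp", "dst": "10.0.2.255", "port": 137, "process": "System"},
    {"proto": "udp", "dst": "10.0.2.255", "port": 138, "process": "System"},
    {"proto": "igmp", "dst": "224.0.0.22", "port": None, "process": "System"},
]


def background_domain(query: str):
    """Return the description of a known Windows background domain, else None."""
    for suffix, what in WINDOWS_BACKGROUND_DOMAINS.items():
        if query == suffix or query.endswith("." + suffix):
            return what
    return None


def describe(ev) -> str:
    """Protocol-level explanation of one event, independent of who sent it."""
    dst = ipaddress.ip_address(ev["dst"])
    query = ev.get("query")
    if query:
        what = background_domain(query)
        return f"DNS lookup of {query}" + (f" ({what})" if what else "")
    if dst == IGMP_ALL_ROUTERS:
        return "IGMPv3 membership report to 224.0.0.22; every IGMP host sends these, not a scan"
    if dst.is_multicast:
        return f"multicast to {dst}"
    if ev["proto"] == "udp" and ev["port"] in NETBIOS_PORTS:
        kind = "name" if ev["port"] == 137 else "datagram"
        return f"NetBIOS {kind} service to {dst}; Windows broadcasts this by default"
    svc = WELL_KNOWN.get(ev["port"])
    if svc:
        return f"{svc} to {dst}; blends with normal traffic, pivot on the destination"
    return f"non-standard {ev['proto'].upper()}/{ev['port']} to {dst}; possible custom C2 channel"


def is_windows_background(ev) -> bool:
    """True for traffic a clean Windows VM generates without any sample running."""
    dst = ipaddress.ip_address(ev["dst"])
    query = ev.get("query")
    if query:
        return background_domain(query) is not None
    if dst == IGMP_ALL_ROUTERS:
        return True
    return ev["proto"] == "udp" and ev["port"] in NETBIOS_PORTS and dst.is_private


def classify(ev, sample_process=SAMPLE_PROCESS):
    """Return (category, description). Anything the sample's own process did is
    'review' even if the destination looks benign; known OS chatter from other
    processes is 'os-noise'; the rest stays 'unattributed' until the report
    shows which process opened it."""
    if ev["process"].lower() == sample_process.lower():
        return "review", describe(ev)
    if is_windows_background(ev):
        return "os-noise", describe(ev)
    return "unattributed", describe(ev)


def triage(events, sample_process=SAMPLE_PROCESS):
    return [(classify(ev, sample_process), ev) for ev in events]


def needs_review(events, sample_process=SAMPLE_PROCESS):
    return [ev for (cat, _), ev in triage(events, sample_process) if cat == "review"]


def category_counts(events, sample_process=SAMPLE_PROCESS) -> dict:
    return dict(Counter(cat for (cat, _), _ in triage(events, sample_process)))


if __name__ == "__main__":
    for (cat, text), ev in triage(SAMPLE_EVENTS):
        print(f"{cat:<13} {ev['process']:<24} {text}")
```

On the constructed input the filter leaves three events for review: the NCSI lookup made by the sample itself (an online check before further activity), the HTTPS connection, and the TCP/9000 connection, while the IGMP report, the NetBIOS broadcasts and the svchost.exe CDN lookup are set aside as operating system noise. The rule that the sample's own traffic is never auto-suppressed is deliberate: a benign-looking destination contacted by the malware is exactly the kind of indicator that should be examined.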