Background
You work as a SOC analyst for a remote facility of a large corporate finance organization. An individual you support has just reported a problem with their system. Your task is to analyze the attack and collect as much information as you can to describe what type of attack occurred, and to identify the specific aspects of the attack that can be used to characterize it. Use the techniques you learned in the previous lab assignment when reviewing both the attack as it took place and the analysis process that was used. First, review the following video and perform the exercise it asks of you. Make sure you take good notes; they will be helpful for the quiz portion of the assignment.
Now that you have reviewed the attack as it took place and some of the analysis process that was used, answer the following questions about the attack and the course of action required to analyze a specific threat.
Outcomes
I hope you found the above exercise interesting and informative, and that you noticed it acts as an introduction to another course you will be able to take in the future, Malware Analysis and Reverse Engineering. After completing this assignment, you should have a better feel for how analysis is performed, and for how the observations made are mapped to the STIX objects we have been learning about and the relationships between them. This should aid you when working on your final report. I also hope you noticed how virtualization was used again, this time to create a safe environment in which to run the “sample” malware. Virtualization is a powerful tool that underpins many of the analyst tools used within this environment. Additional tools used in the example allowed you to examine tasks and registry key entries. The combination of these tools, forensic tools, and of course a good Security Information Sharing tool is key to the analysis and reporting of incidents.
Question 1 (3 pts)
The type of system used was which of the following?
Answer choices:
Developer System
Personal System
Researcher System
Server System
Question 2 (3 pts)
The Windows operating system used was a standard end-user licensed system.
Answer choices: True / False
Question 3 (3 pts)
What “OS Version:” of the operating system is used? Provide the version as listed in the desktop background page.
Question 4 (3 pts)
What is the “Service Pack:” version used? Provide the version as listed in the desktop background page.
Question 5 (3 pts)
What is the “User Name:” used on this system? Provide the name as listed in the desktop background page.
Question 6 (3 pts)
What is the “Password:” used on this system? Provide the password as listed in the desktop background page.
Question 7 (3 pts)
What is the “Host Name:” used on this system? Provide the Host Name as listed in the desktop background page.
Question 8 (3 pts)
What is the slmgr command to extend the trial period for the version of the operating system we are using?
Question 9 (3 pts)
Analysts use snapshots so that they can go back to a known good state. Using the VMware Snapshot Manager, what is our current “start” location before we perform our analysis?
Question 10 (3 pts)
What is the location, device and directory path, of the malware we are running?
Question 11 (3 pts)
What is the filename of the malware that we will run? Only provide the filename and not the directory specification.
Question 12 (3 pts)
What is the password commonly used to compress and encode malware so it can be shared without worry of being detected/deleted or invoked accidentally?
Question 13 (3 pts)
What is the name of the tool used to monitor the malware to see what operations it is performing?
Question 14 (3 pts)
What operation in the monitoring tool do we use to start recording all system activity? Provide the one word/feature used.
Question 15 (3 pts)
When we launch malware, what do we call this action? Provide the one word used to describe this operation.
Question 16 (3 pts)
What standard system tool do we use to determine why the system is running slow? Provide the name of the tool as it appears in the application title bar.
Question 17 (3 pts)
What is the name of the process that is taking up the majority of the CPU resources?
Question 18 (4 pts)
The malicious software creates/modifies which of the following:
Answer choices:
New Files
Desktop Background
Personal Files
Registry
System Files
Question 19 (3 pts)
What is being asked for to “decrypt” our files? How much do we need to send, and in what denomination? Only enter the value amount in bitcoin.
Question 20 (3 pts)
How many days before the payment will be raised?
Question 21 (3 pts)
How many days before the files will be lost (destroyed)?
Question 22 (5 pts)
What is the bitcoin address the money needs to be sent to? You can enter the full address or use the abbreviation
123456…abcdef
NOTE: There are three “.” (periods) separating each set of characters.
Question 23 (3 pts)
When using the monitoring tool, what two high-level attributes did we filter on?
Question 24 (4 pts)
List 4 operations that were observed for the MysteryMalware process. Use the “Operation” column and ignore any operations that include a “…”.
Answer choices:
CreateFile
CloseFile
WriteFile
RegOpenKey
Process Create
ProcessCreate
QuerySecurityFile
Question 25 (5 pts)
What is the name of the file/executable that is created and then invoked as a process? Provide just the filename.
Question 26 (3 pts)
We did not find a reference to one of my files, “Bill”; this may mean we do not have all events logged from the MysteryMalware process.
Answer choices: True / False
Question 27 (3 pts)
A new registry key was created during this attack.
Answer choices: True / False
Question 28 (3 pts)
What version of the Wanna Decrypt0r is being used?
Question 29 (3 pts)
What is the only file in the “Documents” directory that is not encrypted?
Question 30 (3 pts)
What is the extension used on all the encrypted files?
Question 31 (4 pts)
What VMware virtual image snapshot is used to restore the image to a “clean” state?