08: Group Presentation
Description
This week you will form groups to reverse engineer real-world malware samples. Your group will be expected to prepare a short (10-15 minute) presentation to be given in two weeks during class (next week we’ll be covering more malware topics). The presentation will be your midterm. To be assigned your sample, first form a group of 3-4 students. Feel free to use the Discord to find group members. Then send a Discord message or email to the instructors with the names of your group members. We will respond with a sample for your group to analyze.
People tab when viewing this class on ELMS.
Samples
Warning
These are real, potentially live malware samples for your midterm report.
PLEASE BE CAREFUL WITH THEM!
All zip files are password protected. Reach out to the instructors for the password.
| Group | Sample |
|---|---|
| Group 1 | Sample 1 |
| Group 2 | Sample 2 |
| Group 3 | Sample 3 |
| Group 4 | Sample 4 |
| Group 5 | Sample 5 |
| Group 6 | Sample 6 |
| Group 7 | Sample 7 |
Presentation
Prepare a 10-15 minute presentation with your group about your sample. It should summarize your analysis, with any background information and context necessary to help the class understand your results. At a minimum, it should answer the following questions (does not need to be in this order):
Research Previous Work
- Look for information about this malware type from other researchers and give a summary in your presentation.
- You may use VirusTotal to get you started.
- What type of malware is it and what family does it belong to?
- What indicators of compromise (IOCs) are there for this sample?
Initial Triage
- Explain high level details about this sample from binaryninja’s triage summary.
- What imports, exports, and strings does the malware contain?
- Does anything seem interesting or malicious?
- Provide hashes (MD5 and SHA256) of the file and ways to potentially identify this type of malware.
- Provide a time frame for when this malware was active based on when this binary was compiled.
- Is it still active?
Network & System Analysis
- How does this sample interact with the network?
- Can you find hard-coded URLs or IP addresses?
- Monitor for suspicious requests with Wireshark.
- How does this sample interact with the operating system?
- Does it look for specific files or access Windows registry keys?
- Does the behavior include additional payloads, process injection or persistence mechanisms?
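The triage items above (file hashes, embedded strings, compile timestamp) and the hard-coded URL/IP question from the network section can be answered with a small script before opening the sample in a disassembler. The following is an added example, not course material; it runs on a constructed PE-shaped byte string (SAMPLE) so it works offline, and the TLD list in the domain regex is an assumption to extend for your own sample.

```python
import hashlib
import re
import struct
from datetime import datetime, timezone

# Constructed stand-in for a sample: MZ header, e_lfanew at 0x3C pointing to
# "PE\0\0", a COFF header with a TimeDateStamp, then a few embedded strings.
_coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x5E0BE100, 0, 0, 0, 0x102)
SAMPLE = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
          + b"PE\x00\x00" + _coff
          + b"kernel32.dll\x00CreateRemoteThread\x00"
          b"http://203.0.113.7/gate.php\x00x\x00update.example.net\x00")


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA256 hex digests: the identifiers you list as IOCs."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def compile_timestamp(data: bytes):
    """COFF TimeDateStamp as UTC, or None if the PE header is missing/invalid.
    The field is writable by whoever built the binary, so treat it as a hint."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 12 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]  # Machine(2)+NumSections(2) precede it
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def printable_strings(data: bytes, min_len: int = 6) -> list:
    """Equivalent of `strings`: runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def network_indicators(strings) -> list:
    """URLs, IPv4 addresses and hostnames to watch for in the Wireshark capture.
    Assumed TLD list; widen it for your sample."""
    pat = re.compile(r"https?://[^\s\"']+"
                     r"|\b(?:\d{1,3}\.){3}\d{1,3}\b"
                     r"|\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|ru|info|xyz|io)\b", re.I)
    return sorted({m.group() for s in strings for m in pat.finditer(s)})


def triage(data: bytes) -> dict:
    """One-shot summary for the Initial Triage slide."""
    strings = printable_strings(data)
    ts = compile_timestamp(data)
    return {**file_hashes(data), "compiled": ts.isoformat() if ts else None,
            "strings": strings, "network": network_indicators(strings)}
```

Run `triage(open(path, "rb").read())` on your extracted sample; compare the `compiled` value with the dates in your background research rather than trusting it alone.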
Demonstrate Reversing Skills
- Demonstrate use of reversing tools learned in class (such as binaryninja and windbg) to understand what this sample does.
- We do not expect you to completely reverse the entire program. Try to focus on an interesting function or two and explain why you chose them in your presentation.
- Do you see evidence of any indicators you found in your initial research?
- If not explain how your sample is different or what you might have expected to see.
- Show static and dynamic analysis workflows for understanding your sample’s behavior.
- If you encountered any challenges explain how you addressed them or how you might overcome them with more time/resources.
Rubric (20 pts)
| Item | Points | Percentage | Description |
|---|---|---|---|
| Research Previous Work | 2 pts | 10 % | Research information about your sample online. |
| Initial Triage | 3 pts | 15 % | Provide an overview of your malware sample and indicators of compromise (IOCs). |
| Network & System Analysis | 6 pts | 30 % | Show a high level understanding of this sample and how it interacts with the operating system. |
| Demonstrate Reversing Skills | 6 pts | 30 % | Show a deeper analysis of your sample by reverse engineering it. |
| Presentation Quality | 3 pts | 15 % | Clarity and comprehensiveness of your presentation. |