Project 2 - Ninja vs Evil Corp

Description

This assignment is focused on the analysis of a Linux application that we suspect to be malicious. We want to know exactly what its purpose is and how it works.

Consider the application to be MALICIOUS. In order to analyze it, NEVER install it on a device with personal data, and ALWAYS use some form of isolation. Do not enter personal data!

The application can be found HERE

The Ninja vs Evil Corp application

This seems to be a Linux application, found on a device running the latest Kali Linux and used by a local security researcher. It presents a very interesting game named Ninja vs Evil Corp, but everyone is unaware of its actual purpose and capabilities. Most importantly, we do not know what the impact to the organization is (if any). If the application is present on other devices, we are also unaware of how it can be detected. For now, we know that standard anti-virus products are not flagging it as malicious.

The purpose of this assignment is to gather as much knowledge as possible regarding the true purpose of the application, the techniques in use and the relevant indicators, and to present this information in a structured report.

The following aspects should be covered:

  • characterization of the main logic blocks/processes/activities of the application, with focus on the ones potentially responsible for malicious behavior
  • characterization of the APIs, communication methods, and message structure used for malicious purposes
  • analysis of further payloads
  • identification of potential issues and impact to users

The output should be composed of a report and a series of files, code snippets and related documentation supporting the report. If the students allow it, the reports will be made available in a public GitHub repository; for this purpose, it is advised to use Markdown. We hope that, with your knowledge, we can help others who were victims of this malware.

In the end, someone reading the report should have information about the overall structure of the application, how the main malicious functionalities are implemented, what the impact is to users and to an organization, which indicators of compromise can be used (IP addresses, file hashes, domains), and what the general operation of the attack is.

Please follow this structure:

  • Executive summary
  • Background
  • Static analysis
  • Behavioral Analysis
  • Code Analysis
  • Analysis summary

The difference between the two summaries is that the first will be read by our C-level, while the last is a technical summary for your peers.

For an example, check this resource

Rules

The use of automated tools to scan the application is accepted. However, grading will focus on your work, your strategy, and your analysis, not on the raw results. Describe the processes you followed, the suspicions you may have, and your conclusions; list the tools you used and justify their use.

This project is expected to be authored by the students enrolled in the course. The use of existing code snippets, applications, or any other external functional element without proper acknowledgement is strictly forbidden. If any content lacking proper acknowledgement is found in other sources, the current rules regarding plagiarism will be followed.

References and tools