Description
This assignment is focused on the analysis of one common Delphi malware. We want to know exactly what its purpose is, how it works, and how it can be detected on our systems and networks. The objective is not to fully reverse engineer the application.
Consider the application as being MALICIOUS. In order to analyze this application, NEVER install it on a real system, and ALWAYS use a Virtual Machine! Erase the virtual machine after execution. Do not enter personal data on it after detonation.
We recommend the use of FlareVM, an environment made available by Mandiant.
The Malware
The malware, found here, consists of a full chain recorded by our teams.
The following aspects should be covered:
- characterization of the main logic blocks/processes/activities of the malware, with focus on the ones responsible for malicious behavior
- characterization of the APIs, communication methods, and message structure used for malicious purpose
- analysis of further payloads
- identification of potential issues and impact to users
The output should be composed of a report and a series of files, code snippets and related documentation supporting the report. If the students allow it, after grading, the reports may be made available in a public GitHub repository, as they may benefit the community. For this purpose, it is advised to use Markdown. We hope that, with your knowledge, we can help others who were victims of this malware.
In the end, someone reading the report should have information about the overall structure of the malware, how the main malicious functionalities are implemented, what is the impact to users and to an organization, which indicators of compromise can be used (IP addresses, file hashes, domains), and what is the general operation of the attack.
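As an added illustration of the "static analysis" and "indicators of compromise" parts of the report (this is example code written for this brief, not part of the assignment material or of any tool listed below), the script hashes a sample, lists its printable strings, applies a Delphi heuristic, and pulls out IP addresses, URLs and domains. The sample bytes and every indicator in them are constructed placeholders, not values from the real malware.

```python
import hashlib
import re
from typing import Dict, List

# Constructed stand-in for the sample's raw bytes (a real run would use
# open(path, "rb").read()); the strings are invented, not from any real file.
SAMPLE_BYTES = (
    b"MZ\x90\x00This program must be run under Win32\r\n$7\x00\x00"
    b"SOFTWARE\\Borland\\Delphi\\RTL\x00"
    b"http://cnc.example.invalid/gate.php\x00"
    b"198.51.100.23:4433\x00update.example.invalid\x00"
)

STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
IPV4_RE = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(rb"https?://[^\s\x00\"'<>]+")
DOMAIN_RE = re.compile(rb"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
# Suffixes that look like TLDs but are almost always file extensions
NOT_TLDS = {"php", "exe", "dll", "txt", "dat", "log", "ini", "tmp"}
# Heuristic only: the Delphi runtime references this registry path
DELPHI_MARKERS = (b"SOFTWARE\\Borland\\Delphi\\RTL", b"Embarcadero")

def file_hashes(data: bytes) -> Dict[str, str]:
    """Hashes to report as file indicators."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}

def printable_strings(data: bytes) -> List[str]:
    """Rough equivalent of `strings`: ASCII runs of six or more characters."""
    return [m.group().decode("ascii") for m in STRING_RE.finditer(data)]

def looks_like_delphi(data: bytes) -> bool:
    """Cheap compiler check; confirm with Detect-It-Easy before relying on it."""
    return any(marker in data for marker in DELPHI_MARKERS)

def extract_iocs(data: bytes) -> Dict[str, List[str]]:
    """Network indicators worth checking in the report; de-duplicated, in order."""
    def uniq(items):
        return list(dict.fromkeys(items))
    ipv4 = uniq(m.group().decode() for m in IPV4_RE.finditer(data))
    urls = uniq(m.group().decode() for m in URL_RE.finditer(data))
    domains = uniq(
        d for d in (m.group().decode() for m in DOMAIN_RE.finditer(data))
        if d.rsplit(".", 1)[-1] not in NOT_TLDS
    )
    return {"ipv4": ipv4, "urls": urls, "domains": domains}

if __name__ == "__main__":
    print(file_hashes(SAMPLE_BYTES))
    print("delphi:", looks_like_delphi(SAMPLE_BYTES))
    print(extract_iocs(SAMPLE_BYTES))
```

Strings found this way are only candidates: packed or encrypted samples hide them until dynamic analysis, and every indicator should be confirmed against what the sample actually contacts in the VM.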
Please follow this structure:
- Executive summary: A summary for management roles, non-technical
- Background: Context of the file, and purpose from OSINT
- Overall Behavioral Analysis: High level operation of the application and its most relevant features
- Static analysis: Analysis of file structure and content
- Code Analysis: Analysis of the code structures, main logic block and operation
- Dynamic Analysis: Analysis of the dynamic operation of the application, pinpointing what it does, and the existing communication endpoints (if possible)
- Indicators of Compromise: Artifacts such as IP addresses, file hashes, domain names that can be used to detect the application
For an example, check this resource
If you need further assistance, feel free to use the course chat.
Rules
The use of automated tools to scan the application is accepted and encouraged. As this is a well-known sample, there is a substantial amount of information available about it and its variants. Check for OSINT and public sandboxes.
Grading will be focused on your work, your strategy, and your analysis, not on the raw results. It is vital that you describe the processes followed, the suspicions you may have had, the tools you used, and your conclusions.
This project is expected to be authored by the students enrolled in the course. The use of existing code snippets, applications, or any other external functional element without proper acknowledgement is strictly forbidden. If any content lacking proper acknowledgment is found in other sources, the current rules regarding plagiarism will be followed.
References and tools
- Detect-It-Easy: https://github.com/horsicq/Detect-It-Easy
- IDA Classroom: https://hex-rays.com/classroom
- Ghidra: https://github.com/NationalSecurityAgency/ghidra
- FlareVM: https://github.com/mandiant/flare-vm