• Received a PDF that does contain an attack. The attack will deliver and execute another program onto our VM environment.
• Conducted a malware analysis on an attack PDF (that will deliver and execute another EXE program) to document specific characteristics and behaviors of the malware.
• Employed the methods learned in course to collect traffic from the malware and identified the domain name that the malware is attempting to use to communicate to the Internet, as well as the TCP port.
• Configured VM to force the DNS resolution for that domain name to resolve to an IP address that I control within my virtual environment and captured the traffic beacon that is sent when the malware successfully connects by using two VMs, one of them (such as Remnux) pretending to be the server. It is also possible to do this entirely on windows host, but we would need to install extra software (such as netcat or fakenet).
• Developed Yara signatures that are used to identify the malicious objects in PDF and the backdoor EXE file embedded in PDF.
• Created a detailed Malware Analysis Report on all the findings about malware during analysis.
• Tools Used: Remnux VM, Strings,Objdump, Yara, IDA Pro, FakeNet, netcat.
#The Submissions of project includes:
1.Malware Analysis Report - It details all the findings about malware during analysis like
a. PDF Static Analysis
b. PDF Dynamic Analysis
c. Backdoor (within the pdf) Static Analysis
d. Backdoor Dynamic Analysis
2.Yara rule (aletiny-pdf.yar)that used to identify the malicious objects in PDF.(Using the command- pdf.parser.py -y aletiny-pdf.yar attack.pdf)
3.Yara rule (aletiny-strings.yar) that used to identify the backdoor EXE file.
4.The output (aletiny-strings.out) of running yara with the “-s” option using the above yara rule against the backdoor EXE file.