In 2008, Greg Feezel and I published the following malware analysis challenge. The goal was to answer the questions below and submit the answers back to us for prizes. The challenge is no longer running, but we are publishing it again so that anyone who wishes to try it still can.
The malware is contained within a password-protected zip file named malware.zip. The password is “infected”. The MD5 hashes of the files are:
- 59a95f668e1bd00f30fe8c99af675691 malware.exe
- 31d2ec3b312d0fd27940aae5c89e3787 malware.zip
A system administrator within your organization has come to you because a user's PC was infected with malware. Unfortunately, anti-virus is unable to remove the malware. However, the administrator was able to recover the suspected malware executable. Your job is to analyze the malware.
Participants should download the malware sample and analyze it. The end result should be a document containing details of the analysis performed. The analysis document can be written in any form, but the following questions and statements should be answered within it. Participants should indicate which question each part of the document answers.
- Describe your malware lab.
- What information can you gather about the malware without executing it?
- Is the malware packed? If so, how did you determine what it was?
- Describe the malware's behavior. In other words, what files does it drop, what registry keys does it modify, what network connections does it create, how does it auto-start, etc.?
- What type of command and control server does the malware use? Describe the server and interface this malware uses.
- What commands are present within the malware and what do they do? If possible, take control of the malware and run some of these commands, documenting how you did it.
- How would you classify this malware? Why?
- What do you think the purpose of this malware is?
- Is it possible to find the malware's source code? If so, how did you do it?
- How would you write a custom detection and removal tool to determine if the malware is present on the system and remove it?
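As an added example (not part of the original challenge or its answer key), the script below covers the first two static-analysis steps a participant would take before execution: verifying the sample against the MD5 values listed above, extracting it from the password-protected archive, and applying a byte-entropy heuristic to the "is it packed?" question. It assumes the archive uses the legacy ZipCrypto scheme that Python's zipfile can decrypt; the entropy threshold of 7.0 bits per byte is a conventional rule of thumb, not a value from the challenge.

```python
import hashlib
import io
import math
import zipfile

# MD5 values exactly as listed in the challenge text.
EXPECTED_MD5 = {
    "malware.exe": "59a95f668e1bd00f30fe8c99af675691",
    "malware.zip": "31d2ec3b312d0fd27940aae5c89e3787",
}

def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()

def verify_md5(name: str, data: bytes, expected=EXPECTED_MD5) -> bool:
    """True only if `data` hashes to the value recorded for `name`."""
    return name in expected and md5_hex(data) == expected[name]

def extract_sample(zip_bytes: bytes, member: str = "malware.exe",
                   password: bytes = b"infected") -> bytes:
    """Pull the sample out of the archive in memory; never writes it to disk.
    Assumes legacy ZipCrypto, which zipfile supports; AES zips need another tool."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.read(member, pwd=password)

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for constant data, 8.0 for uniform random."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic (assumed threshold): packed or encrypted sections sit near
    8 bits/byte, while plain x86 code and PE headers usually sit well below 7."""
    return shannon_entropy(data) >= threshold

def triage(name: str, data: bytes) -> dict:
    """Summarise the no-execution checks for the analysis write-up."""
    return {
        "name": name,
        "md5": md5_hex(data),
        "md5_matches": verify_md5(name, data),
        "entropy": round(shannon_entropy(data), 3),
        "likely_packed": looks_packed(data),
    }
```

A high whole-file entropy only suggests packing; confirm it by inspecting PE section names and sizes, and treat a hash mismatch as a reason to stop and re-download rather than analyse.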