Hands-on Cybersecurity Studies: Uncovering and Decoding Malware Communications - Malware Analysis with Ghidra

Abstract

This report presents the second of three hands-on exercises on basic software reverse engineering. The ultimate objective is to learn how a particular malware (malicious software) communicates across a network, and to develop software that detects and reveals these communications in plaintext, in vivo. Remote access trojans (RATs) are a type of malware that persists on the infected machine after compromise and provides the malicious actor in control of the malware with remote access to that machine via established command-and-control channels. As with all malware, RATs are typically spread through phishing emails or websites from which the software is downloaded without the user's knowledge; they can also spread by taking advantage of vulnerabilities in software running on the victims' devices. The three software reverse-engineering exercises can be completed cumulatively or individually, as each accomplishes a specific task while building on the previous exercise. The previous exercise identified and extracted malware using the open-source tools Wireshark and Volatility. This exercise demonstrates the effects and communications of RATs, and guides participants through a series of steps focused on analyzing the extracted malware, an infection file, using the National Security Agency's Ghidra binary analysis software.

Document Details

Document Type
Technical Report
Publication Date
Dec 01, 2020
Accession Number
AD1119396

Entities

People

  • Daniel E. Krych
  • Jaime C. Acosta

Organizations

  • United States Army Research Laboratory

Tags

Communities of Interest

  • Cyber

DTIC Thesaurus Topics

  • Abstracts
  • Coding
  • Command And Control
  • Computer Network Security
  • Computer Networks
  • Computer Programming
  • Computers
  • Cybersecurity
  • Decoding
  • Engineering
  • Information Science
  • Instruction Set Architecture
  • Instructions
  • Learning
  • Malware
  • Military Research
  • National Security
  • Network Protocols
  • Open Source Software
  • Operating Systems
  • Reverse Engineering
  • Security
  • Volatility

Fields of Study

  • Computer science

Readers

  • Cybersecurity
  • Neural Network Machine Learning

Technology Areas

  • Cyber
  • Fully Networked C3