Ransomware代写 Coursework代写 Dynamic Analysis代写 assignment代写

IY3840 (2018-2019) – Coursework #2 Dynamic Analysis of Ransomware

Ransomware代写 This assignment is due on Friday, April 26th, 2019, 11:59pm (UK Time)In this Coursework, you will analyze ransomware samples

Daniele Sgandurra

Overview Ransomware代写

This assignment is due on Friday, April 26th, 2019, 11:59pm (UK Time)

In this Coursework, you will analyze ransomware samples using Cuckoo sandbox.

Coursework description

For this coursework, you must use the provided testing environment, which is linked and described below (Section “Testing Environment”). In the following, Main Host refers to the lab/personal physical PC or laptop equipped with VirtualBox, which is used to import the OVA file (the Testing Environment), Cuckoo Host refers to the Ubuntu VM with Cuckoo, and Cuckoo Guest refers to the Windows 7 with the Cuckoo agent1.

+ NOTE:

Please note that ransomware samples should be stored, run and analysed only inside the Testing Environment created for this coursework. In addition, do not enable Internet access for Cuckoo Guest (e.g., by enabling port forwarding on the Cuckoo Host) under any circumstance. You might want to enable Internet access on the Cuckoo Host (but not on the Cuckoo Guest) for short periods only, e.g. when downloading samples or libraries on the Cuckoo Host, or if you want to use VirusTotal with Cuckoo. Similar concepts applies when creating a shared folder between Cuckoo Host and the Main Host (e.g., be careful of not copying the samples from Testing Environment to the Main Host – you can set the shared folder as Read-Only). Do not use the malware samples for other purposes other than this assignment.Ransomware代写

If you have trouble understanding something, please ask a question on the Moodle discussion forum. However, if the question gives away solution details, write a private e-mail instead of a public question. Similarly, if answering questions of others (on Moodle or in person), do not give any form of help that you would not expect the course lecturer to give.

Marking Criteria Ransomware代写

Both the answer document and the additional files are equally important. Regarding the answer document, you are encouraged to add screenshots, tables, code snippets, instructions, etc., to make the description of your as- signment clearer – however, the page size/format should still be the same. A well-written, formatted and argued answer document, which concisely describes your work (e.g., design choices, findings, etc.), is usually enough to get a good mark. Regarding the additional files, the program(s) you submit will be run and tested on the same Testing Environment: therefore, make sure you provide all the necessary information, instructions and files to be able to run the programs/tests on this environment in a easy and clear way. As a suggestion, before submission, test everything on a clean Testing Environment.Ransomware代写

1Therefore, Testing Environment refers to the combination of both Cuckoo Host and Cuckoo Guest.

Assignments – Choose Exactly One Assignment

For this coursework, you need to select and perform one and only one of the following assignments.

1 Classifying  Ransomware with scikit-learn 100 marks

For this assignment you need to create a JSON parser to retrieve features from Cuckoo-generated analysis files and a Jupyter notebook to perform binary classification of ransomware/goodware. Using the Testing Environment,use Cuckoo to run inside the Cuckoo Guest 10 different samples of ransomware from 10 different families (from– download them in Cuckoo Host) and 10 goodware applications of your choice . You have to analyse malware samples and goodware applications for 2 minutes each (you can set the timeout analysis in conf or as a command-lineparameter).Ransomware代写

Then, select five of the Cuckoo features that in your opinion are indicative/discriminative of ransomware and goodware (“good features” for classification), and create a Python JSON parser running in the Cuckoo Host that retrieves the value of these features from the JSON reports created by Cuckoo in the Cuckoo Host analysis directory. The parser should either use the features as they are (if they are indicative) or perform some feature engineering (e.g., representing a feature as a boolean, a counter, or normalize the features, etc.).

After this,

the parser should output the value of these features into a CSV file with a row for each analyzed sample, where the columns report the value of features as well as the sample label (ransomware or goodware), and the first row includes the name of the columns3. From here on, use scikit-learn and create a Jupyter notebook on the CuckooHost. Split your dataset (the loaded CSV file) into a training and testing set (e.g., 80%/20%) using the scikit-learn library function available. Then, train the classifier (suggested: SVM, decision tree or logistic regression) on thetraining set. Finally, obtain decisions from the chosen model by testing it on the testing set and evaluate the resultsof the classifier by retrieving the number of false positives, true positives and false negatives for each of the two classes and plot the ROC curve.Ransomware代写

For this assignment, you need to submit a zip file, containing:

1. Answer document: a 1-page PDF report describing your method and findings (screenshots, tables, etc.are allowed)
2. Additionalfiles:

• a text file containing links to the used ransomware and goodware samples (DO NOT include the ran- somware and goodware samples in the additional files)
• the Python parser, the CSV file, the Python scripts and the ipynb file (you need to provide all the necessary instructions and libraries, if needed, to run everything)Ransomware代写

In addition to lab 7, “Lab: Classification for Malware Detection”, some useful tutorials on classification with scikit-learn are here:

• https://scikit-learn.org/stable/tutorial/basic/tutorial.html
• https://lukesingham.com/whos-going-to-leave-next/
• https://www.digitalocean.com/community/tutorials/how-to-build-a-machine-learning-classifierin-python-with-scikit-learn

2 Retrieve Ransomware Crypto-Keys at Run-Time with EasyHook 100 marks

For this assignment you need to create a Windows program (in C++/C#), called CryptoHook, to be run in the Cuckoo Guest that hooks the Microsoft CryptoAPI used by the ransomware to generate the crypto-keys4  and

2Suggestions: download small freeware applications (not installers) e.g. scp, sftp, putty.

3The dataset and feature set are very small due to assignment timing requirements, so the results are not significant. In real scenarios,the number of tested samples of both classes should be much larger.Ransomware代写

4 See https://www.secureworks.com/research/cryptolocker-ransomware

retrieve their value. The library used to hook the API calls is EasyHook. To test CryptoHook inside the Testing Environment, you need to submit the ransomware samples in Cuckoo Guest using Cuckoo submit command line,and CryptoHook must not be run manually (e.g., you can create a snapshot of Cuckoo Guest where CryptoHook is already running). You should download and test at least two samples of CryptoLocker ransomware (from https://github.com/ytisf/theZoo/tree/master/malwares/Binaries)  inside  the  Testing  Environment. CryptoHookshould log/print the crypto keys retrieved as well as the name of the files to be encrypted with these keys.

For this assignment, you need to submit a zip file, containing:

1. Answer document: a 1-page PDF report describing your method and findings (screenshots, tables, etc.are allowed)
2. Additionalfiles:

• a text file containing a link to the used ransomware samples (DO NOT include the ransomware samples in the additional files)
• the source code and the final Windows Application (CryptoHook) that runs inside the Cuckoo Guest (you need to provide all the necessary instructions and libraries, if needed, to run the application)Ransomware代写
• Screenshots (e.g., of a log file) showing the crypto keys and the name of the files to be encrypted with these keys retrieved using CryptoHook inside the Cuckoo Guest

Some useful tutorials on EasyHook hooking are available at: https://easyhook.github.io/tutorials.html.

3 Stop Ransomware with Decoy Files 100 marks

For this assignment you need to create a program (CryptoDetector) that detects ransomware using decoys. As afirst step, manually populate the Cuckoo Guest with some real files, e.g. two/three files from each of the following types that are typically selected by ransomware: .txt, .jpg, .png, .doc, .xls and .pdf. Places these files indirectories typically targeted by ransomware (target directories), e.g. Desktop and Documents. Then, you need tocreate a Windows program (in any of your favourite languages), called CryptoDetector, that creates some decoyfiles (e.g., traps) and places these files in the target directories. This program monitors access to the honey files (e.g.,open, modification, etc.) and kills the process accessing them5.Ransomware代写

Then, to test CryptoDetector inside the Testing Environment, download in Cuckoo Host 5 ransomware sam- ples from 5  different  families  (from  https://github.com/ytisf/theZoo/tree/master/malwares/Binaries). You need to submit the ransomware samples in Cuckoo Guest using Cuckoo submit command line, and CryptoDetector must not be run manually (e.g., you can create a snapshot of Cuckoo Guest where CryptoDetector is already running with the real and honey files already in place). CryptoDetector should print or log (i) the successful detection/stop of the ransomware due to honey files (ii) the name of the real files that have been encrypted beforekilling the ransomware (e.g., due to target file encryption selection or ordering of the ransomware).

For this assignment, you need to submit a zip file, containing:

1. Answer document: a 1-page PDF report describing your method and findings (screenshots, tables, etc.are allowed).
2. Additionalfiles:

• a text file containing links to the used ransomware samples (DO NOT include the ransomware samples in the additional files)
• source code and binary of the CryptoDetector (you need to provide all the necessary instructions and libraries, if needed, to run the application)Ransomware代写
• screenshots of the results of CryptoDetector on the 5 ransomware samples

5You can assume there are no false positives.

Testing Environment

For this coursework you must use the Testing Environment available on the Shilling PC Lab 006 under C:\IY3840\ Main-VM or, alternatively, you can download the OVA file available here (file size: 15.06 GB), for example if you want to import it on your personal computer/laptop. In case the Main-VM is not yet available on the Shilling PC Lab you selected, you need to download the OVA under C:\IY3840⁶.Ransomware代写

Steps to import and use the Testing Environment:

• (Only if importing the OVA file) On the Main Host, import the OVA file (“import appliance” on VirtualBox): this will create a VM called MainVM (this is the Cuckoo Host)
• Start the Main-VM on VirtualBox on the MainHost
• Login with student, passwordMyPass2019
• Discard“System program problem detected” warning message, if any
• Open VirtualBox inside CuckooHost
• On the Cuckoo Host, import the OVA file called Cuckoo1.ova available in Downloads (“import appliance” on VirtualBox): this will create a VM called cuckoo1 (this is the Cuckoo Guest)Ransomware代写
• Startthis VM cuckoo1 on VirtualBox inside the Cuckoo Host
• Ifa problem is shown, start Windows normally (and discard any other message, if any)
• Start the Cuckooagent
• Save a snaphsot of CuckooGuest:

VBoxManage snapshot cuckoo1 take “<Name of snapshot>” –pause VBoxManage controlvm cuckoo1 poweroff

VBoxManage snapshot cuckoo1 restorecurrent

See also here. To test Cuckoo:

• On Cuckoo Host, in a shell start Cuckoo (clean Cuckoo environment the first time with cuckooclean)
• OnCuckoo Host, in another shell, move to the Download directory, and submit a sample, g.:

cuckoo submit putty.exe –timeout 20Ransomware代写

(Disable VirusTotal in processing.conf if Cuckoo Host networking is disabled, or if you don’t need it, so the processing does not take any longer.)

See the results of the analysis either on the browser (by starting cuckoo web first) or by opening the JSON file containing the result of the analysis in the storage directory7

Various things:

Do not enable Internet access to the Cuckoo Guest – e.g., do not enable port forwarding on the Cuckoo Host for the Cuckoo Guest

• If you need to set up a shared folder between Main Host and Cuckoo Host see here (set it to read-only)

6If the folder C:\IY3840 is not available at all on the Shilling PC Lab you selected, please use another PC of the lab.Ransomware代写

7If Cuckoo reports an error (only the first time), e.g. agent not running or communication not available, restart the Cuckoo Guest manually, run the agent and repeat the steps from the saving the snapshot steps.

Submission Ransomware代写

You have to submit your work electronically via the Moodle submission link at the course page. In the following, studentSeed⁸ has to be computed using the SHA1 of your candidate ID, taking the first four characters ofthe resulting hash and converting them in ASCII code. You must submit a single zip file named studentSeed- IY3840-Coursework2.zip containing a folder called studentSeed-IY3840-Coursework2 including the following files (and nothing else):

Answer document: a 1page PDF document including the required information using a 11pt font and 0.5inmargins (both like this document’s formatting). The PDF should report at the top, IY3840, Coursework#2,your studentSeed, and your chosen assignment (A1, A2 or A3). The PDF should be named studentSeed- IY3840-Coursework2-answers.pdf.

Additional files: source code, programs, screenshots, etc.

as specified in the chosen assignment, inside a folder called studentSeed-IY3840-Coursework2-additional-files Ransomware代写

The files you submit cannot be uploaded/updated/read by anyone else. You can, however, update your sub- mission as often as you like by keeping your submission in the “draft” status until you submit the final one (which cannot be modified any more henceforth). Please note that all your submissions will be graded anonymously. Hence, do not include any form of identification in the submission (e.g., student ID, candidate ID, name, sur- name, etc.). Regardless of anything else, a submission might be given 0 mark in the following cases: Ransomware代写

• Nothing is submitted or the submission cannot beopened/read
• Submitted after thedeadline
• A submission that does not follow the given specifications (e.g., providing a PDF longer than 1 page, not submitting a zip file, etc.)
• Plagiarism or similarbehaviours

☞ All the work you submit should be solely your own work. Coursework submissions are routinely checked for this.

An example of a submission is shown in the following.

Submission example

Student with candidate ID 18001234 wants to submit their coursework (the chosen assignment is #3). To get the studentSeed, the student computes the SHA19 of 18001234: in this example, the first four characters of the computed SHA1 string are 4BE0. When encoding 4BE0 in ASCII10, the student gets 52666948, which is their studentSeed. This student submits a single zip file, called 52666948-IY3840-Coursework2.zip. This zip file contains a folder, called 52666948-IY3840-Coursework2, which includes the following files and folder:

52666948-IY3840-Coursework2-answers.pdf

52666948-IY3840-Coursework2-additional-filesRansomware代写

Where 52666948-IY3840-Coursework2-additional-files is a folder with the required additional files for assignment #3.

An example of the answers document submitted by this student (file named 52666948-IY3840-Coursework2- answers.pdf) is shown in the next page.

8In this coursework, the studentSeed is only used to differentiate the submissions on Moodle.

9You can use this online tool: https://passwordsgenerator.net/sha1-hash-generator/

10You can use this online tool:https://onlinestringtools.com/convert-string-to-ascii

IY3840, Coursework#2, 52666948, A3

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed sed cursus ligula, eget suscipit nisl. Cras nunc neque, hendrerit ut urna vitae, cursus lobortis justo. Sed condimentum erat nec nibh ullamcorper, non efficitur ex placerat. Donec in interdum nisl. Donec tristique purus leo, vitae tincidunt nisl tempor finibus. Donec convallis tempus velit molestie congue. Cras sed augue nec leo ultrices pellentesque id nec quam. Donec semper leo nec pellentesque luctus. Nunc facilisis venenatis sem sed dapibus. Donec aliquet orci a leo tincidunt, et porttitor metus consequat. Ut et varius lorem. Nulla justo sapien, rutrum in aliquet eget, bibendum nec turpis. Nunc risus leo, vehicula eu cursus at, luctus et massa. Donec at odio pharetra, gravida turpis at, consectetur eros. Fusce vitae rutrum purus. Mauris consectetur mauris vitae enim blandit, in bibendum dui efficitur.Ransomware代写

Mauris vitae varius ipsum.

Pellentesque laoreet pulvinar lacinia. Nam purus lectus, laoreet at erat et, tem- pus volutpat lectus. Aliquam pretium elit metus, vel sollicitudin magna accumsan et. Nulla tempor eget nulla sed varius. Curabitur dapibus scelerisque venenatis. Pellentesque orci nibh, semper ut consectetur ut, facilisis nec mauris. Praesent feugiat urna a cursus fringilla. Aliquam id pretium risus. Suspendisse eget nunc ipsum. Quisque vitae sapien fermentum, pretium nisl a, pulvinar arcu. Donec nec posuere magna, vel tempor felis. Ae- nean vitae tempor nisi.Ransomware代写

Etiam id diam ac velit consectetur feugiat a id metus. Nulla dignissim mi turpis, semper commodo nisl tris- tique a. Sed dictum faucibus felis, sit amet tempor velit tristique finibus. Vestibulum hendrerit augue lacinia libero aliquam porta. Maecenas mollis nunc justo, at viverra ligula auctor a. Nullam suscipit erat elit, ac blandit lectus congue id. Morbi posuere porta felis, in ullamcorper neque. Morbi at justo non nisi blandit dapibus in consequat eros. Proin nunc odio, accumsan eu cursus consectetur, pretium id leo. Suspendisse mollis, turpis vitae ultricies pretium, leo mi viverra libero, ac ornare libero erat quis nibh. Praesent pretium eu urna nec placerat. Morbi vehicula at leo sit amet placerat. Donec ullamcorper vitae mauris nec ultricies.

Donec varius, odio eu condimentum convallis,

sem enim elementum tellus, quis interdum sapien neque eget leo. Quisque et vulputate quam. Sed tincidunt ut ligula et luctus. Ut in lectus urna. Sed sed gravida nisi. Aenean non imperdiet sem, et consequat metus. Sed sit amet quam quis dolor convallis lobortis. Ut accumsan nibh lacus, sit amet aliquet ante euismod quis. Duis vel sagittis orci.Ransomware代写

Nullam accumsan porttitor justo, a rhoncus sapien egestas ultrices. Pellentesque ut ex a urna gravida pulvinar.Nulla lacinia tellus eu nisl faucibus cursus. Cras cursus elementum lorem ac tristique. Duis non justo fermentum, scelerisque augue sed, mattis sem. Vestibulum varius, diam ac hendrerit luctus, purus lacus faucibus nunc, sed faucibus sem eros ac purus. Curabitur porttitor, tellus id pulvinar lacinia, turpis libero condimentum odio, a pretium sapien velit id nisi. Nullam vulputate id nisi vel suscipit. Vestibulum efficitur, tortor in placerat accumsan,justo enim commodo lorem, vel consectetur turpis mi nec tellus.

Vivamus dapibus consequat sem a facilisis.

Etiam blandit est porttitor nisl finibus faucibus nec sit amet augue. Etiam lorem turpis, vulputate sit amet vestibulum quis, finibus ut erat. Aliquam pulvinar dolor ac mauris cursus sagittis. Phasellus vitae lorem arcu. Vivamus mattis tempor erat id sodales. Morbi et nisl sodales, convallis orci ut, iaculis ante. Proin feugiat leo sed posuere mollis. Ut volutpat leo quis arcu finibus faucibus eget non metus. Nam tempus finibus mi, ut aliquam ante gravida vel. Nullam vel rhoncus ante. Praesent a nisi pellentesque, vestibulum ligula volutpat, feugiat dui. Aenean sit amet orci in neque ultrices pellentesque. Duis vestibulumnunc a ante egestas scelerisque. Duis vehicula egestas tortor, nec sollicitudin magna ultricies eu.Ransomware代写

In aliquam leo non lacus pulvinar, a fringilla magna venenatis. Curabitur et egestas lorem, ac finibus nisl. Sed bibendum facilisis lobortis. Duis a sagittis diam. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Suspendisse ac urna sagittis, tincidunt libero sit amet, faucibus est. Vestibulum vitae fringilla orci, id posuere justo. Duis lacinia enim ut sapien dignissim tempor. Sed urna massa, accumsan non viverra ornare, condimentum nec sem. Nulla at nunc in nisi placerat finibus. Class aptent taciti sociosqu ad litora torquent per conubia nostra, per inceptos himenaeos. Praesent ullamcorper nisl est, non accumsan diam.

更多其他：C++代写 r代写 代码代写  考试助攻 C语言代写 finance代写 计算机代写 code代写 data代写 report代写 代写CS matlab代写 project代写 物理代写 数学代写 java作业代写

合作平台：天才代写 幽灵代写 写手招聘 Essay代写