#Final Lab of Doom

Assigned: May 20th

Due: June 8th by 5:19 PM (Date and end of final)

This is it…


  • Reverse Engineer Malware with IDA and Volatility

Good luck.

The memory sample can be obtained here

Lab will be graded on the following criteria

  • What did the malware do?
  • How did malware stay persistent?
  • How did the malware resolve API functions?
    • Which ones were used?
  • Were any API functions used without obfuscation? If so, which ones?
  • How did the malware ensure only one version of itself was running?
  • How did the malware exfiltrate data?
    • Did any data get exfiltrated while this machine was running?
      • How can you tell?
  • How did the malware hide from the user?


  • Use the memory forensics six step approach
  • Use from lab 3
    • Know which DLLs were used (more than one this time)
  • Use the Command Reference
  • Fix ImageBase before running dumped file through IDA with below script
  • I did not strip the pdb… you’re welcome
  • Some line by line assembly will be needed, but most of the logic is higher level. This malware was written in C++ so there is a lot of metadata.
#!/usr/bin/env python
import pefile
pe = pefile.PE("malware.exe", fast_load = True)

Turn in by e-mail to [email protected].

Enjoy the summer.