INTE2626 & INTE2673 Cyber Security Attack Analysis and Incident Response


Assignment 1

Assessment Type: Individual assignment. Marks are awarded for meeting requirements as closely as possible. Clarifications/updates may be made via announcements/relevant discussion forums.

Due date: Week 5, Friday the 4th of April 2025, 11:59 pm

Deadlines will not be advanced, but they may be extended. Please check Canvas → Syllabus or Canvas → Assignments → Assignment for the most up-to-date information.

As this is a major assignment in which you demonstrate your understanding, the university standard late penalty of 10% per working day applies for up to 5 working days late, unless special consideration has been granted.

Weighting: 30 marks (Contributes 30% of the total Grade)

1. Overview

DISCLAIMER: All tasks must be performed in a virtual machine. Otherwise, your computer might be infected!!!

This is an individual assignment. The objective of Assignment 1 is to assess your overall understanding of the topics covered in lectorials and workshops from Weeks 1 to 5. These topics include an introduction to cyber attack analysis, cyber attack frameworks, network attack analysis, phishing attack analysis, and static malware analysis. Assignment 1 consists of problems related to the topics mentioned above. You are required to prepare solutions as a single PDF or MS Word file, including step-by-step descriptions with screenshots wherever applicable. You may refer to workshop resources as examples of documenting your step-by-step work with necessary screenshots.

If you have any questions, you must ask them in a general manner via the relevant Canvas discussion forums and/or discuss them with the teaching team during announced consultation sessions or in class. Please do not disclose any part of your answer while communicating via the Canvas discussion board or during consultation sessions.

Overall, you must follow these special instructions:

● You must fulfill the requirements in the questions.

● You must submit the solutions as a report on CANVAS. In your solution, you must show all the steps with the necessary descriptions and screenshots for each question.

● Upload your solution as a single PDF or Word document in CANVAS.

● Do not put the PDF within a ZIP file.

● Contact the Lecturer if you find any inconsistencies or typos. Please send an email to:

[email protected]

2. Assessment Criteria

This assessment will determine your ability to:

● Follow the requirements provided in this document and the lessons.

● Independently solve a problem by using concepts taught over the first five weeks of the course.

● Meet deadlines.

3. Learning Outcomes

This assessment is relevant to the following Learning Outcomes:

●    CLO 1: Possess a deep understanding of the evolving landscape of cyber threats in our interconnected digital world, including the motivations behind cyberattacks.

●    CLO 2: Understand early warning signs of potential breaches, allowing you to take preemptive action and protect digital assets.

●    CLO 3: Perform a systematic analysis of cyberattacks, enabling you to uncover their origins, methods, and potential impacts.

●    CLO 4: Demonstrate the ability to critically assess and respond to cyber threats and incidents.

●    CLO 5: Employ an organized and methodical approach to swiftly identify attacks, minimize their impact, and contain damage.

4. Assessment details

Please ensure that you have read Sections 1 to 3 of this document before going further. Assessment details (i.e., questions Q1 to Q4) are provided below.

Assume that you are a Cybersecurity Analyst in the Security Operations Center (SOC) Blue team of RMIT University. You are given some attack analysis tasks in different scenarios. Perform the tasks and document your findings.

Please download the necessary resources from the Assignment 1 home page on the CANVAS.

WARNING ADVICE:

All tasks must be performed in a virtual machine. Otherwise, your computer might be infected!!!

Q1. Mapping Attacker Methods using Cyber Attack Frameworks [4 marks]

As a cybersecurity analyst, you are assigned to analyze a recent malware attack at RMIT Melbourne. A finance employee at RMIT receives an urgent email from a supplier regarding a pending invoice that requires immediate payment. The email appears legitimate, as it contains the supplier's name, email signature, and even references to a recent transaction.

The email includes an attachment named "Invoice_032025.zip", claiming to contain invoice details. However, the ZIP file holds a disguised executable ("Invoice_032025.pdf.exe") designed to deploy malware when executed. Because Windows hides known file extensions by default, the file is displayed as "Invoice_032025.pdf"; the recipient, believing it to be an ordinary document, opens it.

Upon execution, the malware silently installs itself on the system, establishing persistence by modifying registry keys and scheduled tasks, ensuring it runs every time the system reboots. It then begins its malicious activities, such as stealing credentials, exfiltrating sensitive data, and communicating with an attacker-controlled server.

In this task, you need to identify the different phases of the attack and accurately map them to the attacker's tactics, techniques, and procedures (TTPs). You must cite the relevant technique IDs and give a brief description of each technique involved.

Required Resources:

• No files are required.

• The MITRE ATT&CK® Matrix for Enterprise (https://attack.mitre.org/matrices/enterprise/).

[Hints: Please refer to Week-1 lectorial and Week-2 workshop.]

Q2. Analyzing Network Attacks [10 marks]

Assume that you have been asked to analyze your network and have captured its traffic into a capture file (Q2.pcap). The capture may contain multiple Indicators of Compromise (IoCs). In this task, you need to identify, in a systematic way using the Wireshark tool, every IoC present in Q2.pcap. You must document each step of your analysis, specify the display filters used, include screenshots, and assess whether any attacks are present.

Required Resources: Network capture file Q2.pcap (click here to download from the CANVAS).

[Hints: Please refer to Week-2 lectorial and Week-3 workshops to understand systematic approaches to identify IoC. You need to do some research to find other possible network attack indicators.]
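The following is an added example, not part of the assignment and not derived from Q2.pcap: a minimal parser for the classic pcap format plus a detector for one common network IoC, a TCP SYN scan, run over a capture that is constructed in memory (documentation-range addresses, zeroed MACs and checksums; the min_ports threshold of 10 is an assumption). It is the programmatic equivalent of applying the Wireshark display filter tcp.flags.syn == 1 && tcp.flags.ack == 0 and then checking Statistics → Conversations for one source touching many ports on a single host.

```python
"""Parse a classic pcap and test it for a TCP SYN scan (one source sending
SYN-only segments to many ports of one host).  Added example: the capture
is built in memory from constructed frames, it is not Q2.pcap."""
import struct
from collections import defaultdict

SYN, ACK, RST = 0x02, 0x10, 0x04
PCAP_MAGIC = 0xA1B2C3D4


def _ip_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_tcp_frame(src, dst, sport, dport, flags):
    """Ethernet + IPv4 + TCP header, no payload.  MACs and checksums are
    zero: fine for offline parsing, but a real host would discard them."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 1, 0, 64, 6, 0,
                     _ip_bytes(src), _ip_bytes(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, flags, 8192, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """Little-endian classic pcap: 24-byte global header, link type 1
    (Ethernet), then a 16-byte record header before every frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(data):
    """Return one dict per IPv4/TCP frame: src, dst, sport, dport, flags."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == PCAP_MAGIC else ">"
    if struct.unpack(endian + "I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) captures are handled here")
    pos, packets = 24, []
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        frame = data[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if frame[23] != 6 or len(tcp) < 14:  # not TCP, or truncated
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        packets.append({"src": _ip_str(frame[26:30]), "dst": _ip_str(frame[30:34]),
                        "sport": sport, "dport": dport, "flags": tcp[13]})
    return packets


def find_syn_scans(packets, min_ports=10):
    """(src, dst, distinct ports) for every pair where one source sent
    SYN-without-ACK to at least min_ports different ports on one host."""
    ports = defaultdict(set)
    for p in packets:
        if p["flags"] & (SYN | ACK) == SYN:
            ports[(p["src"], p["dst"])].add(p["dport"])
    return sorted((src, dst, len(ps)) for (src, dst), ps in ports.items()
                  if len(ps) >= min_ports)


def sample_capture():
    """Constructed traffic: one normal HTTPS handshake, then a 20-port SYN
    sweep from 198.51.100.7 against 192.0.2.10 answered with RST/ACK."""
    frames = [
        build_tcp_frame("203.0.113.5", "192.0.2.10", 51000, 443, SYN),
        build_tcp_frame("192.0.2.10", "203.0.113.5", 443, 51000, SYN | ACK),
        build_tcp_frame("203.0.113.5", "192.0.2.10", 51000, 443, ACK),
    ]
    for port in range(1, 21):
        frames.append(build_tcp_frame("198.51.100.7", "192.0.2.10", 40000 + port, port, SYN))
        frames.append(build_tcp_frame("192.0.2.10", "198.51.100.7", port, 40000 + port, RST | ACK))
    return build_pcap(frames)


if __name__ == "__main__":
    for src, dst, n in find_syn_scans(parse_pcap(sample_capture())):
        print(f"possible SYN scan: {src} -> {dst}, {n} distinct ports")
```

To run it against a real capture, pass the bytes of the file to parse_pcap() instead of sample_capture(); captures saved by Wireshark in pcapng format must first be exported as classic pcap, which this parser is limited to.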

Q3. Phishing Attack Analysis [6 marks]

In this task, you are required to demonstrate your understanding of Phishing Attack Analysis. Assume that you are given two email files (emailQ3_1.eml and emailQ3_2.eml) received by two employees of your organization. Your task is to analyze these emails and answer the following questions. Note that you must identify by yourself the key information that indicates whether each file is a phishing email. Failing to show all necessary artifacts may result in a mark deduction.

To determine whether the email is legitimate or a phishing attempt, perform the following and document every step with necessary screenshots:

a) Using any text editor:

i. Extract the necessary information from the email header of the emailQ3_1.eml file.

ii. Examine the email content and list suspicious elements.

iii. Extract any hyperlinks from the email and analyze them using tools such as VirusTotal.

iv. Explain how the above information can help to determine whether the email is legitimate or a phishing attempt.

b) Using any online Phishing Email Analysis Sandbox platform, such as PhishTool Community (https://app.phishtool.com/):

i. Extract the necessary information from the emailQ3_2.eml file.

ii. Examine the email content and list suspicious elements.

iii. Extract any hyperlinks and attached file information from the email and analyze them using tools such as VirusTotal.

iv. Explain how this tool can help to determine whether the email is legitimate or a phishing attempt.

Required Resources: Email files: emailQ3_1.eml and emailQ3_2.eml (click here to download from the CANVAS).

[Hints: Please refer to Week-3 lectorial and Week-4 workshop.]
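Added example for part (a), not part of the assignment files (emailQ3_1.eml is not reproduced here): a standard-library Python script that performs steps i to iv on a constructed message embedded inline. Every name, domain, address and URL in SAMPLE_EML is made up. The checks it applies, a Reply-To or Return-Path domain that differs from From, a failed SPF or DKIM result, urgency wording, and links that point at a bare IP or whose visible text names a different host than the href, are exactly the artifacts a manual read of the header in a text editor should surface. To run it on a real file, pass the bytes of the .eml to triage().

```python
"""Triage an .eml: routing and identity headers, body hyperlinks, and the
classic phishing tells (From / Reply-To / Return-Path mismatch, failed SPF,
urgency wording, links to a bare IP or whose visible text names a different
host).  Added example: SAMPLE_EML is constructed, every name, domain,
address and URL in it is made up."""
import email
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URGENCY_RE = re.compile(r"urgent|immediately|within 24 hours|suspend|overdue", re.I)

# Constructed message (not a real email): spoofed supplier, mismatched
# Reply-To, failed SPF, and a link whose text hides its real destination.
SAMPLE_EML = b"""Return-Path: <bounce@mail-example.invalid>
Received: from mx.example.org (mx.example.org [192.0.2.10])
 by mail.victim.example (Postfix) with ESMTP id ABC123
 for <finance@victim.example>; Mon, 17 Mar 2025 09:12:01 +1100
Received: from unknown (HELO win-pc) (198.51.100.7)
 by mx.example.org with SMTP; Mon, 17 Mar 2025 09:11:58 +1100
Authentication-Results: mail.victim.example; spf=fail smtp.mailfrom=mail-example.invalid; dkim=none
From: "Acme Supplies Accounts" <accounts@acme-supplies.example>
Reply-To: <payments@acme-supplies-billing.invalid>
To: finance@victim.example
Subject: URGENT: Overdue invoice INV-0325 - payment required today
Content-Type: text/html; charset=utf-8

<html><body><p>Please settle the attached invoice within 24 hours to avoid
account suspension.</p>
<p><a href="http://198.51.100.7/login/acme">https://portal.acme-supplies.example/invoice</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _unfold(value):
    return re.sub(r"\r?\n[ \t]+", " ", value or "").strip()


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if address else ""


def triage(raw):
    """Return the extracted artifacts plus a list of suspicious findings."""
    msg = email.message_from_bytes(raw)
    received = [_unfold(v) for v in msg.get_all("Received", [])]
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    links = _LinkCollector()
    links.feed(body)
    info = {
        "from": parseaddr(msg.get("From", ""))[1].lower(),
        "reply_to": parseaddr(msg.get("Reply-To", ""))[1].lower(),
        "return_path": parseaddr(msg.get("Return-Path", ""))[1].lower(),
        "subject": _unfold(msg.get("Subject", "")),
        "auth_results": _unfold(msg.get("Authentication-Results", "")).lower(),
        "received": received,
        # Received headers are prepended hop by hop, so the last one is the
        # first hop: the IP the message actually arrived from at that relay.
        "origin_ip": (IP_RE.findall(received[-1]) or [None])[0] if received else None,
        "links": links.links,
        "flags": [],
    }
    flags = info["flags"]
    if info["reply_to"] and _domain(info["reply_to"]) != _domain(info["from"]):
        flags.append("Reply-To domain differs from From")
    if info["return_path"] and _domain(info["return_path"]) != _domain(info["from"]):
        flags.append("Return-Path domain differs from From")
    for result in ("spf=fail", "spf=softfail", "dkim=fail", "dmarc=fail"):
        if result in info["auth_results"]:
            flags.append("authentication result: " + result)
    if URGENCY_RE.search(info["subject"] + " " + body):
        flags.append("urgency / pressure wording")
    for href, text in info["links"]:
        host = urlparse(href).hostname or ""
        if IP_RE.fullmatch(host):
            flags.append("link to bare IP address: " + href)
        shown = urlparse(text).hostname if text.lower().startswith("http") else None
        if shown and shown != host:
            flags.append(f"link text shows {shown} but goes to {host}")
    return info
```

The Received chain is read bottom-up because each relay prepends its own header: only the hops added by your own mail servers are trustworthy, and anything the sender wrote below them (including a forged Received line) can be fabricated.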

Q4. Static Malware Analysis [10 marks]

In this task, you are required to demonstrate your understanding of Static Malware Analysis using Ghidra. Assume that you are given a file (Q4.zip) suspected of malicious activity. Your task is to analyze this sample and answer the following questions. Please note that you need to identify key indicators that may classify this file as malware. To determine whether the file is malicious, perform the following tasks and document every step with screenshots:

i. Use an online tool, such as VirusTotal (https://www.virustotal.com/gui/home/upload), to check whether the file has any history of malicious activity. Searching by the file's SHA-256 hash first avoids sharing the sample, since uploaded files are distributed to VirusTotal's partners. Justify your answer with proper screenshot(s). [0.5 Mark]

ii. Show detailed steps of installing Ghidra and the necessary tools in a Windows virtual machine. Download the tools from the recommended websites (please refer to the Week-5 lab). [2 Marks]

iii. Extract the provided zip file, open the malware sample in Ghidra, and extract the necessary information about the file. [0.5 Mark]

iv. Examine the strings present in the binary and list any suspicious elements (e.g., URLs, IP addresses, hardcoded credentials). [2 Marks]

v. Analyze the functions in the binary using Ghidra's disassembler and decompiler. Identify any suspicious function names or code snippets indicative of malicious behavior. [2 Marks]

vi. Perform control flow analysis to trace the execution flow of the program and identify any anti-analysis techniques, such as encryption, obfuscation, or packing. [1.5 Marks]

vii. Identify and document any Indicators of Compromise (IoCs), such as network activity, system modifications, registry changes, or execution of suspicious API calls. [1.5 Marks]

Required Resources: Malware sample file (Q4.zip) and password file for unzipping Q4.zip (Q4_zip_password.txt) (click here to download from the CANVAS)

[Hints: Please refer to the Week-4 lectorial and Week-5 workshop.]
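Added example for step iv, not part of the assignment and not derived from the Q4 sample: a strings extractor that, unlike a default `strings` run (GNU strings needs -e l to see 16-bit little-endian text), also recovers UTF-16LE "wide" strings, which is how Windows binaries usually store URLs, registry paths and command lines, and then buckets what it finds by IoC type. SAMPLE_BIN is constructed; the URL, IP, registry path, command line and credential in it are made up, and the category regexes are a starting list, not an exhaustive one.

```python
"""strings-style scanner: printable ASCII runs plus UTF-16LE ("wide")
runs, bucketed into IoC categories.  Added example: SAMPLE_BIN is
constructed, not the Q4 sample; everything in it is made up."""
import re
from collections import defaultdict

MIN_LEN = 5

# One regex per IoC category; a string may land in more than one bucket.
# The API list is a starting point (common injection, download, persistence
# and anti-debug imports), not an exhaustive one.
CATEGORIES = {
    "url": re.compile(r"https?://[^\s\"'<>]+", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "registry": re.compile(r"(?:HKEY_[A-Z_]+|HKLM|HKCU|Software)\\[^\s\"']+", re.I),
    "persistence": re.compile(r"CurrentVersion\\Run|schtasks|\\Tasks\\", re.I),
    "credential": re.compile(r"(?:pass(?:word|wd)?|pwd)\s*[:=]\s*\S+", re.I),
    "api": re.compile(
        r"^(?:CreateRemoteThread|VirtualAllocEx|WriteProcessMemory|WinExec|"
        r"URLDownloadToFile[AW]?|InternetOpen[AW]?|HttpSendRequest[AW]?|"
        r"RegSetValueEx[AW]?|CreateProcess[AW]?|ShellExecute[AW]?|IsDebuggerPresent)$"),
}

# Constructed stand-in for a binary: a DOS stub, a wide-string C2 URL,
# a Run-key path, a schtasks command line, some imports and a credential,
# separated by non-printable filler as they would be in a real file.
SAMPLE_BIN = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"This program cannot be run in DOS mode.\r\n$\x00\x00\x00"
    + "http://198.51.100.23/gate.php".encode("utf-16-le") + b"\x00\x00"
    + b"\x01\x02\x03\x04"
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    + b"schtasks /create /sc onlogon /tn Updater /tr %TEMP%\\svc.exe\x00"
    + b"InternetOpenA\x00HttpSendRequestA\x00RegSetValueExA\x00IsDebuggerPresent\x00"
    + b"user=admin&password=Passw0rd!\x00\x90\x90\xcc"
)


def extract_strings(data, min_len=MIN_LEN):
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, in ASCII or UTF-16LE, sorted by file offset."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found)


def classify(strings):
    """Map each IoC category to the extracted strings that match it,
    in file order; strings matching nothing are left out."""
    hits = defaultdict(list)
    for _offset, _encoding, text in strings:
        for category, pattern in CATEGORIES.items():
            if pattern.search(text):
                hits[category].append(text)
    return dict(hits)


if __name__ == "__main__":
    for category, values in classify(extract_strings(SAMPLE_BIN)).items():
        print(f"[{category}]")
        for value in values:
            print("   ", value)
```

To use it on the real sample, read the extracted file's bytes and pass them to extract_strings(); the offsets it reports are file offsets, which you can jump to in Ghidra to see which function references each string. Strings that only appear at run time (stack strings, or text decrypted in memory) will not be found this way, which is one reason step vi looks for obfuscation and packing.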

5. Academic integrity and plagiarism (standard warning)

Academic integrity is about honest presentation of your academic work. It means acknowledging the work of others while developing your own insights, knowledge and ideas. You should take extreme care that you have:

●   Acknowledged words, data, diagrams, models, frameworks and/or ideas of others you have quoted (i.e. directly copied), summarized, paraphrased, discussed or mentioned in your assessment through the appropriate referencing methods.

●    Provided a reference list of the publication details so your reader can locate the source if necessary. This includes material taken from Internet sites.

If you do not acknowledge the sources of your material, you may be accused of plagiarism because you have passed off the work and ideas of another person without appropriate reference, as if they were your own.

RMIT University treats plagiarism as a very serious offence constituting misconduct. Plagiarism covers a variety of inappropriate behaviors, including:

● Failure to properly document a source

● Copying material from the internet or databases

● Collusion between students

For further information on our policies and procedures, please refer to the University website.
