I’ve been really enjoying the Malware Module on TryHackMe, so I’ve decided to make a quick walkthrough of each room
MAL: Malware Introductory is the first room of the Malware Module.
(Well it’s technically the second, the first room is, “History of Malware” which is just some light reading)
Fun starts at Task 6.
Task 1: What is the Purpose of Malware Analysis?
Brief introduction to what malware analysis is and its importance
No answer needed
Task 2: Understanding Malware Campaigns
Touches on the differences between Targeted and Mass Campaigns
Q1: What is the famous example of a targeted attack-esque Malware that targeted Iran?
Google: Malware Attack Iran
Q2: What is the name of the Ransomware that used the Eternalblue Exploit in a “Mass campaign” attack?
Google: Ransomware used Eternalblue
Task 3: Identifying if a Malware Attack has Happened
Breaks down the process of a malware attack
The answers to these questions are pretty straightforward, so I’ve added the description of each answer that TryHackMe included in the task instead
Q1: Name the first essential step of a malware attack?
“This could be of many methods, to name a few: USB (Stuxnet!), PDF attachments through “Phishing” campaigns or vulnerability enumeration.”
Q2: Now name the second essential step of a malware attack?
“Here’s the main part of how we classify Malware. What does it actually do? If it encrypts files — it’s Ransomware! If it records information like keystrokes or displays adware — we can classify it as Spyware.”
Q3: What type of signature is used to classify remnants of infection on a host?
“These are generally speaking the results of execution and any persistence performed by the Malware. For example, has a file been encrypted? Has any additional software been installed?”
Q4: What is the name of the other classification of signature used after a malware attack?
“At an overview, this classification of signatures is the observation of any networking communication taking place during delivery, execution and propagation. For example, in Ransomware, where has the Malware contacted for Bitcoin payments?”
This wasn’t included in the task, I just thought it was a cool read on host-based and network-based intrusion detection systems. The paper elaborates on how these two differ, what they detect and how they detect suspicious activity. https://www.giac.org/paper/gsec/1377/host-vs-network-based-intrusion-detection-systems/102574
Task 4: Static vs. Dynamic Analysis
A very simplistic overview of static vs dynamic analysis
No answer needed
Task 5: Discussion of Provided Tools & Their Uses
A list of some tools used in static and dynamic analysis
No answer needed
Task 6: Connecting to the Windows Analysis Environment
HERE COMES THE FUN
(I’m using the browser-based machine, so I’ll be using Remmina to connect to the Windows Desktop)
Task 7: Obtaining MD5 Checksums of Provided Files
Introduces checksums, what they are and their importance
Open up the Task 7 folder and right-click each file to view its properties
Q1: The MD5 Checksum of aws.exe?
*check method above
Q2: The MD5 Checksum of Netlogo.exe?
*check method above
Q3: The MD5 Checksum of vlc.exe?
*check method above
Task 8: Now let's see if the MD5 Checksums have been analyzed before
To answer the questions for this task, take the 3 checksums from the previous task and paste them into the search bar on VirusTotal[dot]com to reveal whether the .exe files are deemed malicious
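Tasks 7 and 8 together are the classic triage loop: hash the sample, then look the hash up. Here is an added example of that loop in Python, written for this walkthrough and not code from TryHackMe or VirusTotal. The sample file and the "known hash" table are constructed for the example, so the verdict it prints is not a real threat-intel result; in practice the lookup would be a VirusTotal search or a feed of known hashes.

```python
import hashlib
import os
import tempfile

# Added example (not TryHackMe's code): hash a file the way an analyst would before
# submitting it to VirusTotal, then compare the digests against a local known-hash list.
# The sample file and the KNOWN_HASHES entries below are constructed for this example.


def file_digests(path: str, chunk_size: int = 1 << 20) -> dict:
    """Return MD5, SHA-1 and SHA-256 hex digests of a file, read in chunks so large samples fit in memory."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashes.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashes.items()}


# Constructed lookup table standing in for a threat-intel feed: digest -> verdict.
KNOWN_HASHES = {
    "5eb63bbbe01eeed093cb22bb8f5acdc3": "malicious (constructed entry)",
}


def classify(digests: dict, known: dict = KNOWN_HASHES) -> str:
    """Look up every digest of the file; an unknown hash is 'unknown', never 'clean'."""
    for algo in ("sha256", "sha1", "md5"):
        if digests[algo] in known:
            return known[digests[algo]]
    return "unknown"


def demo() -> dict:
    """Write a constructed sample to a temp file, hash it and classify it."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = os.path.join(tmp, "sample.bin")
        with open(sample, "wb") as fh:
            fh.write(b"hello world")  # constructed file content, not a real binary
        digests = file_digests(sample)
        digests["verdict"] = classify(digests)
        return digests


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:8} {value}")
```

Two points worth taking from the task: record all three digests rather than MD5 alone, since MD5 is collision-prone and SHA-256 is what most feeds key on today, and treat "no hits" as "unknown", not "clean", because an absent hash only means nobody has submitted that exact file yet.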
Task 9: Identifying if the executables are obfuscated/packed
I’ve opened PEiD (Tools > Static > PE Tools > PEiD) and dragged the files from the task 9 folder to find the proposed packer.
Q1: What does PeID propose 1DE9176AD682FF.dll being packed with?
Q2: What does PeID propose AD29AA1B.bin being packed with?
Task 10: What is Obfuscation / Packing?
Briefly introduces what obfuscation/packing is
Use the same method in the previous task but drag and drop the file from the Task 10 folder instead
Q1: What packer does PeID report file “6F431F46547DB2628” to be packed with?
Task 11: Visualizing the Differences between packed & non-packed code
Brief summary on the differences on analyzing an obfuscated file and one that isn’t obfuscated
No answer needed
Task 12: Introduction to Strings
Introduction to the Sysinternals suite and the “strings” program
Q1: What is the URL that is outputted after using “strings”?
Open the command prompt and type in the commands TryHackMe has provided. You’ll have to scroll a little to find the URL.
Q2: How many unique “Imports” are there?
Open PE Explorer (Tools > Static > PE Tools > PE Explorer) and drag and drop the file from Task 12 into the application
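To show what the “strings” step is actually doing, here is an added example of a small strings extractor in Python. It is not TryHackMe's code and not the Sysinternals tool; like Sysinternals strings it scans for both ASCII and UTF-16LE runs, and it then pulls URLs out of the result, which is what Q1 asks you to spot by scrolling. The input bytes are constructed for this example and the URL in them uses the reserved .invalid domain.

```python
import re

# Added example, not TryHackMe's code and not the Sysinternals tool itself: a small
# strings extractor that, like Sysinternals strings, finds both ASCII and UTF-16LE
# runs, then pulls URLs out of the result. SAMPLE is constructed bytes standing in
# for the Task 12 file; the URL in it uses the reserved .invalid TLD.

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

SAMPLE = (b"MZ\x90\x00\x03\x00"
          + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 6
          + "http://example.invalid/gate.php".encode("utf-16-le") + b"\x00\x00"
          + b"\x7f\x01" + b"GetProcAddress\x00" + b"\x02" + b"ok\x00")


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return printable ASCII and UTF-16LE strings of at least min_len characters, in file order."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    found.sort(key=lambda t: t[0])  # interleave both encodings by offset, as the tool prints them
    return [s for _, s in found]


def find_urls(strings: list) -> list:
    """URLs embedded in the extracted strings, the kind of indicator Q1 asks for."""
    return [url for s in strings for url in URL_RE.findall(s)]


def last_string(data: bytes, min_len: int = 4) -> str:
    """The final string in file order, which is what the Task 14 strings question asks for."""
    strings = extract_strings(data, min_len)
    return strings[-1] if strings else ""


if __name__ == "__main__":
    for s in extract_strings(SAMPLE):
        print(s)
    print("URLs:", find_urls(extract_strings(SAMPLE)))
```

The UTF-16 pass matters on Windows samples: a URL or registry path stored as a wide string is invisible to an ASCII-only scan, which is exactly why the walkthrough uses Sysinternals strings rather than a plain text search.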
Task 13: Introduction to imports
Brief introduction to IDA Freeware
Navigate to IDA: Tools > Static > Disassembly > IDA Freeware
Q1: How many references are there to the library “msi” in the “Imports” tab of IDA Freeware for “install.exe”?
Click the Imports tab (second last tab)
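Tasks 9, 10 and 13 (and Q2 of Task 12) are all answered by reading PE headers: PEiD's packer guess comes partly from section names and entropy, and the Imports tab of IDA or PE Explorer is a walk over the import directory. The following is an added example of doing both by hand in Python; it is not TryHackMe's code and not how PEiD or IDA are implemented. The image it analyses is constructed by build_sample_pe() in the block itself (a UPX-named section filled with every byte value, plus an .idata section importing from msi.dll and kernel32.dll), so the numbers it prints are for that synthetic file, not for the room's samples.

```python
import math
import struct
from collections import Counter

# Added example, not TryHackMe's, PEiD's or IDA's code: a minimal PE32 reader that applies
# two packing heuristics (packer-style section names and per-section entropy) and walks the
# import directory to list imports per DLL. build_sample_pe() assembles a constructed image.
PACKER_SECTION_NAMES = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", "MPRESS1", "MPRESS2", ".vmp0", ".vmp1"}


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0); packed or encrypted data sits near 8."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())


def parse_pe(blob: bytes) -> dict:
    """Read the section table and the import-directory RVA of a PE32 image."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", blob, 0x3C)[0]                  # e_lfanew
    if blob[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe + 4
    nsec = struct.unpack_from("<H", blob, coff + 2)[0]            # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]       # SizeOfOptionalHeader
    opt = coff + 20
    if struct.unpack_from("<H", blob, opt)[0] != 0x10B:
        raise ValueError("this example handles PE32 only")
    import_rva = struct.unpack_from("<I", blob, opt + 96 + 8)[0]  # DataDirectory[1].VirtualAddress
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", blob, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "va": va, "vsize": vsize, "rawptr": rawptr, "rawsize": rawsize})
    return {"blob": blob, "sections": sections, "import_rva": import_rva}


def rva_to_offset(pe: dict, rva: int) -> int:
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["rawptr"] + (rva - s["va"])
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def cstring(pe: dict, rva: int) -> str:
    off = rva_to_offset(pe, rva)
    return pe["blob"][off:pe["blob"].index(b"\0", off)].decode("ascii")


def packing_indicators(pe: dict) -> dict:
    """Entropy per section plus the sections whose names match a known packer."""
    blob = pe["blob"]
    ent = {s["name"]: round(entropy(blob[s["rawptr"]:s["rawptr"] + s["rawsize"]]), 2) for s in pe["sections"]}
    return {"entropy": ent, "packer_sections": [s["name"] for s in pe["sections"] if s["name"] in PACKER_SECTION_NAMES]}


def list_imports(pe: dict) -> dict:
    """Map each imported DLL to its imported function names (ordinal imports shown as 'ordinal#N')."""
    blob, result = pe["blob"], {}
    desc = rva_to_offset(pe, pe["import_rva"])
    while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", blob, desc)
        if name_rva == 0:
            break
        names, thunk = [], rva_to_offset(pe, oft or ft)  # prefer the import name table
        while (entry := struct.unpack_from("<I", blob, thunk)[0]) != 0:
            names.append(f"ordinal#{entry & 0xFFFF}" if entry & 0x80000000 else cstring(pe, entry + 2))
            thunk += 4
        result[cstring(pe, name_rva).lower()] = names
        desc += 20
    return result


def build_sample_pe() -> bytes:
    """Constructed PE32: a UPX-named, maximal-entropy section plus an .idata import section."""
    imports = {"msi.dll": ["MsiOpenDatabaseA", "MsiGetPropertyA", "MsiCloseHandle"],
               "kernel32.dll": ["GetProcAddress", "LoadLibraryA"]}
    base, idata, descs = 0x2000, bytearray(20 * (len(imports) + 1)), []
    for dll, funcs in imports.items():
        name_rva = base + len(idata)
        idata += dll.encode() + b"\0"
        entries = []
        for f in funcs:
            entries.append(base + len(idata))
            idata += b"\0\0" + f.encode() + b"\0"                # IMAGE_IMPORT_BY_NAME: hint + name
        thunk_rva = base + len(idata)
        idata += b"".join(struct.pack("<I", e) for e in entries) + b"\0\0\0\0"
        descs.append(struct.pack("<IIIII", thunk_rva, 0, 0, name_rva, thunk_rva))
    idata[:20 * len(descs)] = b"".join(descs)
    idata += b"\0" * (-len(idata) % 0x200)
    upx0 = bytes(range(256)) * 2                                   # every byte value twice: 8.0 bits
    sections = [(b"UPX0", 0x1000, 0x200, upx0), (b".idata", base, 0x400, bytes(idata))]
    opt = struct.pack("<H", 0x10B) + b"\0" * 102 + struct.pack("<II", base, 20 * len(descs) + 20) + b"\0" * 112
    image = bytearray(b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40))
    image += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102) + opt
    for name, va, rawptr, data in sections:
        image += struct.pack("<8sIIIIIIHHI", name, len(data), va, len(data), rawptr, 0, 0, 0, 0, 0x60000020)
    for _, _, rawptr, data in sections:
        image += b"\0" * (rawptr - len(image)) + data
    return bytes(image)
```

Running packing_indicators on the constructed image flags UPX0 by name and reports its entropy as 8.0, while .idata comes out low; list_imports gives three names under msi.dll and two under kernel32.dll, the same count you would read off IDA's Imports tab. A real packed sample often also shows a near-empty import table (just LoadLibrary/GetProcAddress), which is the other tell the Task 11 comparison is getting at.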
Task 14: Practical Summary
Now we’ll review everything that we’ve learned :’)
Q1: What is the MD5 Checksum of the file? (Task 7)
Q2: Does Virustotal report this file as malicious? (Yay/Nay) (Task 8)
Q3: Output the strings using Sysinternals “strings” tool. What is the last string outputted? (Task 12)
Q4: What is the output of PeID when trying to detect what packer is used by the file? (Task 9)