I recommend reading the references provided at the end of this room and doing your own research on the topics covered (as you should with everything), since this room is just a general overview of checksums, sandboxing and how sandbox reports are analysed.
Task 1: Intro
No answer needed
Task 2: Deploy!
No answer needed
Task 3: Checksums 101
Q1: Name the term for an individual piece of binary?
Answer is found in the second paragraph
Q2: What are checksums also known as?
Answer is found in the second paragraph
Q3: Name the algorithm that is next in the series after SHA-256?
Answer found in second paragraph under “Checksums Continued:”
Q4: According to this task, how long will you need to hash 6 million files before an MD5 hash collision occurs?
Answer found in the second paragraph under the second table
Q5: Who developed the MD5 algorithm?
You’ll have to look this one up on Google :)
Task 4: Online Sandboxing
Q1: Name the key term for the type of malware that Emotet is classified as
Answer is found beside “Threats:”
Q2: Research time! What type of emails does Emotet use as its payload?
Answer is found beside “Threats:”
Q3: Begin analyzing the report, what is the timestamp of when the analysis was made?
Answer found beside “Analysis date”
Q4: Name the file that is detected as a “Network Trojan”
Look at PID 2560
Q5: What is the PID of the first HTTP GET request?
Look at the “HTTP requests” table
Q6: What is the only DNS request that is made after the sample is executed?
Look at the “DNS requests” table
Task 5: Practical: Calculating & Reporting Checksums
Q1: Using the HashTab tool, what is the MD5 checksum for “LoginForm.exe”?
Dive into your machine and you’ll see “LoginForm.exe”. Right click it, hit Properties and open the File Hashes tab.
Q2: Using Get-FileHash in PowerShell, retrieve the SHA256 of “TryHackMe.exe”
Get-FileHash TryHackMe.exe -Algorithm SHA256
Q3: What would be the syntax to retrieve the SHA256 checksum of “TryHackMe.exe” using CertUtil in PowerShell?
CertUtil -hashfile TryHackMe.exe SHA256
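As an added example of my own (not part of the room or its tools), here is a small PowerShell script that turns the two Task 5 commands into something repeatable: one function verifies a file against a checksum published by its source (the real reason you calculate checksums at all), and another produces a SHA256 report for every file in a folder. The file path, folder and the expected hash value are placeholders, so swap in your own.

```powershell
# Added example, not part of the TryHackMe room. Paths and the expected hash are
# placeholders; Get-FileHash and Export-Csv are standard PowerShell cmdlets.

function Test-FileChecksum {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ExpectedHash,
        [ValidateSet('MD5','SHA1','SHA256','SHA384','SHA512')][string]$Algorithm = 'SHA256'
    )
    # Get-FileHash returns an object; its .Hash property is the upper-case hex digest.
    $actual = (Get-FileHash -Path $Path -Algorithm $Algorithm).Hash
    # Compare case-insensitively so a lower-case hash copied from a website still matches.
    $match = $actual -ieq $ExpectedHash.Trim()
    [pscustomobject]@{
        File      = $Path
        Algorithm = $Algorithm
        Actual    = $actual
        Expected  = $ExpectedHash.Trim().ToUpper()
        Match     = $match
    }
}

function Get-ChecksumReport {
    param(
        [Parameter(Mandatory)][string]$Folder,
        [string]$OutCsv
    )
    # One row per file: path, size and SHA256, which is what you would hand to
    # someone (or paste into VirusTotal) when reporting on a sample.
    $rows = Get-ChildItem -Path $Folder -File -Recurse | ForEach-Object {
        $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
        [pscustomobject]@{
            Path      = $_.FullName
            SizeBytes = $_.Length
            SHA256    = $h.Hash
        }
    }
    if ($OutCsv) { $rows | Export-Csv -Path $OutCsv -NoTypeInformation }
    $rows
}

# Placeholder expected value: replace it with the checksum the vendor publishes.
$expected = '<PUBLISHED_SHA256_GOES_HERE>'
$result = Test-FileChecksum -Path 'C:\Users\Analyst\Desktop\TryHackMe.exe' -ExpectedHash $expected
$result | Format-List

if (-not $result.Match) {
    Write-Warning "Checksum mismatch for $($result.File): the file is not what its source published."
}

# Report every file in the analyst's sample folder (placeholder path) and save it as CSV.
Get-ChecksumReport -Folder 'C:\Users\Analyst\Desktop\Samples' -OutCsv 'C:\Users\Analyst\Desktop\checksums.csv' |
    Format-Table -AutoSize
```

Get-FileHash already defaults to SHA256, which is why the Task 5 Q2 answer works with or without the -Algorithm switch; the function above keeps the switch explicit so the algorithm shows up in the output next to the hash. A mismatch on SHA256 tells you the bytes differ from what was published, whether through a corrupted download or a tampered file, which is exactly the signal the checksum exists to give.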
Task 6: VirusTotal
Q1: Navigate to the “Details” tab, what is the other filename and extension reported as present?
Answer is found under “Names”
Q2: In the same “Details” tab, what is the reported compilation timestamp?
Answer is found under “Portable Executable Info”
Q3: What is the THM{} formatted flag on the report?
Answer is in the “Community” tab
Task 7: Future Reading (References)
No answer needed