MAL: Malware Introductory



Task 1: What is the Purpose of Malware Analysis?

Malware analysis is a form of incident response that focuses on malware. Malware analysis explores what point of entry (PoE) into the system a malware used, indicators of its presence, how it performs, and how we can protect against it.

Task 2: Understanding Malware Campaigns

Malware can be divided into two types, targeted and mass-campaign, based on the intended audience.

What is the famous example of a targeted attack-esque Malware that targeted Iran?

Stuxnet

Stuxnet targeted the centrifuges of Iran's nuclear program, which are used to enrich uranium.

What is the name of the Ransomware that used the Eternalblue exploit in a "Mass Campaign" attack?

Wannacry

Wannacry demanded ransom payments in Bitcoin.

Task 3: Identifying if a Malware Attack has Happened

Malware leaves an extensive paper trail of evidence at each step of the attack. Malware generally leaves behind two types of fingerprints on a host. Host-based signatures are the results of execution and persistence performed by malware, such as downloaded software or encrypted files. In contrast, network-based signatures are the observations of network communication taking place during delivery, execution, and propagation.

Name the first essential step of a Malware Attack?

delivery

The first step of a malware attack is delivery. This step is followed by execution, maintaining persistence, and propagation. The first two steps are essential, but the last two are not.

Now name the second essential step of a Malware Attack?

execution

The execution step follows the delivery step as another essential step of a malware attack.

What type of signature is used to classify remnants of infection on a host?

Host-Based Signatures

Host-based signatures are evidence left behind on the host in the form of execution and persistence results.

What is the name of the other classification of signature used after a Malware attack?

Network-Based Signatures

The other type of signature besides host-based is network-based.

Task 4: Static Vs. Dynamic Analysis

We use both static and dynamic analysis when analyzing malware. Static analysis looks at the code without execution in order to gain a high-level understanding of the sample. In contrast, dynamic analysis builds upon static analysis by running the sample in an isolated environment and observing the sample's effects.

Task 5: Discussion of Provided Tools & Their Uses

Though some tools are purely static or dynamic analyzers, other tools provided in this task can be used for both static and dynamic analysis.

Task 6: Connecting to the Windows Analysis Environment (Deploy)

Connect to the machine associated with this task by pressing the "Start Machine" button on the top-right of the task.

Task 7: Obtaining MD5 Checksums of Provided Files

The application HashTab, preinstalled with the VM, calculates the checksums of a file using MD5 and other hash functions. The results of the application are available by viewing a file's properties.

The MD5 Checksum of aws.exe

D2778164EF643BA8F44CC202EC7EF157

Right click on aws.exe to open the file's properties. Click on the File Hashes tab.

The MD5 Checksum of Netlogo.exe

59CB421172A89E1E16C11A428326952C

Right click on Netlogo.exe to open the file's properties. Click on the File Hashes tab.

The MD5 Checksum of vlc.exe

5416BE1B8B04B1681CB39CF0E2CAAD9F

Right click on vlc.exe to open the file's properties. Click on the File Hashes tab.

Task 8: Now let's see if the MD5 Checksums have been analyzed before

Virustotal can be used to see if a file with the same MD5 checksum has been analyzed before.

Does Virustotal report this MD5 Checksum / file aws.exe as malicious? (Yay/Nay)

Nay

Search for the MD5 checksum of aws.exe in Virustotal.

Does Virustotal report this MD5 Checksum / file Netlogo.exe as malicious? (Yay/Nay)

Nay

Search for the MD5 checksum of Netlogo.exe in Virustotal.

Does Virustotal report this MD5 Checksum / file vlc.exe as malicious? (Yay/Nay)

Nay

Search for the MD5 checksum of vlc.exe in Virustotal.

Task 9: Identifying if the Executables are obfuscated / packed

PeID is a tool that can be used to identify if an executable is packed. Remember that an executable does not necessarily end with a .exe extension. A file that ends with .jpeg, for example, but starts with the hex header 4D 5A is still an executable.

What does PeID propose 1DE9176AD682FF.dll being packed with?

Microsoft Visual C++ 6.0 DLL

Go to Tools -> Static -> PE Tools to open PeID. Click the three dots next to File: in order to open 1DE9176AD682FF.dll.

What does PeID propose AD29AA1B.bin being packed with?

Microsoft Visual C++ 6.0

Go to Tools -> Static -> PE Tools to open PeID. Click the three dots next to File: in order to open AD29AA1B.bin.

Task 10: What is Obfuscation / Packing?

Packing is a form of obfuscation used by software developers to prevent the analysis of programs. Packing has legitimate and illegitimate uses: it can be used to protect intellectual property and to prevent malware analysts from reverse engineering and ultimately defending against malicious code.

What packer does PeID report file "6F431F46547DB2628" to be packed with?

FSG 1.0 -> dulek/xt

Go to Tools -> Static -> PE Tools to open PeID. Click the three dots next to File: in order to open 6F431F46547DB2628.

Task 11: Visualizing the Differences Between Packed & Non-Packed Code

We can visualize what a packed executable looks like with IDA Freeware. When we open a packed executable in the application, we notice that there are few imports and a small program execution flowchart. Both are indicators that the executable has been packed. Non-packed code tends to have more imports and a larger execution flowchart.
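Task 9 makes the point that the MZ header, not the file extension, identifies an executable, and Task 11 lists few imports and a small flowchart as packing indicators. The following is an added example, not code from the room or from PeID, that checks the MZ and PE signatures and walks the section table in Python; it goes beyond the room by scoring each section's byte entropy, a common packing heuristic, on a constructed minimal PE image built inside the block.

```python
import math
import struct
from collections import Counter

def build_sample_pe() -> bytes:
    """Constructed minimal PE image (not a file from the room): a 64-byte DOS header whose
    e_lfanew points at the PE signature, a COFF header declaring two sections and no
    optional header, two 40-byte section headers, then the sections' raw data."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)         # e_lfanew lives at offset 0x3C
    text_data = b"\x00" * 4096                                   # uniform bytes: entropy 0.0
    packed_data = bytes(range(256)) * 16                         # every byte value equally often: entropy 8.0
    first_raw = 0x40 + 4 + 20 + 2 * 40                           # file offset of the first section's data
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)   # i386, 2 sections, SizeOfOptionalHeader 0
    sec1 = struct.pack("<8sIIIIIIHHI", b".text", len(text_data), 0x1000,
                       len(text_data), first_raw, 0, 0, 0, 0, 0x60000020)
    sec2 = struct.pack("<8sIIIIIIHHI", b".packed", len(packed_data), 0x2000,
                       len(packed_data), first_raw + len(text_data), 0, 0, 0, 0, 0xE0000040)
    return dos + b"PE\0\0" + coff + sec1 + sec2 + text_data + packed_data

def is_pe(data: bytes) -> bool:
    """MZ stub plus 'PE\\0\\0' where e_lfanew points; the file extension plays no part."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def shannon_entropy(buf: bytes) -> float:
    # Bits per byte: 0.0 for a constant buffer, 8.0 when all 256 values are equally common.
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def pe_sections(data: bytes):
    """(name, raw_size, entropy) for each entry in the section table."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    table = e_lfanew + 24 + opt_size                             # section table follows the optional header
    out = []
    for i in range(n_sections):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        chunk = data[raw_ptr:raw_ptr + raw_size]
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), raw_size, round(shannon_entropy(chunk), 2)))
    return out

def packing_indicators(data: bytes, threshold: float = 7.0):
    """Names of sections whose raw bytes look compressed or encrypted, a common sign of packing."""
    return [name for name, _, ent in pe_sections(data) if ent >= threshold]
```

Run `pe_sections(open(path, "rb").read())` on a real sample only after `is_pe` returns True; a near-8.0 section alongside a tiny import table is the same picture PeID and IDA show for a packed file.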

Task 12: Introduction to Strings

Microsoft Sysinternals' strings program lets us view the printable text contained in a program. The command strings <program> outputs the strings found in that program.

What is the URL that is outputted after using "strings"

practicalmalwareanalysis.com

Run strings "C:\Users\Analysis\Desktop\Tasks\Task 12\67844C01" and scroll up to find the URL.
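The strings tool lists printable ASCII and UTF-16LE runs found in a binary. The following added example, not code from the room or from Sysinternals, does the same in Python over a constructed byte buffer (the URL and import names in it are made up) and filters for URL-looking results like the one this task asks for.

```python
import re

def extract_strings(data: bytes, min_len: int = 4):
    """Printable ASCII and UTF-16LE runs of at least min_len characters, in file order,
    roughly what Sysinternals strings prints with its default settings."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE text is each printable byte followed by a NUL, repeated.
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), m.group().decode("ascii")) for m in ascii_run.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in utf16_run.finditer(data)]
    return [s for _, s in sorted(found)]

URL_HINT = re.compile(r"https?://|www\.|\.(?:com|net|org)\b", re.IGNORECASE)

def url_like_strings(data: bytes):
    """Only the strings that look like a hostname or URL, the kind of hit Task 12 asks for."""
    return [s for s in extract_strings(data) if URL_HINT.search(s)]

# Constructed sample buffer (not the room's 67844C01 file): a DOS stub message, a UTF-16LE
# URL of a made-up host, two ASCII import names and a trailing short ASCII run.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 20
    + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 8
    + "http://update.example.invalid/check".encode("utf-16-le") + b"\x00" * 8
    + b"kernel32.dll\x00CreateFileA\x00"
    + b"\x01\x02\x03d:h:"
)

if __name__ == "__main__":
    for s in extract_strings(SAMPLE):
        print(s)
    print("URL-like:", url_like_strings(SAMPLE))
```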

Viewing all strings at once may not always be informative. To view just imports, we can use PE Explorer. Opening an executable in PE Explorer and navigating to View -> Imports allows us to view imports for that executable.

How many unique "Imports" are there?

5

Drag C:\Users\Analysis\Desktop\Tasks\Task 12\67844C01 into PE Explorer and then navigate to View -> Imports. Count the number of unique imports.

Task 13: Introduction to Imports

Tools like IDA Freeware, which can be used for both static and dynamic analysis, tend to be classified as either disassemblers or debuggers. Disassemblers reverse a compiled program from machine code to assembly code. Debuggers allow an analyst to view the changes made at each step of an executing program.

How many references are there to the library "msi" in the "Imports" tab of IDA Freeware for "install.exe"

9

Open install.exe in IDA Freeware as a portable executable for 80386. Select the Imports tab and then count the number of references.

Task 14: Practical Summary

Analyze ComplexCalculator.exe in the directory Tasks/Task 14 to answer the following questions.

What is the MD5 Checksum of the file?

F5BD8E6DC6782ED4DFA62B8215BDC429

Right click on the file to view its properties. Go to the File Hashes tab.

Does Virustotal report this file as malicious? (Yay/Nay)

Yay

Copy the MD5 Checksum into Virustotal.

Output the strings using Sysinternals "strings" tool. What is the last string outputted?

d:h:

Run cd C:\Users\Analysis\Desktop\Tools\SysinternalsSuite. Then, run strings "C:\Users\Analysis\Desktop\Tasks\Task 14\ComplexCalculator.exe".

What is the output of PeID when trying to detect what packer is used by the file?

Nothing found

Open the file in PeID.

