Day 6
If I can't find a nice malware to use, I'm not going.
Today, we’re diving into malware analysis, an essential skill for cybersecurity professionals.
We are testing this malware in a sandbox.
Sandboxing is a security practice in which you use an isolated environment, or a “sandbox,” for testing. In a sandbox, you can safely execute and analyze code without risking the integrity of the underlying application, system, or platform.
YARA is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns.
Now, let's begin.
Start the machine and wait for it to deploy. Today we are working on a Windows machine.
We are provided with a script named “JingleBells.ps1” in C:\Tools, which we run. It is essentially a script that acts as an EDR (Endpoint Detection and Response): it continuously monitors system events and event logs and notifies us if a registry key is being queried.
Navigate to the Tools directory:
Execute the EDR script:
This script will monitor all the events.
While keeping the script running, open up File Explorer, go to This PC → Local Disk (C:) → Tools → Malware, and execute MerryChristmas.exe.
This triggers the YARA rules and a popup appears!
Extracting Strings with FLOSS
We also need to know that there are tools available that extract obfuscated strings from malware binaries. One such tool is FLOSS, a powerful tool developed by Mandiant that functions similarly to the Linux strings tool but is optimized for malware analysis, making it ideal for revealing concealed details.
Let's try using FLOSS:
Execute the following command:
floss.exe C:\Tools\Malware\MerryChristmas.exe | Out-File C:\tools\malstrings.txt
floss.exe C:\Tools\Malware\MerryChristmas.exe scans the binary MerryChristmas.exe for strings. If any hardcoded variables were defined in the malware, FLOSS should find them.
The | symbol redirects the output of the command in front of it to the input of the command behind it.
Out-File C:\tools\malstrings.txt saves the command results in a file called malstrings.txt.
Navigate to C:\tools\ and open malstrings.txt. Search for the string THM using Ctrl+F.
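As an added illustration (not part of the room and not FLOSS's own code), here is a small Python version of what the strings step above does: it pulls printable ASCII and UTF-16LE strings out of a byte blob, and, like FLOSS's decoding pass, brute-forces single-byte XOR to surface a flag that a plain strings run would miss. The sample bytes and the XOR key 0x42 are constructed for the example, not taken from MerryChristmas.exe.

```python
import re
from typing import Dict, List

# Constructed sample "binary" (not the room's MerryChristmas.exe): header bytes,
# a plain ASCII flag, a UTF-16LE (wide) flag as Windows binaries often store
# them, and a flag XOR-encoded with a single-byte key, which a plain strings
# pass misses but a FLOSS-style decoding pass reveals.
XOR_KEY = 0x42  # assumed key for the constructed sample
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"THM{constructed_plain}\x00"
    + "THM{constructed_wide}".encode("utf-16-le") + b"\x00\x00"
    + bytes(b ^ XOR_KEY for b in b"THM{constructed_xor}") + b"\x00"
)

FLAG_RE = re.compile(r"THM\{[A-Za-z0-9_]+\}")


def ascii_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs of at least min_len bytes, like the classic strings tool."""
    return [m.decode() for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]


def wide_strings(data: bytes, min_len: int = 4) -> List[str]:
    """UTF-16LE runs: each printable ASCII byte is followed by a NUL byte."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.decode("utf-16-le") for m in re.findall(pattern, data)]


def xor_decoded_strings(data: bytes, min_len: int = 4) -> Dict[int, List[str]]:
    """Try every single-byte XOR key; keep the keys that reveal a flag-shaped string."""
    hits: Dict[int, List[str]] = {}
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in data)
        found = [s for s in ascii_strings(decoded, min_len) if FLAG_RE.search(s)]
        if found:
            hits[key] = found
    return hits


def find_flags(data: bytes) -> Dict[str, List[str]]:
    """Collect THM{...} flags from plain, wide and single-byte-XOR'd strings."""
    plain = [f for s in ascii_strings(data) for f in FLAG_RE.findall(s)]
    wide = [f for s in wide_strings(data) for f in FLAG_RE.findall(s)]
    xored = [f for strs in xor_decoded_strings(data).values()
             for s in strs for f in FLAG_RE.findall(s)]
    return {"plain": plain, "wide": wide, "xor": xored}


if __name__ == "__main__":
    for kind, flags in find_flags(SAMPLE).items():
        print(kind, flags)
```

Running it prints one flag per string type; the XOR pass is the part that distinguishes a FLOSS-style run from a plain strings run.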
1. What is the flag displayed in the popup window after the EDR detects the malware?
A: THM{GlitchWasHere}
2. What is the flag found in the malstrings.txt document after running floss.exe and opening the file in a text editor?
A: THM{HiddenClue}
Malware analysis involves understanding how malware behaves in sandboxed environments and how it tries to evade detection.
Tools like YARA and FLOSS are invaluable for detecting and analyzing malware patterns.
Stay tuned for Day 7, and happy hacking! 🎄
Thank you!