Tryhackme – MAL (Malware Introductory)


In this walkthrough, we will be going through the MAL (Malware Introductory) room by Tryhackme. After completing this room, you will be able to perform basic static and dynamic analysis using a number of freely available tools. The room covers the basics of practical malware analysis and how to approach a live malware sample found in the wild, should that ever be required in your work. Malware analysis is mostly done by digital forensics investigators and blue team analysts, so if you want to join the defensive side of the workforce, this room is for you. Let’s get started.

MAL (Malware Introductory)

Task 1 – What is the Purpose of Malware Analysis?

What is the Purpose of Malware Analysis?

Task 2 – Understanding Malware Campaigns

Question 1 – What is the famous example of a targeted attack-esque Malware that targeted Iran?

Stuxnet

Question 2 – What is the name of the Ransomware that used the Eternalblue exploit in a “Mass Campaign” attack?

Wannacry

Understanding Malware Campaigns

Task 3 – Identifying if a Malware Attack has Happened

Question 1 – Name the first essential step of a Malware Attack?

Delivery

Question 2 – Now name the second essential step of a Malware Attack?

Execution

Question 3 – What type of signature is used to classify remnants of infection on a host?

Host-based Signatures

Question 4 – What is the name of the other classification of signature used after a Malware attack?

Network-based Signatures

Identifying if a Malware Attack has Happened

Task 4 – Static Vs. Dynamic Analysis

Question 1 – I understand the two broad categories employed when analysing potential malware!

Done

Static Vs. Dynamic Analysis

Task 5 – Discussion of Provided Tools & Their Uses

Question 1 – Lets proceed

Done

Discussion of Provided Tools & Their Uses

Task 6 – Connecting to the Windows Analysis Environment (Deploy)

Question 1 – I’ve logged in!

Done

RDP Login

Connecting to the Windows Analysis Environment (Deploy)

Task 7 – Obtaining MD5 Checksums of Provided Files

Question 1 – The MD5 Checksum of aws.exe

MD5 hash check

aws.exe hash check

D2778164EF643BA8F44CC202EC7EF157

Question 2 – The MD5 Checksum of Netlogo.exe

Netlogo.exe hash check

59CB421172A89E1E16C11A428326952C

Question 3 – The MD5 Checksum of vlc.exe

vlc.exe hash check

5416BE1B8B04B1681CB39CF0E2CAAD9F

Obtaining MD5 Checksums of Provided Files

Task 8 – Now lets see if the MD5 Checksums have been analysed before

Question 1 – Does Virustotal report this MD5 Checksum / file aws.exe as malicious? (Yay/Nay)

Virustotal aws.exe

Nay

Question 2 – Does Virustotal report this MD5 Checksum / file Netlogo.exe as malicious? (Yay/Nay)

Virustotal Netlogo.exe

Nay

Question 3 – Does Virustotal report this MD5 Checksum / file vlc.exe as malicious? (Yay/Nay)

Virustotal vlc.exe

Nay

Now lets see if the MD5 Checksums have been analysed before

Task 9 – Identifying if the Executables are obfuscated / packed

Question 1 – What does PeID propose 1DE9176AD682FF.dll being packed with?

PEiD to identify packer

1DE9176AD682FF.dll packer check

Microsoft Visual C++ 6.0 DLL

Question 2 – What does PeID propose AD29AA1B.bin being packed with?

AD29AA1B.bin packer

Microsoft Visual C++ 6.0

Identifying if the Executables are obfuscated / packed

Task 10 – What is Obfuscation / Packing?

Question 1 – What packer does PeID report file “6F431F46547DB2628” to be packed with?

6F431F46547DB2628

FSG 1.0 -> dulek/xt

What is Obfuscation / Packing?

Task 11 – Visualising the Differences Between Packed & Non-Packed Code

Question 1 – Cursed obfuscation!

Done

Visualising the Differences Between Packed & Non-Packed Code

Task 12 – Introduction to Strings

Question 1 – What is the URL that is outputted after using “strings”?

strings check

strings check 2

practicalmalwareanalysis.com

Question 2 – How many unique “Imports” are there?

unique imports

unique imports

5

Introduction to Strings

Task 13 – Introduction to Imports

Question 1 – How many references are there to the library “msi” in the “Imports” tab of IDA Freeware for “install.exe”?

IDA freeware

IDA freeware imports

9

Introduction to Imports

Task 14 – Practical Summary

Question 1 – What is the MD5 Checksum of the file?

MD5 hash check

F5BD8E6DC6782ED4DFA62B8215BDC429

Question 2 – Does Virustotal report this file as malicious? (Yay/Nay)

Virustotal check

Yay

Question 3 – What is the last string outputted?

Strings check

strings check 2

d:h:

Question 4 – What is the output of PeID when trying to detect what packer is used by the file?

packer detection

Nothing found *

Practical summary


Conclusion:


In this room, we started with the basics of malware analysis and its two broad types, static and dynamic. Then we looked at some of the commonly used tools provided in the analysis environment. Next, we learned how to compute an executable’s MD5 hash and check it against Virustotal. After that, we took a short dive into obfuscation and packing techniques and how PEiD identifies a packer. We then learned how to pull hidden strings out of binaries with “strings”. Lastly, we finished with imports in IDA Freeware and a practical exercise to test our newly acquired skills. On that note, I will take my leave until the next episode; until then, “Hack the planet”.
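To tie the room’s static triage steps together (hashing in Task 7, the VirusTotal lookup in Task 8, packing checks in Tasks 9 to 11, strings in Task 12 and imports in Task 13), here is an added Python example. It is not part of the original walkthrough or of the TryHackMe room, and it makes three assumptions: the input blob is a constructed fake, not a real binary; the DLL-name heuristic is a stand-in for a real import-table walk (which needs a PE parser such as pefile); and the VirusTotal step is left to the analyst, since it needs network access and an API key. Byte entropy is included because packed or encrypted code reads as near-random data, which is a useful second opinion when PEiD reports “Nothing found”.

```python
import hashlib
import math
import re
import sys
from collections import Counter


def file_hashes(data: bytes) -> dict:
    """Return MD5 and SHA-256 hex digests (uppercase, as the room shows them).

    MD5 is what the room asks for and what VirusTotal accepts for lookups,
    but MD5 collisions are practical, so record SHA-256 alongside it.
    """
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform random).

    Packed or encrypted code is close to random, so a value above roughly 7
    is a hint that a packer may be present even when PEiD has no signature.
    """
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Return (offset, kind, text) tuples for printable ASCII and UTF-16LE
    (wide) runs of at least min_len characters, sorted by offset. This
    mirrors what the Sysinternals strings tool prints by default."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii"))
             for m in ascii_re.finditer(data)]
    found += [(m.start(), "wide", m.group().decode("utf-16-le"))
              for m in wide_re.finditer(data)]
    return sorted(found)


def dll_references(strings: list) -> list:
    """Heuristic stand-in for the Imports view: unique DLL names that appear
    as plain strings. A packed sample usually hides these until unpacked,
    which is itself a useful signal."""
    names = {text.lower() for _, _, text in strings
             if re.fullmatch(r"[\w.-]+\.dll", text, re.IGNORECASE)}
    return sorted(names)


def triage(data: bytes) -> dict:
    """One-shot static summary of a sample, combining the steps above."""
    strings = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "entropy": round(shannon_entropy(data), 3),
        "string_count": len(strings),
        "last_string": strings[-1][2] if strings else None,
        "dll_references": dll_references(strings),
    }


# Constructed sample (assumption): a fake PE-like blob with an ASCII URL,
# a wide DLL name and an API name, so the script runs without a real file.
SAMPLE = (
    b"MZ\x90\x00\x03\x00"
    + b"practicalmalwareanalysis.com\x00"
    + b"\x7f\x80"
    + "kernel32.dll".encode("utf-16-le") + b"\x00\x00"
    + b"GetProcAddress\x00"
    + b"\x01\x02"
)


def main(argv):
    # Usage: python triage.py <file>; with no argument the constructed blob is used.
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = SAMPLE
    for key, value in triage(data).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against each of the room’s samples and compare the MD5 line with the value you paste into VirusTotal; a high entropy figure together with an empty DLL list is the same picture PEiD and strings give for a packed file.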
