Advent Of Cyber 2022 | Day 12 | TryHackMe


Welcome back to yet another blog. It's day 12 and we have covered all the walkthroughs till day 11. This challenge is going to be very interesting. So without any delay, let's move to day 12.

Forensic McBlue to the REVscue!

This room mainly focuses on malware analysis. A prominent word in cybersecurity, malware is software created to harm a computer or an entire network. Threat actors develop malware to achieve specific goals, such as infiltrating networks, breaching sensitive data, or disrupting operational services.

If you were to inspect several malware samples in the wild, a typical pattern arises, and with experience this makes analysing other samples easier. Knowing these common behaviours gives us an idea of what to look for on the defensive side, such as:

  • Network connections - Malware tends to establish either external network connections or internal connections. External connections allow remote access or downloading staged payloads from a threat actor's infrastructure. Meanwhile, internal connections allow for lateral movement, a technique used to extend access to other hosts or applications within the network.

  • Registry key modifications - Malware typically uses registry keys to establish persistence, a technique used by threat actors to discreetly maintain long-term access to a system despite disruptions. A good example is Registry Run Keys, which allows binaries to be automatically executed when a user logs in or the machine boots up.

  • File manipulations - Malware also tends to download (one of the common reasons to establish network connections) or create new files needed for its successful execution.

    Only run the malware sample in a controlled environment that prevents potential compromise of unwanted assets.

There are two types of analysis: static and dynamic analysis.

In static analysis, we try to analyse the malware without executing it. This method mainly focuses on profiling the binary with its readable information, such as its properties, program flow and strings.

In dynamic analysis, we execute the malware in a controlled environment such as a sandbox and observe what it does. Now let's move to today's task.

Question1

For this, we are going to use a simple tool, Detect It Easy (DIE). The malware is inside the malware sample folder. Right-click on the malware.

Open the tool.

You can see the answer in the mode parameter.

Question2

As you can see, the packer here is UPX. Packing malware is a common technique used by malware developers to compress, obfuscate or encrypt the binary. With this, contents such as significant strings and headers will not be immediately visible to static analysis tools.

Question3

To answer this question, the tool is CAPA. CAPA detects capabilities in executable files, be it the installation of a service, invocation of network connections, registry modifications and so on. Before using this tool, make sure to unpack the sample using UPX, because the packer hides exactly the strings and headers CAPA looks at. Let's unpack it. Open your command prompt and move into the malware sample folder with the cd command.

The syntax is: upx -d mysterygift

Let's use CAPA now. The syntax will be: capa mysterygift

So we got some results.

In the second line, you can see "compiled with Nim". We got our answer.

Question4

You can see two techniques under Discovery.

Question5

Till now, we were doing static analysis. Now let's move to dynamic analysis. Before this, make sure to add the .exe extension to the malware file so that we can execute it.

The tool we are going to use now is ProcMon.

Open this tool.

We need to add the filter.

Add the filter by filling in this parameter. Click on Add, then OK.

Click on Show Registry Activity. You can see nothing is happening. But as soon as you run your malware, many registry events start popping up.

This is what we do in dynamic analysis. We are executing the malware in a controlled environment.

Now right-click on a RegOpenKey event and click on Exclude 'RegOpenKey'. In the same way, exclude RegQueryValue, RegQueryKey and RegCloseKey.

You can see only these events are left.

Go to the \Run event and look at its path.

This is the answer to our question.

Question6

For this, go to the Run (Default) event and look at the Data parameter in its details.
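As an added example (not part of the original walkthrough or the room), here is the same filtering ProcMon does by hand, run over a constructed CSV export: drop the four noisy operations excluded above, keep RegSetValue writes under a Run/RunOnce key, and pull the Data field out of the Detail column. The process name, value name and data path are made-up placeholders.

```python
import csv
import io
import re

# The four noisy operations the walkthrough excludes in ProcMon.
NOISY_OPS = {"RegOpenKey", "RegQueryValue", "RegQueryKey", "RegCloseKey"}

# Autostart locations: HKCU/HKLM ...\CurrentVersion\Run and RunOnce.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

# Constructed ProcMon CSV export (not a real capture); process name,
# value name and data path are placeholders.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0","sample.exe","4321","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Write"
"10:00:01.1","sample.exe","4321","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","NAME NOT FOUND","Length: 144"
"10:00:01.2","sample.exe","4321","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 66, Data: C:\PLACEHOLDER\persist.bat"
"10:00:01.3","sample.exe","4321","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS",""
"10:00:02.0","explorer.exe","1234","RegQueryKey","HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer","SUCCESS","Query: Name"
"10:00:02.5","sample.exe","4321","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1A10","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
'''


def find_run_key_persistence(csv_text):
    """Return (process, path, detail) for every value written under a Run key,
    after dropping the noisy operations, just like the manual ProcMon filtering."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] in NOISY_OPS:
            continue  # the same exclude filters applied by hand in ProcMon
        if row["Operation"] == "RegSetValue" and RUN_KEY_RE.search(row["Path"]):
            hits.append((row["Process Name"], row["Path"], row["Detail"]))
    return hits


def value_data(detail):
    """Extract the Data field from a RegSetValue detail string (where the Question 6 answer sits)."""
    m = re.search(r"Data:\s*(.*)$", detail)
    return m.group(1).strip() if m else None


if __name__ == "__main__":
    for proc, path, detail in find_run_key_persistence(SAMPLE_CSV):
        print(f"{proc} set {path} -> {value_data(detail)}")
```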

Question7

Click on the Show File System Activity icon in the same tool.

Now right-click on a CreateFile event and click on Include 'CreateFile'.

In the \administration folder, you can see two files: test.jpg and wishes.bat.

We got the answer.

Question8

To answer this question, we are going to use the FLOSS tool. FLOSS is an open-source tool to automatically detect, extract, and decode obfuscated strings in Windows Portable Executable files. The syntax here will be:

floss -n 6 mysterygift.exe | grep http://

Here -n 6 sets the minimum string length to 6 characters, and grep keeps only the lines containing http://.

We got the answer.
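As an added example (not from the original post or the FLOSS project), a stand-in for the floss -n 6 mysterygift.exe | grep http:// step that also checks for the UPX markers from Questions 2 and 3: it extracts plain printable ASCII strings of at least six bytes, keeps those carrying http://, and reports whether UPX section names are still present. It handles only plain strings, not the stack or decoded strings FLOSS recovers; the sample bytes and the URL are constructed.

```python
import re

# Printable ASCII runs; FLOSS additionally recovers stack and decoded strings,
# which this plain-strings stand-in does not attempt.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]+")

# Section names and signature left behind by the UPX packer.
UPX_MARKERS = (b"UPX0", b"UPX1", b"UPX!")


def ascii_strings(data, min_len=6):
    """Like `floss -n <min_len>` for plain strings: printable runs of at least min_len bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)
            if len(m.group()) >= min_len]


def find_urls(strings, scheme="http://"):
    """The `| grep http://` step, trimmed to the URL itself (ends at whitespace or a quote)."""
    urls = []
    for s in strings:
        i = s.find(scheme)
        if i != -1:
            urls.append(re.split(r"[\s\"']", s[i:], maxsplit=1)[0])
    return urls


def upx_markers_present(data):
    """UPX0/UPX1/UPX! survive in a packed PE; none should remain after `upx -d`."""
    return [m.decode() for m in UPX_MARKERS if m in data]


# Constructed samples (not the room's binary): a packed-looking blob and its
# "unpacked" counterpart, each carrying one placeholder URL.
SAMPLE_PACKED = (b"MZ\x90\x00UPX0\x00\x00UPX1\x00" + b"\x01\x02" * 8
                 + b"UPX!\x00" + b"short\x00"
                 + b"http://example.invalid/gift.bat\x00")
SAMPLE_UNPACKED = (b"MZ\x90\x00.text\x00\x00\x00" + b"\x01\x02" * 8
                   + b"http://example.invalid/gift.bat\x00" + b"abc\x00")

if __name__ == "__main__":
    for name, blob in (("packed", SAMPLE_PACKED), ("unpacked", SAMPLE_UNPACKED)):
        print(name, upx_markers_present(blob), find_urls(ascii_strings(blob)))
```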

Question9

The complete URL can be seen in the same FLOSS output as above.

Question10

They recommend completing the Intro to Malware Analysis or Dissecting PE Headers room.

Congratulations!! We completed this task. A new task will be added tomorrow. Till then, you can follow me here for upcoming blogs on Advent of Cyber 2022. In the end, you will get a certificate from TryHackMe for completing this challenge.

Keep learning and keep spreading Knowledge.


Support Tanya Goyal by becoming a sponsor. Any amount is appreciated!