TryHackMe - MAL: Malware Introductory Room
- Hacking By Doing
- Jul 24, 2022
- 6 min read
Updated: Jul 29, 2022

In this post, we're going to solve the TryHackMe Malware Introductory room from the Cyber Defense path. It is the second room in the Malware Analysis category.
FYI, all the answers in this room will be marked.
Task 1 What is the Purpose of Malware Analysis?
In the first task, the room creator talks about malware analysis and its purpose, and says that in malware analysis there are 4 important things to consider:
1. Point of Entry
2. Indicator of compromise
3. How does the malware perform?
4. (most importantly) can we ultimately prevent and/or detect further infection?
Task 2 Understanding Malware Campaigns
The creator explains the difference between a targeted attack and a mass campaign: in a targeted attack the attackers go after a specific victim, while in a mass campaign they cast a wide net to catch anyone who might fall for it.
The first question we get is:
Q: What is the famous example of a targeted attack-Esque Malware that targeted Iran?
To answer this question, I've simply searched "famous targeted virus attack against Iran", and the first thing that came up was a Wikipedia article about Stuxnet.

Answer: Stuxnet
The second question we get is:
Q: What is the name of the Ransomware that used the Eternalblue exploit in a "Mass Campaign" attack?
The answer to this can also be found on Google; this time I searched "eternalblue + ransomware + mass campaign",
and after scrolling down a bit, it led me to an article about "WannaCry", a famous ransomware attack from 2017.

Answer: Wannacry
Task 3 Identifying if a Malware Attack has Happened
In this task, we learn that most malware leaves lots of evidence behind, which is good for us as malware analysts, and that the overall process of a malware attack can be broken down into a few broad steps:
Delivery
Execution
Maintaining persistence (not always the case)
Propagation (not always)
The following questions could be answered by just reading the task.
Q: Name the first essential step of a Malware Attack?
Answer: delivery
Q: Now name the second essential step of a Malware Attack?
Answer: execution
Q: What type of signature is used to classify remnants of infection on a host?
Answer: host-based signatures
Q: What is the name of the other classification of signature used after a Malware attack?
Answer: network-based signatures
Task 4 Static Vs. Dynamic Analysis
In this task, we learn that there are two categories of malware analysis:
1. Static Analysis
2. Dynamic Analysis
In short, static analysis is where we analyze the malware without running any of its code, while dynamic analysis is based on executing the malware and observing what it does.
Task 5 Discussion of Provided Tools & Their Uses
In this task, we are introduced to some of the tools used in static and dynamic analysis.
Task 6 Connecting to the Windows Analysis Environment (Deploy)
This task instructs you on how to connect to their RDP, but I'm gonna use the in-browser machine instead.
Task 7 Obtaining MD5 Checksums of Provided Files
Now things are starting to get a little more interesting: this task shows us how malware can hide and masquerade as legitimate software.
To find out the software's true intentions, we can compute its MD5 hash and look it up on websites such as VirusTotal.
To find the answers to the following questions, we need to open each file's properties and look at the hashes, as shown here.

Q: The MD5 Checksum of aws.exe
Answer: D2778164EF643BA8F44CC202EC7EF157
Q: The MD5 Checksum of Netlogo.exe
Answer: 59CB421172A89E1E16C11A428326952C
Q: The MD5 Checksum of vlc.exe
Answer: 5416BE1B8B04B1681CB39CF0E2CAAD9F
Task 8 Now lets see if the MD5 Checksums have been analyzed before
In this task, we look up the hashes of the files on VirusTotal and see that they are all legitimate; the answer to all the questions is: Yay
Task 9 Identifying if the Executables are obfuscated / packed
This task teaches us about hex values and why you shouldn't trust file extensions.
For example, a Windows executable always starts with the hex bytes "4D 5A", so someone could hide an executable behind a .jpg extension,
but you would be able to tell it is not an image by looking at its hex values.
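As an added example (my own code, not from the room), the "look at the hex values, not the extension" check done in Python. It goes one step further than the two-byte "4D 5A" test: a real Windows executable also has the offset at 0x3C (e_lfanew) pointing at a "PE\0\0" signature, so a file that only starts with "MZ" is not treated as an executable. The magic-byte table and the sample files are my own constructions.

```python
import os
import struct
import tempfile

# Added example: identify a file from its leading bytes instead of its name.
MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
    b"PK\x03\x04": "zip",
}
EXTENSION_FOR = {
    "jpeg": {".jpg", ".jpeg"}, "png": {".png"}, "pdf": {".pdf"},
    "zip": {".zip", ".docx", ".xlsx"}, "pe": {".exe", ".dll", ".sys"},
}
HEAD = 0x10000  # assumption: e_lfanew lands inside the first 64 KiB


def is_pe(data):
    """True if data starts with 'MZ' and e_lfanew points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def identify(data):
    """Return a type name based on content only ('unknown' if nothing matches)."""
    if is_pe(data):
        return "pe"
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def extension_mismatch(path):
    """Return (content_type, extension, mismatch) for a file on disk."""
    with open(path, "rb") as fh:
        head = fh.read(HEAD)
    kind = identify(head)
    ext = os.path.splitext(path)[1].lower()
    if kind == "unknown":
        return kind, ext, False  # nothing to compare against
    return kind, ext, ext not in EXTENSION_FOR[kind]


def fake_pe():
    """Constructed minimal PE header (not a runnable program): MZ stub,
    e_lfanew = 0x40, PE signature at 0x40."""
    hdr = bytearray(0x48)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


def write_sample(data, suffix):
    """Write constructed bytes to a temp file with the given extension."""
    fd, path = tempfile.mkstemp(suffix=suffix)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    disguised = write_sample(fake_pe(), ".jpg")  # executable hiding behind .jpg
    print(extension_mismatch(disguised))          # ('pe', '.jpg', True)
```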
Now, by using the PeID tool, we can answer the following questions.
Q: What does PeID propose 1DE9176AD682FF.dll being packed with?
Answer: Microsoft Visual C++ 6.0 DLL
Q: What does PeID propose AD29AA1B.bin being packed with?
Answer: Microsoft Visual C++ 6.0
Task 10 What is Obfuscation / Packing?
Now we learn why some companies choose to obfuscate their software: mainly to protect it from people who might reverse engineer and steal their code. This is also called "packing".
Q: What packer does PeID report file "6F431F46547DB2628" to be packed with?
Like in our previous task, we can use the PeID tool to solve this.
Answer: FSG 1.0 -> dulek/xt
Task 11 Visualising the Differences Between Packed & Non-Packed Code
After learning about the fantastic tool that is PeID, we now see that, great as it is, it won't always help us identify a packer, especially when the authors have written it themselves.
But it can still be helpful through what it doesn't show us, rather than what it does.
In the last task, we saw that PeID can detect which packer has been used to obfuscate the code, but it will not automatically de-obfuscate it; that is something we have to do on our own.
We can do that with a tool called IDA Freeware.
When we open the same file with this software, we can find clues as to how the program was packed.
For example, if we go to the Imports section, we notice that it has only 2 imports, which is a little odd, as a non-obfuscated file will most likely have many more.
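The point of this task is that PeID only knows packers it has signatures for, and a custom packer leaves it blank. As an added example (my own code, not part of the room), a signature-free second opinion: byte entropy. Compressed or encrypted code looks almost random, so a region whose entropy sits near the 8-bit maximum is a strong hint of packing, in the same spirit as the "too few imports" clue. The threshold, window size and the constructed sample are my assumptions.

```python
import math
import random
from collections import Counter

# Added example: Shannon entropy as a packer heuristic.


def shannon_entropy(data):
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def high_entropy_windows(data, window=4096, threshold=7.2):
    """Offsets of fixed-size windows whose entropy exceeds the threshold.
    Windowing matters: a packed region can hide inside an otherwise ordinary
    file, and whole-file entropy would average it away."""
    return [off for off in range(0, len(data), window)
            if shannon_entropy(data[off:off + window]) > threshold]


def looks_packed(data, threshold=7.2):
    """Heuristic only: high entropy also fits legitimately compressed resources
    (icons, embedded archives), so treat a hit as a prompt to look closer."""
    return shannon_entropy(data) > threshold


def constructed_sample():
    """Constructed test data (not a real binary): 4096 bytes of plain two-byte
    'code' followed by 4096 pseudo-random bytes standing in for a packed blob."""
    rng = random.Random(1)  # fixed seed so the example is repeatable
    plain = bytes([0x90, 0xC3] * 2048)  # two symbols only: entropy exactly 1.0
    blob = bytes(rng.getrandbits(8) for _ in range(4096))
    return plain + blob


if __name__ == "__main__":
    sample = constructed_sample()
    print("whole-file entropy: %.2f" % shannon_entropy(sample))
    print("suspicious windows:", high_entropy_windows(sample))  # [4096]
```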

Task 12 Introduction to Strings
Strings are essentially the ASCII / text contents of a program; this could be anything from passwords to Bitcoin addresses in ransomware samples.
That means that when we analyze these strings, we can sometimes paint a fairly indicative picture of the program's behavior.
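As an added example (my own code, not the Sysinternals tool and not part of the room), a minimal "strings" in Python. Besides printable ASCII runs it also pulls UTF-16LE runs, which matter on Windows because many paths, URLs and API names inside executables are stored as wide characters and never show up in a plain-ASCII scan. The sample bytes are constructed; the minimum length of 4 is my choice and is a parameter.

```python
import re

# Added example: a small strings extractor for ASCII and UTF-16LE text.


def extract_strings(data, min_len=4):
    """Return [(offset, kind, text)] sorted by offset; kind is 'ascii' or 'utf16'."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    # wide strings: printable ASCII code units with a zero high byte
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        found.append((m.start(), "utf16", m.group().decode("utf-16-le")))
    return sorted(found)


def urls_in(strings):
    """Pick out strings that look like URLs or bare hostnames, the kind of
    indicator the "What is the URL" question is after."""
    pat = re.compile(r"^(?:https?://)?[a-z0-9-]+(?:\.[a-z0-9-]+)+(?:/\S*)?$", re.I)
    return [text for _, _, text in strings if pat.match(text)]


def last_string(data, min_len=4):
    """The final string in file order (the Task 14 question asks for this)."""
    found = extract_strings(data, min_len)
    return found[-1][2] if found else None


# Constructed sample, not a real file: fake header bytes, an ASCII domain,
# a wide-character path, and a short ASCII tail.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"practicalmalwareanalysis.com\x00"
    + b"\x01\x02"
    + "C:\\Users\\Public\\run.exe".encode("utf-16-le")
    + b"\x00\x00d:h:\x00"
)

if __name__ == "__main__":
    for offset, kind, text in extract_strings(SAMPLE):
        print("%06x %-5s %s" % (offset, kind, text))
    print("urls:", urls_in(extract_strings(SAMPLE)))
```

The Sysinternals tool scans for both encodings by default; if you ever use a strings implementation that does not, the wide strings are the ones you will miss.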
Q: What is the URL that is outputted after using "strings"
To answer this question, we can use the Sysinternals "Strings" tool.
We can do so by opening CMD and navigating to
C:\Users\Analysis\Desktop\Tools\SysinternalsSuite
Then we can run the tool against the sample file for this task by typing this in the CMD:
strings "C:\Users\Analysis\Desktop\Tasks\Task 12\67844C01"
You will now see lots of nonsense text, but if you scroll up a little bit, you should see the answer.

Answer: practicalmalwareanalysis.com
Moving on to question number 2:
Q: How many unique "Imports" are there?
To answer this question, we first have to realize that most software has a huge number of strings, and the "strings" tool from Sysinternals may only display 10% of them.
This is where we move on to PE Explorer; this tool has a GUI, so we won't be using CMD anymore.
Start by opening the program and then import the task file.
Now navigate to "View -> Imports" and you get the answer.

Answer: 5
Task 13 Introduction to Imports
We are now moving on to the IDA Freeware tool.
This tool can be used for both static and dynamic analysis, and we learn that there are two classifications of tools like IDA Freeware:
Disassemblers
Debuggers
Disassemblers reverse the compiled code of a program from machine code into human-readable instructions (assembly), while debuggers essentially facilitate the execution of the program, where the analyst can view the changes made at each step of the program.
Now that we're up to speed, we can solve the next question.
Q: How many references are there to the library "msi" in the "Imports" tab of IDA Freeware for "install.exe"
We start by launching IDA Freeware and importing the file from Task 13, then allow a few minutes for the executable to be disassembled and navigate to the "Imports" tab.
Now scroll down, look for the "msi" entries and count how many there are.

Answer: 9
Task 14 Practical Summary
For the final task, we are going to analyze the file "ComplexCalculator.exe" in the Task14 directory.
Q: What is the MD5 Checksum of the file?
We can solve this by simply going to the file's properties.

Answer: F5BD8E6DC6782ED4DFA62B8215BDC429
Q: Does Virustotal report this file as malicious? (Yay/Nay)
If you go to virustotal.com and search for the hash, you will see that it is reported as Trojan malware.

Answer: Yay
Q: Output the strings using Sysinternals "strings" tool.
What is the last string outputted?
We can solve this just like we did in Task 12: open the Sysinternals "strings" tool and check the last string.

Answer: d:h:
Q: What is the output of PeID when trying to detect what packer is used by the file?
We can solve this by doing what we did in Task 9.
Launch the PeID tool and import the file from the Task 14 directory; you will see that no packers were found by the tool.

Answer: Nothing found *
Conclusion
Overall this was a really fun room, and for anyone interested in learning malware analysis, these are pretty much the first steps.
But there is a LOT more to learn, and we will cover the next room, "MAL: Strings", in the next post, so stay tuned!
And if you found this post helpful, you might want to get me a cup of coffee.