TryHackMe - MAL: REMnux - The Redux
- Hacking By Doing
- Jul 29, 2022
- 5 min read

In this post, we will learn about REMnux, a Linux toolkit for reverse engineering.
As this room is based on more advanced subjects, you should first review the last two walkthroughs, Malware Introductory and MAL: strings.
Task 1: Introduction
In this room, we will be doing the following:
• Identifying and analyzing malicious payloads of various formats embedded in PDFs, EXEs, and Microsoft Office macros (the most common method malware developers use to spread malware today).
• Learning how to identify obfuscated code and packed files, and in turn how to analyze them.
• Analyzing, with Volatility, the memory dump of a PC that was infected with the Jigsaw ransomware in the real world.
All the answers to this room will be marked.
Task 2: Deploy
This task explains how to connect with RDP, but I will be using the machine in-browser, so I'll skip it.
Task 3: Analysing Malicious PDFs
Now we learn about PDFs; malicious PDFs can hide all types of code that can be executed without the user's knowledge, including JavaScript, Python, executables, and PowerShell shellcode.
We can use peepdf to analyze the file and determine whether it contains JavaScript, so let's start with the command: "peepdf notsuspicious.pdf"

As we see here, we can confirm that JavaScript code exists in this PDF.
To see how it works, we can look at the "/OpenAction (1)" entry, which means code will run as soon as you open this PDF.
To extract the code, we can use the peepdf extract module.
Start with the following command to create a script file for peepdf to use:
"echo 'extract js > javascript-from-demo_notsuspicious.pdf' > extracted_javascript.txt"
The script will extract all JavaScript via "extract js" and redirect (>) the contents into "javascript-from-demo_notsuspicious.pdf".
We now need to tell peepdf the name of the script (extracted_javascript.txt) and the PDF file that we want to extract from (notsuspicious.pdf):
"peepdf -s extracted_javascript.txt notsuspicious.pdf"
To recap: "extracted_javascript.txt" is our script, and "notsuspicious.pdf" is the original PDF file that we think is malicious.
The file named "javascript-from-demo_notsuspicious.pdf" is the output; it contains our extracted JavaScript code, and we can cat it to see the contents.
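As an added example (not part of the original post or of peepdf), here is a small Python scanner that does, for a constructed stand-in PDF embedded in the code, what the two peepdf steps above do: count the suspicious-element categories and pull out the inline /JS code. The name list is only a subset of what peepdf checks, and the sample PDF and its flag text are invented.

```python
import re

# Suspicious PDF names to look for. /OpenAction, /JS and /JavaScript are the
# three peepdf reported for notsuspicious.pdf; the rest are common extras.
SUSPICIOUS_NAMES = (b"/OpenAction", b"/AA", b"/JS", b"/JavaScript",
                    b"/Launch", b"/EmbeddedFile")

# Constructed stand-in for notsuspicious.pdf: a minimal PDF whose /OpenAction
# points at a JavaScript action. The flag text is invented for this example.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /JavaScript /JS (app.alert("THM{constructed}");) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

def suspicious_elements(pdf: bytes) -> dict:
    """Map each suspicious name present to its count; len() is the category count."""
    found = {}
    for name in SUSPICIOUS_NAMES:
        # Require a delimiter after the name so /JS does not also match /JSX.
        hits = re.findall(re.escape(name) + rb"(?=[\s/\[\]<(>)])", pdf)
        if hits:
            found[name.decode()] = len(hits)
    return found

def _read_literal(pdf: bytes, start: int) -> bytes:
    """Decode the PDF literal string opening at pdf[start] == '(' (nested parens, escapes)."""
    depth, i, out = 1, start + 1, bytearray()
    while i < len(pdf) and depth:
        c = pdf[i:i + 1]
        if c == b"\\":                       # escaped byte: keep it as-is
            out += pdf[i + 1:i + 2]
            i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth:
            out += c
        i += 1
    return bytes(out)

def extract_js(pdf: bytes) -> list:
    """Inline scripts from every '/JS (...)' entry, the data peepdf's 'extract js'
    writes out; indirect '/JS n 0 R' references to streams are not followed here."""
    return [_read_literal(pdf, m.end()).decode("latin-1")
            for m in re.finditer(rb"/JS\s*(?=\()", pdf)]
```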

And with that we have the first flag; we can now answer all the questions in this task.
Q: How many types of categories of "Suspicious elements" are there in "notsuspicious.pdf"?
We can see three categories: /OpenAction, /JS, and /JavaScript.
Answer: 3
Q: Use peepdf to extract the JavaScript from "notsuspicious.pdf". What is the flag?
Answer: THM{Luckily_This_Isn't_Harmful}
Q: How many types of categories of "Suspicious elements" are there in "advert.pdf"?
To answer this, we can perform the same actions we did on the previous file, and as we see here, there are six categories.

Answer: 6
Q: Now use peepdf to extract the JavaScript from "advert.pdf". What is the value of "cName"?
Once we extract the JavaScript, we can see the answer.

Answer: notsuspicious
Also, if you open the file in a hex editor, you can see that it contains an executable!

And if you look at the strings using the Sysinternals tools, you'd see that this file also contains an RCE, and we can find the attacker's IP and port!

Task 4: Analysing Malicious Microsoft Office Macros
Now we learn to use the Linux tool "vmonkey" to analyze macros without launching them; we are then given two files to examine.
Q: What is the name of the Macro for "DefinitelyALegitInvoice.doc"?
Go ahead and type the command:
"vmonkey DefinitelyALegitInvoice.doc"
and scroll down to see the name.

Answer: DefoLegit
Q: What is the URL the Macro in "Taxes2020.doc" would try to launch?
Type the same command but replace the previous file with "Taxes2020.doc" and scroll down.

Answer: https://tryhackme.com/notac2cserver.sh
Task 5: I Hope You Packed Your Bags
Let's discuss entropy; entropy is a measure of randomness within a data set.
At its simplest, file entropy is a rating that scores how random the data within a Portable Executable file is, on a scale of 0 to 8.
The higher the score, the more random the data is.
For example, encrypted files will have a very high entropy score, whereas files with large chunks of the same data will have a low entropy score.
Malware authors use encryption or packing techniques (as we know from the Malware Introductory walkthrough) to obfuscate their code and bypass anti-virus products; because of this, their files will have a high entropy score.
So, how does packing work?
Packing is done by taking an executable, modifying it using a packer, and then outputting it to a new executable.
The new executable would then be compressed or obfuscated.
Professional software developers pack their programs to reduce the program's size and protect their work, but malware creators use packing to make their code impossible to detect.
Executables have an entry point, which is the location in the software where the first pieces of code are executed. When an executable is packed, it must unpack itself before any other code runs; this is why packers change the entry point from its original location to the unpacking stub.
The unpacking stub will then unpack the executable to its original state. Once the program is unpacked, the entry point will relocate back to its original location to execute the code.
Only at this point can a malware analyst study the executable, as it is now in its original form.
How can we tell if software has been packed?
Learning how to unpack software manually is out of scope for this room. However, these tips can help us:
• Packed files will have a high entropy
• There are very few imports; packed files may only have "GetProcAddress" and "LoadLibrary"
• The executable may have sections named after specific packers such as UPX.
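To make the three tips concrete, here is an added Python example (mine, not from the room) that computes file entropy on the 0 to 8 scale and applies all three heuristics to constructed section contents and import lists. The 7.0 threshold and the packer section names other than UPX are my assumptions.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 when every byte is the same,
    8.0 when all 256 values are equally common (encrypted or well packed data)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Section names that well-known packers leave behind (UPX is the one the
# room names; the others are a few more common ones, assumed here).
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                   "MPRESS1", "MPRESS2"}
# With LoadLibrary and GetProcAddress alone a stub can resolve everything
# else at run time, which is why a tiny import table is a packing tell.
STUB_IMPORTS = {"LoadLibraryA", "LoadLibraryW", "GetProcAddress"}

def packing_indicators(sections: dict, imports: set, threshold: float = 7.0) -> list:
    """Apply the room's three tips to a PE summarised as {section: raw bytes}
    plus its imported function names. Returns the indicators that fired;
    the 7.0 bits/byte threshold is this example's choice, not the room's."""
    hits = []
    ent = {name: shannon_entropy(raw) for name, raw in sections.items()}
    high = [f"{n} ({e:.2f})" for n, e in ent.items() if e >= threshold]
    if high:
        hits.append("high-entropy sections: " + ", ".join(high))
    packer = sorted(set(sections) & PACKER_SECTIONS)
    if packer:
        hits.append("packer section names: " + ", ".join(packer))
    if imports <= STUB_IMPORTS:          # nothing beyond the stub's own needs
        hits.append(f"tiny import table: {sorted(imports)}")
    return hits

# Constructed section contents standing in for real PE sections: a UPX-style
# layout (empty UPX0, uniformly distributed UPX1) and an ordinary binary.
PACKED = {"UPX0": bytes(1024), "UPX1": bytes(range(256)) * 16, ".rsrc": b"ab" * 512}
PACKED_IMPORTS = {"LoadLibraryA", "GetProcAddress"}
CLEAN = {".text": b"ab" * 512, ".data": bytes(64)}
CLEAN_IMPORTS = {"CreateFileW", "WriteFile", "MessageBoxA"}

if __name__ == "__main__":
    for label, secs, imps in (("packed", PACKED, PACKED_IMPORTS), ("clean", CLEAN, CLEAN_IMPORTS)):
        print(label, packing_indicators(secs, imps) or ["no indicators"])
```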
To answer this task's questions, go over what we uncovered.
Q: What is the highest file entropy a file can have?
Answer: 8
Q: What is the lowest file entropy a file can have?
Answer: 0
Q: Name a common packer that can be used for applications?
Answer: UPX
Task 6: How's Your Memory?
Now, we will analyze the memory dump of a Windows PC infected with the Jigsaw ransomware.

In other scenarios, we would use the imageinfo plugin to help determine the most suitable profile, with the syntax "volatility -f Win7-Jigsaw.raw imageinfo".
However, this could take hours to complete on a large memory dump on an instance like the one attached to the room, so instead the room creator has provided the profile for you.

Beginning The Investigation
Viewing What Processes Were Running at Infection
We can list the processes that were running via "pslist":
"volatility -f Win7-Jigsaw.raw --profile=Win7SP1x64 pslist"

Luckily we've got quite a short list of processes, so we can start to narrow down between system processes and regular applications; notice that the Google Chrome process is present because it was running at the time of the memory dump.
It can be unnerving at first, but as you delve deeper into malware analysis you will find this easier to do; in this case, the odd one out is the process "drpbx.exe" with a PID of 3704.
Now that we've identified the abnormal process, we can begin analyzing.
A running application in memory is unpacked, in its most revealing state, which makes a memory dump perfect for analysis.
DLLs are very similar to executables; however, they cannot be directly executed, and multiple applications can interact with a DLL at the same time. We can list the DLLs that "drpbx.exe" references with "dlllist":

What stands out initially is "CRYPTBASE.dll".
This DLL is a Windows library that allows applications to use cryptography.
While many applications use it legitimately, we've found enough evidence through memory forensics and research to suspect ransomware.
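As an added example rather than anything from the room, the following Python triages constructed pslist and dlllist output in the way described above: it drops baseline Windows processes (an allowlist I assumed), reports what is left together with its parent process, and flags crypto DLLs such as CRYPTBASE.dll. Offsets, timestamps, module sizes and the binary's path are invented; only drpbx.exe, PID 3704 and CRYPTBASE.dll come from the walkthrough.

```python
import re
# Constructed pslist output in Volatility 2's layout. Offsets, times and the
# other PIDs are invented; drpbx.exe with PID 3704 is the process the room
# singles out, chrome.exe the browser the room notes was legitimately running.
PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000c9c040 System                    4      0     86      526 ------      0 2020-01-01 12:00:00 UTC+0000
0xfffffa8001a6f040 smss.exe                256      4      2       29 ------      0 2020-01-01 12:00:00 UTC+0000
0xfffffa8002c0ab30 explorer.exe           1436   1384     26      884      1      0 2020-01-01 12:00:20 UTC+0000
0xfffffa8002f14060 chrome.exe             2252   1436     35      870      1      1 2020-01-01 12:05:00 UTC+0000
0xfffffa8003081b30 drpbx.exe              3704   1436      7      152      1      1 2020-01-01 12:07:30 UTC+0000
"""
# Constructed dlllist-style rows for PID 3704; bases, sizes and the binary's path are invented.
DLLLIST = """\
Base                             Size          LoadCount Path
------------------ ------------------ ------------------ ----
0x0000000000d30000            0x2f000             0xffff C:\\Users\\user\\Desktop\\drpbx.exe
0x0000000077b60000           0x1a9000             0xffff C:\\Windows\\SYSTEM32\\ntdll.dll
0x00000000754e0000             0xc000             0xffff C:\\Windows\\syswow64\\CRYPTBASE.dll
"""
# Processes expected on a stock Windows 7 box plus applications the analyst
# already knows were in use: an assumed allowlist, tuned per investigation.
BASELINE = {"System", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
            "services.exe", "lsass.exe", "lsm.exe", "svchost.exe", "spoolsv.exe",
            "explorer.exe", "taskhost.exe", "dwm.exe", "conhost.exe", "chrome.exe"}
# Windows crypto libraries worth a second look in a suspected ransomware process.
CRYPTO_DLLS = {"cryptbase.dll", "bcrypt.dll", "crypt32.dll", "ncrypt.dll"}

def parse_pslist(text: str) -> list:
    """One dict per process row; header and separator rows do not start with 0x."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue
        f = line.split()
        rows.append({"name": f[1], "pid": int(f[2]), "ppid": int(f[3])})
    return rows

def triage(rows: list) -> list:
    """(name, pid, parent name) for each process outside the baseline, parent resolved."""
    names = {r["pid"]: r["name"] for r in rows}
    return [(r["name"], r["pid"], names.get(r["ppid"], "?"))
            for r in rows if r["name"] not in BASELINE]

def crypto_dlls(text: str) -> list:
    """File names of Windows crypto libraries among the module paths in dlllist output."""
    paths = re.findall(r"[A-Za-z]:\\.*", text)      # full path, spaces included
    return [n for n in (p.rsplit("\\", 1)[-1] for p in paths) if n.lower() in CRYPTO_DLLS]
```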
Task 7: Finishing Up
In this task, the room creator suggests we go back and use alternative tools to the ones he chose, as there is always more than one way to analyze malware, and that we spend some more time getting familiar with Volatility.
Task 8: References & Further Reading Material
You can use these links if you want to keep reading on this subject (as you should).
And for the cheatsheets.
Conclusion
This room was very informative and highly recommended for beginners in the reverse engineering & malware analysis world; big thanks to TryHackMe and the room creator "cmnatic".
I hope you all found this room useful, and if you did, I'd appreciate a cup of coffee, or maybe just a share instead.
Thanks for reading, and stay tuned for more exciting posts!