TryHackMe Advent of Cyber [Day 12]-> Malware Analysis

Stephen Adesina
4 min readDec 12, 2022

Malware analysis is the process of studying and understanding malicious software in order to determine its behavior and potential impact on a system or network. This is typically done by security professionals in order to identify and mitigate the risks posed by malware.

There are several methods and tools used in malware analysis, chiefly static analysis and dynamic analysis. Static analysis examines the malware's code and structure without executing it, in order to identify its functionality and indicators such as strings, imports, architecture and packing. Dynamic analysis runs the malware in a controlled environment in order to observe its behavior and determine its capabilities. Sandboxing is how dynamic analysis is done safely: the malware is executed inside an isolated virtual environment and observed without affecting the host system.

In today’s challenge, we will be looking at the malware contained in the document from the Email Analysis challenge. According to the room, it was executed on the machine.

COMMON BEHAVIORS OF MALWARE

It is important for us to know these because new malware usually behaves like previously documented malware; only occasionally does a sample show a rare, undocumented behavior. Knowing the common behaviors therefore gets us far, much as knowing the OWASP Top Ten gets you far with web vulnerabilities. The common behaviors are:

  1. Establishing network connections (both external and internal) for remote access or downloading payloads.
  2. Using internal connections for lateral movement within a network.
  3. Modifying registry keys to establish persistence on a system.
  4. Downloading or creating new files for successful execution.

WHAT IS A SANDBOX?

A sandbox is a virtual environment that isolates a program or process from the rest of the system, allowing it to be executed and observed without affecting the host system. This is often used in security applications, such as malware analysis, in order to safely run potentially dangerous programs and observe their behavior without risking harm to the host system. Sandboxing can provide a controlled environment for testing and analysis, allowing security professionals to study the behavior of malware and develop effective countermeasures.

STATIC AND DYNAMIC ANALYSIS

Static analysis is a method of studying malware by examining its code without actually running it. This reveals the malware’s properties (file type, architecture, compiler, packer), its program flow, and its strings. However, this method may not provide complete information, for instance when the sample is packed or obfuscated so that its real code only appears at run time, so dynamic analysis is often used in conjunction with it.

Dynamic analysis involves running the malware in a controlled environment, such as a sandbox, in order to observe its behavior and effects. This allows for a more comprehensive understanding of the malware and its potential impact.

THE CHALLENGE (STATIC ANALYSIS)

  • Launch your VM. A Windows VM should open after a few minutes.
  • Follow the room’s walkthrough on how to use the tools.
  • With the Detect It Easy (DIE) tool, you will find the answers to questions 1 and 2.
  • Open a command prompt and change directory into Desktop/Malware Sample (the folder name contains a space, so quote it if your shell complains).
  • Unpack the binary with the command below. Note that upx -d rewrites the file in place, so keep a copy of the packed original if you want to compare the two, and that a sample packed with a modified or renamed UPX may not unpack cleanly.
upx -d mysterygift
  • Run CAPA on the unpacked mysterygift to find the answers to questions 3 and 4.
capa mysterygift
  • The answer to question 3 will be in the 4th table of CAPA’s output and question 4 in the 2nd table.
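As an added example (my own code, not part of the original post and not DIE’s or CAPA’s code), the Python below reproduces two of the checks Detect It Easy performs for questions 1 and 2: it reads the architecture from the PE file header’s Machine field and guesses UPX packing from the section names. The bytes it analyses are a constructed, header-only PE image, not the challenge binary; pass a file path to run it against a real sample.

```python
"""Minimal PE header triage: architecture and a UPX packer heuristic.

Added example, not from the original post. build_sample() constructs a
header-only PE image for demonstration; it is not an executable and is not
the mysterygift sample.
"""
import struct
import sys

# IMAGE_FILE_HEADER.Machine values (subset)
MACHINE_NAMES = {
    0x014C: "x86 (I386)",
    0x8664: "x64 (AMD64)",
    0x01C4: "ARM Thumb-2",
    0xAA64: "ARM64",
}


def parse_pe(data: bytes) -> dict:
    """Return the machine type, section names and a UPX verdict for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER follows the 4-byte signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    # NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    fh = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    sect_table = fh + 20 + opt_size
    names = []
    for i in range(nsections):
        off = sect_table + i * 40  # IMAGE_SECTION_HEADER is 40 bytes, name first
        raw = data[off:off + 8]
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    # Stock UPX names its sections UPX0/UPX1 (plus .rsrc). A renamed or
    # modified packer defeats this check, which is why DIE also matches
    # byte signatures at the entry point rather than names alone.
    packed = any(n.startswith("UPX") for n in names)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": names,
        "upx_packed": packed,
    }


def build_sample(machine: int, section_names: list) -> bytes:
    """Construct a header-only PE image for testing (constructed data, not a real binary)."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    # PE32+ (x64) optional header is 0xF0 bytes, PE32 (x86) is 0xE0
    opt_size = 0xF0 if machine == 0x8664 else 0xE0
    file_header = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, 0x22)
    optional = b"\0" * opt_size
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + file_header + optional + sections


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(parse_pe(f.read()))
    else:
        print(parse_pe(build_sample(0x8664, ["UPX0", "UPX1", ".rsrc"])))
```

Run it with no arguments to see the constructed packed sample, or with a path to inspect a real file. The section-name heuristic is exactly the kind of indicator that disappears after upx -d, so run it before unpacking if you want to record the packer.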

THE CHALLENGE (DYNAMIC ANALYSIS)

  • Open Procmon as the room’s walkthrough describes.
  • Open the Filter dialog and add a filter of the form Process Name is mysterygift.exe. (Rename mysterygift to mysterygift.exe first so that Windows will run it.) Click Add, then OK.
  • Open File Explorer and run the malware (ooooh). Only ever do this inside the isolated VM, never on your host.
  • In the toolbar, leave only the registry, file system, and network event classes enabled.
  • You can turn file and network off for now while we work on registry.
  • Exclude the noisy operations by right-clicking an operation such as RegQueryKey and choosing Exclude. You might have to scroll down a bit to find one. In fact, exclude everything except RegCreateKey and RegSetValue so the view is easier to read.
  • Search for a RegCreateKey or RegSetValue operation. Whichever one you find, confirm that the other was performed on the same registry key.
  • When you find it, double-click the RegSetValue event. Its Path is the answer to question 5.
  • The Data shown in the detail pane is the answer to question 6. It is a path, but it is displayed cut off; navigate to that folder in File Explorer to find the full path.
  • Next, turn registry off and turn the file system class on in Procmon. Exclude all of these operations: CreateFile, CreateFileMapping, QuerySecurityFile, QueryNameInformationFile, QueryBasicInformationFile, CloseFile, ReadFile.
  • Don’t worry if a lot of events disappear after you exclude CreateFile; what is left are the writes. The answer to question 7 is a file in the Temp folder and a file in the Startup folder. Check their names in Procmon and separate them with a comma.
  • Turn the file system class off and turn network on. Just scroll through and you should find two domains easily; they are the answer to question 8. Don’t forget to use a comma. (Procmon shows hostnames rather than IP addresses when Options > Resolve Network Addresses is enabled.)
  • Go back to Detect It Easy (DIE) and change the name of the file you are scanning to mysterygift.exe.
  • Press Enter and then press the Strings button.
  • In the filter bar at the bottom, search for the domain name you found in question 8 and the matching string will give you the answer to question 9.
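The Procmon steps above can be automated once the capture is exported to CSV. As an added example (my own code, not from the original post and not part of Procmon), the Python below parses such an export, applies the same "Process Name is mysterygift.exe" filter, and sorts the events into the four common behaviors listed at the top of the post: registry persistence through Run keys, files written to Temp or Startup, and external versus internal network connections. The embedded log lines are constructed; the value name GiftUpdater, the files gift_stage.tmp and gift.bat, and the host gifts.example are invented, not the room’s answers.

```python
"""Triage a Procmon CSV export for the four common malware behaviours.

Added example, not part of the original post and not Procmon's own code. It
assumes the capture was saved via File > Save as CSV with Procmon's default
columns (Time of Day, Process Name, PID, Operation, Path, Result, Detail).
SAMPLE_CSV is constructed to resemble mysterygift.exe activity; every file
name, value name and host in it is invented.
"""
import csv
import io
import ipaddress
import re
import sys

# Constructed sample export (not real Procmon output from the challenge).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1001 AM","mysterygift.exe","4120","RegCreateKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Write"
"10:01:02.1002 AM","mysterygift.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\GiftUpdater","SUCCESS","Type: REG_SZ, Length: 120, Data: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gift.bat"
"10:01:02.2000 AM","mysterygift.exe","4120","WriteFile","C:\Users\Administrator\AppData\Local\Temp\gift_stage.tmp","SUCCESS","Offset: 0, Length: 512"
"10:01:02.2100 AM","mysterygift.exe","4120","WriteFile","C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gift.bat","SUCCESS","Offset: 0, Length: 512"
"10:01:02.3000 AM","mysterygift.exe","4120","TCP Connect","DESKTOP-AOC:49712 -> gifts.example:https","SUCCESS","Length: 0, mss: 1460"
"10:01:02.3100 AM","mysterygift.exe","4120","TCP Connect","DESKTOP-AOC:49713 -> 10.10.14.7:445","SUCCESS","Length: 0, mss: 1460"
"10:01:02.4000 AM","explorer.exe","1888","RegQueryKey","HKCU\Software\Classes","SUCCESS","Query: Name"
'''

# Autostart keys under HKCU/HKLM ...\CurrentVersion\Run and RunOnce
PERSISTENCE_KEYS = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.I)
# Drop locations the room asks about: a Temp folder and the Startup folder
DROP_DIRS = re.compile(r"\\(Temp|Startup)\\", re.I)
NET_OPS = {"TCP Connect", "UDP Send"}


def _is_internal(target: str) -> bool:
    """RFC 1918 / loopback addresses count as internal; hostnames are assumed external."""
    host = target.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def triage(csv_text: str, process: str = "mysterygift.exe") -> dict:
    """Bucket one process's events into persistence, drops, external and internal connections."""
    findings = {"persistence": [], "drops": [], "external": [], "internal": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process.lower():
            continue  # same effect as the Procmon "Process Name is" filter
        op, path, detail = row["Operation"], row["Path"], row["Detail"]
        if op in ("RegCreateKey", "RegSetValue") and PERSISTENCE_KEYS.search(path):
            # RegSetValue details look like "Type: REG_SZ, Length: N, Data: <value>"
            data = detail.split("Data: ", 1)[1] if "Data: " in detail else ""
            findings["persistence"].append((op, path, data))
        elif op == "WriteFile" and DROP_DIRS.search(path):
            findings["drops"].append(path)
        elif op in NET_OPS and " -> " in path:
            target = path.split(" -> ", 1)[1]  # "local:port -> remote:port"
            bucket = "internal" if _is_internal(target) else "external"
            findings[bucket].append(target)
    return findings


def answer_lines(findings: dict) -> dict:
    """Shape the findings the way questions 7 and 8 ask for them (comma-separated)."""
    names = sorted({p.rsplit("\\", 1)[1] for p in findings["drops"]})
    domains = sorted({t.rsplit(":", 1)[0] for t in findings["external"]})
    return {"dropped_files": ", ".join(names), "domains": ", ".join(domains)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as f:
            text = f.read()
    else:
        text = SAMPLE_CSV
    found = triage(text)
    for kind, items in found.items():
        print(f"{kind}: {items}")
    print(answer_lines(found))
```

Two things worth noticing: the RegSetValue data string in the export is the complete value, so the truncation you fight in Procmon’s detail column does not apply here, and a connection to a private address on port 445 is separated from the domain lookups because it is a lateral-movement indicator rather than a download, which is the distinction behaviours 1 and 2 in the list draw.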

Woah, that was a rollercoaster. See you tomorrow

Secundum Allos Parakletos
