Solving TryHackMe’s Malware and Reverse Engineering Challenges — MalBuster

Jafar Pathan
5 min read · Mar 23, 2024


This is a straightforward, no-spoiler writeup for TryHackMe’s MalBuster room: each question gets the tool and the place to look, not the answer.

Q1 — Based on the ARCHITECTURE of the binary, is malbuster_1 a 32-bit or a 64-bit application? (32-bit/64-bit)

Open the binary in PEStudio and observe the CPU value in the dashboard.

Screenshot: PEStudio dashboard

Q2 — What is the MD5 hash of malbuster_1?

It is shown in PEStudio as well, so note it while solving the question above to save time.

Q3 — Using the hash, what is the number of detections of malbuster_1 in VirusTotal?

Copy the hash of malbuster_1 from PEStudio and search for it on VirusTotal to get the detection count.

Q4 — Based on VirusTotal detection, what is the malware signature of malbuster_2 according to Avira?

Either open malbuster_2 in PEStudio to get its MD5 hash or compute it from the command line, then search that hash on VirusTotal and look for the Avira entry in the detections list.

Q5 — malbuster_2 imports the function _CorExeMain. From which DLL file does it import this function?

In the Libraries or Functions section, look for ‘_CorExeMain’ and note which library it belongs to.

Q6 — Based on the VS_VERSION_INFO header, what is the original name of malbuster_2?

In PEStudio, look in the version section to get the Original File Name.

Q7 — Using the hash of malbuster_3, what is its malware signature based on abuse.ch?

Get the SHA-256 hash of malbuster_3. Navigate to https://bazaar.abuse.ch/ and search for it using sha256:<hash_of_malbuster_3>.

Q8 — Using the hash of malbuster_4, what is its malware signature based on abuse.ch?

Get the SHA-256 hash of malbuster_4. Navigate to https://bazaar.abuse.ch/ and search for it using sha256:<hash_of_malbuster_4>.

Q9 — What is the message found in the DOS_STUB of malbuster_4?

For this question, I am using PEBear, but you can still use PEStudio if you want. Open this binary in PEBear and analyze the DOS_STUB for any plain-text message.
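The three header-level checks used so far (Q1: architecture from the COFF Machine field, Q2: file hashes, Q9: the DOS stub text) can be scripted without a GUI tool. The script below is an added example, not part of the original writeup; it builds a constructed, minimal PE-like byte string purely as test input (the MalBuster binaries themselves are not reproduced here), and the function names `pe_architecture`, `file_hashes`, `dos_stub_message` and `build_fake_pe` are my own. Pass a real file path as the first argument to run it against an actual sample.

```python
import hashlib
import struct
import sys

# COFF Machine values from the PE specification
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664


def build_fake_pe(machine):
    """Constructed test data: an MZ header, a DOS stub carrying the classic
    message, and a PE signature followed by a 20-byte COFF header. This is
    not a loadable executable, only enough structure for the parsers below."""
    stub_msg = b"This program cannot be run in DOS mode.\r\n$"
    dos_header = bytearray(64)
    dos_header[0:2] = b"MZ"
    pe_offset = 64 + len(stub_msg)
    struct.pack_into("<I", dos_header, 0x3C, pe_offset)  # e_lfanew
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0)
    return bytes(dos_header) + stub_msg + b"PE\0\0" + coff


def file_hashes(data):
    """Hashes in the forms VirusTotal and MalwareBazaar accept as lookups."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def _pe_signature_offset(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    return e_lfanew


def pe_architecture(data):
    """Answer the 32-bit / 64-bit question from the COFF Machine field."""
    machine = struct.unpack_from("<H", data, _pe_signature_offset(data) + 4)[0]
    if machine == IMAGE_FILE_MACHINE_I386:
        return "32-bit"
    if machine == IMAGE_FILE_MACHINE_AMD64:
        return "64-bit"
    return "unknown (Machine=0x%04x)" % machine


def dos_stub_message(data):
    """Printable text between the 64-byte DOS header and the PE signature.
    Real stubs also contain a few bytes of 16-bit code, which are skipped
    here by keeping only printable ASCII."""
    stub = data[64:_pe_signature_offset(data)]
    return "".join(chr(b) for b in stub if 32 <= b < 127).strip()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            sample = fh.read()
    else:
        sample = build_fake_pe(IMAGE_FILE_MACHINE_I386)  # constructed input
    print("architecture:", pe_architecture(sample))
    print("hashes:", file_hashes(sample))
    print("dos stub:", dos_stub_message(sample))
```

The Machine check is the same value PEStudio reports as CPU; a value other than the two handled here (ARM, ARM64, Itanium) is reported as unknown rather than guessed.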

Q10 — malbuster_4 imports the function ShellExecuteA. From which DLL file does it import this function?

This one is quite challenging: the binary does not import this function by name (a PE can import by ordinal instead, in which case no function name appears in the file), so we need a different tool than PEStudio to see the proper imports.

Here I am using CFFExplorer. Open malbuster_4 in CFF Explorer and click on Import Directory. From there, click on each library to see which library contains the ShellExecuteA function.
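To see why Q10 is harder than Q5, it helps to walk the import directory by hand. The following is an added example, not code from the original writeup: it parses PE32 import descriptors and their thunk arrays, distinguishing imports by name (hint/name entries, as with _CorExeMain) from imports by ordinal (thunk entries with the high bit set). It runs over a constructed blob laid out so that RVAs equal offsets within the blob, which is a simplification; for a real file you would supply an `rva_to_offset` callback that maps through the section table. The DLL names are illustrative and the ordinal numbers used are made up for the test data, not shell32's real export ordinals. Function names are my own.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000  # high bit set => import by ordinal (PE32)
DESCRIPTOR_SIZE = 20                # sizeof(IMAGE_IMPORT_DESCRIPTOR)


def build_fake_import_directory():
    """Constructed blob: two import descriptors plus a null terminator,
    followed by DLL name strings, one hint/name entry and two thunk arrays.
    Offsets within the blob stand in for RVAs."""
    blob = bytearray(3 * DESCRIPTOR_SIZE)

    def add(chunk):
        off = len(blob)
        blob.extend(chunk)
        return off

    name1 = add(b"mscoree.dll\0")
    name2 = add(b"shell32.dll\0")
    # hint/name entry: WORD hint followed by a NUL-terminated function name
    hint_name = add(struct.pack("<H", 0) + b"_CorExeMain\0")
    # thunk arrays are 4-byte entries terminated by a zero entry
    thunks1 = add(struct.pack("<II", hint_name, 0))
    thunks2 = add(struct.pack("<III",
                              IMAGE_ORDINAL_FLAG32 | 300,   # constructed ordinal
                              IMAGE_ORDINAL_FLAG32 | 301,   # constructed ordinal
                              0))
    # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
    struct.pack_into("<IIIII", blob, 0, thunks1, 0, 0, name1, thunks1)
    struct.pack_into("<IIIII", blob, DESCRIPTOR_SIZE, thunks2, 0, 0, name2, thunks2)
    return bytes(blob)


def read_cstring(blob, off):
    return blob[off:blob.index(b"\0", off)].decode("ascii")


def parse_imports(blob, import_dir_rva, rva_to_offset=lambda rva: rva):
    """Return a list of (dll, kind, value): kind is 'name' with the function
    name, or 'ordinal' with the 16-bit ordinal and no name available."""
    imports = []
    desc_off = rva_to_offset(import_dir_rva)
    while True:
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", blob, desc_off)
        if oft == 0 and name_rva == 0 and ft == 0:
            break  # all-zero descriptor terminates the table
        dll = read_cstring(blob, rva_to_offset(name_rva))
        thunk_off = rva_to_offset(oft or ft)  # prefer the unbound name table
        while True:
            entry = struct.unpack_from("<I", blob, thunk_off)[0]
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                imports.append((dll, "ordinal", entry & 0xFFFF))
            else:
                hint_off = rva_to_offset(entry)
                imports.append((dll, "name", read_cstring(blob, hint_off + 2)))
            thunk_off += 4
        desc_off += DESCRIPTOR_SIZE
    return imports


def dll_for_function(imports, func_name):
    """Q5-style lookup: only works for imports that carry a name."""
    for dll, kind, value in imports:
        if kind == "name" and value == func_name:
            return dll
    return None


def ordinal_only_dlls(imports):
    """DLLs with at least one import that has no name in the file (Q10)."""
    return sorted({dll for dll, kind, _ in imports if kind == "ordinal"})


if __name__ == "__main__":
    imps = parse_imports(build_fake_import_directory(), 0)
    for entry in imps:
        print(entry)
    print("_CorExeMain comes from:", dll_for_function(imps, "_CorExeMain"))
    print("ordinal-only libraries:", ordinal_only_dlls(imps))
```

A name-based search finds _CorExeMain, but for an ordinal-only library the file holds no function name at all; the name has to be resolved against that DLL's export table, which is why looking at the import directory per library, as the author does in CFF Explorer, is the practical route for Q10.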

Q11 — Using capa, how many anti-VM instructions were identified in malbuster_1?

Navigate to the binary’s folder in cmd, execute capa malbuster_1, and look for the ‘execute anti-vm instructions’ capability.

Q12 — Using capa, which binary can log keystrokes?

Run capa on each binary, analyze the CAPABILITY section, and look for a keystroke-logging entry.

Q13 — Using capa, what is the MITRE ID of the DISCOVERY technique used by malbuster_4?

Run capa malbuster_4 and look for DISCOVERY in the ATT&CK Tactic section; the MITRE ID is listed next to the technique.

Q14 — Which binary contains the string GodMode?

To solve this challenge quickly, save the output of the floss command to a txt file, open the file in Notepad, and search for the term.

For example, here after running floss malbuster_* > out.txt I am opening ‘out.txt’ in Notepad to quickly search for the GodMode term.

Repeat the above for each binary until the string is found.

Q15 — Which binary contains the string Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)?

Increase the minimum string length that floss extracts (its -n option) to reduce the size of the output and quickly find this long string, as shown below:

Repeat the above for all binaries until you find the binary with the string.
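The approach of Q14 and Q15 (extract strings, search across several binaries, raise the minimum length to cut noise) is easy to reproduce in a few lines. This is an added example and not part of the original writeup: it does the static ASCII and UTF-16LE string extraction that strings/floss perform (without floss's decoding of obfuscated strings) over constructed sample bytes that stand in for the MalBuster binaries, and the function names are my own. It also shows the trade-off the minimum length introduces: a 7-character string disappears once the minimum is set to 8.

```python
import re


def extract_strings(data, min_length=4):
    """Return (offset, encoding, text) for printable ASCII runs and
    UTF-16LE runs of at least min_length characters, like `strings -e l`
    combined with the default ASCII pass."""
    results = []
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_length)
    for m in ascii_re.finditer(data):
        results.append((m.start(), "ascii", m.group().decode("ascii")))
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_length)
    for m in wide_re.finditer(data):
        results.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(results)


def find_string(data, needle, min_length=4):
    """Offsets and encodings of extracted strings containing needle."""
    return [(off, enc) for off, enc, s in extract_strings(data, min_length)
            if needle in s]


def which_binaries_contain(samples, needle, min_length=4):
    """Names of the samples whose extracted strings contain needle."""
    return [name for name, data in samples.items()
            if find_string(data, needle, min_length)]


# Constructed inputs, not the real challenge files: some header-like bytes,
# one interesting ASCII string, one interesting UTF-16LE string, and filler
# that produces short junk strings.
UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
SAMPLES = {
    "sample_a": b"MZ\x90\x00\x03\x00" + b"\x00GodMode\x00" + b"abcd\x01efg\x02" * 3,
    "sample_b": b"MZ\x90\x00\x03\x00" + UA.encode("utf-16le") + b"\x00\x00" + b"text" * 2,
    "sample_c": b"MZ\x90\x00\x03\x00" + b"\x00\x01\x02 junk \x03noise\x04" * 4,
}


if __name__ == "__main__":
    for needle in ("GodMode", UA):
        print(repr(needle), "found in:", which_binaries_contain(SAMPLES, needle))
    # Raising the minimum length trims the noise but can hide short strings.
    for n in (4, 8, 20):
        total = sum(len(extract_strings(d, n)) for d in SAMPLES.values())
        print("min length %2d -> %d strings, GodMode hits: %s"
              % (n, total, which_binaries_contain(SAMPLES, "GodMode", n)))
```

For the long User-Agent string a high minimum length is safe and shrinks the output, which is the author's trick for Q15; for a short marker like GodMode it is not, so pick the minimum length per search rather than once per binary.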

And with that we have solved all of the questions. If you found any mistake or have any suggestions, please reach out to me.

Found above post informative? Learned something new? Why not support me. Kindly support my work via ko-fi -> https://ko-fi.com/zinjacoder
