TryHackMe Intro to Malware Analysis Write-Up

Toumo
4 min read · Aug 9, 2023


Image from tryhackme.com

This one seems to be a room more focused on Malware Analysis rather than artifacts left behind. I’m actually pretty interested in Malware Analysis too, so hopefully this will give me some basic idea and steps on how to proceed.

Task 2 Malware Analysis

1: Which team uses malware analysis to look for IOCs and hunt for malware in a network?

The answer can be found in the reading.

Answer: Threat hunt team

Task 3 Techniques of malware analysis

1: Which technique is used for analyzing malware without executing it?

The answer can be found in the reading.

Answer: Static analysis

2: Which technique is used for analyzing malware by executing it and observing its behavior in a controlled environment?

The answer can be found in the reading.

Answer: Dynamic analysis

Task 4 Basic Static Analysis

1: In the attached VM, there is a sample named ‘redline’ in the Desktop/Samples directory. What is the md5sum of this sample?

We’re going to navigate to where the samples are. I did this with cd ~/Desktop/Samples/. Now we should be in the directory where the files are. Type md5sum redline and it should output the md5 hash of redline.

You can highlight the hash and use Shift+Ctrl+C to copy it and then paste it with Ctrl+V to the answer page.

Answer: ca2dc5a3f94c4f19334cc8b68f256259

2: What is the creation time of this sample?

I copied the hash and went over to VirusTotal, pasted the md5 hash and searched. Head over to the Details section.

Scroll down a little and you’ll come across the history. Creation time can be found there.

Answer: 2020-08-01 02:44:18 UTC

Task 5 The PE file Header

1: In the attached VM, there is a sample named ‘redline’ in the directory Desktop/Samples. What is the entropy of the .text section of this sample?

Simply type pecheck redline and then look for the ".text" section's entropy value.

Answer: 6.453919

2: The sample named ‘redline’ has five sections. .text, .rdata, .data and .rsrc are four of them. What is the name of the fifth section?

This can be found in the same section as the entropy value we just looked at.

Answer: .ndata

3: From which dll file does the sample named ‘redline’ import the RegOpenKeyExW function?

I typed in pecheck redline | grep -i "regopenkey" to display only the lines that contain "regopenkey". Grep has been helping me a lot!

Answer: ADVAPI32.dll
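To show where the values in Tasks 4 and 5 come from (the md5sum, the creation time VirusTotal reads from the PE compile timestamp, and the per-section entropy and section names that pecheck prints), here is an added Python example of my own, not code from the room or from pecheck. It walks the PE headers with only the standard library; the blob it analyses is constructed in build_sample and is not the room's redline file.

```python
import hashlib
import math
import struct
from datetime import datetime, timezone

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-6 for plain code, close to 8.0 for packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def analyze_pe(image: bytes) -> dict:
    """Return md5, compile timestamp and per-section entropy by walking the PE headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: Machine, NumberOfSections, TimeDateStamp, ...
    num_sections, stamp = struct.unpack_from("<HI", image, e_lfanew + 6)
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table starts right after the optional header
    sections = {}
    for i in range(num_sections):
        off = table + i * 40                  # each IMAGE_SECTION_HEADER is 40 bytes
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", image, off + 16)
        sections[name] = round(shannon_entropy(image[raw_ptr:raw_ptr + raw_size]), 6)
    created = datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    return {"md5": hashlib.md5(image).hexdigest(), "created": created, "sections": sections}

def build_sample() -> bytes:
    """Constructed, minimal PE-shaped blob for the demo: not a real program, not the room's sample."""
    e_lfanew, opt = 0x40, b"\0" * 224        # a PE32 optional header is 224 bytes
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 1596249858, 0, 0, len(opt), 0x102)
    text = bytes(range(256)) * 4             # uniform byte distribution -> entropy 8.0
    ndata = b"\0" * 1024                     # all zeros -> entropy 0.0
    text_off = e_lfanew + 4 + len(coff) + len(opt) + 2 * 40
    def sec(name, size, ptr):
        return name.ljust(8, b"\0") + struct.pack("<IIII", size, 0x1000, size, ptr) + b"\0" * 16
    hdr = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew) + b"PE\0\0" + coff + opt
    hdr += sec(b".text", len(text), text_off) + sec(b".ndata", len(ndata), text_off + len(text))
    return hdr + text + ndata
```

Running analyze_pe on the constructed blob reports a .text entropy of 8.0 and a .ndata entropy of 0.0, which is the same kind of signal pecheck gives for a packed section on the real sample.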

Task 6 Basic Dynamic Analysis

1: Check the hash of the sample ‘redline’ on Hybrid Analysis and check out the report generated on 9 Dec 2022. Check the Incident Response section of the report. How many domains were contacted by the sample?

Head over to Hybrid Analysis, input the hash and search.

Look for the result that matches the date we need.

Once you click it, you should be presented with this information immediately. Scroll down a little to look for the number of domains.

Answer: 17

2: In the report mentioned above, a text file is accessed by the sample. What is the name of that text file?

Since it is a text file, I just searched for a .txt file by pressing Ctrl+F and entering .txt.

Answer: fj4ghga23_fsa.txt

Task 7 Anti-analysis techniques

1: Which of the techniques discussed above is used to bypass static analysis?

The answer can be found in the reading.

Answer: packing

2: Which technique discussed above is used to time out a sandbox?

The answer can be found in the reading.

Answer: long sleep calls

Thoughts:

This was a pretty light room. I’m pretty interested in the Malware Analysis series in THM. I think I saw it being mentioned when I was reading this room and browsing related rooms. I think I’ll be adding HybridAnalysis into my bookmarks so I can read what some malware does occasionally.

I’m done with the entire THM SOC Level 1 Learning Module as I’ve already done the phishing rooms before doing my write-ups. I plan on redoing the ones I did pre-write-up to complete my write-up collection too! It’ll probably be later in the future but before the end of the year (2023)!
