TL;DR Walkthrough of the TryHackMe MAL: Malware Introductory room, part of the Cyber Defense Pathway.
THM Walkthroughs:
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
I saw a couple of other writeups on Google, but most of them only had the questions & answers without explaining how to find the information. Hence I decided I’d bother writing up what we did.
The first few tasks just involve some reading and/or Googling. The last few tasks are hands-on. If I skip a task here, it’s because all you have to do is hit a button; there’s no answer needed.
On an admin note, I have been having issues with TryHackMe’s US VPN servers lately. OpenVPN would connect, then immediately show an error code. TryHackMe’s website would show me as connected but I couldn’t even ping THM’s VM. As a result I have been using their EU servers. One can do this simply by downloading the *.ovpn files from here. I downloaded the ones for my account into a folder on Kali and simply saved them with filenames denoting the geographical location.
So without further ado let’s get into it.
---- Task 2 ----
What is the famous example of a targeted attack-esque Malware that targeted Iran?
Stuxnet
What is the name of the Ransomware that used the Eternalblue exploit in a “Mass Campaign” attack?
Wannacry
---- Task 3 ----
Name the first essential step of a Malware Attack?
Delivery
Now name the second essential step of a Malware Attack?
Execution
What type of signature is used to classify remnants of infection on a host?
Host-Based Signatures
What is the name of the other classification of signature used after a Malware attack?
Network-Based Signatures
---- Task 7 ----
As always, start by connecting with xfreerdp.
xfreerdp /v:10.10.244.56 /u:analysis /p:Tryhackme123! /dynamic-resolution
Set-Location 'C:\users\Analysis\Desktop\Tasks\Task 7'
Get-ChildItem
Get-FileHash .\* -Algorithm MD5
The MD5 Checksum of aws.exe
D2778164EF643BA8F44CC202EC7EF157
The MD5 Checksum of Netlogo.exe
59CB421172A89E1E16C11A428326952C
The MD5 Checksum of vlc.exe
5416BE1B8B04B1681CB39CF0E2CAAD9F
Task 8 is all ‘Nay’. Just copy/paste the hashes into VirusTotal.
---- Task 9 ----
What does PeID propose 1DE9176AD682FF.dll being packed with?
What does PeID propose AD29AA1B.bin being packed with?
I had to search for PeID as THM didn’t mention where it was saved.
Get-ChildItem -Path C:\ -Filter PEiD.exe -Recurse -ErrorAction SilentlyContinue
..\..\..\Documents\PEiD-0.95-20081103\PEiD.exe '..\Task 9\AD29AA1B.bin'
We got Microsoft Visual C++ 6.0 DLL for both.
---- Task 10 ----
What packer does PeID report file “6F431F46547DB2628” to be packed with?
..\..\..\Documents\PEiD-0.95-20081103\PEiD.exe '..\Task 10\6F431F46547DB2628'
FSG 1.0 -> dulek/xt
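PEiD answers the Task 9 and Task 10 questions by matching byte signatures at the entry point, which only works for packers in its signature database. A complementary check an analyst can run without PEiD is per-section entropy: compressed or encrypted section bodies tend to sit near 8 bits per byte, while ordinary code sits well below that. The script below is an added example, not part of the room or this walkthrough; it parses the PE section table by hand (e_lfanew at 0x3C, COFF header, then 40-byte section headers) and flags sections above a 7.0 bits/byte threshold, which is a heuristic cut-off chosen here, not a PEiD value. The usage line reuses the Task 10 relative path from the walkthrough.

```powershell
# Added example: section-entropy heuristic for packed PE files (not from the TryHackMe room).
# PEiD matches entry-point signatures; this instead reads the section table and scores each section.
function Get-PeSectionEntropy {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $Path).Path)
    if ($bytes.Length -lt 64 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not an MZ executable"
    }
    # e_lfanew (offset 0x3C) points at the 'PE\0\0' signature
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x00004550) {
        throw "$Path has no PE signature"
    }
    $coff          = $peOffset + 4                              # COFF file header follows the signature
    $numSections   = [BitConverter]::ToUInt16($bytes, $coff + 2)
    $optHeaderSize = [BitConverter]::ToUInt16($bytes, $coff + 16)
    $sectionTable  = $coff + 20 + $optHeaderSize                # section headers follow the optional header

    for ($i = 0; $i -lt $numSections; $i++) {
        $hdr     = $sectionTable + ($i * 40)                    # each IMAGE_SECTION_HEADER is 40 bytes
        $name    = ([System.Text.Encoding]::ASCII.GetString($bytes, $hdr, 8)).TrimEnd([char]0)
        $rawSize = [int][BitConverter]::ToUInt32($bytes, $hdr + 16)   # SizeOfRawData
        $rawPtr  = [int][BitConverter]::ToUInt32($bytes, $hdr + 20)   # PointerToRawData

        # Shannon entropy over the section's on-disk bytes (0 = constant, 8 = uniformly random)
        $entropy = 0.0
        if ($rawSize -gt 0 -and ($rawPtr + $rawSize) -le $bytes.Length) {
            $counts = New-Object int[] 256
            for ($j = 0; $j -lt $rawSize; $j++) { $counts[$bytes[$rawPtr + $j]]++ }
            foreach ($c in $counts) {
                if ($c -gt 0) {
                    $p = $c / $rawSize
                    $entropy -= $p * [Math]::Log($p, 2)
                }
            }
        }

        [PSCustomObject]@{
            File         = Split-Path $Path -Leaf
            Section      = $name
            RawSize      = $rawSize
            Entropy      = [Math]::Round($entropy, 2)
            LikelyPacked = ($entropy -gt 7.0)   # heuristic threshold chosen for this example
        }
    }
}

# Usage against the Task 10 sample, using the same relative path as the walkthrough:
Get-PeSectionEntropy -Path '..\Task 10\6F431F46547DB2628' | Format-Table -AutoSize
```

A packer such as FSG leaves a small loader stub plus a high-entropy blob, so a section near 8.0 next to one tiny low-entropy section is the pattern to look for. Treat the threshold as a prompt to investigate, not a verdict: signed or resource-heavy legitimate binaries also carry high-entropy sections.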
---- Task 12 ----
What is the URL that is outputted after using “strings”?
Strings.exe refused to run properly in PowerShell ISE, so I had to use PowerShell.exe for this question. I was not amused. I have gotten quite used to command completion, suggestions for command options that I can just Tab to complete, any syntax errors of mine getting underlined in red, etc.
PowerShell.exe
C:\Users\Analysis\Desktop\Tools\SysinternalsSuite\strings.exe "C:\Users\Analysis\Desktop\Tasks\Task 12\67844C01" | Select-String ".com"
practicalmalwareanalysis.com
How many unique “Imports” are there?
You have to use the PE Explorer GUI for this one: open the file -> View -> Imports
5
---- Task 13 ----
How many references are there to the library “msi” in the “Imports” tab of IDA Freeware for “install.exe”?
Open in IDA -> Imports tab -> Ctrl + F “msi”
9
---- Task 14 ----
What is the MD5 Checksum of the file?
Set-Location 'C:\Users\Analysis\Desktop\Tasks\Task 14'
Get-FileHash .\ComplexCalculator.exe -Algorithm MD5
F5BD8E6DC6782ED4DFA62B8215BDC429
Does Virustotal report this file as malicious? (Yay/Nay)
Yay
Output the strings using Sysinternals “strings” tool.
What is the last string outputted?
PowerShell.exe
C:\Users\Analysis\Desktop\Tools\SysinternalsSuite\strings.exe "C:\Users\Analysis\Desktop\Tasks\Task 14\ComplexCalculator.exe" | Select-Object -Last 1
d:h:
What is the output of PeID when trying to detect what packer is used by the file?
Nothing found
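Tasks 7, 12 and 14 are all the same static-triage loop done by hand: hash the file, dump its strings, grep for network indicators, note the last string. The script below is an added example (not from the room or this walkthrough) that does that loop in one pass and, unlike the walkthrough, does not depend on Sysinternals strings.exe: `Get-AsciiStrings` reimplements the default ASCII mode of strings (runs of at least four printable bytes), and the indicator regex is broader than the `Select-String ".com"` filter used above. The folder path in the usage line is the Task 14 path from the walkthrough; everything else is this example's own naming.

```powershell
# Added example: one-pass static triage (hashes, strings, network indicators), not from the TryHackMe room.
function Get-AsciiStrings {
    # Emits runs of >= $MinLength printable ASCII bytes, the same idea as strings.exe's default ASCII mode
    param([Parameter(Mandatory)][string]$Path, [int]$MinLength = 4)

    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path $Path).Path)
    $sb = New-Object System.Text.StringBuilder
    foreach ($b in $bytes) {
        if ($b -ge 0x20 -and $b -le 0x7E) {
            [void]$sb.Append([char]$b)
        } else {
            if ($sb.Length -ge $MinLength) { $sb.ToString() }   # flush a completed run
            [void]$sb.Clear()
        }
    }
    if ($sb.Length -ge $MinLength) { $sb.ToString() }           # run that ended at EOF
}

function Invoke-StaticTriage {
    param([Parameter(Mandatory)][string]$Path)

    $strings = @(Get-AsciiStrings -Path $Path)
    # Domain/URL-looking strings; broader than the walkthrough's Select-String ".com"
    $indicators = $strings | Where-Object { $_ -match '(https?://|www\.|\.(com|net|org|info|biz)\b)' }

    [PSCustomObject]@{
        File        = Split-Path $Path -Leaf
        MD5         = (Get-FileHash -Path $Path -Algorithm MD5).Hash      # what Task 7/14 ask for
        SHA256      = (Get-FileHash -Path $Path -Algorithm SHA256).Hash   # what VirusTotal keys on
        StringCount = $strings.Count
        LastString  = $strings[-1]                                        # Task 14's "last string"
        Indicators  = ($indicators -join '; ')                            # Task 12's URL
    }
}

# Usage: triage every sample in the Task 14 folder (path as used in the walkthrough)
Get-ChildItem 'C:\Users\Analysis\Desktop\Tasks\Task 14' -File |
    ForEach-Object { Invoke-StaticTriage -Path $_.FullName } |
    Format-List
```

Because it is plain PowerShell, this runs the same in the ISE and in PowerShell.exe, which sidesteps the strings.exe problem noted under Task 12. The byte loop is slow on large binaries; for the small lab samples it finishes in a few seconds, and for anything bigger strings.exe or a compiled tool is the better choice.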
Summary
This was a good little room. I should really get back to writing my boring paper for college now, I needed to take a break and do something in the CLI. TryHackMe is always good for that. I also need to finish this pathway eventually as I am going to use it as the last CPEs I need to renew some certifications.
On a happy note, I just got back into the TryHackMe Top 1% following the change in how they calculate this.