MAL: Malware Introductory TryHackMe Walkthrough

Rich
4 min readNov 19, 2023

--

TL;DR Walkthrough of the TryHackMe MAL: Malware Introductory room, part of the Cyber Defense Pathway.

THM Walkthroughs:

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

I saw a couple other writeups on Google, but most of them only had the questions & answers without explaining how to find the information. Hence I decided I’d bother writing up what we did.

The first few tasks just involve some reading and or Googling. The last few tasks are hands on. If I skip a Task here it’s because all you have to do is hit a button, there’s no answer needed.

On an admin note, I have been having issues with TryHackMe’s US VPN servers lately. OpenVPN would connect, then immediately show an error code. TryHackMe’s website would show me as connected but I couldn’t even ping THM’s VM. As a result I have been using their EU servers. One can do this simply by downloading the *.ovpn files from here. I downloaded the ones for my account into a folder on Kali and simply saved them with filenames denoting the geographical location.

So without further ado let’s get into it.

— — Task 2 — -

What is the famous example of a targeted attack-esque Malware that targeted Iran?

Stuxnet

What is the name of the Ransomware that used the Eternalblue exploit in a “Mass Campaign” attack?

Wannacry

— — Task 3 — -

Name the first essential step of a Malware Attack?

Delivery

Now name the second essential step of a Malware Attack?

Execution

What type of signature is used to classify remnants of infection on a host?

Host-Based Signatures

What is the name of the other classification of signature used after a Malware attack?

Network-Based Signatures

— — Task 7 — -

As always start by connecting with xfreerdp.

xfreerdp /v:10.10.244.56 /u:analysis /p:Tryhackme123! /dynamic-resolution
Set-Location 'C:\users\Analysis\Desktop\Tasks\Task 7'
Get-ChildItem
Get-FileHash .\* -Algorithm MD5

The MD5 Checksum of aws.exe

D2778164EF643BA8F44CC202EC7EF157

The MD5 Checksum of Netlogo.exe

59CB421172A89E1E16C11A428326952C

The MD5 Checksum of vlc.exe

5416BE1B8B04B1681CB39CF0E2CAAD9F

Task 8 is all ‘Nay’. Just copy/paste the hashes into VirusTotal.

— — Task 9 — -

What does PeID propose 1DE9176AD682FF.dll being packed with?

What does PeID propose AD29AA1B.bin being packed with?

I had to search for PeID as THM didn’t mention where it was saved.

Get-ChildItem -Path C:\ "PEiD.exe" -Recurse -ErrorAction SilentlyContinue

..\..\..\Documents\PEiD-0.95–20081103\PEiD.exe '..\Task 9\AD29AA1B.bin'

We got Microsoft Visual C++ 6.0 DLL for both.

— — Task 10 — -

What packer does PeID report file “6F431F46547DB2628” to be packed with?

..\..\..\Documents\PEiD-0.95–20081103\PEiD.exe ‘..\Task 10\6F431F46547DB2628’

FSG 1.0 -> dulek/xt

— — Task 12 — -

What is the URL that is outputted after using “strings”

Strings.exe refused to run properly in PowreShell_ISE, so I had to use PowerShell.exe for this question. I was not amused. I have gotten quite used to command completion, suggestions for command options that I can just Tab to complete, any syntax errors of mine getting underlined in red, etc etc.

PowerShell.exe
C:\Users\\Analysis\Desktop\Tools\SysinternalsSuite\strings.exe “C:\Users\Analysis\Desktop\Tasks\Task 12\67844C01” | Select-String “.com”

practicalmalwareanalysis.com

How many unique “Imports” are there?

Have to use the GUI PE Explorer to open the file -> View -> Imports

5

— — Task 13 — -

How many references are there to the library “msi” in the “Imports” tab of IDA Freeware for “install.exe”

Open in IDA -> Imports tab -> Ctrl + F “msi”

9

— — Task 14 — -

What is the MD5 Checksum of the file?

Set-Location 'C:\Users\Analysis\Desktop\Tasks\Task 14'

Get-FileHash .\ComplexCalculator.exe -Algorithm MD5

F5BD8E6DC6782ED4DFA62B8215BDC429

Does Virustotal report this file as malicious? (Yay/Nay)

Yay

Output the strings using Sysinternals “strings” tool.

What is the last string outputted?

PowerShell.exe
C:\Users\\Analysis\Desktop\Tools\SysinternalsSuite\strings.exe “C:\Users\Analysis\Desktop\Tasks\Task 14\ComplexCalculator.exe” | Select-Object -Last 1

d:h:

What is the output of PeID when trying to detect what packer is used by the file?

Nothing found

Summary

This was a good little room. I should really get back to writing my boring paper for college now, I needed to take a break and do something in the CLI. TryHackMe is always good for that. I also need to finish this pathway eventually as I am going to use it as the last CPEs I need to renew some certifications.

On a happy note, I just got back into the TryHackMe Top 1% following the change in how they calculate this.

--

--

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.