Difficulty: Medium
This room aims to be a practice room for Dissecting PE Headers and Static Analysis 1. In this scenario, you will act as one of the Reverse Engineers that will analyse malware samples based on the detections reported by your SOC team.
Prerequisites
This room requires basic knowledge of Malware Static Analysis. We recommend going through the following rooms before attempting this challenge.
Scenario
You are currently working as a Malware Reverse Engineer for your organisation. Your team acts as a support for the SOC team when detections of unknown binaries occur. One of the SOC analysts triaged an alert triggered by binaries with unusual behaviour. Your task is to analyse the binaries detected by your SOC team and provide enough information to assist them in remediating the threat.
Investigation Platform 1:
The team has provided two investigation platforms, a FLARE VM and a REMnux VM. You may utilise the machines based on your preference.
If you prefer FLARE VM, you may start the machine attached to this task. Else, you may start the machine on the task below to start REMnux VM.
The machine will start in a split-screen view. In case the VM is not visible, use the blue Show Split View button at the top-right of the page.
You may also use the following credentials for alternative access via Remote Desktop (RDP):
Username: administrator
Password: letmein123!
IP Address: 10.10.138.126
Lastly, you may find the malware samples at C:\Users\Administrator\Desktop\Samples.
WE ADVISE YOU NOT TO DOWNLOAD THE MALWARE SAMPLES TO YOUR HOST.
Investigation Platform 2:
If you prefer REMnux, you may use the machine attached to this task by accessing it via the split-screen view.
Else, start the machine from the previous task to spin up the FLARE VM.
In addition, you can find the malware samples provided by the SOC team at /home/ubuntu/Desktop/Samples.
The machine will start in a split-screen view. In case the VM is not visible, use the blue Show Split View button at the top-right of the page.
WE ADVISE YOU NOT TO DOWNLOAD THE MALWARE SAMPLES TO YOUR HOST.
Good luck!
Q1-Based on the ARCHITECTURE of the binary, is malbuster_1 a 32-bit or a 64-bit application? (32-bit/64-bit)
- Open the binary with the pe-tree tool and look at the IMAGE_NT_HEADERS section; you will get the answer easily:
THE Answer : 32-bit
Q2-What is the MD5 hash of malbuster_1?
- Easy one: just look at the top of the page:
THE Answer : 4348da65e4aeae6472c7f97d6dd8ad8f
Q3-Using the hash, what is the number of detections of malbuster_1 in VirusTotal?
- Now search for the hash in VirusTotal:
THE Answer : 57
Q4-Based on VirusTotal detection, what is the malware signature of malbuster_2 according to Avira?
- First we need the hash of this binary, so just use the md5sum command or open it with pe-tree:
- Now go to VirusTotal and search for the hash:
- Look at the Avira entry in the Detection section:
THE Answer : HEUR/AGEN.1306860
Q5-malbuster_2 imports the function _CorExeMain. From which DLL file does it import this function?
- Go to the Details section in VirusTotal and search for Imports:
- Or go to the IMAGE_NT_HEADERS > IMAGE_IMPORT_DESCRIPTOR section in pe-tree:
THE Answer : mscoree.dll
Q6-Based on the VS_VERSION_INFO header, what is the original name of malbuster_2?
- Go to the VS_VERSION_INFO header; you will get the answer:
- Or get the answer from VirusTotal:
THE Answer : 7JYpE.exe
Q7-Using the hash of malbuster_3, what is its malware signature based on abuse.ch?
- First get the hash of the malbuster_3 file:
- Now go to the abuse.ch platform https://urlhaus.abuse.ch/browse/ and search for the hash:
THE Answer : trickbot
Q8-Using the hash of malbuster_4, what is its malware signature based on abuse.ch?
- First get the hash of the file:
- I go to abuse.ch but I don't find anything, so I go to VirusTotal:
THE Answer : ZlOADER
Q9-What is the message found in the DOS_STUB of malbuster_4?
- Go to the DOS_STUB section in pe-tree:
THE Answer : !This Salfram cannot be run in DOS mode.
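The three header checks above (architecture in Q1, MD5 in Q2, DOS stub message in Q9) can be reproduced without pe-tree by reading the DOS header, following e_lfanew to the PE signature and reading the Machine field. This is an added example, not code from the room; it runs on a constructed minimal PE prefix by default, or on any file path passed as an argument, and the sample bytes are not one of the malbuster binaries.

```python
import hashlib
import re
import struct

# Machine values from the IMAGE_FILE_HEADER shown by pe-tree under IMAGE_NT_HEADERS
MACHINE_NAMES = {0x014C: "32-bit", 0x8664: "64-bit"}


def build_sample(machine: int, stub_msg: bytes) -> bytes:
    """Constructed minimal PE prefix (not one of the room's samples): DOS header,
    the usual DOS stub code, a stub message, then the PE signature and file header."""
    # int 21h stub code; its trailing 0x21 byte is the '!' seen before the message
    stub = b"\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c\xcd\x21"
    stub += stub_msg + b"\r\r\n$\x00"
    e_lfanew = 0x40 + len(stub)  # DOS header is 64 bytes; e_lfanew lives at 0x3C
    dos_header = b"MZ" + b"\x00" * 58 + struct.pack("<I", e_lfanew)
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0xE0, 0x0102)
    return dos_header + stub + b"PE\x00\x00" + file_header


def parse_pe_basics(data: bytes) -> dict:
    """Return MD5, architecture and DOS stub message (what Q1, Q2 and Q9 ask for)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file: PE signature not found at e_lfanew")
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
    # The DOS stub sits between the 64-byte DOS header and the PE signature; its
    # message is the first long printable run (malware may rewrite it, as in Q9)
    stub = data[0x40:e_lfanew]
    match = re.search(rb"[\x20-\x7e]{8,}", stub)
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "arch": MACHINE_NAMES.get(machine, f"unknown (0x{machine:04x})"),
        "dos_stub": match.group(0).decode("ascii") if match else "",
    }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        data = open(sys.argv[1], "rb").read()
    else:
        data = build_sample(0x014C, b"This Salfram cannot be run in DOS mode.")
    for key, value in parse_pe_basics(data).items():
        print(f"{key}: {value}")
```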
Q10- malbuster_4 imports the function ShellExecuteA. From which DLL file does it import this function?
- Go to the IMAGE_IMPORT_DESCRIPTOR section and look at the imported DLLs:
THE Answer : shell32.dll
Q11-Using capa, which binary can log keystrokes?
- Run capa on all the binaries to see which binary contains this capability.
ubuntu@ip-10-10-138-126:~/Desktop/Samples$ capa malbuster_3
- In malbuster_3 you will get the answer:
THE Answer : malbuster_3
Q12-Using capa, what is the MITRE ID of the DISCOVERY technique used by malbuster_4?
- Easy, just use this command:
ubuntu@ip-10-10-138-126:~/Desktop/Samples$ capa malbuster_4
- Now go to the ATT&CK Technique section:
THE Answer : T1083
Q13-Which binary contains the string GodMode?
- I used the strings command to search recursively in all binary files:
ubuntu@ip-10-10-138-126:~/Desktop/Samples$ grep -r -l -E "GodMode"
THE Answer : malbuster_2
Q14-Which binary contains the string Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)?
- Same as the above question, use the strings command:
ubuntu@ip-10-10-138-126:~/Desktop/Samples$ grep -r -l -E " Windows NT 5.1"
THE Answer : malbuster_1
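The grep searches in Q13 and Q14 only find strings stored as plain ASCII; a Windows binary often stores them as UTF-16LE, which strings -el or the extractor below would still catch. This is an added example, not code from the room; the three sample blobs are constructed stand-ins (not the malbuster binaries), and load_samples is a hypothetical helper for pointing it at the real Samples folder.

```python
from __future__ import annotations
import re
from pathlib import Path

# Printable runs of 4+ characters, as ASCII and as UTF-16LE (each char followed by 0x00)
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
WIDE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> list[str]:
    """ASCII and UTF-16LE printable runs, like `strings` and `strings -el` combined."""
    found = [m.group(0).decode("ascii") for m in ASCII_RE.finditer(data)]
    found += [m.group(0).decode("utf-16-le") for m in WIDE_RE.finditer(data)]
    return found


def files_containing(samples: dict[str, bytes], needle: str) -> list[str]:
    """Names of samples whose extracted strings contain needle (case-sensitive)."""
    return sorted(name for name, data in samples.items()
                  if any(needle in s for s in extract_strings(data)))


def load_samples(folder: str) -> dict[str, bytes]:
    """Hypothetical helper: read every file in the Samples folder into memory."""
    return {p.name: p.read_bytes() for p in Path(folder).iterdir() if p.is_file()}


# Constructed sample contents: one stores the user-agent as ASCII, one stores
# GodMode as UTF-16LE (which a plain grep misses), one contains neither.
CONSTRUCTED = {
    "sample_a": b"MZ\x90\x00" + b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\x00",
    "sample_b": b"MZ\x90\x00" + "GodMode".encode("utf-16-le") + b"\x00\x00",
    "sample_c": b"MZ\x90\x00" + b"nothing interesting here\x00",
}

if __name__ == "__main__":
    print("GodMode ->", files_containing(CONSTRUCTED, "GodMode"))
    print("Windows NT 5.1 ->", files_containing(CONSTRUCTED, "Windows NT 5.1"))
```

Replace CONSTRUCTED with load_samples("/home/ubuntu/Desktop/Samples") on the REMnux VM to run it over the real samples.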
THE END
BY: Ahmed Nasser