In this walkthrough we will go step by step to answer the questions.
Task 1: Introduction
No questions here, so let’s keep moving.
Task 2: Malware Analysis
Question: Which team uses malware analysis to look for IOCs and hunt for malware in a network?
The answer can be found in the reading in “The purpose behind Malware Analysis” section. Specifically, the Threat Hunt bullet.
Threat Hunt teams analyze malware to identify IOCs, which they use to hunt for malware in a network.
Answer: threat hunt teams
Task 3: Techniques of malware analysis
Question 1: Which technique is used for analyzing malware without executing it?
This answer is in the reading. Check out the heading “Static Analysis”
When malware is analyzed without being executed, it is called Static Analysis.
Answer: Static Analysis
Question 2: Which technique is used for analyzing malware by executing it and observing its behavior in a controlled environment?
The answer is in the reading. See the “Dynamic Analysis” section.
Dynamic analysis techniques include running the malware in a VM
Answer: Dynamic Analysis
Task 4: Basic Static Analysis
Start up the machine. Follow the directions in the reading.
Question 1: In the attached VM, there is a sample named ‘redline’ in the Desktop/Samples directory. What is the md5sum of this sample?
This is covered in the reading. Open Terminal and change directories to Sample on the Desktop. Then run…
Question 2: What is the creation time of this sample?
To answer this we will need to open the site VirusTotal. From here click on the search link, this will give you the ability to past in a hash. Use the one from question 1. After pasting this in you get a page with lots of info. Click on details to see when the create time of the file was.
Answer: 2020-08-01 02:44:18
Task 5: The PE file Header
Question 1: In the attached VM, there is a sample named ‘redline’ in the directory Desktop/Samples. What is the entropy of the .text section of this sample?
Time to use pecheck. Run this…
Scroll back up to see the “.text entropy” line
Question 2: The sample named ‘redline’ has five sections. .text, .rdata, .data and .rsrc are four of them. What is the name of the fifth section?
The only one not mentioned that appears in the above screenshot is…
Question 3: From which dll file does the sample named ‘redline’ import the RegOpenKeyExW function?
This is located in the same output a little further down, in the [IMAGE_IMPORT_DESCRIPTOR] section.
Question 4: Check out the GUI-based Petree tool and see what information it shows. You can use the following command for using the pe-tree tool to analyze the ‘redline’ malware. (The pe-tree tool might take some time to initiate.)
In terminal type
Answer: No answer needed.
Task 6: Basic Dynamic Analysis
Question 1: Check the hash of the sample ‘redline’ on Hybrid analysis and check out the report generated on 9 Dec 2022. Check the Incident Response section of the report. How many domains were contacted by the sample?
Go to Hybrid Analysis. Go to Report Search. Paste in the redline hash and search. There is no longer a report for Dec 2022. In another write up I found that the answer is 8, but our answer has 2 digits. Process of elimination comes up with:
Question 2: In the report mentioned above, a text file is accessed by the sample. What is the name of that text file?
Well since we can’t find record on Hybrid Analysis, we need to look at other write-ups. I found one that was right, with..
Task 7: Anti-analysis techniques
Question 1: Which of the techniques discussed above is used to bypass static analysis?
The answer is in the reading under “Packing and Obfuscation”.
A packer obfuscates, compresses, or encrypts the contents of malware. These techniques make it difficult to analyze malware statically.
Question 2: A packer obfuscates, compresses, or encrypts the contents of malware. These techniques make it difficult to analyze malware statically.
The answer is in the reading. In the “Sandbox evasion” section. Read “Long Sleep calls”..
Long sleep calls: Malware authors know that sandboxes run for a limited time. Therefore, they program the malware not to perform any activity for a long time after execution. This is often accomplished through long sleep calls. The purpose of this technique is to time out the sandbox.
Answer: Long Sleep calls
Task 6: Conclusion
Answer: No answer needed.