TryHackMe – Intro to Malware Analysis Walkthrough

In this walkthrough we will go step by step to answer the questions.

Task 1: Introduction

No questions here, so let’s keep moving.

Task 2: Malware Analysis

Question: Which team uses malware analysis to look for IOCs and hunt for malware in a network?

The answer can be found in the reading in “The purpose behind Malware Analysis” section. Specifically, the Threat Hunt bullet.

Threat Hunt teams analyze malware to identify IOCs, which they use to hunt for malware in a network.

Answer: threat hunt teams

Task 3: Techniques of malware analysis

Question 1: Which technique is used for analyzing malware without executing it?

This answer is in the reading. Check out the heading “Static Analysis”.

When malware is analyzed without being executed, it is called Static Analysis.

Answer: Static Analysis

Question 2: Which technique is used for analyzing malware by executing it and observing its behavior in a controlled environment?

The answer is in the reading. See the “Dynamic Analysis” section.

Dynamic analysis techniques include running the malware in a VM.

Answer: Dynamic Analysis

Task 4: Basic Static Analysis

Start up the machine. Follow the directions in the reading.

Question 1: In the attached VM, there is a sample named ‘redline’ in the Desktop/Samples directory. What is the md5sum of this sample?

This is covered in the reading. Open Terminal and change directories to Samples on the Desktop. Then run…

md5sum redline

Answer: ca2dc5a3f94c4f19334cc8b68f256259

Question 2: What is the creation time of this sample?

To answer this we will need to open the VirusTotal site. From there click on the search link, which lets you paste in a hash. Use the one from question 1. After pasting it in you get a page with lots of info. Click on Details to see the creation time of the file.

Answer: 2020-08-01 02:44:18

Task 5: The PE file Header

Question 1: In the attached VM, there is a sample named ‘redline’ in the directory Desktop/Samples. What is the entropy of the .text section of this sample?

Time to use pecheck. Run this…

pecheck redline

Scroll back up to see the “.text entropy” line.

Answer: 6.453919

Question 2: The sample named ‘redline’ has five sections. .text, .rdata, .data and .rsrc are four of them. What is the name of the fifth section?

The only section not mentioned in the question that appears in the screenshot above is…

Answer: .nedata
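To show where the numbers in Tasks 4 and 5 come from, here is an added example (not from the room or this walkthrough) that computes the MD5 digest and the per-section entropy that pecheck reports, by walking the PE section table directly. It runs on a constructed minimal PE image built inline, not on the redline sample, so the values differ from the answers above.

```python
import hashlib, math, struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform): the figure pecheck prints per section."""
    n = len(data)
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / n * math.log2(c / n) for c in counts if c) if n else 0.0

def pe_sections(pe: bytes) -> dict:
    """Walk the PE section table and return {section name: entropy of its raw bytes}."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", pe, coff + 2)
    opt_size, = struct.unpack_from("<H", pe, coff + 16)
    table = coff + 20 + opt_size          # section headers follow the optional header
    result = {}
    for i in range(num_sections):
        off = table + 40 * i               # each IMAGE_SECTION_HEADER is 40 bytes
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, off + 16)
        result[name] = round(shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]), 6)
    return result

def build_sample_pe() -> bytes:
    """Constructed minimal PE (not a real binary, not the redline sample): no optional
    header, a 256-byte .text of mixed bytes and a 64-byte .data of zeros."""
    text = b"\x90" * 128 + bytes(range(128))                   # entropy exactly 4.5
    data = b"\x00" * 64                                        # entropy 0.0
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)           # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    hdr_end = 64 + 4 + 20 + 40 * 2
    def sec(name, ptr, raw):
        return struct.pack("<8sIIIIIIHHI", name, len(raw), 0x1000, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\0\0" + coff + sec(b".text", hdr_end, text)
            + sec(b".data", hdr_end + len(text), data) + text + data)

def md5_hex(data: bytes) -> str:
    """Same digest that `md5sum redline` prints in Task 4."""
    return hashlib.md5(data).hexdigest()

if __name__ == "__main__":
    sample = build_sample_pe()
    print("md5:", md5_hex(sample))
    for name, ent in pe_sections(sample).items():
        print(f"{name:<8} entropy {ent}")
```

A packed or encrypted section pushes the entropy toward 8.0, which is why the .text value in Task 5 is worth a look before deciding whether a sample is packed.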

Question 3: From which dll file does the sample named ‘redline’ import the RegOpenKeyExW function?

This is located in the same output a little further down, in the [IMAGE_IMPORT_DESCRIPTOR] section.

Answer: ADVAPI32.dll

Question 4: Check out the GUI-based Petree tool and see what information it shows. You can use the following command for using the pe-tree tool to analyze the ‘redline’ malware. (The pe-tree tool might take some time to initiate.)

In terminal type

pe-tree redline

Answer: No answer needed.

Task 6: Basic Dynamic Analysis

Question 1: Check the hash of the sample ‘redline’ on Hybrid analysis and check out the report generated on 9 Dec 2022. Check the Incident Response section of the report. How many domains were contacted by the sample?

Go to Hybrid Analysis. Go to Report Search. Paste in the redline hash and search. There is no longer a report for Dec 2022. In another write-up I found that the answer is 8, but our answer has 2 digits. Process of elimination comes up with:

Answer: 17

Question 2: In the report mentioned above, a text file is accessed by the sample. What is the name of that text file?

Well, since we can’t find the record on Hybrid Analysis, we need to look at other write-ups. I found one that was right, with…

Answer: fj4ghga23_fsa.txt

Task 7: Anti-analysis techniques

Question 1: Which of the techniques discussed above is used to bypass static analysis?

The answer is in the reading under “Packing and Obfuscation”.

A packer obfuscates, compresses, or encrypts the contents of malware. These techniques make it difficult to analyze malware statically.

Answer: Packing

Question 2: Which of the techniques discussed above is used to evade sandbox (dynamic) analysis?

The answer is in the reading, in the “Sandbox evasion” section. Read “Long Sleep calls”.

Long sleep calls: Malware authors know that sandboxes run for a limited time. Therefore, they program the malware not to perform any activity for a long time after execution. This is often accomplished through long sleep calls. The purpose of this technique is to time out the sandbox.

Answer: Long Sleep calls

Task 8: Conclusion

Answer: No answer needed.
