Malbuster

TryHackMe Challenge Walkthrough

Challenge Overview

You are currently working as a Malware Reverse Engineer for your organisation. Your team acts as a support for the SOC team when detections of unknown binaries occur. One of the SOC analysts triaged an alert triggered by binaries with unusual behaviour. Your task is to analyse the binaries detected by your SOC team and provide enough information to assist them in remediating the threat.


The team has provided two investigation platforms, a FLARE VM and a REMnux VM. You may utilise the machines based on your preference.

If you prefer FLARE VM, you may start the machine attached to this task. Else, you may start the machine on the task below to start REMnux VM.

Lastly, you may find the malware samples in C:\Users\Administrator\Desktop\Samples.

WE ADVISE YOU NOT TO DOWNLOAD THE MALWARE SAMPLES TO YOUR HOST.

Tools Used

  • capa
  • pe-tree
  • VirusTotal
  • abuse.ch

Q & A

Q1 Based on the ARCHITECTURE of the binary, is malbuster_1 a 32-bit or a 64-bit application? (32-bit/64-bit)
Answer

32-bit

Q2 What is the MD5 hash of malbuster_1?
Answer

4348da65e4aeae6472c7f97d6dd8ad8f

Q3 Using the hash, what is the popular threat label of malbuster_1 according to VirusTotal?
Answer

trojan.zbot/razy

Q4 Based on VirusTotal detection, what is the malware signature of malbuster_2 according to Avira?
Answer

HEUR/AGEN.1306860

Q5 malbuster_2 imports the function _CorExeMain. From which DLL file does it import this function?

pe-tree malbuster_2
Answer

mscoree.dll

Q6 Based on the VS_VERSION_INFO header, what is the original name of malbuster_2?
Answer

7JYpE.exe

Q7 Using the hash of malbuster_3, what is its malware signature based on abuse.ch?

md5sum malbuster_3

MalwareBazaar query:

md5:47ba62ce119f28a55f90243a4dd8d324
Answer

TrickBot

Q8 Using the hash of malbuster_4, what is its malware signature based on abuse.ch?

md5sum malbuster_4

MalwareBazaar query:

md5:47ba62ce119f28a55f90243a4dd8d324
Answer

Zloader

Q9 What is the message found in the DOS_STUB of malbuster_4?

pe-tree malbuster_4
Answer

!This Salfram cannot be run in DOS mode.
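The checks behind Q1, Q2 and Q9 (architecture from the PE file header, MD5 of the file, and the message in the DOS stub) can be reproduced without pe-tree by reading the headers directly. The script below is an added example, not part of the original walkthrough and not the output of any tool named on the page; it parses only the DOS header, the PE signature and the Machine field of the file header, and it builds a constructed, minimal MZ/PE byte string (labelled as such) so it runs offline. The assumed helper names (triage, pe_architecture, dos_stub_message, build_sample_pe) are mine.

```python
import hashlib
import re
import struct
import sys

# Machine values from the PE COFF file header.
IMAGE_FILE_MACHINE_I386 = 0x014C   # 32-bit x86
IMAGE_FILE_MACHINE_AMD64 = 0x8664  # 64-bit x86-64


def md5_hex(data: bytes) -> str:
    """Same value md5sum prints for the file (Q2-style lookup key)."""
    return hashlib.md5(data).hexdigest()


def _e_lfanew(data: bytes) -> int:
    """Offset of the PE signature, stored at 0x3C in the DOS header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    return struct.unpack_from("<I", data, 0x3C)[0]


def pe_architecture(data: bytes) -> str:
    """Q1: classify by the Machine field of IMAGE_FILE_HEADER."""
    off = _e_lfanew(data)
    if data[off:off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    machine = struct.unpack_from("<H", data, off + 4)[0]
    names = {IMAGE_FILE_MACHINE_I386: "32-bit", IMAGE_FILE_MACHINE_AMD64: "64-bit"}
    return names.get(machine, f"unknown (0x{machine:04x})")


def dos_stub_message(data: bytes) -> str:
    """Q9: the printable text in the DOS stub between the DOS header and 'PE\\0\\0'.

    Packers and builders sometimes alter the stock
    '!This program cannot be run in DOS mode.' text, which makes it a
    cheap triage indicator worth recording."""
    stub = data[0x40:_e_lfanew(data)]
    m = re.search(rb"[\x20-\x7e]{8,}", stub)  # first run of >= 8 printable bytes
    return m.group(0).decode("ascii") if m else ""


def triage(data: bytes) -> dict:
    """Collect the header-level facts a SOC hand-off needs."""
    return {
        "md5": md5_hex(data),
        "architecture": pe_architecture(data),
        "dos_stub": dos_stub_message(data),
    }


def build_sample_pe(machine: int, stub_message: bytes) -> bytes:
    """CONSTRUCTED test input: DOS header + stub + PE signature + file header.

    It has no optional header or sections, so only header parsing works on it."""
    stub = stub_message + b"\r\r\n$\0\0\0"
    dos_header = bytearray(0x40)
    dos_header[0:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40 + len(stub))  # e_lfanew
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_header = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 0, 0x0102)
    return bytes(dos_header) + stub + b"PE\0\0" + file_header


if __name__ == "__main__":
    # Usage: python pe_triage.py <sample> [<sample> ...]; with no args, use the constructed sample.
    paths = sys.argv[1:]
    if not paths:
        print(triage(build_sample_pe(IMAGE_FILE_MACHINE_I386, b"!This program cannot be run in DOS mode.")))
    for p in paths:
        with open(p, "rb") as fh:
            print(p, triage(fh.read()))
```

Run it against the samples on the analysis VM only; it reads bytes and never executes anything, but the page's advice about not copying the samples to your host still applies to any script you point at them.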

Q10 malbuster_4 imports the function ShellExecuteA. From which DLL file does it import this function?

pe-tree malbuster_4
Answer

shell32.dll

Q11 Using capa, how many anti-VM instructions were identified in malbuster_1?

capa malbuster_1
Answer

3

Q12 Using capa, which binary can log keystrokes?
Answer

malbuster_3

Q13 Using capa, what is the MITRE ID of the DISCOVERY technique used by malbuster_4?
Answer

T1083

Q14 Which binary contains the string GodMode?

We run strings on each binary and pipe the output to grep -i God (-i ignores case) to see which sample contains the string.

Answer

malbuster_2
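The strings-plus-grep step used for Q14 and Q15 is easy to script so that every sample in the folder is checked in one pass. The following is an added example, not code from the walkthrough: it extracts printable ASCII runs the way strings does, also extracts UTF-16LE runs (useful for .NET binaries, which often store text that way), and reports which samples contain a case-insensitive literal needle. The sample bytes are constructed for the example; the names sample_a, sample_b and sample_c are placeholders, not the page's malbuster files.

```python
import os
import re
import sys
from typing import Dict, List


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs (like `strings`) plus UTF-16LE runs."""
    found = [m.group(0).decode("ascii")
             for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data)]
    found += [m.group(0).decode("utf-16le")
              for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)]
    return found


def grep_strings(data: bytes, needle: str) -> List[str]:
    """Equivalent of `strings file | grep -F -i needle`."""
    n = needle.lower()
    return [s for s in extract_strings(data) if n in s.lower()]


def binaries_containing(samples: Dict[str, bytes], needle: str) -> List[str]:
    """Names of the samples whose strings contain the needle, sorted."""
    return sorted(name for name, data in samples.items() if grep_strings(data, needle))


def load_samples(folder: str) -> Dict[str, bytes]:
    """Read every regular file in a folder into memory (bytes only, nothing is run)."""
    out = {}
    for name in os.listdir(folder):
        path = os.path.join(folder, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                out[name] = fh.read()
    return out


# CONSTRUCTED sample data standing in for real binaries.
SAMPLES = {
    "sample_a": b"\x00\x01MZ\x90\x00"
                b"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\x00\xff\xfe",
    "sample_b": b"MZ" + "GodMode".encode("utf-16le") + b"\x00\x00junk\x7f\x80",
    "sample_c": b"\x00" * 8 + b"GetAsyncKeyState\x00",
}


if __name__ == "__main__":
    # Usage: python strings_grep.py <needle> [<folder>]
    needle = sys.argv[1] if len(sys.argv) > 1 else "god"
    samples = load_samples(sys.argv[2]) if len(sys.argv) > 2 else SAMPLES
    for name in binaries_containing(samples, needle):
        print(name, grep_strings(samples[name], needle))
```

The UTF-16 pass matters because plain strings (without -e l) misses wide-character text, so a .NET sample can hide a marker such as GodMode from an ASCII-only grep.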

Q15 Which binary contains the string **Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)**?
Answer

malbusters_1

Conclusion

Just your average day: parsing dodgy EXEs, decoding malware labels, and realizing everything still starts with GodMode.


$ Whoami

Cybersecurity learner, log nerd, and TryHackMe badge hoarder. Let’s connect on LinkedIn before I get pulled into another packet capture.