The room expects us to learn these topics:
- The principles of malware analysis
- An introduction to sandboxes
- Static vs. dynamic analysis
- Tools of the trade: PeStudio, ProcMon, Regshot
Today's target machine is a full Windows VM with a GUI, so we don't need the AttackBox today.
Don't go around clicking random stuff in the VM; the first task comes with a warning: "Please note, it is imperative that you do not execute the HopHelper.exe executable yet. The room will instruct you when to do so."
First things first, some jargon:
- There are two main branches of malware analysis: static and dynamic. Static analysis inspects a file without executing it (hashes, strings, headers, imports, resources), whereas dynamic analysis executes the sample in a controlled environment and observes what it does (processes, registry, file system, network).
- Sandboxes are safe, disposable, isolated environments. For example, each tab in our browsers is (supposed to be) sandboxed: my Facebook tab should not be able to access anything in my dev.to tab. Security professionals use sandboxes (usually VMs with no link to the production network and a snapshot to roll back to) to run potentially dangerous code. Another real-life example: if you are a highly targeted individual working in a sensitive area and you get a lot of malicious email, it is a good idea to open attachments in a sandboxed environment. Just saying.
Information gathered from static analysis
- Checksum: a cryptographic hash of the file (an MD5-length example is a93f7e8c4d21b19f2e12f09a5c33e48a; prefer SHA-256 today) that, for a secure hash function, is effectively unique to those exact bytes: change a single bit and the hash changes completely. Suppose someone gives you a file through an untrusted medium (a pen drive that changes hands, or a network that may be monitored or tampered with) and sends you the checksum of the unaltered file over a separate trusted channel (or simply publishes it on their website). On receipt you compute the checksum yourself and compare; a mismatch means the file was altered or corrupted in transit. Where does the checksum fit in static analysis? You compute it and look it up in a public repository (VirusTotal, for example) to see whether other researchers have already classified that exact file as malware. The caveat: a hash lookup only matches byte-identical files, so a recompiled or repacked sample gets a brand-new hash, and a miss does not mean the file is clean.
- Strings: the Linux 'strings' command, or the equivalent view in PeStudio, lists runs of printable text in the file: URLs, file paths, registry keys, error messages. These hint at what the binary does before you ever run it.
- Imports: which DLLs and API functions the binary's import table references. Networking functions (from wininet.dll or ws2_32.dll, say) suggest the sample talks to a remote server, possibly the attacker's own; registry and file APIs suggest persistence or dropped files.
- Resources: embedded data such as file icons, version information, manifests and sometimes a second payload.
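To make the static side concrete, here is an added example (not code from the room or from the post's author) that does the three things above on a file: computes its checksums, pulls out ASCII and UTF-16LE strings and flags the interesting ones, and reads just enough of the PE header to confirm the file really is an executable and list its sections. The sample bytes are constructed in code so it runs offline; the URL, registry path and DLL name embedded in it are hypothetical and are not taken from HopHelper.exe.

```python
import hashlib
import re
import struct


def build_sample() -> bytes:
    """Constructed sample: a minimal PE-shaped buffer, NOT HopHelper.exe.

    Every string inside it is hypothetical; it exists only so the script runs offline.
    """
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew: PE header lives at offset 0x80
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 here), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0x5F000000, 0, 0, 0, 0x0102)
    sections = b"".join(name.ljust(8, b"\x00") + b"\x00" * 32 for name in (b".text", b".rsrc"))
    body = (
        b"\x00" * 16
        + b"http://breachblocker-sandbox/panel\x00\x00\x00"  # hypothetical C2 URL (ASCII)
        + "Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")  # wide string
        + b"\x00\x00"
        + b"WININET.dll\x00ab\x00"
    )
    return bytes(dos) + b"PE\x00\x00" + coff + sections + body


def file_hashes(data: bytes) -> dict:
    """Checksums to look up in a public hash repository (exact-match only)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Printable ASCII runs plus UTF-16LE runs; Windows binaries store many strings wide."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return found


def pe_header(data: bytes) -> dict:
    """Parse just enough of the PE header to sanity-check the file and list section names."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature missing")
    machine, nsec, stamp, _, _, opt_size, flags = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 4 + 20 + opt_size  # section table follows the optional header
    names = [
        data[sec_off + 40 * i : sec_off + 40 * i + 8].rstrip(b"\x00").decode("ascii", "replace")
        for i in range(nsec)
    ]
    return {"machine": hex(machine), "timestamp": stamp, "characteristics": hex(flags), "sections": names}


# Substrings that make a string worth a second look: URLs, autorun registry paths,
# DLL names, temp directories and shells.
INTERESTING = ("http", "\\run", ".dll", "\\temp\\", "cmd.exe", "powershell")


def flag_strings(strings: list) -> list:
    return [s for s in strings if any(k in s.lower() for k in INTERESTING)]


def triage(data: bytes) -> dict:
    strings = extract_strings(data)
    return {
        "hashes": file_hashes(data),
        "header": pe_header(data),
        "strings": strings,
        "flagged": flag_strings(strings),
    }


if __name__ == "__main__":
    report = triage(build_sample())
    for alg, digest in report["hashes"].items():
        print(f"{alg:7} {digest}")
    print(report["header"])
    for s in report["flagged"]:
        print("flagged:", s)
```

Run it against a real file by replacing `build_sample()` with `open(path, "rb").read()`. Note the three zero bytes after the ASCII URL in the sample: without them the wide-string regex would happily start at the URL's last byte, which is exactly the kind of junk you see in naive string dumps of real binaries.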
In the THM target VM, start PeStudio and open our malware .exe file, located in the folder ...Desktop\HopHelper

Questions 1 and 2: copy the SHA-256 hash shown in PeStudio. If the THM answer box does not accept it directly, paste it into a text editor first so it is copied as one clean string, then paste that into the answer box.
The next tool to know is Regshot: take a snapshot of the registry, run the malware, take a second snapshot, then compare the two. The comparison lists every key and value added, deleted or modified in between, which is where persistence mechanisms such as autorun entries show up. Take the first snapshot immediately before running the sample so that background activity adds as little noise as possible.
THM Question: What registry value has the HopHelper.exe modified for persistence?

Notice that there are many results for 'HopHelper'; narrow them down to the ones under an autostart location.
Also notice that the answer field starts with three characters and a slash. There's your answer. If you have issues with the slash separator like I did here, try pasting it section by section...
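The Regshot comparison, and the filtering you do on its output by hand, as an added example (not the room's tooling and not the post's author's code). The two snapshots are constructed in code; the value names and paths in them are hypothetical, so the "hit" below is not the room's actual answer, only the shape of it. It also shows why a plain search for the sample's name returns too much: a value that merely mentions HopHelper outside an autostart location is noise, while a value under a Run key that launches it is persistence.

```python
import copy

# Registry locations where a value that launches a program gives persistence.
AUTOSTART_MARKERS = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",  # also matches RunOnce
    r"\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"\SYSTEM\CurrentControlSet\Services",
)

# Constructed snapshots: key -> {value name: data}. Hypothetical content, not real Regshot output.
BEFORE = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs": {
        "MRUListEx": "00 00 00 00",
    },
}
AFTER = copy.deepcopy(BEFORE)
# What the (hypothetical) sample did between the two snapshots:
AFTER[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"]["HopHelper"] = (
    r"C:\Users\analyst\Desktop\HopHelper\HopHelper.exe"
)
# Background noise: an MRU list the shell updated on its own.
AFTER[r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"]["MRUListEx"] = "01 00 00 00"
# Mentions the sample's name but is not an autostart location.
AFTER[r"HKCU\Software\HopHelper"] = {"InstallDir": r"C:\Users\analyst\Desktop\HopHelper"}


def diff_snapshots(before: dict, after: dict) -> list:
    """Regshot-style comparison: every value added, deleted or modified between snapshots."""
    changes = []
    for key in sorted(set(before) | set(after)):
        old, new = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old) | set(new)):
            if name not in old:
                changes.append(("added", key, name, None, new[name]))
            elif name not in new:
                changes.append(("deleted", key, name, old[name], None))
            elif old[name] != new[name]:
                changes.append(("modified", key, name, old[name], new[name]))
    return changes


def persistence_candidates(changes: list, needle: str) -> list:
    """Keep added/modified values that sit in an autostart location and reference the sample."""
    hits = []
    for kind, key, name, _old, new in changes:
        if kind == "deleted":
            continue
        in_autostart = any(m.lower() in key.lower() for m in AUTOSTART_MARKERS)
        if in_autostart and needle.lower() in f"{name} {new}".lower():
            hits.append(f"{key}\\{name} = {new}")
    return hits


if __name__ == "__main__":
    changes = diff_snapshots(BEFORE, AFTER)
    print(f"{len(changes)} changed values:")
    for change in changes:
        print("  ", change)
    print("persistence candidates:")
    for hit in persistence_candidates(changes, "HopHelper"):
        print("  ", hit)
```

With real Regshot output you would feed its "Values added" and "Values modified" sections into the same filter; the marker list is deliberately short and you should extend it with the other autostart locations you care about (scheduled tasks live on disk, not in these keys).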

And finally, filtering processes with Process Monitor, which "captures events of various processes on the system". Click the icon named Procmon64 - Shortcut, run the malicious HopHelper.exe from Desktop\HopHelper, wait a minute and then pause capturing in ProcMon (File > Capture Events, or Ctrl+E).
After applying two filters in ProcMon, if you don't see anything (as I didn't at first), re-read the THM instructions. The two filters are:
- Process Name is HopHelper.exe
- Operation contains 'TCP'
Question: THM wants to know what network protocol is in use. With the TCP connections going to port 80, HTTP is the obvious answer...
Bonus question: Can you find the web panel that HopHelper.exe is communicating with?
In the picture above we can see that HopHelper has established connections to a machine named 'breachblocker-sandbox' (the sandbox itself, aka localhost!), and that ports 49982 and 50055 appear in the events.
Does this mean the web panel is at breachblocker-sandbox:50055/ or http://breachblocker-sandbox:49982? Nope. Those are the client-side ephemeral ports of the two connections; the remote end of each one is port 80, which is where the panel actually listens. Open the Chrome browser to go to the web panel:
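The same two ProcMon filters applied to a CSV export, plus the step the bonus question hinges on, as an added example (not the room's code and not the author's): group the TCP events by remote host and port so the client's ephemeral ports fall on the left of the arrow and the service port on the right. The CSV rows are constructed; hostnames, PIDs, timestamps and addresses are made up. The Path column is taken here to be "local:port -> remote:port", which is how ProcMon presents TCP events; check this against your own capture. One row shows the port as "http" rather than 80 because ProcMon resolves well-known port names by default.

```python
import csv
import io

# Constructed ProcMon CSV export (File > Save..., CSV). Nothing here is a real capture.
SAMPLE_CSV = "\n".join([
    '"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
    '"10:01:02.1234567 AM","HopHelper.exe","4120","TCP Connect","breachblocker-sandbox:49982 -> breachblocker-sandbox:80","SUCCESS","Length: 0"',
    '"10:01:02.1301112 AM","HopHelper.exe","4120","TCP Send","breachblocker-sandbox:49982 -> breachblocker-sandbox:80","SUCCESS","Length: 211"',
    '"10:01:02.2200000 AM","HopHelper.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\HopHelper","SUCCESS","Type: REG_SZ"',
    '"10:01:07.0000000 AM","chrome.exe","5532","TCP Connect","breachblocker-sandbox:50001 -> 203.0.113.5:https","SUCCESS","Length: 0"',
    '"10:01:32.5000000 AM","HopHelper.exe","4120","TCP Connect","breachblocker-sandbox:50055 -> breachblocker-sandbox:http","SUCCESS","Length: 0"',
    '"10:01:32.5100000 AM","HopHelper.exe","4120","UDP Send","breachblocker-sandbox:62000 -> 192.0.2.1:53","SUCCESS","Length: 44"',
])

# Service names ProcMon may substitute for numeric ports, and what the common ports mean.
PORT_NAMES = {"http": 80, "https": 443, "domain": 53, "ftp": 21, "ssh": 22, "smtp": 25}
WELL_KNOWN = {80: "HTTP", 443: "HTTPS (TLS)", 21: "FTP", 22: "SSH", 25: "SMTP", 53: "DNS"}


def parse_endpoint(text: str) -> tuple:
    """'host:port' -> (host, port as int). Bracketed IPv6 literals are not handled here."""
    host, _, port = text.strip().rpartition(":")
    return host, int(port) if port.isdigit() else PORT_NAMES[port.lower()]


def tcp_events(csv_text: str, process_name: str) -> list:
    """The two ProcMon filters: Process Name is <process_name>, Operation contains TCP."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if "tcp" not in row["Operation"].lower():
            continue
        local, remote = row["Path"].split("->", 1)
        _lhost, lport = parse_endpoint(local)
        rhost, rport = parse_endpoint(remote)
        events.append({"op": row["Operation"], "local_port": lport,
                       "remote_host": rhost, "remote_port": rport})
    return events


def remote_endpoints(events: list) -> dict:
    """Group by remote host:port. The local ports are the client's ephemeral ports, not the service."""
    summary = {}
    for ev in events:
        entry = summary.setdefault((ev["remote_host"], ev["remote_port"]),
                                   {"events": 0, "local_ports": set()})
        entry["events"] += 1
        entry["local_ports"].add(ev["local_port"])
    return summary


def guess_protocol(port: int) -> str:
    """Port-based guess only; confirm with the actual traffic if you can capture it."""
    return WELL_KNOWN.get(port, "unknown (ephemeral or non-standard port)")


if __name__ == "__main__":
    events = tcp_events(SAMPLE_CSV, "HopHelper.exe")
    for (host, port), info in remote_endpoints(events).items():
        print(f"{host}:{port} ({guess_protocol(port)}): {info['events']} events "
              f"from local ports {sorted(info['local_ports'])}")
```

If the resolved names get in the way, turn off Options > Show Resolved Network Addresses in ProcMon and you get numeric ports throughout.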




Top comments (1)
Nice! It is going to be interesting to see AI in the cybersecurity field.