Malware Analysis

Table of Contents

  • Malware Analysis
    • History of Malware
      • task1 Introduction
      • task2 The Creeper Program
      • task3 Reaper
      • task4 Wabbit
      • task5 ANIMAL
      • task6 Elk Cloner
      • task7 The Morris Internet Worm
      • task8 Cascade
      • task9 Thanks for reading!
    • MAL:Malware Introductory
      • Task1 What is the Purpose of Malware Analysis?
      • Task2 Understanding Malware Campaigns
      • Task3 Identifying if a Malware Attack has Happened
      • Task4 Static Vs. Dynamic Analysis
      • Task5 Discussion of Provided Tools & Their Uses
      • Task6 Connecting to the Windows Analysis Environment (Deploy)
      • Task7 Obtaining MD5 Checksums of Provided Files
      • Task8 Now let's see if the MD5 Checksums have been analysed before
      • Task9 Identifying if the Executables are obfuscated / packed
      • Task10 What is Obfuscation / Packing?
      • Task11 Visualising the Differences Between Packed & Non-Packed Code
      • Task12 Introduction to Strings
      • Task13 Introduction to Imports
      • Task14 Practical Summary
    • Basic Malware RE
      • Task1 Introduction
      • Task2 Strings :: Challenge 1
      • Task3 Strings :: Challenge 2
      • Task4 Strings 3 :: Challenge 3

History of Malware

task1 Introduction

Read the above.

task2 The Creeper Program

1. Read the above.

2. Who re-designed the Creeper Virus?

Ray Tomlinson

3. How is data transferred through a network?

Packet Switching

4. Who created the first concept of a virus?

John von Neumann

5. What text did the Creeper program print to the screen?

I’m the creeper, catch me if you can!

6. What does ARPANET stand for?

The Advanced Research Projects Agency Network

7. Which team created the network control program?

Network Working Group

8. What is the first virus commonly known as?

Creeper

task3 Reaper

1. Read the above.

2. Who created Reaper?

Ray Tomlinson

3. What type of malware may Reaper be known as?

nematode

4. What was the first ever anti-virus program known as?

Reaper

5. What was Bob Thomas’ main project to develop?

resource-sharing capability

6. Research: What does API stand for?

Application Programming Interface

task4 Wabbit

1. Read the information.

2. What is a modern day fork bomb also known as?

denial of service attack

3. Was Rabbit one of the first malicious programs? (Y/N)

Y

4. What did the name “Wabbit” derive from?

looney tunes cartoons

task5 ANIMAL

1. Read the above.

2. When was PERVADE added to ANIMAL?

1975

3. Did John think this was a good idea? (Y/N)

Y

4. What computers did the program spread across?

UNIVACs

5. What type of malware is ANIMAL also known as?

Trojan

6. Who built the wooden horse?

the Greeks

task6 Elk Cloner

1. Read the above.

2. Which US Military regiment caught the virus?

US Navy

3. How many lines long is the Elk Cloner poem?

7

4. When was Elk Cloner written?

1982

5. Is a boot sector virus more or less common in modern technology?

less

6. How long did it take Richard to write the program?

2 weeks

7. Which Operating System was affected?

Apple II

task7 The Morris Internet Worm

1. Read the above.

2. What commands were a very big way that allowed Morris to access the computers?

Berkeley r-commands

3. Who was one of the first people prosecuted under the computer misuse act?

Robert Tappan Morris

4. What type of attack is a “Fork Bomb”?

denial of service

5. When was this worm released?

1988

6. How many computers did it infect within 15 hours?

2000

7. What does rsh mean?

remote shell

8. Under which act was Morris arrested?

1988 Computer Fraud and Abuse act

task8 Cascade

1. Read the above.

2. What was the name of this virus?

Cascade

3. What file extensions would this virus infect?

.COM

4. How many variants of the virus were possibly found?

40

5. What operating system would the virus run on?

DOS

6. Which Operating System/Frame Work would Cascade try to avoid?

IBM

7. How many bytes would be added onto your file if it got infected?

1704

task9 Thanks for reading!

Thanks!

MAL:Malware Introductory

Task1 What is the Purpose of Malware Analysis?

Ah, now I kinda understand…

Key questions to ask about a piece of malware:

  • Point of entry (how it got onto the host)
  • Conditions required for it to run
  • What it does while executing
  • How to prevent and detect it

Task2 Understanding Malware Campaigns

1. What is the famous example of a targeted attack-esque Malware that targeted Iran?

Stuxnet

Stuxnet (震网): a worm used in a targeted attack against infrastructure.

2. What is the name of the Ransomware that used the Eternalblue exploit in a “Mass Campaign” attack?

Wannacry

WannaCry (spread via EternalBlue, 永恒之蓝): exploited the MS17-010 vulnerability.

Task3 Identifying if a Malware Attack has Happened

Stages of a malware attack:

1. Delivery (the initial attack)

2. Execution (infection)

3. Maintaining persistence

4. Persistence

5. Propagation (spreading)

1. Name the first essential step of a Malware Attack?

Delivery

2. Now name the second essential step of a Malware Attack?

Execution

3. What type of signature is used to classify remnants of infection on a host?

Host-Based Signature

4. What is the name of the other classification of signature used after a Malware attack?

Network-Based Signature

Attack signatures:

- Host-Based Signature

- Network-Based Signature

Task4 Static Vs. Dynamic Analysis

I understand the two broad categories employed when analysing potential malware!

Task5 Discussion of Provided Tools & Their Uses

Let's proceed

  • Dependency Walker (depends)
  • PeID
  • PE Explorer
  • PEview
  • Resource Hacker
  • IDA Freeware
  • WinDbg

Task6 Connecting to the Windows Analysis Environment (Deploy)

Username: Analysis

Password: Tryhackme123!

I’ve logged in!

Task7 Obtaining MD5 Checksums of Provided Files

Computing a file's MD5 on Windows

In CMD: certutil -hashfile <filename> MD5 (or SHA1 / SHA256 for those algorithms)

1. The MD5 Checksum of aws.exe

d2778164ef643ba8f44cc202ec7ef157

2. The MD5 Checksum of Netlogo.exe

59cb421172a89e1e16c11a428326952c

3. The MD5 Checksum of vlc.exe

5416be1b8b04b1681cb39cf0e2caad9f
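The same checksums can be produced on any platform with a short script, which is handy when you want to hash a whole directory of samples or compare against a hash pasted from a report. The example below is an added illustration, not code from the TryHackMe room; the sample file it hashes is constructed on the fly (the bytes "abc"), and `certutil_matches` tolerates the space-separated byte format that older certutil versions print so a copied hash still compares correctly.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1 << 20  # read 1 MiB at a time so large samples do not need to fit in RAM


def file_digests(path, algorithms=("md5", "sha1", "sha256")):
    """Hash a file once, feeding every requested algorithm from the same read loop."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as handle:
        while True:
            block = handle.read(CHUNK_SIZE)
            if not block:
                break
            for hasher in hashers.values():
                hasher.update(block)
    return {name: hasher.hexdigest() for name, hasher in hashers.items()}


def normalise_hex(text):
    """Lower-case a pasted hash and drop the spaces certutil inserts between bytes."""
    return "".join(text.split()).lower()


def certutil_matches(path, algorithm, expected):
    """True if the file's digest equals a hash copied from certutil / a report."""
    return file_digests(path, (algorithm,))[algorithm] == normalise_hex(expected)


def write_constructed_sample(contents=b"abc"):
    """Write a constructed sample file and return its path (caller removes it)."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as handle:
        handle.write(contents)
    return path


if __name__ == "__main__":
    sample = write_constructed_sample()
    try:
        for name, digest in file_digests(sample).items():
            print(f"{name.upper()} hash of {sample}:\n{digest}")
    finally:
        os.remove(sample)
```

The MD5 shown for each file can then be searched on VirusTotal exactly as the next task does; hashing locally first means the sample itself never has to leave the analysis VM.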

Task8 Now let's see if the MD5 Checksums have been analysed before

1. Does Virustotal report this MD5 Checksum / file aws.exe as malicious? (Yay/Nay)

Nay

2. Does Virustotal report this MD5 Checksum / file Netlogo.exe as malicious? (Yay/Nay)

Nay

3. Does Virustotal report this MD5 Checksum / file vlc.exe as malicious? (Yay/Nay)

Nay

VirusTotal

Task9 Identifying if the Executables are obfuscated / packed

1. What does PeID propose 1DE9176AD682FF.dll being packed with?

Microsoft Visual C++ 6.0

2. What does PeID propose AD29AA1B.bin being packed with?

Microsoft Visual C++ 6.0

Task10 What is Obfuscation / Packing?

What packer does PeID report file “6F431F46547DB2628” to be packed with?

FSG 1.0 dulek/xt

Task11 Visualising the Differences Between Packed & Non-Packed Code

Cursed obfuscation!

Task12 Introduction to Strings

1. What is the URL that is output after using “strings”?

practicalmalwareanalysis.com

strings "Tasks\Task12\67844c01"

2. How many unique “Imports” are there?

5

Task13 Introduction to Imports

How many references are there to the library “msi” in the “Imports” tab of IDA Freeware for “install.exe”?

Open IDA and load Task13/install.exe, choosing the pe64.dll loader (Portable executable for AMD64). Then go to View > Open subviews > Imports; the list shows 9 references to the msi library.

9

Task14 Practical Summary

1. What is the MD5 Checksum of the file?

f5bd8e6dc6782ed4dfa62b8215bdc429

2. Does Virustotal report this file as malicious? (Yay/Nay)

yay

3. Output the strings using Sysinternals “strings” tool.

What is the last string outputted?

d:h:

4. What is the output of PeID when trying to detect what packer is used by the file?

Nothing Found

Basic Malware RE

Password for the ZIP is MalwareTech

Task1 Introduction

Read the above

Task2 Strings :: Challenge 1

What is the flag of which that MD5 gets generated?

FLAG{CAN-I-MAKE-IT-ANYMORE-OBVIOUS}

Task3 Strings :: Challenge 2

What is the flag of which that MD5 gets generated?

FLAG{STACK-STRINGS-ARE-BEST-STRINGS}

Task4 Strings 3 :: Challenge 3

What is the flag of which that MD5 gets generated?

FLAG{RESOURCES-ARE-POPULAR-FOR-MALWARE}

Open strings3.exe_ in IDA. The import to focus on is LoadStringA, which takes four parameters; the uID parameter selects which string resource gets loaded.

  1. The instance handle (hInstance) is NULL.
  2. The identifier (uID) is set to the stack variable uID.
  3. The read buffer (lpBuffer) is set to the stack variable Buffer.
  4. The buffer size (cchBufferMax) is set to 1023 (0x3FF).

The program builds the value through a short sequence of arithmetic and stores it in uID:

mov eax, 1         ; eax = 1
shl eax, 8         ; eax = 1 << 8 = 256
xor edx, edx       ; edx = 0
inc edx            ; edx = 0 + 1 = 1
shl edx, 4         ; edx = 1 << 4 = 16
or eax, edx        ; eax = 256 or 16 = 272
mov [ebp+uID], eax ; uID = 272

Open Strings3.exe_ in Resource Hacker and look up the string resource with ID 272; that string is the flag.
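Rather than hand-tracing the arithmetic each time, a tiny interpreter for the handful of instructions in the listing reproduces the value, and a second helper tells you where that ID lives in the PE string table, since Resource Hacker groups string resources in blocks of 16 (block number = uID / 16 + 1, entry = uID mod 16). This is an added example written for this walkthrough, not code from the room; `emulate` understands only the mov/shl/xor/inc/or forms used above and treats `[ebp+uID]` as a named memory slot.

```python
REGISTERS = ("eax", "ebx", "ecx", "edx")
MASK32 = 0xFFFFFFFF

# The listing from the walkthrough, fed to the interpreter verbatim.
LISTING = """
mov eax, 1         ; eax = 1
shl eax, 8         ; eax = 1 << 8 = 256
xor edx, edx       ; edx = 0
inc edx            ; edx = 0 + 1 = 1
shl edx, 4         ; edx = 1 << 4 = 16
or eax, edx        ; eax = 256 or 16 = 272
mov [ebp+uID], eax ; uID = 272
"""


def _immediate(token):
    """Parse decimal (1), C-style hex (0x3FF) or IDA-style hex (3FFh) immediates."""
    token = token.strip()
    if token.lower().endswith("h"):
        return int(token[:-1], 16)
    return int(token, 0)


def emulate(listing):
    """Run the subset of x86 used in the listing; return (registers, memory)."""
    regs = {name: 0 for name in REGISTERS}
    memory = {}

    def value(operand):
        return regs[operand] if operand in regs else _immediate(operand)

    for raw in listing.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop the comment
        if not line:
            continue
        mnemonic, _, rest = line.partition(" ")
        operands = [part.strip() for part in rest.split(",")] if rest else []
        if mnemonic == "mov":
            dst, src = operands
            if dst.startswith("["):
                memory[dst] = value(src)  # store to a stack slot such as [ebp+uID]
            else:
                regs[dst] = value(src)
        elif mnemonic == "shl":
            regs[operands[0]] = (regs[operands[0]] << value(operands[1])) & MASK32
        elif mnemonic == "xor":
            regs[operands[0]] ^= value(operands[1])
        elif mnemonic == "inc":
            regs[operands[0]] = (regs[operands[0]] + 1) & MASK32
        elif mnemonic == "or":
            regs[operands[0]] |= value(operands[1])
        else:
            raise ValueError(f"unsupported instruction: {mnemonic}")
    return regs, memory


def string_table_location(uid):
    """Map a LoadString ID to the (block, entry) Resource Hacker shows for RT_STRING."""
    return (uid >> 4) + 1, uid & 0xF


if __name__ == "__main__":
    regs, memory = emulate(LISTING)
    uid = memory["[ebp+uID]"]
    block, entry = string_table_location(uid)
    print(f"uID = {uid}; look in String Table block {block}, entry {entry}")
```

The block/entry mapping is what you need when the resource viewer lists string tables by block rather than by individual ID: 272 sits as the first entry of block 18.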
