Malware Mondays!
Sharpen your skills with real-world challenges!
- Dive into hands-on exercises released on Mondays, each featuring a specific malware artifact or data capture.
- Learn new tools and tactics by tackling these practical challenges.
- Level up your learning with a live stream review every Friday, breaking down the challenges and solutions.

Please note, the password for all zip archives is: thecyberyeti

MM09 - File ID & Hashing
Posted: 04 Dec 2024
Identifying files by file type is often the first step in triage analysis. Hashing provides a way to uniquely identify not only whole files but also portions of a file, such as individual sections or its imports. In this Malware Mondays, we'll explore common file identification utilities such as file and magika, along with cryptographic hashing algorithms. We'll also explore using YARA to generate and create detections based on hashes.

What you'll learn:
- Quick and effective ways to identify file type
- Techniques for using hashes to identify samples

Analysis objectives:
- Identify each file in the sample corpus
- Create a YARA rule that uses section hashing to identify samples

MM07 - Sandbox Analysis
Posted: 05 Aug 2024
Sandboxes play a vital role in malware analysis, and this week we'll take a look at some of the most popular ones out there! AnyRun and Triage are two of my go-tos, but did you know VirusTotal also includes behavioral output? We'll also discuss how to leverage VirusTotal during your investigation.

Sample SHA-256: 24ca467f398c64c1f70011ffc53598f2f09971998e08e2267f39f06776afbb15

What you'll learn:
- What an online sandbox is, and some cautions and caveats when using one
- How to quickly and effectively process sandbox output

Analysis objectives:
- Which malware family do the sandboxes classify the sample as?
- What is the primary process name of the malware?
- How does the malware gain persistence?

MM05 - Capabilities with CAPA
Posted: 05 July 2024
This week we'll focus on identifying capabilities in executable files with the CAPA tool from the FLARE team! For this week's samples we'll use a variety of executables from my GitHub repo and the Amadey malware from MM01.

What you'll learn:
- What CAPA is and how to get started
- Analyzing CAPA output to gain insight into executable file capabilities
- The basics of CAPA rules

Analysis objectives:
- Extract capabilities from the custom samples from previous episodes: what does CAPA uncover?
- Does the Amadey malware (from MM01) contain observable capabilities?

MM03 - Network Simulation
Posted: 4 June 2024
This week's exercise will focus on network simulation with FakeNet-NG and packet analysis with Wireshark.

What you'll learn:
- Basic usage of FakeNet-NG and Wireshark
- How to associate network activity with process activity
- How to identify malicious activity in network traffic

Analysis objectives:
- What are the malicious IPs or domain names?
- Is there any potential command and control traffic?
- What network protocols were used?
- Was there an attempt to download additional payloads?

MM01 - Analyzing ProcMon Data
Posted: 25 March 2024
This week's exercise will focus on analyzing Process Monitor (ProcMon) data captured from the Amadey malware. Your goal is to identify key host-based indicators.

What you'll learn:
- Basic ProcMon usage
- How to filter ProcMon events to focus on suspicious activity
- How to identify common persistence mechanisms
- How to identify modular activity (i.e. plugins)

Analysis objectives:
- Identify malicious process(es) by name or PID
- Does the malware attempt to gain persistence?
- Is this malware modular (i.e. does it download additional payloads)?

MM08 - PE File Basics
Posted: 19 Aug 2024
To perform effective triage analysis, it is important to understand what your tools are telling you. Since a large amount of malware is delivered in the PE file format, it's even more important to understand the common tools used to explore these files, along with the important characteristics of the underlying file format.

Sample SHA-256: 24ca467f398c64c1f70011ffc53598f2f09971998e08e2267f39f06776afbb15

What you'll learn:
- Popular tools to quickly triage and assess PE files
- Important characteristics that help you decide the next steps in your analysis

Analysis objectives:
- Identify PE file format anomalies that indicate malicious intent
- What are the uncommon section names?
- What is the entropy of each section?
- What structure contains the AddressOfEntryPoint field?

MM06 - Analysis with Suricata
Posted: 22 July 2024
This week we'll focus on analyzing network traffic with Suricata, which will include file identification, alert triage, and flow analysis. We'll be using the same PCAP from MM03, as well as a few others from online sandboxes (which will be shared during the live stream).

What you'll learn:
- How to use Suricata in offline mode to augment your malware analysis
- Suricata's primary outputs, which go far beyond alert generation
- Identifying unique traffic patterns to help discover potentially malicious activity

Analysis objectives:
- What alerts are generated, and what is their significance?
- What are the most significant flows?

MM04 - Strings and FLOSS
Posted: 15 June 2024
This week we'll focus on basic string analysis and the FLOSS tool from the FLARE team.

What you'll learn:
- The difference between ASCII and Unicode strings
- Extracting strings using FLOSS and other string utilities
- Identifying signs of packing or other obfuscation

Analysis objectives:
- From the custom sample (GitHub), what is the name of the mutex?
- Does the custom sample contain Unicode (wide-character) strings?
- Does the Amadey malware (from MM01) contain signs of packing or obfuscation?

MM02 - Process Investigation
Posted: 19 April 2024
This week's exercise will focus on analyzing process activity using Process Explorer from Sysinternals and System Informer, the successor to Process Hacker 2.

What you'll learn:
- Basic usage of Process Explorer and System Informer
- How to determine what resources a process has open
- How to identify process activity

Analysis objectives:
- Identify malicious process(es) by name or PID
- Determine open resources such as DLLs and mutexes
- Identify the file system location the process was loaded from
