We covered analysing malicious macros and PDFs, and the memory forensics of a victim of the Jigsaw ransomware, all done with the Linux-based REMnux toolset as part of my malware analysis series. This also solves the TryHackMe MAL: REMnux – The Redux room.

What is Live Malware Analysis

Before performing any live analysis, take a backup of the compromised host and isolate it from the network. During the live analysis, always use your own tools: attackers tend to modify the tools already on the system after compromising it.
If you are analyzing a Windows machine, mount a USB drive with known-good tools.
If you are analyzing a Linux machine, again use a USB drive with clean tools, mount it under /mnt/, and add its directories to the environment variables so the tools can be invoked without specifying a path, e.g.:

export PATH=/mnt/usb/bin:/mnt/usb/sbin 

export LD_LIBRARY_PATH=/mnt/usb/lib:/mnt/usb/lib64
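As an added example (not part of the original post), a small POSIX shell helper that does what the two exports above do and then checks that a given command really resolves from the clean mount rather than from the compromised host. The mount point /mnt/usb is the one the text uses; the function names are mine.

```shell
#!/bin/sh
# Point the shell at a clean toolset mounted from USB (mount point assumed: /mnt/usb)
# and verify that commands resolve from there, not from the compromised host.

# Replace PATH and LD_LIBRARY_PATH with the trusted mount only, as the exports above do.
use_trusted_tools() {
    root="$1"
    [ -d "$root/bin" ] || { echo "no bin/ directory under $root" >&2; return 1; }
    export PATH="$root/bin:$root/sbin"
    export LD_LIBRARY_PATH="$root/lib:$root/lib64"
}

# Return 0 only if command "$2" resolves to a binary below "$1". A command that
# resolves elsewhere, or not at all, is one the attacker may have tampered with.
resolves_from() {
    root="$1"
    cmd="$2"
    resolved=$(command -v "$cmd" 2>/dev/null) || return 1
    case "$resolved" in
        "$root"/*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Check a list of tools and report any that do not come from the trusted mount.
# Returns non-zero if at least one tool is missing from the mount.
check_trusted_tools() {
    root="$1"; shift
    bad=0
    for t in "$@"; do
        if resolves_from "$root" "$t"; then
            echo "ok        $t -> $(command -v "$t")"
        else
            echo "UNTRUSTED $t (not found under $root)" >&2
            bad=1
        fi
    done
    return $bad
}

# Usage on the host (tool directory assumed):
#   . ./trusted_tools.sh
#   use_trusted_tools /mnt/usb && check_trusted_tools /mnt/usb ls ps netstat lsof
```

Because PATH is replaced rather than prepended, anything not on the mount simply fails to resolve, which is the behaviour you want during triage: a tool you forgot to bring shows up as UNTRUSTED instead of silently running the host's possibly trojaned copy.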

PDF analysis & reverse engineering

Attackers often embed malicious code in PDF files. Deciding whether a PDF is malicious starts with analyzing that embedded code.

peepdf

Display the embedded code:

root@kali:peepdf demo.pdf

Extracting the embedded code: write the peepdf command to a script file, run it in batch mode with -s, then inspect the extracted JavaScript:

root@kali:echo 'extract js > demo2.pdf' > extracted_javascript.txt

root@kali:peepdf -s extracted_javascript.txt demo.pdf

root@kali:cat demo2.pdf
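To show what peepdf's "Suspicious elements" summary is counting, here is an added example (mine, not peepdf's code) that does a first-pass triage from the shell: it counts the PDF name objects that carry or trigger active content (/JavaScript, /JS, /OpenAction, /AA, /Launch and similar) and flags hex-escaped names such as /J#61vaScript, a common way to hide those keywords from naive grepping. The keyword list is the usual pdfid-style set, not peepdf's exact categories, and the sample PDF in the test is constructed.

```shell
#!/bin/sh
# Quick PDF triage in the spirit of peepdf's "Suspicious elements" summary.
# Caveat: this only sees names in uncompressed parts of the file; peepdf also
# decodes object streams and filters, so use it for the real analysis.

# Names that typically carry or trigger active content (assumed pdfid-style list).
SUSPICIOUS_NAMES="/JavaScript /JS /OpenAction /AA /Launch /EmbeddedFile /RichMedia /AcroForm"

# Count occurrences of one name in file "$1" as a whole token, so /JS does not
# also match /JSX. Prints the count; prints 0 when the name is absent.
count_name() {
    file="$1"; name="$2"
    grep -a -o -E "${name}"'([^[:alnum:]]|$)' "$file" 2>/dev/null | wc -l | tr -d '[:space:]'
}

# Count PDF names that use #xx hex escapes (e.g. /J#61vaScript). Legitimate
# files rarely need them; malware uses them to hide keywords from scanners.
hex_escaped_names() {
    grep -a -o -E '/[[:alnum:]]*#[[:xdigit:]]{2}' "$1" 2>/dev/null | wc -l | tr -d '[:space:]'
}

# Print per-name hits and warnings to stderr, and the number of suspicious
# categories present to stdout, so callers can use it programmatically.
pdf_suspicious_categories() {
    file="$1"; found=0
    for n in $SUSPICIOUS_NAMES; do
        c=$(count_name "$file" "$n")
        if [ "$c" -gt 0 ]; then
            echo "$n: $c" >&2
            found=$((found + 1))
        fi
    done
    h=$(hex_escaped_names "$file")
    [ "$h" -gt 0 ] && echo "warning: $h hex-escaped name(s); keywords may be hidden" >&2
    echo "$found"
}

# Usage: pdf_suspicious_categories suspect.pdf
```

A hit count here is a reason to open the file in peepdf and extract the JavaScript as shown above, not a verdict: /AcroForm and /EmbeddedFile appear in plenty of benign documents, while a file with zero hits may still be hiding everything inside a compressed object stream.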

Packing and Unpacking

Packers take an executable as input and output another executable. That output will have been modified in some way depending on the packer; for example, the new executable may be compressed and/or obfuscated using mathematical transformations.

Legitimate software developers use packing to reduce the size of their applications and, ultimately, to protect their work from being stolen. It is, however, a double-edged sword: malware authors reap the same benefits, making reverse engineering and detection of the code hard or even impossible.

A few characteristics indicate that a file may be packed:

  • Remember file entropy? Packed files have high entropy.
  • There are very few imports; a packed file may only import “GetProcAddress” and “LoadLibrary”.
  • The executable may have sections named after a particular packer, such as UPX.
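The three indicators above as shell helpers, added here as an example of my own rather than code from the post: Shannon entropy from the raw bytes with od and awk (0.0 for a file of one repeated byte value, 8.0 when all 256 values are equally frequent, which is the maximum for a byte stream), a count of UPX markers (UPX0/UPX1 are UPX's default section names and "UPX!" its header magic), and a count of GetProcAddress/LoadLibrary strings. The entropy thresholds and the function names are assumptions; the sample files in the test are constructed.

```shell
#!/bin/sh
# Packing indicators from the list above, as POSIX shell helpers.

# Shannon entropy of a file in bits per byte: 0.0 means one byte value throughout,
# 8.0 means every byte value is equally likely (the ceiling for a byte stream).
file_entropy() {
    od -An -v -tu1 "$1" | awk '
        { for (i = 1; i <= NF; i++) { c[$i]++; n++ } }
        END {
            h = 0
            if (n > 0) for (b in c) { p = c[b] / n; h -= p * log(p) / log(2) }
            printf "%.4f\n", h
        }'
}

# Rule of thumb (assumption): compressed or encrypted payloads push whole-file
# entropy above roughly 7 bits per byte; plain native code usually sits lower.
entropy_class() {
    awk -v h="$1" 'BEGIN { if (h >= 7.0) print "high"; else if (h >= 5.0) print "medium"; else print "low" }'
}

# Number of UPX markers in the file: section names UPX0/UPX1 and the "UPX!" magic.
# Note that a packer can rename its sections, so zero here proves nothing.
upx_markers() {
    grep -a -o -E 'UPX[01!]' "$1" 2>/dev/null | wc -l | tr -d '[:space:]'
}

# Number of GetProcAddress/LoadLibrary strings. A stub that imports only these
# resolves everything else at run time, which is the "very few imports" sign.
loader_api_strings() {
    grep -a -o -E '(GetProcAddress|LoadLibrary[AW]?)' "$1" 2>/dev/null | wc -l | tr -d '[:space:]'
}

# One-line summary of all three indicators for a file.
packing_report() {
    f="$1"
    e=$(file_entropy "$f")
    printf '%s: entropy %s (%s), UPX markers %s, loader API strings %s\n' \
        "$f" "$e" "$(entropy_class "$e")" "$(upx_markers "$f")" "$(loader_api_strings "$f")"
}

# Usage: packing_report suspect.exe
```

Whole-file entropy is a blunt instrument: a large embedded resource (an image, an archive) raises it for perfectly benign binaries, so a high reading is a prompt to look at per-section entropy and the import table with a PE parser rather than a conclusion on its own.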

Room Answers | TryHackMe MAL: REMnux – The Redux

How many types of categories of “Suspicious elements” are there in “notsuspicious.pdf”?

3

Use peepdf to extract the javascript from “notsuspicious.pdf”. What is the flag?

THM{Luckily_This_Isn’t_Harmful}

How many types of categories of “Suspicious elements” are there in “advert.pdf”?

6

Now use peepdf to extract the javascript from “advert.pdf”. What is the value of “cName”?

notsuspicious

What is the name of the Macro for “DefinitelyALegitInvoice.doc”?

DefoLegit

What is the URL the Macro in “Taxes2020.doc” would try to launch?

http://tryhackme.com/notac2cserver.sh

What is the highest file entropy a file can have?

8

What is the lowest file entropy a file can have?

0

Name a common packer that can be used for applications?

UPX


About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
