We covered analysing malicious macros, PDFs and memory forensics of a victim of Jigsaw Ransomware, all done using the Linux-based REMnux toolset as part of my Malware Analysis series. This also solves the TryHackMe MAL: REMnux – The Redux room.
Computer Forensics Study Notes
What is Live Malware Analysis
Before performing any live analysis, make sure to take a backup of the compromised host and isolate it from the network. While performing the live analysis, always use your own tools as attackers tend to modify existing tools after compromising their target.
If you are analyzing a Windows machine, mount a USB drive with known-good tools.
If you are analyzing a Linux machine, again use a USB drive with clean tools, mount it to /mnt/,
and then add the tool directories to the environment variables so you can invoke the tools without specifying their path, i.e.:
export PATH=/mnt/usb/bin:/mnt/usb/sbin
export LD_LIBRARY_PATH=/mnt/usb/lib:/mnt/usb/lib64
PDF analysis & reverse engineering
PDF files are often embedded with malicious code by attackers. Determining whether a PDF file is malicious starts by analyzing the embedded code.
peepdf
Display embedded code
root@kali:peepdf demo.pdf
Extracting the embedded code
root@kali:echo 'extract js > demo2.pdf' > extracted_javascript.txt
root@kali:peepdf -s extracted_javascript.txt demo.pdf
root@kali:cat demo2.pdf
Packing and Unpacking
Packers take an executable as input and output another executable. The new executable will have had some modifications made, depending on the packer; for example, it could be compressed and/or obfuscated using mathematical transformations.
Legitimate software developers use packing to reduce the size of their applications and, ultimately, to protect their work from being stolen. It is, however, a double-edged sword: malware authors reap the benefits of packing to make reverse engineering and detection of the code hard or impossible.
A few characteristics may indicate whether or not a file is packed:
- Remember about file entropy? Packed files will have a high entropy!
- There are very few “Imports”; packed files may only have “GetProcAddress” and “LoadLibrary”.
- The executable may have sections named after certain packers such as UPX.
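The entropy indicator from the list above, worked through in code. This is an added example, not part of the room or the REMnux toolset; the byte samples are constructed in the script, and the 7.0 bits/byte cut-off in looks_packed is an assumption chosen for illustration, not a value from the room.

```python
import math
import random
import zlib
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte. A constant byte stream scores 0.0;
    a stream in which all 256 byte values are equally frequent scores 8.0,
    the theoretical maximum for byte-oriented data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())

def entropy_profile(data: bytes, chunk: int = 1024) -> list[float]:
    """Per-chunk entropy, the way a byte-range or section entropy is read
    when locating a packed or encrypted region inside an otherwise plain file."""
    return [shannon_entropy(data[i:i + chunk]) for i in range(0, len(data), chunk)]

def looks_packed(data: bytes, threshold: float = 7.0) -> bool:
    """Heuristic indicator only. The 7.0 bits/byte threshold is an assumption
    for this example: compressed or encrypted payloads normally sit close to 8,
    native code and text well below."""
    return shannon_entropy(data) >= threshold

# --- constructed sample inputs (not real malware, built here for the demo) ---
WORDS = ("the", "program", "cannot", "be", "run", "in", "this", "mode",
         "please", "contact", "your", "vendor", "for", "a", "newer", "version")
_rng = random.Random(1337)                    # seeded so results are reproducible
ZERO_BYTES = bytes(4096)                      # zero-filled padding: minimum entropy
ALL_VALUES = bytes(range(256)) * 16           # every byte value equally often: maximum
PLAIN_TEXT = " ".join(_rng.choice(WORDS) for _ in range(20000)).encode()
COMPRESSED = zlib.compress(PLAIN_TEXT, 9)     # stands in for a packer's compressed section
ENCRYPTED_LIKE = _rng.randbytes(8192)         # stands in for an XOR/AES-obfuscated section

def demo() -> dict[str, float]:
    """Entropy of each constructed sample, rounded to two decimals."""
    samples = {"zero_bytes": ZERO_BYTES, "all_values": ALL_VALUES,
               "plain_text": PLAIN_TEXT, "compressed": COMPRESSED,
               "encrypted_like": ENCRYPTED_LIKE}
    return {name: round(shannon_entropy(d), 2) for name, d in samples.items()}

if __name__ == "__main__":
    for name, h in demo().items():
        print(f"{name:15s} {h:5.2f} bits/byte  packed-looking: {h >= 7.0}")
    # A plain region followed by an obfuscated one shows up as a jump in the profile
    print([round(h, 2) for h in entropy_profile(ZERO_BYTES + ENCRYPTED_LIKE, 4096)])
```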
Room Answers | TryHackMe MAL: REMnux – The Redux
How many types of categories of “Suspicious elements” are there in “notsuspicious.pdf”
3
Use peepdf to extract the javascript from “notsuspicious.pdf”. What is the flag?
THM{Luckily_This_Isn’t_Harmful}
How many types of categories of “Suspicious elements” are there in “advert.pdf”
6
Now use peepdf to extract the javascript from “advert.pdf”. What is the value of “cName”?
notsuspicious
What is the name of the Macro for “DefinitelyALegitInvoice.doc”
DefoLegit
What is the URL the Macro in “Taxes2020.doc” would try to launch?
http://tryhackme.com/notac2cserver.sh
What is the highest file entropy a file can have?
8
What is the lowest file entropy a file can have?
0
Name a common packer that can be used for applications?
UPX
Video Walkthrough | TryHackMe MAL: REMnux – The Redux