{ "labs": [ { "id": "1.1", "section": 1, "title": "Static Properties Analysis of brbbot.exe", "sample": "brbbot.exe", "analysis_type": "static-properties", "tools_used": [ { "tool_id": "unzip", "platform": "linux", "purpose": "Extract malware sample from archive" }, { "tool_id": "pestr", "platform": "linux", "purpose": "Extract ASCII and Unicode strings" }, { "tool_id": "pestudio", "platform": "windows", "purpose": "Examine PE properties, imports, sections, and anomalies" }, { "tool_id": "peframe", "platform": "linux", "purpose": "Examine static properties and detect anomalies" } ], "key_techniques": [ "string-extraction", "pe-header-analysis", "anomaly-detection", "import-analysis" ], "tags": [ "static-analysis", "pe", "strings", "triage" ] }, { "id": "1.2", "section": 1, "title": "Initial Behavioral Analysis of brbbot.exe", "sample": "brbbot.exe", "analysis_type": "behavioral", "tools_used": [ { "tool_id": "system-informer", "platform": "windows", "purpose": "Monitor running processes and network connections" }, { "tool_id": "process-monitor", "platform": "windows", "purpose": "Capture file system, registry, and process activity" }, { "tool_id": "regshot", "platform": "windows", "purpose": "Take registry/filesystem snapshot before infection" }, { "tool_id": "wireshark", "platform": "linux", "purpose": "Capture network traffic from malware" }, { "tool_id": "regshot", "platform": "windows", "purpose": "Compare the before- and after-infection registry/filesystem snapshots" }, { "tool_id": "procdot", "platform": "windows", "purpose": "Visualize Process Monitor logs for analysis" } ], "key_techniques": [ "process-monitoring", "registry-monitoring", "network-capture", "behavioral-visualization" ], "prerequisite_labs": [ "1.1" ], "tags": [ "behavioral", "monitoring", "registry", "network" ] }, { "id": "1.3", "section": 1, "title": "Intercepting brbbot.exe's Network Traffic", "sample": "brbbot.exe", "analysis_type": "network-interception", "tools_used": [ { "tool_id": "fakedns", 
"platform": "linux", "purpose": "Spoof DNS to redirect malware traffic to REMnux" }, { "tool_id": "nslookup", "platform": "windows", "purpose": "Verify DNS spoofing is working" }, { "tool_id": "wireshark", "platform": "linux", "purpose": "Capture redirected network traffic" }, { "tool_id": "httpd", "platform": "linux", "purpose": "Simulate C2 web server" }, { "tool_id": "visual-studio-code", "platform": "linux", "purpose": "Edit web server response files" } ], "key_techniques": [ "dns-spoofing", "traffic-interception", "c2-analysis", "http-payload-examination" ], "prerequisite_labs": [ "1.2" ], "tags": [ "network", "dns", "c2", "interception" ] }, { "id": "1.4", "section": 1, "title": "Emulating the Execution of brbbot.exe", "sample": "brbbot.exe", "analysis_type": "emulation", "tools_used": [ { "tool_id": "speakeasy", "platform": "linux", "purpose": "Emulate Windows API calls without native execution" }, { "tool_id": "visual-studio-code", "platform": "linux", "purpose": "Examine emulation output" }, { "tool_id": "jq", "platform": "linux", "purpose": "Extract API names from JSON report" }, { "tool_id": "capa", "platform": "linux", "purpose": "Identify malware capabilities with MITRE ATT&CK mapping" } ], "key_techniques": [ "api-emulation", "capability-detection", "json-analysis" ], "prerequisite_labs": [ "1.1" ], "tags": [ "emulation", "api-analysis", "capa", "speakeasy" ] }, { "id": "1.5", "section": 1, "title": "Decrypting brbbot.exe's Configuration File", "sample": "brbbot.exe", "analysis_type": "debugging", "tools_used": [ { "tool_id": "x64dbg", "platform": "windows", "purpose": "Debug malware, set breakpoints on ReadFile and CryptDecrypt APIs" }, { "tool_id": "pestudio", "platform": "windows", "purpose": "Examine imports to identify encryption APIs" }, { "tool_id": "cyberchef", "platform": "linux", "purpose": "Decode XOR-encrypted exfiltrated payload" } ], "key_techniques": [ "api-breakpoints", "configuration-decryption", "xor-decoding", "handle-inspection" ], 
"prerequisite_labs": [ "1.1", "1.3" ], "tags": [ "debugging", "decryption", "xor", "c2-config" ] }, { "id": "1.6", "section": 1, "title": "Experimenting with C2 Functionality in brbbot.exe", "sample": "brbbot.exe", "analysis_type": "behavioral", "tools_used": [ { "tool_id": "httpd", "platform": "linux", "purpose": "Serve C2 commands via ads.php" }, { "tool_id": "wireshark", "platform": "linux", "purpose": "Observe C2 request/response traffic" }, { "tool_id": "system-informer", "platform": "windows", "purpose": "Monitor process spawning from C2 commands" } ], "key_techniques": [ "c2-command-testing", "beaconing-analysis", "command-execution-monitoring" ], "prerequisite_labs": [ "1.3", "1.5" ], "tags": [ "c2", "behavioral", "command-control" ] }, { "id": "1.7", "section": 1, "title": "Intercepting HTTPS Connections Initiated by ghyte.exe", "sample": "ghyte.exe", "analysis_type": "network-interception", "tools_used": [ { "tool_id": "wireshark", "platform": "linux", "purpose": "Capture initial network traffic" }, { "tool_id": "fakedns", "platform": "linux", "purpose": "Redirect DNS for HTTPS interception" }, { "tool_id": "system-informer", "platform": "windows", "purpose": "Monitor malware process" }, { "tool_id": "inetsim", "platform": "linux", "purpose": "Emulate HTTPS and other internet services" } ], "key_techniques": [ "https-interception", "service-emulation", "tls-analysis" ], "prerequisite_labs": [ "1.1" ], "tags": [ "network", "https", "inetsim", "interception" ] }, { "id": "1.8", "section": 1, "title": "Intercepting IP Address-Based Traffic Using iptables", "sample": "getdown.exe", "analysis_type": "network-interception", "tools_used": [ { "tool_id": "wireshark", "platform": "linux", "purpose": "Capture network traffic" }, { "tool_id": "system-informer", "platform": "windows", "purpose": "Monitor malware process" }, { "tool_id": "httpd", "platform": "linux", "purpose": "Serve responses to redirected traffic" }, { "tool_id": "iptables", "platform": "linux", 
"purpose": "Redirect IP-based traffic via NAT rules" } ], "key_techniques": [ "iptables-redirection", "ip-based-interception", "nat-rules" ], "prerequisite_labs": [ "1.3" ], "tags": [ "network", "iptables", "traffic-redirection" ] }, { "id": "2.1", "section": 2, "title": "Intro to Assembly and Ghidra", "sample": "svchost.exe", "analysis_type": "code-analysis", "tools_used": [ { "tool_id": "ghidra", "platform": "windows", "purpose": "Disassemble and decompile \u2014 navigate function graphs, symbol trees, imports" } ], "key_techniques": [ "ghidra-navigation", "function-graph", "import-analysis", "cross-references", "equate-constants", "commenting" ], "tags": [ "assembly", "ghidra", "code-analysis", "fundamentals" ] }, { "id": "2.2", "section": 2, "title": "HTTP C2 Analysis", "sample": "svchost.exe", "analysis_type": "code-analysis", "tools_used": [ { "tool_id": "ghidra", "platform": "windows", "purpose": "Analyze HTTP C2 code patterns and API usage" } ], "key_techniques": [ "http-api-identification", "data-type-archives", "parameter-analysis", "function-renaming" ], "prerequisite_labs": [ "2.1" ], "tags": [ "c2", "http", "api-patterns", "ghidra" ] }, { "id": "2.3", "section": 2, "title": "Function Components, Part 1", "sample": "svchost.exe", "analysis_type": "code-analysis", "tools_used": [ { "tool_id": "ghidra", "platform": "windows", "purpose": "Analyze function prologue, epilogue, stack frames, and local variables" } ], "key_techniques": [ "function-prologue", "function-epilogue", "stack-frame", "local-variables" ], "prerequisite_labs": [ "2.1" ], "tags": [ "assembly", "functions", "stack", "ghidra" ] }, { "id": "2.4", "section": 2, "title": "Function Components, Part 2", "sample": "svchost.exe", "analysis_type": "code-analysis", "tools_used": [ { "tool_id": "ghidra", "platform": "windows", "purpose": "Analyze function parameters, calling conventions, and return values" } ], "key_techniques": [ "calling-conventions", "parameter-passing", "return-values" ], 
"prerequisite_labs": [ "2.3" ], "tags": [ "assembly", "functions", "calling-conventions", "ghidra" ] }, { "id": "2.5", "section": 2, "title": "Loop Components", "sample": "svchost.exe", "analysis_type": "code-analysis", "tools_used": [ { "tool_id": "ghidra", "platform": "windows", "purpose": "Identify loops using string references and control flow analysis" } ], "key_techniques": [ "string-references", "loop-identification", "control-flow" ], "prerequisite_labs": [ "2.1" ], "tags": [ "assembly", "loops", "control-flow", "ghidra" ] }, { "id": "2.6", "section": 2, "title": "Compound Expressions", "sample": "svchost.exe", "analysis_type": "code-analysis", "tools_used": [ { "tool_id": "ghidra", "platform": "windows", "purpose": "Analyze complex conditional logic and nested decisions" } ], "key_techniques": [ "compound-conditions", "nested-logic", "decompiler-interpretation" ], "prerequisite_labs": [ "2.1" ], "tags": [ "assembly", "conditionals", "ghidra" ] }, { "id": "2.7", "section": 2, "title": "Dropper Analysis", "sample": "ishelp.dll", "analysis_type": "code-analysis", "tools_used": [ { "tool_id": "pestudio", "platform": "windows", "purpose": "Confirm DLL type and examine exports" }, { "tool_id": "ghidra", "platform": "windows", "purpose": "Analyze resource extraction and file dropping code" } ], "key_techniques": [ "dll-analysis", "exported-functions", "resource-extraction", "file-dropping" ], "prerequisite_labs": [ "2.1" ], "tags": [ "dropper", "dll", "resources", "ghidra" ] }, { "id": "2.8", "section": 2, "title": "Intro to 64-bit Code Analysis", "sample": "64-bit specimen", "analysis_type": "code-analysis", "tools_used": [ { "tool_id": "ghidra", "platform": "windows", "purpose": "Analyze 64-bit calling conventions and register usage" } ], "key_techniques": [ "x64-calling-convention", "register-usage", "schtasks-persistence" ], "prerequisite_labs": [ "2.1" ], "tags": [ "64-bit", "assembly", "x64", "ghidra" ] }, { "id": "3.1", "section": 3, "title": "Examining 
steel1.pdf with pdf-parser.py", "sample": "steel1.pdf", "analysis_type": "pdf-analysis", "tools_used": [ { "tool_id": "unzip", "platform": "linux", "purpose": "Extract sample from archive" }, { "tool_id": "pdfid-py", "platform": "linux", "purpose": "Scan for suspicious PDF keywords (/URI, /JavaScript, /OpenAction)" }, { "tool_id": "pdf-parser-py", "platform": "linux", "purpose": "Parse PDF objects, extract URLs, and dump embedded images" }, { "tool_id": "feh", "platform": "linux", "purpose": "View extracted image from PDF object" } ], "key_techniques": [ "pdf-keyword-scanning", "object-extraction", "url-extraction", "embedded-image-analysis" ], "tags": [ "pdf", "phishing", "static-analysis" ] }, { "id": "3.2", "section": 3, "title": "Investigating the 'crophysi' Website with Fiddler", "sample": "crophysi website", "analysis_type": "web-analysis", "tools_used": [ { "tool_id": "fiddler", "platform": "windows", "purpose": "Load and analyze captured HTTP/HTTPS traffic" } ], "key_techniques": [ "redirection-chain-analysis", "http-request-inspection", "payload-extraction" ], "tags": [ "web", "http", "fiddler", "traffic-analysis" ] }, { "id": "3.3", "section": 3, "title": "Analyzing mydoc.docm with oledump.py", "sample": "mydoc.docm", "analysis_type": "document-analysis", "tools_used": [ { "tool_id": "unzip", "platform": "linux", "purpose": "Extract sample from archive" }, { "tool_id": "trid", "platform": "linux", "purpose": "Identify file format (OOXML)" }, { "tool_id": "oledump-py", "platform": "linux", "purpose": "List OLE streams and extract VBA macros" }, { "tool_id": "numbers-to-string-py", "platform": "linux", "purpose": "Convert decimal sequences to readable strings" }, { "tool_id": "visual-studio-code", "platform": "linux", "purpose": "View extracted macro code" } ], "key_techniques": [ "file-format-identification", "ole-stream-analysis", "vba-macro-extraction", "string-decoding" ], "tags": [ "office", "vba", "macro", "oledump" ] }, { "id": "3.4", "section": 3, 
"title": "Analyzing PowerShell and Shellcode Artifacts in checkbox.doc", "sample": "checkbox.doc", "analysis_type": "document-analysis", "tools_used": [ { "tool_id": "unzip", "platform": "linux", "purpose": "Extract sample" }, { "tool_id": "file", "platform": "linux", "purpose": "Identify file type" }, { "tool_id": "trid", "platform": "linux", "purpose": "Confirm OLE2 format" }, { "tool_id": "oledump-py", "platform": "linux", "purpose": "Extract OLE streams and identify macro streams" }, { "tool_id": "base64dump-py", "platform": "linux", "purpose": "Decode Base64-encoded PowerShell from UserForm" }, { "tool_id": "gunzip", "platform": "linux", "purpose": "Decompress gzipped payload" }, { "tool_id": "translate-py", "platform": "linux", "purpose": "XOR decode shellcode (byte ^ 35)" }, { "tool_id": "strings", "platform": "linux", "purpose": "Extract strings from decoded shellcode" }, { "tool_id": "scdbgc", "platform": "linux", "purpose": "Emulate shellcode to identify behavior" }, { "tool_id": "yara", "platform": "linux", "purpose": "Scan for known malware patterns" }, { "tool_id": "1768-py", "platform": "linux", "purpose": "Parse Cobalt Strike beacon configuration" } ], "key_techniques": [ "multi-stage-decoding", "base64-gunzip-xor-chain", "shellcode-emulation", "cobalt-strike-identification" ], "prerequisite_labs": [ "3.3" ], "tags": [ "office", "powershell", "shellcode", "cobalt-strike", "multi-stage" ] }, { "id": "3.5", "section": 3, "title": "Examining qa.doc With rtfdump.py, scdbgc, and runsc", "sample": "qa.doc", "analysis_type": "document-analysis", "tools_used": [ { "tool_id": "unzip", "platform": "linux", "purpose": "Extract sample" }, { "tool_id": "file", "platform": "linux", "purpose": "Identify RTF format" }, { "tool_id": "rtfdump-py", "platform": "linux", "purpose": "Parse RTF structure, locate hex-encoded embedded objects" }, { "tool_id": "xorsearch", "platform": "linux", "purpose": "Detect shellcode patterns in extracted binary" }, { "tool_id": 
"scdbgc", "platform": "linux", "purpose": "Emulate extracted shellcode" }, { "tool_id": "runsc32", "platform": "windows", "purpose": "Execute shellcode for dynamic analysis" }, { "tool_id": "x32dbg", "platform": "windows", "purpose": "Debug shellcode execution" }, { "tool_id": "rar", "platform": "linux", "purpose": "Extract self-extracting RAR payloads" } ], "key_techniques": [ "rtf-structure-analysis", "shellcode-detection", "shellcode-emulation", "self-extracting-archive-analysis" ], "prerequisite_labs": [ "3.4" ], "tags": [ "rtf", "shellcode", "exploitation", "rar" ] }, { "id": "3.6", "section": 3, "title": "Deobfuscating loveyou.js with SpiderMonkey", "sample": "loveyou.js", "analysis_type": "javascript-deobfuscation", "tools_used": [ { "tool_id": "unzip", "platform": "linux", "purpose": "Extract sample" }, { "tool_id": "js-beautify", "platform": "linux", "purpose": "Format obfuscated JavaScript for readability" }, { "tool_id": "visual-studio-code", "platform": "linux", "purpose": "Review beautified code" }, { "tool_id": "spidermonkey", "platform": "linux", "purpose": "Execute JavaScript with objects.js to deobfuscate" }, { "tool_id": "cscript", "platform": "windows", "purpose": "Execute JavaScript for AMSI monitoring" }, { "tool_id": "logman", "platform": "windows", "purpose": "Start AMSI event trace session" }, { "tool_id": "amsiscriptcontentretrieval", "platform": "windows", "purpose": "Extract monitored script content from AMSI logs" }, { "tool_id": "notepadpp", "platform": "windows", "purpose": "View extracted AMSI output" } ], "key_techniques": [ "javascript-beautification", "spidermonkey-execution", "objects-js-simulation", "amsi-monitoring" ], "tags": [ "javascript", "deobfuscation", "spidermonkey", "amsi" ] }, { "id": "3.7", "section": 3, "title": "Deobfuscating fgg.js Using SpiderMonkey", "sample": "fgg.js", "analysis_type": "javascript-deobfuscation", "tools_used": [ { "tool_id": "unzip", "platform": "linux", "purpose": "Extract sample" }, { 
"tool_id": "spidermonkey", "platform": "linux", "purpose": "Execute JavaScript (identify missing location.href)" }, { "tool_id": "visual-studio-code", "platform": "linux", "purpose": "Edit objects.js to set location.href" }, { "tool_id": "spidermonkey", "platform": "linux", "purpose": "Re-execute with modified objects.js to deobfuscate" } ], "key_techniques": [ "environment-simulation", "objects-js-customization", "location-href-spoofing" ], "prerequisite_labs": [ "3.6" ], "tags": [ "javascript", "deobfuscation", "spidermonkey" ] }, { "id": "3.8", "section": 3, "title": "Decoding the Initial Script with Fiddler and CyberChef", "sample": "roomsvisitor.saz", "analysis_type": "web-analysis", "tools_used": [ { "tool_id": "fiddler", "platform": "windows", "purpose": "Load captured HTTP traffic and follow redirect chain" }, { "tool_id": "notepadpp", "platform": "windows", "purpose": "View Base64-encoded PowerShell command" }, { "tool_id": "cyberchef", "platform": "both", "purpose": "Decode Base64 and UTF-16LE to reveal PowerShell" } ], "key_techniques": [ "redirect-chain-analysis", "base64-decoding", "utf16-decoding", "powershell-extraction" ], "prerequisite_labs": [ "3.2" ], "tags": [ "web", "base64", "powershell", "cyberchef" ] }, { "id": "3.9", "section": 3, "title": "Decoding wrcaf.ps1 With Fiddler and PowerShell ISE", "sample": "wrcaf.ps1", "analysis_type": "powershell-analysis", "tools_used": [ { "tool_id": "fiddler", "platform": "windows", "purpose": "Extract PowerShell script from HTTP traffic" }, { "tool_id": "notepadpp", "platform": "windows", "purpose": "Initial script viewing" }, { "tool_id": "powershell-ise", "platform": "windows", "purpose": "Debug script with breakpoints to extract decoded payload" } ], "key_techniques": [ "powershell-debugging", "breakpoint-usage", "variable-extraction", "invoke-expression-interception" ], "prerequisite_labs": [ "3.8" ], "tags": [ "powershell", "debugging", "deobfuscation" ] }, { "id": "3.10", "section": 3, "title": 
"Examining Package.exe and iviewers.dll with PeStudio and x32dbg", "sample": "Package.exe, iviewers.dll", "analysis_type": "code-analysis", "tools_used": [ { "tool_id": "fiddler", "platform": "windows", "purpose": "Extract Package.exe from HTTP traffic" }, { "tool_id": "pestudio", "platform": "windows", "purpose": "Examine digital signature and PE properties" }, { "tool_id": "x32dbg", "platform": "windows", "purpose": "Debug DLL loading and CreateProcessW calls" }, { "tool_id": "notepadpp", "platform": "windows", "purpose": "View extracted PowerShell command parameters" } ], "key_techniques": [ "digital-signature-analysis", "dll-sideloading", "createprocess-breakpoints", "multi-stage-payload" ], "prerequisite_labs": [ "3.9" ], "tags": [ "dll", "debugging", "digital-signature", "sideloading" ] }, { "id": "3.11", "section": 3, "title": "Decoding iubn.ps1 With Fiddler and PowerShell ISE", "sample": "iubn.ps1", "analysis_type": "powershell-analysis", "tools_used": [ { "tool_id": "fiddler", "platform": "windows", "purpose": "Extract PowerShell script from HTTP traffic" }, { "tool_id": "notepadpp", "platform": "windows", "purpose": "Initial script examination" }, { "tool_id": "powershell-ise", "platform": "windows", "purpose": "Debug and decode layered PowerShell" } ], "key_techniques": [ "powershell-debugging", "invoke-expression-interception", "out-file-extraction", "dotnet-assembly-download" ], "prerequisite_labs": [ "3.10" ], "tags": [ "powershell", "debugging", "dotnet-loading" ] }, { "id": "3.12", "section": 3, "title": "Analyzing rwvg1.exe and its Artifacts with ILSpy and CyberChef", "sample": "rwvg1.exe, ersyb.exe", "analysis_type": "dotnet-analysis", "tools_used": [ { "tool_id": "fiddler", "platform": "windows", "purpose": "Extract .NET assembly from HTTP traffic" }, { "tool_id": "pestudio", "platform": "windows", "purpose": "Confirm .NET assembly" }, { "tool_id": "ilspy", "platform": "windows", "purpose": "Decompile .NET to view C# source code" }, { "tool_id": 
"cyberchef", "platform": "both", "purpose": "Decode Base64 + XOR payload" }, { "tool_id": "exeinfo-pe", "platform": "windows", "purpose": "Identify second-stage .NET binary" } ], "key_techniques": [ "dotnet-decompilation", "runtime-compilation-analysis", "base64-xor-decoding", "csharpcodeprovider-analysis" ], "prerequisite_labs": [ "3.11" ], "tags": [ "dotnet", "decompilation", "cyberchef", "multi-stage" ] }, { "id": "4.1", "section": 4, "title": "Assessing the Packed brbbot.exe File", "sample": "brbbot.exe (packed)", "analysis_type": "unpacking", "tools_used": [ { "tool_id": "unzip", "platform": "linux", "purpose": "Extract packed sample" }, { "tool_id": "pestudio", "platform": "windows", "purpose": "Examine entropy, sections, and packing indicators" }, { "tool_id": "diec", "platform": "linux", "purpose": "Identify packer (UPX detection)" } ], "key_techniques": [ "entropy-analysis", "section-examination", "packer-identification" ], "tags": [ "packing", "entropy", "detection", "triage" ] }, { "id": "4.2", "section": 4, "title": "Dumping and Fixing brbbot.exe Using Scylla", "sample": "brbbot.exe (packed)", "analysis_type": "unpacking", "tools_used": [ { "tool_id": "upx", "platform": "linux", "purpose": "Attempt automated unpacking (fails \u2014 modified UPX)" }, { "tool_id": "setdllcharacteristics", "platform": "windows", "purpose": "Disable ASLR for consistent memory addresses" }, { "tool_id": "system-informer", "platform": "windows", "purpose": "Verify process is running after infection" }, { "tool_id": "scylla", "platform": "windows", "purpose": "Dump unpacked process from memory and fix IAT" }, { "tool_id": "pestudio", "platform": "windows", "purpose": "Verify dumped file is valid PE" } ], "key_techniques": [ "aslr-disabling", "process-dumping", "iat-reconstruction", "scylla-workflow" ], "prerequisite_labs": [ "4.1" ], "tags": [ "unpacking", "scylla", "iat", "memory-dump" ] }, { "id": "4.3", "section": 4, "title": "Unpacking brbbot.exe by Using x64dbg and 
OllyDumpEx", "sample": "brbbot.exe (packed)", "analysis_type": "unpacking", "tools_used": [ { "tool_id": "x64dbg", "platform": "windows", "purpose": "Debug to locate unpacker JMP to OEP" }, { "tool_id": "ollydumpex", "platform": "windows", "purpose": "Dump unpacked process from within debugger" }, { "tool_id": "scylla", "platform": "windows", "purpose": "Fix IAT in dumped executable (as x64dbg plugin)" } ], "key_techniques": [ "oep-detection", "unpacker-breakpoints", "memory-dumping", "iat-fixing" ], "prerequisite_labs": [ "4.1" ], "tags": [ "unpacking", "debugger", "oep", "ollydumpex" ] }, { "id": "4.4", "section": 4, "title": "Debugging the Packed Version of brbbot.exe", "sample": "brbbot.exe (packed)", "analysis_type": "debugging", "tools_used": [ { "tool_id": "x64dbg", "platform": "windows", "purpose": "Set hardware breakpoints on CryptDecrypt to analyze packed runtime behavior" } ], "key_techniques": [ "hardware-breakpoints", "api-interception", "packed-runtime-analysis" ], "prerequisite_labs": [ "4.1" ], "tags": [ "debugging", "packed-malware", "hardware-breakpoints" ] }, { "id": "4.5", "section": 4, "title": "Analyzing Multi-Technology Specimen PDFXCview.exe", "sample": "PDFXCview.exe", "analysis_type": "code-analysis", "tools_used": [ { "tool_id": "system-informer", "platform": "windows", "purpose": "Monitor process creation and child processes" }, { "tool_id": "process-monitor", "platform": "windows", "purpose": "Capture file system and registry activity" }, { "tool_id": "procdot", "platform": "windows", "purpose": "Visualize multi-stage execution" }, { "tool_id": "regedit", "platform": "windows", "purpose": "Examine registry keys created by malware" }, { "tool_id": "reg-export", "platform": "windows", "purpose": "Extract JavaScript stored in registry to file" }, { "tool_id": "winscp", "platform": "windows", "purpose": "Transfer artifacts to REMnux for analysis" }, { "tool_id": "spidermonkey", "platform": "linux", "purpose": "Deobfuscate JavaScript 
component" }, { "tool_id": "js-beautify", "platform": "linux", "purpose": "Format decoded JavaScript for readability" }, { "tool_id": "visual-studio-code", "platform": "linux", "purpose": "View and analyze decoded scripts" }, { "tool_id": "base64dump-py", "platform": "linux", "purpose": "Decode Base64-encoded payloads" }, { "tool_id": "notepadpp", "platform": "windows", "purpose": "View decoded scripts" }, { "tool_id": "powershell-ise", "platform": "windows", "purpose": "Debug PowerShell component" } ], "key_techniques": [ "multi-technology-analysis", "registry-based-malware", "fileless-techniques", "cross-platform-workflow" ], "tags": [ "multi-stage", "javascript", "powershell", "behavioral" ] }, { "id": "4.6", "section": 4, "title": "Examining Capabilities of Shellcode Used by PDFXCview.exe", "sample": "Shellcode from PDFXCview.exe", "analysis_type": "shellcode-analysis", "tools_used": [ { "tool_id": "scdbgc", "platform": "both", "purpose": "Emulate shellcode to identify API calls" }, { "tool_id": "runsc32", "platform": "windows", "purpose": "Execute shellcode for dynamic analysis" }, { "tool_id": "x32dbg", "platform": "windows", "purpose": "Debug shellcode execution and examine parameters" } ], "key_techniques": [ "shellcode-emulation", "shellcode-debugging", "api-parameter-analysis" ], "prerequisite_labs": [ "4.5" ], "tags": [ "shellcode", "emulation", "debugging" ] }, { "id": "4.7", "section": 4, "title": "Unpacking Shellcode That Was Used by PDFXCview.exe", "sample": "Shellcode from PDFXCview.exe", "analysis_type": "shellcode-analysis", "tools_used": [ { "tool_id": "x32dbg", "platform": "windows", "purpose": "Set breakpoints on VirtualAlloc to track memory allocation" }, { "tool_id": "pestudio", "platform": "windows", "purpose": "Verify dumped PE from allocated memory" } ], "key_techniques": [ "virtualalloc-breakpoints", "multi-stage-shellcode", "memory-dumping" ], "prerequisite_labs": [ "4.6" ], "tags": [ "shellcode", "unpacking", "virtualalloc" ] }, { "id": 
"4.8", "section": 4, "title": "Examining .NET Malware chatroom.exe", "sample": "chatroom.exe", "analysis_type": "dotnet-analysis", "tools_used": [ { "tool_id": "unzip", "platform": "linux", "purpose": "Extract sample" }, { "tool_id": "peframe", "platform": "linux", "purpose": "Identify the sample as a .NET assembly with high entropy (packed)" }, { "tool_id": "pestr", "platform": "linux", "purpose": "Extract strings" }, { "tool_id": "ilspycmd", "platform": "linux", "purpose": "Decompile .NET assembly on command line" }, { "tool_id": "visual-studio-code", "platform": "linux", "purpose": "Search decompiled code for Assembly.Load" }, { "tool_id": "dnspyex", "platform": "windows", "purpose": "Debug .NET with breakpoints to extract in-memory assembly" }, { "tool_id": "pestudio", "platform": "windows", "purpose": "Examine dumped assembly" }, { "tool_id": "ilspy", "platform": "windows", "purpose": "Decompile dumped assembly" }, { "tool_id": "de4dot", "platform": "windows", "purpose": "Deobfuscate .NET assembly" } ], "key_techniques": [ "dotnet-decompilation", "reflective-loading-detection", "assembly-load-breakpoints", "in-memory-dumping", "dotnet-deobfuscation" ], "tags": [ "dotnet", "debugging", "deobfuscation", "reflective-loading" ] }, { "id": "4.9", "section": 4, "title": "Examining Code Injection Capabilities of great.exe", "sample": "great.exe", "analysis_type": "code-injection", "tools_used": [ { "tool_id": "ghidra", "platform": "windows", "purpose": "Analyze CreateRemoteThread, VirtualAllocEx, and process enumeration code" } ], "key_techniques": [ "createremotethread-analysis", "virtualallocex-identification", "process-enumeration", "createtoolhelp32snapshot" ], "prerequisite_labs": [ "2.1" ], "tags": [ "code-injection", "api-analysis", "ghidra" ] }, { "id": "5.1", "section": 5, "title": "Patching getdown.exe to Bypass Debugger Detection", "sample": "getdown.exe", "analysis_type": "anti-analysis", "tools_used": [ { "tool_id": "wireshark", "platform": "linux", "purpose": "Monitor 
network traffic" }, { "tool_id": "system-informer", "platform": "windows", "purpose": "Monitor process behavior" }, { "tool_id": "x64dbg", "platform": "windows", "purpose": "Identify and patch IsDebuggerPresent check" } ], "key_techniques": [ "isdebuggerpresent-bypass", "instruction-patching", "conditional-jump-modification" ], "tags": [ "anti-debugging", "patching", "isdebuggerpresent" ] }, { "id": "5.2", "section": 5, "title": "Deobfuscating Strings Encoded Using Simple and Common Algorithms", "sample": "getdown.exe, hubert.dll, 9.exe", "analysis_type": "string-deobfuscation", "tools_used": [ { "tool_id": "unzip", "platform": "linux", "purpose": "Extract samples" }, { "tool_id": "xorsearch", "platform": "linux", "purpose": "Search for XOR-encoded patterns" }, { "tool_id": "strings", "platform": "linux", "purpose": "Extract readable strings" }, { "tool_id": "brxor-py", "platform": "linux", "purpose": "Brute-force XOR key detection" }, { "tool_id": "bbcrack", "platform": "linux", "purpose": "Detect XOR/ROL/ADD obfuscation algorithms" }, { "tool_id": "ghidra", "platform": "windows", "purpose": "Analyze deobfuscation routines in code" }, { "tool_id": "strdeob-pl", "platform": "linux", "purpose": "Decode stack-built strings" }, { "tool_id": "floss", "platform": "linux", "purpose": "Automatically extract all obfuscated strings" }, { "tool_id": "visual-studio-code", "platform": "linux", "purpose": "View deobfuscation results" } ], "key_techniques": [ "xor-brute-forcing", "stack-string-decoding", "automated-string-extraction", "obfuscation-algorithm-identification" ], "prerequisite_labs": [ "2.1" ], "tags": [ "strings", "xor", "deobfuscation", "floss" ] }, { "id": "5.3", "section": 5, "title": "Unpacking drtg.exe", "sample": "drtg.exe", "analysis_type": "unpacking", "tools_used": [ { "tool_id": "unzip", "platform": "linux", "purpose": "Extract sample" }, { "tool_id": "floss", "platform": "linux", "purpose": "Extract strings to assess packing" }, { "tool_id": 
"visual-studio-code", "platform": "linux", "purpose": "View FLOSS output" }, { "tool_id": "x32dbg", "platform": "windows", "purpose": "Debug with RtlDecompressBuffer breakpoints" }, { "tool_id": "scyllahide", "platform": "windows", "purpose": "Hide debugger from anti-debugging checks" }, { "tool_id": "pestudio", "platform": "windows", "purpose": "Verify unpacked dump" } ], "key_techniques": [ "rtldecompressbuffer-interception", "debugger-hiding", "exception-configuration", "memory-dumping" ], "prerequisite_labs": [ "5.2" ], "tags": [ "unpacking", "anti-debugging", "decompression" ] }, { "id": "5.4", "section": 5, "title": "Unpacking WinHost32.exe", "sample": "WinHost32.exe", "analysis_type": "unpacking", "tools_used": [ { "tool_id": "unzip", "platform": "linux", "purpose": "Extract sample" }, { "tool_id": "capa", "platform": "linux", "purpose": "Identify process hollowing capability" }, { "tool_id": "ghidra", "platform": "windows", "purpose": "Analyze CreateProcess(SUSPENDED), VirtualAllocEx, WriteProcessMemory" }, { "tool_id": "x32dbg", "platform": "windows", "purpose": "Set breakpoint on WriteProcessMemory to catch injected PE" }, { "tool_id": "pestudio", "platform": "windows", "purpose": "Verify dumped PE from process hollowing" } ], "key_techniques": [ "process-hollowing-detection", "create-suspended-analysis", "writeprocessmemory-breakpoints", "ntunmapviewofsection" ], "prerequisite_labs": [ "5.3" ], "tags": [ "process-hollowing", "code-injection", "unpacking" ] }, { "id": "5.5", "section": 5, "title": "Examining the Anti-Sandbox Defensive Capability of vbprop.exe", "sample": "vbprop.exe", "analysis_type": "anti-analysis", "tools_used": [ { "tool_id": "ghidra", "platform": "windows", "purpose": "Analyze SetWindowsHookExA for mouse event interception" }, { "tool_id": "x32dbg", "platform": "windows", "purpose": "Debug hook installation and handler" } ], "key_techniques": [ "setwindowshookex-analysis", "mouse-hook-detection", "sandbox-evasion" ], 
"prerequisite_labs": [ "2.1" ], "tags": [ "anti-sandbox", "hooks", "evasion" ] }, { "id": "5.6", "section": 5, "title": "Examining the Toolkit Detection Capabilities of raas.exe", "sample": "raas.exe", "analysis_type": "anti-analysis", "tools_used": [ { "tool_id": "x32dbg", "platform": "windows", "purpose": "Step through toolkit detection routines" }, { "tool_id": "scyllahide", "platform": "windows", "purpose": "Hide debugger from detection checks" } ], "key_techniques": [ "getmodulehandle-checks", "findwindow-checks", "process-enumeration", "registry-vm-detection", "blockinput-bypass" ], "prerequisite_labs": [ "2.1" ], "tags": [ "anti-analysis", "toolkit-detection", "vm-detection" ] }, { "id": "5.7", "section": 5, "title": "Understanding the SEH Defense in want.exe", "sample": "want.exe", "analysis_type": "anti-analysis", "tools_used": [ { "tool_id": "x32dbg", "platform": "windows", "purpose": "Analyze SEH chain setup and exception handler execution" } ], "key_techniques": [ "seh-manipulation", "exception-handler-analysis", "fs-segment-usage", "seh-breakpoints" ], "prerequisite_labs": [ "2.1" ], "tags": [ "seh", "anti-analysis", "exception-handling" ] }, { "id": "5.8", "section": 5, "title": "Unpacking want.exe Using a Stack Breakpoint", "sample": "want.exe", "analysis_type": "unpacking", "tools_used": [ { "tool_id": "x32dbg", "platform": "windows", "purpose": "Set stack breakpoint to detect unpacking completion" }, { "tool_id": "ollydumpex", "platform": "windows", "purpose": "Dump unpacked process from memory" }, { "tool_id": "scylla", "platform": "windows", "purpose": "Reconstruct IAT in dumped executable" }, { "tool_id": "pestudio", "platform": "windows", "purpose": "Verify unpacked PE" } ], "key_techniques": [ "stack-breakpoints", "oep-detection-via-stack", "memory-dumping", "iat-reconstruction" ], "prerequisite_labs": [ "5.7" ], "tags": [ "unpacking", "stack-breakpoint", "seh" ] }, { "id": "5.9", "section": 5, "title": "Bypassing Self-Defensive Measures in 
lansrv.exe", "sample": "lansrv.exe", "analysis_type": "anti-analysis", "tools_used": [ { "tool_id": "pestudio", "platform": "windows", "purpose": "Identify TLS callback in thread-local-storage section" }, { "tool_id": "x32dbg", "platform": "windows", "purpose": "Debug TLS callback, patch IsDebuggerPresent, fix GS segment override" } ], "key_techniques": [ "tls-callback-analysis", "isdebuggerpresent-bypass", "segment-register-patching", "xor-decoding-loop", "multi-defense-bypass" ], "prerequisite_labs": [ "2.1" ], "tags": [ "tls-callback", "anti-debugging", "patching", "multi-defense" ] }, { "id": "5.10", "section": 5, "title": "Unpacking yep.exe with the Help of x32dbg and pe_unmapper", "sample": "yep.exe", "analysis_type": "unpacking", "tools_used": [ { "tool_id": "pestudio", "platform": "windows", "purpose": "Initial analysis \u2014 note gibberish strings indicating packing" }, { "tool_id": "x32dbg", "platform": "windows", "purpose": "Set breakpoints on LoadLibraryA and VirtualProtect" }, { "tool_id": "xanalyzer", "platform": "windows", "purpose": "Enhanced analysis showing API parameters" }, { "tool_id": "pe-unmapper", "platform": "windows", "purpose": "Convert virtual-aligned dump to raw alignment" }, { "tool_id": "scylla", "platform": "windows", "purpose": "Fix IAT in unmapped executable" } ], "key_techniques": [ "loadlibrary-breakpoints", "virtualprotect-breakpoints", "memory-region-dumping", "virtual-to-raw-alignment", "oep-anticipation" ], "prerequisite_labs": [ "5.8" ], "tags": [ "unpacking", "pe-unmapper", "virtualprotect", "loadlibrary" ] } ] }