f3ccc09c3d
Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
{
|
|
"labs": [
|
|
{
|
|
"id": "1.1",
|
|
"section": 1,
|
|
"title": "Static Properties Analysis of brbbot.exe",
|
|
"sample": "brbbot.exe",
|
|
"analysis_type": "static-properties",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "unzip",
|
|
"platform": "linux",
|
|
"purpose": "Extract malware sample from archive"
|
|
},
|
|
{
|
|
"tool_id": "pestr",
|
|
"platform": "linux",
|
|
"purpose": "Extract ASCII and Unicode strings"
|
|
},
|
|
{
|
|
"tool_id": "pestudio",
|
|
"platform": "windows",
|
|
"purpose": "Examine PE properties, imports, sections, and anomalies"
|
|
},
|
|
{
|
|
"tool_id": "peframe",
|
|
"platform": "linux",
|
|
"purpose": "Examine static properties and detect anomalies"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"string-extraction",
|
|
"pe-header-analysis",
|
|
"anomaly-detection",
|
|
"import-analysis"
|
|
],
|
|
"tags": [
|
|
"static-analysis",
|
|
"pe",
|
|
"strings",
|
|
"triage"
|
|
]
|
|
},
|
|
{
|
|
"id": "1.2",
|
|
"section": 1,
|
|
"title": "Initial Behavioral Analysis of brbbot.exe",
|
|
"sample": "brbbot.exe",
|
|
"analysis_type": "behavioral",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "system-informer",
|
|
"platform": "windows",
|
|
"purpose": "Monitor running processes and network connections"
|
|
},
|
|
{
|
|
"tool_id": "process-monitor",
|
|
"platform": "windows",
|
|
"purpose": "Capture file system, registry, and process activity"
|
|
},
|
|
{
|
|
"tool_id": "regshot",
|
|
"platform": "windows",
|
|
"purpose": "Take registry/filesystem snapshot before infection"
|
|
},
|
|
{
|
|
"tool_id": "wireshark",
|
|
"platform": "linux",
|
|
"purpose": "Capture network traffic from malware"
|
|
},
|
|
{
|
|
"tool_id": "regshot",
|
|
"platform": "windows",
|
|
"purpose": "Compare registry/filesystem snapshot after infection"
|
|
},
|
|
{
|
|
"tool_id": "procdot",
|
|
"platform": "windows",
|
|
"purpose": "Visualize Process Monitor logs for analysis"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"process-monitoring",
|
|
"registry-monitoring",
|
|
"network-capture",
|
|
"behavioral-visualization"
|
|
],
|
|
"prerequisite_labs": [
|
|
"1.1"
|
|
],
|
|
"tags": [
|
|
"behavioral",
|
|
"monitoring",
|
|
"registry",
|
|
"network"
|
|
]
|
|
},
|
|
{
|
|
"id": "1.3",
|
|
"section": 1,
|
|
"title": "Intercepting brbbot.exe's Network Traffic",
|
|
"sample": "brbbot.exe",
|
|
"analysis_type": "network-interception",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "fakedns",
|
|
"platform": "linux",
|
|
"purpose": "Spoof DNS to redirect malware traffic to REMnux"
|
|
},
|
|
{
|
|
"tool_id": "nslookup",
|
|
"platform": "windows",
|
|
"purpose": "Verify DNS spoofing is working"
|
|
},
|
|
{
|
|
"tool_id": "wireshark",
|
|
"platform": "linux",
|
|
"purpose": "Capture redirected network traffic"
|
|
},
|
|
{
|
|
"tool_id": "httpd",
|
|
"platform": "linux",
|
|
"purpose": "Simulate C2 web server"
|
|
},
|
|
{
|
|
"tool_id": "visual-studio-code",
|
|
"platform": "linux",
|
|
"purpose": "Edit web server response files"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"dns-spoofing",
|
|
"traffic-interception",
|
|
"c2-analysis",
|
|
"http-payload-examination"
|
|
],
|
|
"prerequisite_labs": [
|
|
"1.2"
|
|
],
|
|
"tags": [
|
|
"network",
|
|
"dns",
|
|
"c2",
|
|
"interception"
|
|
]
|
|
},
|
|
{
|
|
"id": "1.4",
|
|
"section": 1,
|
|
"title": "Emulating the Execution of brbbot.exe",
|
|
"sample": "brbbot.exe",
|
|
"analysis_type": "emulation",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "speakeasy",
|
|
"platform": "linux",
|
|
"purpose": "Emulate Windows API calls without native execution"
|
|
},
|
|
{
|
|
"tool_id": "visual-studio-code",
|
|
"platform": "linux",
|
|
"purpose": "Examine emulation output"
|
|
},
|
|
{
|
|
"tool_id": "jq",
|
|
"platform": "linux",
|
|
"purpose": "Extract API names from JSON report"
|
|
},
|
|
{
|
|
"tool_id": "capa",
|
|
"platform": "linux",
|
|
"purpose": "Identify malware capabilities with MITRE ATT&CK mapping"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"api-emulation",
|
|
"capability-detection",
|
|
"json-analysis"
|
|
],
|
|
"prerequisite_labs": [
|
|
"1.1"
|
|
],
|
|
"tags": [
|
|
"emulation",
|
|
"api-analysis",
|
|
"capa",
|
|
"speakeasy"
|
|
]
|
|
},
|
|
{
|
|
"id": "1.5",
|
|
"section": 1,
|
|
"title": "Decrypting brbbot.exe's Configuration File",
|
|
"sample": "brbbot.exe",
|
|
"analysis_type": "debugging",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "x64dbg",
|
|
"platform": "windows",
|
|
"purpose": "Debug malware, set breakpoints on ReadFile and CryptDecrypt APIs"
|
|
},
|
|
{
|
|
"tool_id": "pestudio",
|
|
"platform": "windows",
|
|
"purpose": "Examine imports to identify encryption APIs"
|
|
},
|
|
{
|
|
"tool_id": "cyberchef",
|
|
"platform": "linux",
|
|
"purpose": "Decode XOR-encrypted exfiltrated payload"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"api-breakpoints",
|
|
"configuration-decryption",
|
|
"xor-decoding",
|
|
"handle-inspection"
|
|
],
|
|
"prerequisite_labs": [
|
|
"1.1",
|
|
"1.3"
|
|
],
|
|
"tags": [
|
|
"debugging",
|
|
"decryption",
|
|
"xor",
|
|
"c2-config"
|
|
]
|
|
},
|
|
{
|
|
"id": "1.6",
|
|
"section": 1,
|
|
"title": "Experimenting with C2 Functionality in brbbot.exe",
|
|
"sample": "brbbot.exe",
|
|
"analysis_type": "behavioral",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "httpd",
|
|
"platform": "linux",
|
|
"purpose": "Serve C2 commands via ads.php"
|
|
},
|
|
{
|
|
"tool_id": "wireshark",
|
|
"platform": "linux",
|
|
"purpose": "Observe C2 request/response traffic"
|
|
},
|
|
{
|
|
"tool_id": "system-informer",
|
|
"platform": "windows",
|
|
"purpose": "Monitor process spawning from C2 commands"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"c2-command-testing",
|
|
"beaconing-analysis",
|
|
"command-execution-monitoring"
|
|
],
|
|
"prerequisite_labs": [
|
|
"1.3",
|
|
"1.5"
|
|
],
|
|
"tags": [
|
|
"c2",
|
|
"behavioral",
|
|
"command-control"
|
|
]
|
|
},
|
|
{
|
|
"id": "1.7",
|
|
"section": 1,
|
|
"title": "Intercepting HTTPS Connections Initiated by ghyte.exe",
|
|
"sample": "ghyte.exe",
|
|
"analysis_type": "network-interception",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "wireshark",
|
|
"platform": "linux",
|
|
"purpose": "Capture initial network traffic"
|
|
},
|
|
{
|
|
"tool_id": "fakedns",
|
|
"platform": "linux",
|
|
"purpose": "Redirect DNS for HTTPS interception"
|
|
},
|
|
{
|
|
"tool_id": "system-informer",
|
|
"platform": "windows",
|
|
"purpose": "Monitor malware process"
|
|
},
|
|
{
|
|
"tool_id": "inetsim",
|
|
"platform": "linux",
|
|
"purpose": "Emulate HTTPS and other internet services"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"https-interception",
|
|
"service-emulation",
|
|
"tls-analysis"
|
|
],
|
|
"prerequisite_labs": [
|
|
"1.1"
|
|
],
|
|
"tags": [
|
|
"network",
|
|
"https",
|
|
"inetsim",
|
|
"interception"
|
|
]
|
|
},
|
|
{
|
|
"id": "1.8",
|
|
"section": 1,
|
|
"title": "Intercepting IP Address-Based Traffic Using iptables",
|
|
"sample": "getdown.exe",
|
|
"analysis_type": "network-interception",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "wireshark",
|
|
"platform": "linux",
|
|
"purpose": "Capture network traffic"
|
|
},
|
|
{
|
|
"tool_id": "system-informer",
|
|
"platform": "windows",
|
|
"purpose": "Monitor malware process"
|
|
},
|
|
{
|
|
"tool_id": "httpd",
|
|
"platform": "linux",
|
|
"purpose": "Serve responses to redirected traffic"
|
|
},
|
|
{
|
|
"tool_id": "iptables",
|
|
"platform": "linux",
|
|
"purpose": "Redirect traffic sent to hard-coded IP addresses (no DNS lookup for fakedns to spoof) to REMnux via NAT rules"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"iptables-redirection",
|
|
"ip-based-interception",
|
|
"nat-rules"
|
|
],
|
|
"prerequisite_labs": [
|
|
"1.3"
|
|
],
|
|
"tags": [
|
|
"network",
|
|
"iptables",
|
|
"traffic-redirection"
|
|
]
|
|
},
|
|
{
|
|
"id": "2.1",
|
|
"section": 2,
|
|
"title": "Intro to Assembly and Ghidra",
|
|
"sample": "svchost.exe",
|
|
"analysis_type": "code-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "ghidra",
|
|
"platform": "windows",
|
|
"purpose": "Disassemble and decompile \u2014 navigate function graphs, symbol trees, imports"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"ghidra-navigation",
|
|
"function-graph",
|
|
"import-analysis",
|
|
"cross-references",
|
|
"equate-constants",
|
|
"commenting"
|
|
],
|
|
"tags": [
|
|
"assembly",
|
|
"ghidra",
|
|
"code-analysis",
|
|
"fundamentals"
|
|
]
|
|
},
|
|
{
|
|
"id": "2.2",
|
|
"section": 2,
|
|
"title": "HTTP C2 Analysis",
|
|
"sample": "svchost.exe",
|
|
"analysis_type": "code-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "ghidra",
|
|
"platform": "windows",
|
|
"purpose": "Analyze HTTP C2 code patterns and API usage"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"http-api-identification",
|
|
"data-type-archives",
|
|
"parameter-analysis",
|
|
"function-renaming"
|
|
],
|
|
"prerequisite_labs": [
|
|
"2.1"
|
|
],
|
|
"tags": [
|
|
"c2",
|
|
"http",
|
|
"api-patterns",
|
|
"ghidra"
|
|
]
|
|
},
|
|
{
|
|
"id": "2.3",
|
|
"section": 2,
|
|
"title": "Function Components, Part 1",
|
|
"sample": "svchost.exe",
|
|
"analysis_type": "code-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "ghidra",
|
|
"platform": "windows",
|
|
"purpose": "Analyze function prologue, epilogue, stack frames, and local variables"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"function-prologue",
|
|
"function-epilogue",
|
|
"stack-frame",
|
|
"local-variables"
|
|
],
|
|
"prerequisite_labs": [
|
|
"2.1"
|
|
],
|
|
"tags": [
|
|
"assembly",
|
|
"functions",
|
|
"stack",
|
|
"ghidra"
|
|
]
|
|
},
|
|
{
|
|
"id": "2.4",
|
|
"section": 2,
|
|
"title": "Function Components, Part 2",
|
|
"sample": "svchost.exe",
|
|
"analysis_type": "code-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "ghidra",
|
|
"platform": "windows",
|
|
"purpose": "Analyze function parameters, calling conventions, and return values"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"calling-conventions",
|
|
"parameter-passing",
|
|
"return-values"
|
|
],
|
|
"prerequisite_labs": [
|
|
"2.3"
|
|
],
|
|
"tags": [
|
|
"assembly",
|
|
"functions",
|
|
"calling-conventions",
|
|
"ghidra"
|
|
]
|
|
},
|
|
{
|
|
"id": "2.5",
|
|
"section": 2,
|
|
"title": "Loop Components",
|
|
"sample": "svchost.exe",
|
|
"analysis_type": "code-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "ghidra",
|
|
"platform": "windows",
|
|
"purpose": "Identify loops using string references and control flow analysis"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"string-references",
|
|
"loop-identification",
|
|
"control-flow"
|
|
],
|
|
"prerequisite_labs": [
|
|
"2.1"
|
|
],
|
|
"tags": [
|
|
"assembly",
|
|
"loops",
|
|
"control-flow",
|
|
"ghidra"
|
|
]
|
|
},
|
|
{
|
|
"id": "2.6",
|
|
"section": 2,
|
|
"title": "Compound Expressions",
|
|
"sample": "svchost.exe",
|
|
"analysis_type": "code-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "ghidra",
|
|
"platform": "windows",
|
|
"purpose": "Analyze complex conditional logic and nested decisions"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"compound-conditions",
|
|
"nested-logic",
|
|
"decompiler-interpretation"
|
|
],
|
|
"prerequisite_labs": [
|
|
"2.1"
|
|
],
|
|
"tags": [
|
|
"assembly",
|
|
"conditionals",
|
|
"ghidra"
|
|
]
|
|
},
|
|
{
|
|
"id": "2.7",
|
|
"section": 2,
|
|
"title": "Dropper Analysis",
|
|
"sample": "ishelp.dll",
|
|
"analysis_type": "code-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "pestudio",
|
|
"platform": "windows",
|
|
"purpose": "Confirm DLL type and examine exports"
|
|
},
|
|
{
|
|
"tool_id": "ghidra",
|
|
"platform": "windows",
|
|
"purpose": "Analyze resource extraction and file dropping code"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"dll-analysis",
|
|
"exported-functions",
|
|
"resource-extraction",
|
|
"file-dropping"
|
|
],
|
|
"prerequisite_labs": [
|
|
"2.1"
|
|
],
|
|
"tags": [
|
|
"dropper",
|
|
"dll",
|
|
"resources",
|
|
"ghidra"
|
|
]
|
|
},
|
|
{
|
|
"id": "2.8",
|
|
"section": 2,
|
|
"title": "Intro to 64-bit Code Analysis",
|
|
"sample": "64-bit specimen",
|
|
"analysis_type": "code-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "ghidra",
|
|
"platform": "windows",
|
|
"purpose": "Analyze 64-bit calling conventions and register usage"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"x64-calling-convention",
|
|
"register-usage",
|
|
"schtasks-persistence"
|
|
],
|
|
"prerequisite_labs": [
|
|
"2.1"
|
|
],
|
|
"tags": [
|
|
"64-bit",
|
|
"assembly",
|
|
"x64",
|
|
"ghidra"
|
|
]
|
|
},
|
|
{
|
|
"id": "3.1",
|
|
"section": 3,
|
|
"title": "Examining steel1.pdf with pdf-parser.py",
|
|
"sample": "steel1.pdf",
|
|
"analysis_type": "pdf-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "unzip",
|
|
"platform": "linux",
|
|
"purpose": "Extract sample from archive"
|
|
},
|
|
{
|
|
"tool_id": "pdfid-py",
|
|
"platform": "linux",
|
|
"purpose": "Scan for suspicious PDF keywords (/URI, /JavaScript, /OpenAction)"
|
|
},
|
|
{
|
|
"tool_id": "pdf-parser-py",
|
|
"platform": "linux",
|
|
"purpose": "Parse PDF objects, extract URLs, and dump embedded images"
|
|
},
|
|
{
|
|
"tool_id": "feh",
|
|
"platform": "linux",
|
|
"purpose": "View extracted image from PDF object"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"pdf-keyword-scanning",
|
|
"object-extraction",
|
|
"url-extraction",
|
|
"embedded-image-analysis"
|
|
],
|
|
"tags": [
|
|
"pdf",
|
|
"phishing",
|
|
"static-analysis"
|
|
]
|
|
},
|
|
{
|
|
"id": "3.2",
|
|
"section": 3,
|
|
"title": "Investigating the 'crophysi' Website with Fiddler",
|
|
"sample": "crophysi website",
|
|
"analysis_type": "web-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "fiddler",
|
|
"platform": "windows",
|
|
"purpose": "Load and analyze captured HTTP/HTTPS traffic"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"redirection-chain-analysis",
|
|
"http-request-inspection",
|
|
"payload-extraction"
|
|
],
|
|
"tags": [
|
|
"web",
|
|
"http",
|
|
"fiddler",
|
|
"traffic-analysis"
|
|
]
|
|
},
|
|
{
|
|
"id": "3.3",
|
|
"section": 3,
|
|
"title": "Analyzing mydoc.docm with oledump.py",
|
|
"sample": "mydoc.docm",
|
|
"analysis_type": "document-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "unzip",
|
|
"platform": "linux",
|
|
"purpose": "Extract sample from archive"
|
|
},
|
|
{
|
|
"tool_id": "trid",
|
|
"platform": "linux",
|
|
"purpose": "Identify file format (OOXML)"
|
|
},
|
|
{
|
|
"tool_id": "oledump-py",
|
|
"platform": "linux",
|
|
"purpose": "List OLE streams and extract VBA macros"
|
|
},
|
|
{
|
|
"tool_id": "numbers-to-string-py",
|
|
"platform": "linux",
|
|
"purpose": "Convert decimal sequences to readable strings"
|
|
},
|
|
{
|
|
"tool_id": "visual-studio-code",
|
|
"platform": "linux",
|
|
"purpose": "View extracted macro code"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"file-format-identification",
|
|
"ole-stream-analysis",
|
|
"vba-macro-extraction",
|
|
"string-decoding"
|
|
],
|
|
"tags": [
|
|
"office",
|
|
"vba",
|
|
"macro",
|
|
"oledump"
|
|
]
|
|
},
|
|
{
|
|
"id": "3.4",
|
|
"section": 3,
|
|
"title": "Analyzing PowerShell and Shellcode Artifacts in checkbox.doc",
|
|
"sample": "checkbox.doc",
|
|
"analysis_type": "document-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "unzip",
|
|
"platform": "linux",
|
|
"purpose": "Extract sample"
|
|
},
|
|
{
|
|
"tool_id": "file",
|
|
"platform": "linux",
|
|
"purpose": "Identify file type"
|
|
},
|
|
{
|
|
"tool_id": "trid",
|
|
"platform": "linux",
|
|
"purpose": "Confirm OLE2 format"
|
|
},
|
|
{
|
|
"tool_id": "oledump-py",
|
|
"platform": "linux",
|
|
"purpose": "Extract OLE streams and identify macro streams"
|
|
},
|
|
{
|
|
"tool_id": "base64dump-py",
|
|
"platform": "linux",
|
|
"purpose": "Decode Base64-encoded PowerShell from UserForm"
|
|
},
|
|
{
|
|
"tool_id": "gunzip",
|
|
"platform": "linux",
|
|
"purpose": "Decompress gzipped payload"
|
|
},
|
|
{
|
|
"tool_id": "translate-py",
|
|
"platform": "linux",
|
|
"purpose": "XOR decode shellcode (byte ^ 35)"
|
|
},
|
|
{
|
|
"tool_id": "strings",
|
|
"platform": "linux",
|
|
"purpose": "Extract strings from decoded shellcode"
|
|
},
|
|
{
|
|
"tool_id": "scdbgc",
|
|
"platform": "linux",
|
|
"purpose": "Emulate shellcode to identify behavior"
|
|
},
|
|
{
|
|
"tool_id": "yara",
|
|
"platform": "linux",
|
|
"purpose": "Scan for known malware patterns"
|
|
},
|
|
{
|
|
"tool_id": "1768-py",
|
|
"platform": "linux",
|
|
"purpose": "Parse Cobalt Strike beacon configuration"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"multi-stage-decoding",
|
|
"base64-gunzip-xor-chain",
|
|
"shellcode-emulation",
|
|
"cobalt-strike-identification"
|
|
],
|
|
"prerequisite_labs": [
|
|
"3.3"
|
|
],
|
|
"tags": [
|
|
"office",
|
|
"powershell",
|
|
"shellcode",
|
|
"cobalt-strike",
|
|
"multi-stage"
|
|
]
|
|
},
|
|
{
|
|
"id": "3.5",
|
|
"section": 3,
|
|
"title": "Examining qa.doc With rtfdump.py, scdbgc, and runsc",
|
|
"sample": "qa.doc",
|
|
"analysis_type": "document-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "unzip",
|
|
"platform": "linux",
|
|
"purpose": "Extract sample"
|
|
},
|
|
{
|
|
"tool_id": "file",
|
|
"platform": "linux",
|
|
"purpose": "Identify RTF format"
|
|
},
|
|
{
|
|
"tool_id": "rtfdump-py",
|
|
"platform": "linux",
|
|
"purpose": "Parse RTF structure, locate hex-encoded embedded objects"
|
|
},
|
|
{
|
|
"tool_id": "xorsearch",
|
|
"platform": "linux",
|
|
"purpose": "Detect shellcode patterns in extracted binary"
|
|
},
|
|
{
|
|
"tool_id": "scdbgc",
|
|
"platform": "linux",
|
|
"purpose": "Emulate extracted shellcode"
|
|
},
|
|
{
|
|
"tool_id": "runsc32",
|
|
"platform": "windows",
|
|
"purpose": "Execute the extracted shellcode natively for dynamic analysis (this detonates the payload; run only in the isolated Windows VM)"
|
|
},
|
|
{
|
|
"tool_id": "x32dbg",
|
|
"platform": "windows",
|
|
"purpose": "Debug shellcode execution"
|
|
},
|
|
{
|
|
"tool_id": "rar",
|
|
"platform": "linux",
|
|
"purpose": "Extract the payloads bundled in the self-extracting RAR (SFX) archive without running its executable stub"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"rtf-structure-analysis",
|
|
"shellcode-detection",
|
|
"shellcode-emulation",
|
|
"self-extracting-archive-analysis"
|
|
],
|
|
"prerequisite_labs": [
|
|
"3.4"
|
|
],
|
|
"tags": [
|
|
"rtf",
|
|
"shellcode",
|
|
"exploitation",
|
|
"rar"
|
|
]
|
|
},
|
|
{
|
|
"id": "3.6",
|
|
"section": 3,
|
|
"title": "Deobfuscating loveyou.js with SpiderMonkey",
|
|
"sample": "loveyou.js",
|
|
"analysis_type": "javascript-deobfuscation",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "unzip",
|
|
"platform": "linux",
|
|
"purpose": "Extract sample"
|
|
},
|
|
{
|
|
"tool_id": "js-beautify",
|
|
"platform": "linux",
|
|
"purpose": "Format obfuscated JavaScript for readability"
|
|
},
|
|
{
|
|
"tool_id": "visual-studio-code",
|
|
"platform": "linux",
|
|
"purpose": "Review beautified code"
|
|
},
|
|
{
|
|
"tool_id": "spidermonkey",
|
|
"platform": "linux",
|
|
"purpose": "Execute JavaScript with objects.js to deobfuscate"
|
|
},
|
|
{
|
|
"tool_id": "cscript",
|
|
"platform": "windows",
|
|
"purpose": "Execute the script natively under cscript so AMSI logs its deobfuscated content (this detonates the sample; run only in the isolated Windows VM)"
|
|
},
|
|
{
|
|
"tool_id": "logman",
|
|
"platform": "windows",
|
|
"purpose": "Start AMSI event trace session"
|
|
},
|
|
{
|
|
"tool_id": "amsiscriptcontentretrieval",
|
|
"platform": "windows",
|
|
"purpose": "Extract monitored script content from AMSI logs"
|
|
},
|
|
{
|
|
"tool_id": "notepadpp",
|
|
"platform": "windows",
|
|
"purpose": "View extracted AMSI output"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"javascript-beautification",
|
|
"spidermonkey-execution",
|
|
"objects-js-simulation",
|
|
"amsi-monitoring"
|
|
],
|
|
"tags": [
|
|
"javascript",
|
|
"deobfuscation",
|
|
"spidermonkey",
|
|
"amsi"
|
|
]
|
|
},
|
|
{
|
|
"id": "3.7",
|
|
"section": 3,
|
|
"title": "Deobfuscating fgg.js Using SpiderMonkey",
|
|
"sample": "fgg.js",
|
|
"analysis_type": "javascript-deobfuscation",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "unzip",
|
|
"platform": "linux",
|
|
"purpose": "Extract sample"
|
|
},
|
|
{
|
|
"tool_id": "spidermonkey",
|
|
"platform": "linux",
|
|
"purpose": "Execute JavaScript (identify missing location.href)"
|
|
},
|
|
{
|
|
"tool_id": "visual-studio-code",
|
|
"platform": "linux",
|
|
"purpose": "Edit objects.js to set location.href"
|
|
},
|
|
{
|
|
"tool_id": "spidermonkey",
|
|
"platform": "linux",
|
|
"purpose": "Re-execute with modified objects.js to deobfuscate"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"environment-simulation",
|
|
"objects-js-customization",
|
|
"location-href-spoofing"
|
|
],
|
|
"prerequisite_labs": [
|
|
"3.6"
|
|
],
|
|
"tags": [
|
|
"javascript",
|
|
"deobfuscation",
|
|
"spidermonkey"
|
|
]
|
|
},
|
|
{
|
|
"id": "3.8",
|
|
"section": 3,
|
|
"title": "Decoding the Initial Script with Fiddler and CyberChef",
|
|
"sample": "roomsvisitor.saz",
|
|
"analysis_type": "web-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "fiddler",
|
|
"platform": "windows",
|
|
"purpose": "Load captured HTTP traffic and follow redirect chain"
|
|
},
|
|
{
|
|
"tool_id": "notepadpp",
|
|
"platform": "windows",
|
|
"purpose": "View Base64-encoded PowerShell command"
|
|
},
|
|
{
|
|
"tool_id": "cyberchef",
|
|
"platform": "both",
|
|
"purpose": "Decode Base64 and UTF-16LE to reveal PowerShell"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"redirect-chain-analysis",
|
|
"base64-decoding",
|
|
"utf16-decoding",
|
|
"powershell-extraction"
|
|
],
|
|
"prerequisite_labs": [
|
|
"3.2"
|
|
],
|
|
"tags": [
|
|
"web",
|
|
"base64",
|
|
"powershell",
|
|
"cyberchef"
|
|
]
|
|
},
|
|
{
|
|
"id": "3.9",
|
|
"section": 3,
|
|
"title": "Decoding wrcaf.ps1 With Fiddler and PowerShell ISE",
|
|
"sample": "wrcaf.ps1",
|
|
"analysis_type": "powershell-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "fiddler",
|
|
"platform": "windows",
|
|
"purpose": "Extract PowerShell script from HTTP traffic"
|
|
},
|
|
{
|
|
"tool_id": "notepadpp",
|
|
"platform": "windows",
|
|
"purpose": "Initial script viewing"
|
|
},
|
|
{
|
|
"tool_id": "powershell-ise",
|
|
"platform": "windows",
|
|
"purpose": "Debug script with breakpoints to extract decoded payload"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"powershell-debugging",
|
|
"breakpoint-usage",
|
|
"variable-extraction",
|
|
"invoke-expression-interception"
|
|
],
|
|
"prerequisite_labs": [
|
|
"3.8"
|
|
],
|
|
"tags": [
|
|
"powershell",
|
|
"debugging",
|
|
"deobfuscation"
|
|
]
|
|
},
|
|
{
|
|
"id": "3.10",
|
|
"section": 3,
|
|
"title": "Examining Package.exe and iviewers.dll with PeStudio and x32dbg",
|
|
"sample": "Package.exe, iviewers.dll",
|
|
"analysis_type": "code-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "fiddler",
|
|
"platform": "windows",
|
|
"purpose": "Extract Package.exe from HTTP traffic"
|
|
},
|
|
{
|
|
"tool_id": "pestudio",
|
|
"platform": "windows",
|
|
"purpose": "Examine digital signature and PE properties"
|
|
},
|
|
{
|
|
"tool_id": "x32dbg",
|
|
"platform": "windows",
|
|
"purpose": "Debug DLL loading and CreateProcessW calls"
|
|
},
|
|
{
|
|
"tool_id": "notepadpp",
|
|
"platform": "windows",
|
|
"purpose": "View extracted PowerShell command parameters"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"digital-signature-analysis",
|
|
"dll-sideloading",
|
|
"createprocess-breakpoints",
|
|
"multi-stage-payload"
|
|
],
|
|
"prerequisite_labs": [
|
|
"3.9"
|
|
],
|
|
"tags": [
|
|
"dll",
|
|
"debugging",
|
|
"digital-signature",
|
|
"sideloading"
|
|
]
|
|
},
|
|
{
|
|
"id": "3.11",
|
|
"section": 3,
|
|
"title": "Decoding iubn.ps1 With Fiddler and PowerShell ISE",
|
|
"sample": "iubn.ps1",
|
|
"analysis_type": "powershell-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "fiddler",
|
|
"platform": "windows",
|
|
"purpose": "Extract PowerShell script from HTTP traffic"
|
|
},
|
|
{
|
|
"tool_id": "notepadpp",
|
|
"platform": "windows",
|
|
"purpose": "Initial script examination"
|
|
},
|
|
{
|
|
"tool_id": "powershell-ise",
|
|
"platform": "windows",
|
|
"purpose": "Debug and decode layered PowerShell"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"powershell-debugging",
|
|
"invoke-expression-interception",
|
|
"out-file-extraction",
|
|
"dotnet-assembly-download"
|
|
],
|
|
"prerequisite_labs": [
|
|
"3.10"
|
|
],
|
|
"tags": [
|
|
"powershell",
|
|
"debugging",
|
|
"dotnet-loading"
|
|
]
|
|
},
|
|
{
|
|
"id": "3.12",
|
|
"section": 3,
|
|
"title": "Analyzing rwvg1.exe and its Artifacts with ILSpy and CyberChef",
|
|
"sample": "rwvg1.exe, ersyb.exe",
|
|
"analysis_type": "dotnet-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "fiddler",
|
|
"platform": "windows",
|
|
"purpose": "Extract .NET assembly from HTTP traffic"
|
|
},
|
|
{
|
|
"tool_id": "pestudio",
|
|
"platform": "windows",
|
|
"purpose": "Confirm .NET assembly"
|
|
},
|
|
{
|
|
"tool_id": "ilspy",
|
|
"platform": "windows",
|
|
"purpose": "Decompile .NET to view C# source code"
|
|
},
|
|
{
|
|
"tool_id": "cyberchef",
|
|
"platform": "both",
|
|
"purpose": "Decode Base64 + XOR payload"
|
|
},
|
|
{
|
|
"tool_id": "exeinfo-pe",
|
|
"platform": "windows",
|
|
"purpose": "Identify second-stage .NET binary"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"dotnet-decompilation",
|
|
"runtime-compilation-analysis",
|
|
"base64-xor-decoding",
|
|
"csharpcodeprovider-analysis"
|
|
],
|
|
"prerequisite_labs": [
|
|
"3.11"
|
|
],
|
|
"tags": [
|
|
"dotnet",
|
|
"decompilation",
|
|
"cyberchef",
|
|
"multi-stage"
|
|
]
|
|
},
|
|
{
|
|
"id": "4.1",
|
|
"section": 4,
|
|
"title": "Assessing the Packed brbbot.exe File",
|
|
"sample": "brbbot.exe (packed)",
|
|
"analysis_type": "unpacking",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "unzip",
|
|
"platform": "linux",
|
|
"purpose": "Extract packed sample"
|
|
},
|
|
{
|
|
"tool_id": "pestudio",
|
|
"platform": "windows",
|
|
"purpose": "Examine entropy, sections, and packing indicators"
|
|
},
|
|
{
|
|
"tool_id": "diec",
|
|
"platform": "linux",
|
|
"purpose": "Identify packer (UPX detection)"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"entropy-analysis",
|
|
"section-examination",
|
|
"packer-identification"
|
|
],
|
|
"tags": [
|
|
"packing",
|
|
"entropy",
|
|
"detection",
|
|
"triage"
|
|
]
|
|
},
|
|
{
|
|
"id": "4.2",
|
|
"section": 4,
|
|
"title": "Dumping and Fixing brbbot.exe Using Scylla",
|
|
"sample": "brbbot.exe (packed)",
|
|
"analysis_type": "unpacking",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "upx",
|
|
"platform": "linux",
|
|
"purpose": "Attempt automated unpacking (fails \u2014 modified UPX)"
|
|
},
|
|
{
|
|
"tool_id": "setdllcharacteristics",
|
|
"platform": "windows",
|
|
"purpose": "Disable ASLR by clearing the DYNAMIC_BASE DllCharacteristics flag so memory addresses stay consistent between runs"
|
|
},
|
|
{
|
|
"tool_id": "system-informer",
|
|
"platform": "windows",
|
|
"purpose": "Verify process is running after infection"
|
|
},
|
|
{
|
|
"tool_id": "scylla",
|
|
"platform": "windows",
|
|
"purpose": "Dump unpacked process from memory and fix IAT"
|
|
},
|
|
{
|
|
"tool_id": "pestudio",
|
|
"platform": "windows",
|
|
"purpose": "Verify dumped file is valid PE"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"aslr-disabling",
|
|
"process-dumping",
|
|
"iat-reconstruction",
|
|
"scylla-workflow"
|
|
],
|
|
"prerequisite_labs": [
|
|
"4.1"
|
|
],
|
|
"tags": [
|
|
"unpacking",
|
|
"scylla",
|
|
"iat",
|
|
"memory-dump"
|
|
]
|
|
},
|
|
{
|
|
"id": "4.3",
|
|
"section": 4,
|
|
"title": "Unpacking brbbot.exe by Using x64dbg and OllyDumpEx",
|
|
"sample": "brbbot.exe (packed)",
|
|
"analysis_type": "unpacking",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "x64dbg",
|
|
"platform": "windows",
|
|
"purpose": "Debug to locate unpacker JMP to OEP"
|
|
},
|
|
{
|
|
"tool_id": "ollydumpex",
|
|
"platform": "windows",
|
|
"purpose": "Dump unpacked process from within debugger"
|
|
},
|
|
{
|
|
"tool_id": "scylla",
|
|
"platform": "windows",
|
|
"purpose": "Fix IAT in dumped executable (as x64dbg plugin)"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"oep-detection",
|
|
"unpacker-breakpoints",
|
|
"memory-dumping",
|
|
"iat-fixing"
|
|
],
|
|
"prerequisite_labs": [
|
|
"4.1"
|
|
],
|
|
"tags": [
|
|
"unpacking",
|
|
"debugger",
|
|
"oep",
|
|
"ollydumpex"
|
|
]
|
|
},
|
|
{
|
|
"id": "4.4",
|
|
"section": 4,
|
|
"title": "Debugging the Packed Version of brbbot.exe",
|
|
"sample": "brbbot.exe (packed)",
|
|
"analysis_type": "debugging",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "x64dbg",
|
|
"platform": "windows",
|
|
"purpose": "Set hardware breakpoints on CryptDecrypt to analyze packed runtime behavior"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"hardware-breakpoints",
|
|
"api-interception",
|
|
"packed-runtime-analysis"
|
|
],
|
|
"prerequisite_labs": [
|
|
"4.1"
|
|
],
|
|
"tags": [
|
|
"debugging",
|
|
"packed-malware",
|
|
"hardware-breakpoints"
|
|
]
|
|
},
|
|
{
|
|
"id": "4.5",
|
|
"section": 4,
|
|
"title": "Analyzing Multi-Technology Specimen PDFXCview.exe",
|
|
"sample": "PDFXCview.exe",
|
|
"analysis_type": "code-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "system-informer",
|
|
"platform": "windows",
|
|
"purpose": "Monitor process creation and child processes"
|
|
},
|
|
{
|
|
"tool_id": "process-monitor",
|
|
"platform": "windows",
|
|
"purpose": "Capture file system and registry activity"
|
|
},
|
|
{
|
|
"tool_id": "procdot",
|
|
"platform": "windows",
|
|
"purpose": "Visualize multi-stage execution"
|
|
},
|
|
{
|
|
"tool_id": "regedit",
|
|
"platform": "windows",
|
|
"purpose": "Examine registry keys created by malware"
|
|
},
|
|
{
|
|
"tool_id": "reg-export",
|
|
"platform": "windows",
|
|
"purpose": "Extract JavaScript stored in registry to file"
|
|
},
|
|
{
|
|
"tool_id": "winscp",
|
|
"platform": "windows",
|
|
"purpose": "Transfer artifacts to REMnux for analysis"
|
|
},
|
|
{
|
|
"tool_id": "spidermonkey",
|
|
"platform": "linux",
|
|
"purpose": "Deobfuscate JavaScript component"
|
|
},
|
|
{
|
|
"tool_id": "js-beautify",
|
|
"platform": "linux",
|
|
"purpose": "Format decoded JavaScript for readability"
|
|
},
|
|
{
|
|
"tool_id": "visual-studio-code",
|
|
"platform": "linux",
|
|
"purpose": "View and analyze decoded scripts"
|
|
},
|
|
{
|
|
"tool_id": "base64dump-py",
|
|
"platform": "linux",
|
|
"purpose": "Decode Base64-encoded payloads"
|
|
},
|
|
{
|
|
"tool_id": "notepadpp",
|
|
"platform": "windows",
|
|
"purpose": "View decoded scripts"
|
|
},
|
|
{
|
|
"tool_id": "powershell-ise",
|
|
"platform": "windows",
|
|
"purpose": "Debug PowerShell component"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"multi-technology-analysis",
|
|
"registry-based-malware",
|
|
"fileless-techniques",
|
|
"cross-platform-workflow"
|
|
],
|
|
"tags": [
|
|
"multi-stage",
|
|
"javascript",
|
|
"powershell",
|
|
"behavioral"
|
|
]
|
|
},
|
|
{
|
|
"id": "4.6",
|
|
"section": 4,
|
|
"title": "Examining Capabilities of Shellcode Used by PDFXCview.exe",
|
|
"sample": "Shellcode from PDFXCview.exe",
|
|
"analysis_type": "shellcode-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "scdbgc",
|
|
"platform": "both",
|
|
"purpose": "Emulate shellcode to identify API calls"
|
|
},
|
|
{
|
|
"tool_id": "runsc32",
|
|
"platform": "windows",
|
|
"purpose": "Execute the shellcode natively for dynamic analysis (this detonates the payload; run only in the isolated Windows VM)"
|
|
},
|
|
{
|
|
"tool_id": "x32dbg",
|
|
"platform": "windows",
|
|
"purpose": "Debug shellcode execution and examine parameters"
|
|
}
|
|
],
|
|
"key_techniques": [
|
|
"shellcode-emulation",
|
|
"shellcode-debugging",
|
|
"api-parameter-analysis"
|
|
],
|
|
"prerequisite_labs": [
|
|
"4.5"
|
|
],
|
|
"tags": [
|
|
"shellcode",
|
|
"emulation",
|
|
"debugging"
|
|
]
|
|
},
|
|
{
|
|
"id": "4.7",
|
|
"section": 4,
|
|
"title": "Unpacking Shellcode That Was Used by PDFXCview.exe",
|
|
"sample": "Shellcode from PDFXCview.exe",
|
|
"analysis_type": "shellcode-analysis",
|
|
"tools_used": [
|
|
{
|
|
"tool_id": "x32dbg",
|
|
"platform": "windows",
|
|
"purpose": "Set breakpoints on VirtualAlloc to track memory allocation"
|
|
},
|
|
{
|
|
"tool_id": "pestudio",
|
|
"platform": "windows",
"purpose": "Verify dumped PE from allocated memory"
}
],
"key_techniques": [
"virtualalloc-breakpoints",
"multi-stage-shellcode",
"memory-dumping"
],
"prerequisite_labs": [
"4.6"
],
"tags": [
"shellcode",
"unpacking",
"virtualalloc"
]
},
{
"id": "4.8",
"section": 4,
"title": "Examining .NET Malware chatroom.exe",
"sample": "chatroom.exe",
"analysis_type": "dotnet-analysis",
"tools_used": [
{
"tool_id": "unzip",
"platform": "linux",
"purpose": "Extract sample"
},
{
"tool_id": "peframe",
"platform": "linux",
"purpose": "Identify the sample as .NET and flag its high entropy as a sign of packing"
},
{
"tool_id": "pestr",
"platform": "linux",
"purpose": "Extract strings"
},
{
"tool_id": "ilspycmd",
"platform": "linux",
"purpose": "Decompile .NET assembly on command line"
},
{
"tool_id": "visual-studio-code",
"platform": "linux",
"purpose": "Search decompiled code for Assembly.Load"
},
{
"tool_id": "dnspyex",
"platform": "windows",
"purpose": "Debug .NET with breakpoints to extract in-memory assembly"
},
{
"tool_id": "pestudio",
"platform": "windows",
"purpose": "Examine dumped assembly"
},
{
"tool_id": "ilspy",
"platform": "windows",
"purpose": "Decompile dumped assembly"
},
{
"tool_id": "de4dot",
"platform": "windows",
"purpose": "Deobfuscate .NET assembly"
}
],
"key_techniques": [
"dotnet-decompilation",
"reflective-loading-detection",
"assembly-load-breakpoints",
"in-memory-dumping",
"dotnet-deobfuscation"
],
"tags": [
"dotnet",
"debugging",
"deobfuscation",
"reflective-loading"
]
},
{
"id": "4.9",
"section": 4,
"title": "Examining Code Injection Capabilities of great.exe",
"sample": "great.exe",
"analysis_type": "code-injection",
"tools_used": [
{
"tool_id": "ghidra",
"platform": "windows",
"purpose": "Analyze CreateRemoteThread, VirtualAllocEx, and process enumeration code"
}
],
"key_techniques": [
"createremotethread-analysis",
"virtualallocex-identification",
"process-enumeration",
"createtoolhelp32snapshot"
],
"prerequisite_labs": [
"2.1"
],
"tags": [
"code-injection",
"api-analysis",
"ghidra"
]
},
{
"id": "5.1",
"section": 5,
"title": "Patching getdown.exe to Bypass Debugger Detection",
"sample": "getdown.exe",
"analysis_type": "anti-analysis",
"tools_used": [
{
"tool_id": "wireshark",
"platform": "linux",
"purpose": "Monitor network traffic"
},
{
"tool_id": "system-informer",
"platform": "windows",
"purpose": "Monitor process behavior"
},
{
"tool_id": "x64dbg",
"platform": "windows",
"purpose": "Identify and patch IsDebuggerPresent check"
}
],
"key_techniques": [
"isdebuggerpresent-bypass",
"instruction-patching",
"conditional-jump-modification"
],
"tags": [
"anti-debugging",
"patching",
"isdebuggerpresent"
]
},
{
"id": "5.2",
"section": 5,
"title": "Deobfuscating Strings Encoded Using Simple and Common Algorithms",
"sample": "getdown.exe, hubert.dll, 9.exe",
"analysis_type": "string-deobfuscation",
"tools_used": [
{
"tool_id": "unzip",
"platform": "linux",
"purpose": "Extract samples"
},
{
"tool_id": "xorsearch",
"platform": "linux",
"purpose": "Search for XOR-encoded patterns"
},
{
"tool_id": "strings",
"platform": "linux",
"purpose": "Extract readable strings"
},
{
"tool_id": "brxor-py",
"platform": "linux",
"purpose": "Brute-force XOR key detection"
},
{
"tool_id": "bbcrack",
"platform": "linux",
"purpose": "Detect XOR/ROL/ADD obfuscation algorithms"
},
{
"tool_id": "ghidra",
"platform": "windows",
"purpose": "Analyze deobfuscation routines in code"
},
{
"tool_id": "strdeob-pl",
"platform": "linux",
"purpose": "Decode stack-built strings"
},
{
"tool_id": "floss",
"platform": "linux",
"purpose": "Automatically extract all obfuscated strings"
},
{
"tool_id": "visual-studio-code",
"platform": "linux",
"purpose": "View deobfuscation results"
}
],
"key_techniques": [
"xor-brute-forcing",
"stack-string-decoding",
"automated-string-extraction",
"obfuscation-algorithm-identification"
],
"prerequisite_labs": [
"2.1"
],
"tags": [
"strings",
"xor",
"deobfuscation",
"floss"
]
},
{
"id": "5.3",
"section": 5,
"title": "Unpacking drtg.exe",
"sample": "drtg.exe",
"analysis_type": "unpacking",
"tools_used": [
{
"tool_id": "unzip",
"platform": "linux",
"purpose": "Extract sample"
},
{
"tool_id": "floss",
"platform": "linux",
"purpose": "Extract strings to assess packing"
},
{
"tool_id": "visual-studio-code",
"platform": "linux",
"purpose": "View FLOSS output"
},
{
"tool_id": "x32dbg",
"platform": "windows",
"purpose": "Debug with breakpoints set on RtlDecompressBuffer"
},
{
"tool_id": "scyllahide",
"platform": "windows",
"purpose": "Hide debugger from anti-debugging checks"
},
{
"tool_id": "pestudio",
"platform": "windows",
"purpose": "Verify unpacked dump"
}
],
"key_techniques": [
"rtldecompressbuffer-interception",
"debugger-hiding",
"exception-configuration",
"memory-dumping"
],
"prerequisite_labs": [
"5.2"
],
"tags": [
"unpacking",
"anti-debugging",
"decompression"
]
},
{
"id": "5.4",
"section": 5,
"title": "Unpacking WinHost32.exe",
"sample": "WinHost32.exe",
"analysis_type": "unpacking",
"tools_used": [
{
"tool_id": "unzip",
"platform": "linux",
"purpose": "Extract sample"
},
{
"tool_id": "capa",
"platform": "linux",
"purpose": "Identify process hollowing capability"
},
{
"tool_id": "ghidra",
"platform": "windows",
"purpose": "Analyze the CreateProcess (CREATE_SUSPENDED), VirtualAllocEx, and WriteProcessMemory call sequence"
},
{
"tool_id": "x32dbg",
"platform": "windows",
"purpose": "Set breakpoint on WriteProcessMemory to catch injected PE"
},
{
"tool_id": "pestudio",
"platform": "windows",
"purpose": "Verify dumped PE from process hollowing"
}
],
"key_techniques": [
"process-hollowing-detection",
"create-suspended-analysis",
"writeprocessmemory-breakpoints",
"ntunmapviewofsection"
],
"prerequisite_labs": [
"5.3"
],
"tags": [
"process-hollowing",
"code-injection",
"unpacking"
]
},
{
"id": "5.5",
"section": 5,
"title": "Examining the Anti-Sandbox Defensive Capability of vbprop.exe",
"sample": "vbprop.exe",
"analysis_type": "anti-analysis",
"tools_used": [
{
"tool_id": "ghidra",
"platform": "windows",
"purpose": "Analyze SetWindowsHookExA for mouse event interception"
},
{
"tool_id": "x32dbg",
"platform": "windows",
"purpose": "Debug hook installation and handler"
}
],
"key_techniques": [
"setwindowshookex-analysis",
"mouse-hook-detection",
"sandbox-evasion"
],
"prerequisite_labs": [
"2.1"
],
"tags": [
"anti-sandbox",
"hooks",
"evasion"
]
},
{
"id": "5.6",
"section": 5,
"title": "Examining the Toolkit Detection Capabilities of raas.exe",
"sample": "raas.exe",
"analysis_type": "anti-analysis",
"tools_used": [
{
"tool_id": "x32dbg",
"platform": "windows",
"purpose": "Step through toolkit detection routines"
},
{
"tool_id": "scyllahide",
"platform": "windows",
"purpose": "Hide debugger from detection checks"
}
],
"key_techniques": [
"getmodulehandle-checks",
"findwindow-checks",
"process-enumeration",
"registry-vm-detection",
"blockinput-bypass"
],
"prerequisite_labs": [
"2.1"
],
"tags": [
"anti-analysis",
"toolkit-detection",
"vm-detection"
]
},
{
"id": "5.7",
"section": 5,
"title": "Understanding the SEH Defense in want.exe",
"sample": "want.exe",
"analysis_type": "anti-analysis",
"tools_used": [
{
"tool_id": "x32dbg",
"platform": "windows",
"purpose": "Analyze SEH chain setup and exception handler execution"
}
],
"key_techniques": [
"seh-manipulation",
"exception-handler-analysis",
"fs-segment-usage",
"seh-breakpoints"
],
"prerequisite_labs": [
"2.1"
],
"tags": [
"seh",
"anti-analysis",
"exception-handling"
]
},
{
"id": "5.8",
"section": 5,
"title": "Unpacking want.exe Using a Stack Breakpoint",
"sample": "want.exe",
"analysis_type": "unpacking",
"tools_used": [
{
"tool_id": "x32dbg",
"platform": "windows",
"purpose": "Set stack breakpoint to detect unpacking completion"
},
{
"tool_id": "ollydumpex",
"platform": "windows",
"purpose": "Dump unpacked process from memory"
},
{
"tool_id": "scylla",
"platform": "windows",
"purpose": "Reconstruct IAT in dumped executable"
},
{
"tool_id": "pestudio",
"platform": "windows",
"purpose": "Verify unpacked PE"
}
],
"key_techniques": [
"stack-breakpoints",
"oep-detection-via-stack",
"memory-dumping",
"iat-reconstruction"
],
"prerequisite_labs": [
"5.7"
],
"tags": [
"unpacking",
"stack-breakpoint",
"seh"
]
},
{
"id": "5.9",
"section": 5,
"title": "Bypassing Self-Defensive Measures in lansrv.exe",
"sample": "lansrv.exe",
"analysis_type": "anti-analysis",
"tools_used": [
{
"tool_id": "pestudio",
"platform": "windows",
"purpose": "Identify TLS callback in thread-local-storage section"
},
{
"tool_id": "x32dbg",
"platform": "windows",
"purpose": "Debug TLS callback, patch IsDebuggerPresent, fix GS segment override"
}
],
"key_techniques": [
"tls-callback-analysis",
"isdebuggerpresent-bypass",
"segment-register-patching",
"xor-decoding-loop",
"multi-defense-bypass"
],
"prerequisite_labs": [
"2.1"
],
"tags": [
"tls-callback",
"anti-debugging",
"patching",
"multi-defense"
]
},
{
"id": "5.10",
"section": 5,
"title": "Unpacking yep.exe with the Help of x32dbg and pe_unmapper",
"sample": "yep.exe",
"analysis_type": "unpacking",
"tools_used": [
{
"tool_id": "pestudio",
"platform": "windows",
"purpose": "Initial analysis \u2014 note gibberish strings indicating packing"
},
{
"tool_id": "x32dbg",
"platform": "windows",
"purpose": "Set breakpoints on LoadLibraryA and VirtualProtect"
},
{
"tool_id": "xanalyzer",
"platform": "windows",
"purpose": "Annotate API calls with their parameter values during analysis"
},
{
"tool_id": "pe-unmapper",
"platform": "windows",
"purpose": "Convert virtual-aligned dump to raw alignment"
},
{
"tool_id": "scylla",
"platform": "windows",
"purpose": "Fix IAT in unmapped executable"
}
],
"key_techniques": [
"loadlibrary-breakpoints",
"virtualprotect-breakpoints",
"memory-region-dumping",
"virtual-to-raw-alignment",
"oep-anticipation"
],
"prerequisite_labs": [
"5.8"
],
"tags": [
"unpacking",
"pe-unmapper",
"virtualprotect",
"loadlibrary"
]
}
]
} |