Presentation as a Malware
Challenge description
Solution and Analysis
The challenge provides a password-protected archive containing a malicious PowerPoint file. The first step is to extract the file; then we can begin the analysis and answer the questions.
Question 1 What was the general name / category of the malicious file in the analyzed ppt file?
To identify the malware, we first calculate its MD5 hash. This unique identifier allows us to check for existing analysis in databases like VirusTotal.
md5sum PO#00187.ppt
1dadb4c3fe45566d28b7156be2e2aa6b PO#00187.ppt
Submitting the hash 1dadb4c3fe45566d28b7156be2e2aa6b to VirusTotal shows that the file has been analyzed before. The detection names from various antivirus engines give us a general classification.
Based on the results, a common name/category for this threat is VB:Trojan.
Question 2 Which of the url addresses it communicates with has been detected as harmful by sandboxes?
To find associated network indicators, we can inspect the Relations tab in the VirusTotal report.
Under the "Contacted URLs" section, we can find URLs that the malware attempts to communicate with. The malicious URL is the one with a high number of positive detections from security vendors.
Question 3 What is the name of the htm file that drops to disk?
The .htm file can be found under the same Relations tab, in the "Dropped Files" category.
Question 4 Which process runs to persist under mshta.exe after the relevant malware runs?
Persistence mechanisms can be identified by examining the dynamic analysis report in the Behavior tab on VirusTotal.
This tab details the malware's actions upon execution, including process creation. The report shows that mshta.exe is used to execute a script that, in turn, creates a scheduled task using schtasks.exe. This action ensures the malware runs automatically, establishing persistence on the system. The key process used to create this persistence is schtasks.exe.
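The process chain described above (mshta.exe running a script that spawns schtasks.exe to create a scheduled task) is exactly the lineage a defender would hunt for in endpoint telemetry. The following is an added example, not part of the original writeup or the VirusTotal report: it walks a set of constructed, Sysmon-style process-creation events and flags any schtasks.exe /create invocation that has mshta.exe somewhere in its ancestry. The event format, the PIDs, and the file name dropped_file.htm are all assumptions made for this example; the page does not give the real dropped file name.

```python
"""Detect mshta.exe -> schtasks.exe /create persistence in process-creation logs.

Added example for this writeup. The log lines below are constructed for
illustration (one process-creation event per line, Sysmon-like fields);
they are not taken from the analysed sample or from VirusTotal.
"""
import re
from typing import Dict, List

# Constructed sample events: pid, parent pid, image path, command line.
# "dropped_file.htm" is a placeholder name, not the real dropped file.
SAMPLE_EVENTS = [
    r"pid=4120 ppid=812  image=C:\Windows\explorer.exe cmd=explorer.exe",
    r"pid=5012 ppid=4120 image=C:\Program Files\Microsoft Office\POWERPNT.EXE cmd=POWERPNT.EXE /s PO#00187.ppt",
    r"pid=5200 ppid=5012 image=C:\Windows\System32\mshta.exe cmd=mshta.exe C:\Users\victim\AppData\Local\Temp\dropped_file.htm",
    r"pid=5316 ppid=5200 image=C:\Windows\System32\schtasks.exe cmd=schtasks.exe /create /sc minute /mo 5 /tn Update /tr C:\Users\victim\AppData\Local\Temp\dropped_file.htm",
    r"pid=6000 ppid=812  image=C:\Windows\System32\svchost.exe cmd=svchost.exe -k netsvcs",
    r"pid=6100 ppid=6000 image=C:\Windows\System32\schtasks.exe cmd=schtasks.exe /query",
]

# image may contain spaces, so match non-greedily up to the " cmd=" field.
EVENT_RE = re.compile(r"pid=(\d+)\s+ppid=(\d+)\s+image=(.+?)\s+cmd=(.*)")


def parse_events(lines: List[str]) -> Dict[int, dict]:
    """Parse log lines into a pid -> event mapping; malformed lines are skipped."""
    events: Dict[int, dict] = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        pid, ppid, image, cmd = m.groups()
        events[int(pid)] = {"pid": int(pid), "ppid": int(ppid), "image": image, "cmd": cmd}
    return events


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, e.g. 'mshta.exe'."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events: Dict[int, dict], pid: int) -> List[dict]:
    """Return the process and its ancestors, nearest first, stopping at
    unknown parents or cycles (pid reuse can otherwise loop forever)."""
    chain: List[dict] = []
    seen = set()
    cur = events.get(pid)
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        chain.append(cur)
        cur = events.get(cur["ppid"])
    return chain


def find_mshta_schtasks_persistence(lines: List[str]) -> List[dict]:
    """Flag schtasks.exe /create events that descend from mshta.exe.

    A plain 'schtasks.exe /query' or a task created by an admin shell is
    not reported; only the script-host -> task-creation lineage is."""
    events = parse_events(lines)
    findings = []
    for ev in events.values():
        if basename(ev["image"]) != "schtasks.exe":
            continue
        if "/create" not in ev["cmd"].lower():
            continue
        chain = ancestry(events, ev["pid"])
        if "mshta.exe" not in {basename(e["image"]) for e in chain[1:]}:
            continue
        findings.append({
            "schtasks_pid": ev["pid"],
            "command": ev["cmd"],
            # root-first lineage, e.g. explorer -> powerpnt -> mshta -> schtasks
            "process_chain": [basename(e["image"]) for e in reversed(chain)],
        })
    return findings


if __name__ == "__main__":
    for hit in find_mshta_schtasks_persistence(SAMPLE_EVENTS):
        print(f"[ALERT] pid {hit['schtasks_pid']}: {' -> '.join(hit['process_chain'])}")
        print(f"        {hit['command']}")
```

Only the task-creation event under the script host is reported; the unrelated schtasks.exe /query spawned by svchost.exe in the sample is ignored. On real telemetry the same lineage check can be pointed at Sysmon Event ID 1 or Windows Security 4688 records once their fields are mapped to pid, ppid, image and command line.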
Question 5 If there was a snort IDS in the environment at the time of the incident, which rules would it match?
The Behavior tab also aggregates network-based detection signatures. The "Crowdsourced IDS Rules" section lists Snort rules that would trigger if the malware's network traffic were monitored by an Intrusion Detection System (IDS).