LetsDefend Challenge Malware Analysis: Presentation As a Malware
- What was the general name / category of the malicious file in the analyzed ppt file?
- Which of the url addresses it communicates with has been detected as harmful by sandboxes?
- What is the name of the htm file that drops to disk?
- Which process is running to persistent under mshta.exe after the relevant malware runs?
- If there was a snort IDS in the environment at the time of the incident, which rules would it match?
What was the general name / category of the malicious file in the analyzed ppt file?
Search VirusTotal for the hash of the file provided in this challenge.
Hint: XX:YYYYY
Format the answer to match the hint.
A: VB:Trojan
Which of the url addresses it communicates with has been detected as harmful by sandboxes?
I checked the VBA contained in the given file.
Deobfuscating it is tedious, so I checked the VirusTotal report instead.
What is the name of the htm file that drops to disk?
In the VirusTotal report, checking the RELATIONS tab shows:
A: hdkjashdkasbctdgjsa[1].htm
Which process is running to persistent under mshta.exe after the relevant malware runs?
VirusTotal alone was not conclusive, so I referred to other sources as well.
A: schtasks.exe
If there was a snort IDS in the environment at the time of the incident, which rules would it match?
Logging in to VirusTotal also lets you see the names of the Crowdsourced IDS rules that matched.
A: EVENT_CTE_HEADER
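As an added example (not part of the original writeup), a small Python script that pulls the same report-derived items offline: the engine-voted family prefix for the XX:YYYYY hint, the contacted URLs flagged as malicious, the dropped .htm file, and the crowdsourced IDS rule names. The field names follow the VirusTotal v3 API as I understand it, the report is constructed, and the URLs are placeholders because the writeup does not give the real one.

```python
import json
from collections import Counter

# Constructed report in the VirusTotal v3 layout (an assumption, not a real
# response). The contacted_urls / dropped_files lists are packaged here as if
# already fetched from the /files/{id}/contacted_urls and /dropped_files
# relationship endpoints. Labels come from the writeup; URLs are placeholders.
SAMPLE_REPORT = json.dumps({
    "data": {"attributes": {
        "last_analysis_results": {
            "EngineA": {"category": "malicious", "result": "VB:Trojan.Valyria"},
            "EngineB": {"category": "malicious", "result": "VB:Trojan.Agent"},
            "EngineC": {"category": "undetected", "result": None},
        },
        "crowdsourced_ids_results": [
            {"rule_msg": "EVENT_CTE_HEADER", "alert_severity": "medium"},
        ],
    }},
    "relationships": {
        "contacted_urls": [
            {"attributes": {"url": "http://placeholder-a.invalid/",
                            "last_analysis_stats": {"malicious": 7}}},
            {"attributes": {"url": "http://placeholder-b.invalid/",
                            "last_analysis_stats": {"malicious": 0}}},
        ],
        "dropped_files": [
            {"attributes": {"meaningful_name": "hdkjashdkasbctdgjsa[1].htm"}},
        ],
    },
})


def triage(report_json: str) -> dict:
    """Extract the challenge's report-based answers from a VT-style JSON blob."""
    doc = json.loads(report_json)
    attrs = doc["data"]["attributes"]
    rels = doc.get("relationships", {})
    # Family prefix (text before the first '.') voted across malicious verdicts,
    # which yields the XX:YYYYY form the hint asks for.
    prefixes = Counter(r["result"].split(".")[0]
                       for r in attrs.get("last_analysis_results", {}).values()
                       if r.get("category") == "malicious" and r.get("result"))
    category = prefixes.most_common(1)[0][0] if prefixes else None
    # URLs that at least one engine/sandbox flagged as malicious.
    bad_urls = [u["attributes"]["url"] for u in rels.get("contacted_urls", [])
                if u["attributes"].get("last_analysis_stats", {}).get("malicious", 0) > 0]
    # Dropped files, narrowed to .htm as the question asks.
    htm = [f["attributes"].get("meaningful_name", "") for f in rels.get("dropped_files", [])
           if f["attributes"].get("meaningful_name", "").lower().endswith(".htm")]
    rules = [r["rule_msg"] for r in attrs.get("crowdsourced_ids_results", [])]
    return {"category": category, "malicious_urls": bad_urls,
            "dropped_htm": htm, "ids_rules": rules}
```

Run `triage(SAMPLE_REPORT)` to see the four fields; against a real report the same function answers everything here except the persistence question, which needs sandbox process-tree data.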