LetsDefend Challenge Malware Analysis: Presentation As a Malware

• What was the general name / category of the malicious file in the analyzed ppt file?
• Which of the url addresses it communicates with has been detected as harmful by sandboxes?
• What is the name of the htm file that drops to disk?
• Which process is running to persistent under mshta.exe after the relevant malware runs?
• If there was a snort IDS in the environment at the time of the incident, which rules would it match?

What was the general name / category of the malicious file in the analyzed ppt file?

今回与えられたファイルのハッシュをvirus totalで検索する．

Hint: XX:YYYYY

ヒントの形式に合わせて．
A: VB:Trojan

Which of the url addresses it communicates with has been detected as harmful by sandboxes?

与えられたファイルに含まれるvbaを確認した．

What is the name of the htm file that drops to disk?

virus totalのレポートにて，RELATIONSタブを確認すると，

Which process is running to persistent under mshta.exe after the relevant malware runs?

virus totalだけでは，よく分からなかったので他のものも参照する．

If there was a snort IDS in the environment at the time of the incident, which rules would it match?

virus totalにログインするとCrowdsourcedで引っかかったルール名も確認できる．