Malware-unpacking

A few (script based) malware samples to unpack, intended for blue team training. There are 10 samples in total, and they get progressively more difficult. Solutions are provided in the teachers' .ZIP file.

  • XtrExcercise_Student.zip = Contains the student parts; no solutions are included, only the initial files.
  • XtrExcercise_Teachers.zip = Contains all files, including the extracted stages for comparison.

Password for the .ZIP files containing malware is kebabsauce without sauce

PLEASE NOTE that:

  • The files included in the .ZIP files are recently collected malware samples (as of August 2019). Some may still have a 0/n detection rate on VirusTotal, so be VERY careful when playing around with them. It is highly recommended to do the unpacking in an isolated VM (no shared folders, no network, snapshot taken before you start).
  • All samples should be identifiable on VirusTotal, so hash the file and query VirusTotal with the hash rather than uploading it; an upload of a training sample can tip off the operator and costs you nothing in return.
  • All files in the archives have the extension ".bin" and are not executable. It is your own responsibility to keep them that way.

This is only meant as an introduction to malware unpacking, and it has a best-before date, since attackers change their obfuscation techniques all the time.

Required tools

  • Virtualbox or VMWare player (both are free for personal use)
  • A string reverser (Included in "XtrTools.zip")
  • A HEX string 2 Binary converter (Included in "XtrTools.zip")
  • A Decimal array 2 Binary converter (Included in "XtrTools.zip")
  • File identification type program (Included in "XtrTools.zip")
  • A binary XOR capable program (Included in "XtrTools.zip")
  • Base64 decoder (Certutil -decode works fine: certutil -decode encoded.txt decoded.bin).
  • 7Zip.
  • GZip.
  • A text editor to do search/replace with.
  • Hashing program (SHA1, SHA256, MD5. ssdeep is also useful, since its fuzzy hashes let you match a sample against near-identical variants that have a different exact hash).
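The helpers in the tool list above are small enough to write yourself. The script below is an added example, not part of the exercise archives or XtrTools.zip: it implements the string reverser, HEX string to binary, decimal array to binary, XOR and Base64 steps, identifies the result by magic bytes and hashes it for a VirusTotal lookup. The sample it unpacks is constructed inside the script (a fake "MZ" payload wrapped in XOR, a decimal array, gzip, Base64 and reversal), so it runs offline and is not one of the ten real samples. The single-byte XOR key brute-forcer goes a step beyond the tool list and is there for the case where the key is not visible in the script.

```python
"""Added example (not part of the original repository): the unpacking helpers
from the tool list, run against a constructed multi-stage sample."""
import base64
import binascii
import gzip
import hashlib
import re
from typing import Optional


def reverse_string(s: str) -> str:
    """String reverser: obfuscated scripts often store the next stage backwards."""
    return s[::-1]


def hex_string_to_bytes(s: str) -> bytes:
    """HEX string 2 Binary: tolerates spaces, commas, 0x and \\x prefixes."""
    cleaned = re.sub(r"0x|\\x|[^0-9a-fA-F]", "", s)
    if len(cleaned) % 2:
        raise ValueError("odd number of hex digits, check for a missing leading zero")
    return binascii.unhexlify(cleaned)


def decimal_array_to_bytes(s: str) -> bytes:
    """Decimal array 2 Binary: '77,90,144' or '77 90 144' -> b'MZ\\x90'."""
    values = [int(v) for v in re.findall(r"\d+", s)]
    if any(v > 255 for v in values):
        raise ValueError("value above 255: the array is not plain bytes (offset or wide chars?)")
    return bytes(values)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Binary XOR with a repeating key; a single-byte key is the usual case."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def base64_decode(s: str) -> bytes:
    """Base64 decoder that ignores whitespace and repairs stripped padding."""
    cleaned = re.sub(r"\s+", "", s)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned)


# File identification by magic bytes (the common ones seen in script droppers).
MAGIC = {
    b"MZ": "PE executable",
    b"\x7fELF": "ELF",
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip (or Office/JAR container)",
    b"\xd0\xcf\x11\xe0": "OLE compound document (legacy Office)",
    b"%PDF": "PDF",
}


def identify(data: bytes) -> str:
    """Return a type name from the magic bytes, else 'text/script' or 'unknown binary'."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    try:
        data.decode("ascii")
        return "text/script"
    except UnicodeDecodeError:
        return "unknown binary"


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a stage; any of them works as a VirusTotal search key."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def find_xor_key(data: bytes, expected_magic: bytes = b"MZ") -> Optional[int]:
    """Brute-force a single-byte XOR key by looking for a known file magic."""
    for k in range(256):
        if xor_bytes(data[: len(expected_magic)], bytes([k])) == expected_magic:
            return k
    return None


# Constructed sample (assumption: built here for the demo, not a real sample).
# Innermost to outermost: payload -> XOR 0x5A -> decimal array -> gzip -> base64 -> reversed
PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00" + b"stand-in for an unpacked PE; hash it and query VirusTotal"
XOR_KEY = b"\x5a"
_decimal_stage = ",".join(str(b) for b in xor_bytes(PAYLOAD, XOR_KEY)).encode()
SAMPLE = reverse_string(base64.b64encode(gzip.compress(_decimal_stage, mtime=0)).decode())


def unpack_sample(blob: str = SAMPLE, key: bytes = XOR_KEY) -> dict:
    """Walk the stages back out, identifying each intermediate on the way."""
    stages = []
    gz = base64_decode(reverse_string(blob))
    stages.append(identify(gz))                       # gzip
    decimal_text = gzip.decompress(gz).decode()
    stages.append(identify(decimal_text.encode()))    # text/script (the decimal array)
    xored = decimal_array_to_bytes(decimal_text)
    stages.append(identify(xored))                    # unknown binary: XOR hides the MZ
    payload = xor_bytes(xored, key)
    stages.append(identify(payload))                  # PE executable
    return {"stages": stages, "payload": payload, "hashes": hashes(payload)}


if __name__ == "__main__":
    result = unpack_sample()
    print(" -> ".join(result["stages"]))
    print("sha256 for VirusTotal:", result["hashes"]["sha256"])
```

Run it as-is to see the stage chain, or call the individual functions on strings copied out of a real sample. The decimal-array and hex helpers raise instead of silently producing garbage when the input is not plain bytes, which is the usual sign that a further transformation (an offset, a different key) sits in between.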

Certutil can be used to produce file hashes (the find /v filter drops the header and "command completed" lines so only the digest remains):

  • Certutil -hashfile FILENAME md5 | find /i /v "hash"
  • Certutil -hashfile FILENAME sha1 | find /i /v "hash"
  • Certutil -hashfile FILENAME sha256 | find /i /v "hash"

Older Windows versions print the digest with a space between every byte pair; remove the spaces before pasting the hash into VirusTotal.

Linux distros usually have md5sum, sha1sum, sha256sum out of the box.