Yara101 Lab - CyberDefenders

Introduction

Instructions:

- Ensure that there are no blockers, such as Adblock extensions, that might prevent the lab from opening in a new tab or affect lab’s functionality.
- All the lab-related files and tools are on the desktop in 'Start here' directory.
- Note: verify command will take around 2 minutes to run the first time.

Scenario:

Recent intelligence reports have raised alarms about advanced variants of known malware strains on critical infrastructures in the Middle East. Gleanings from underground forums suggest these enhanced variants might result from collaboration between multiple threat actor groups.

As a Detection Engineer, your task is to analyze the provided malware samples, identify the unique characteristics of these samples, and create YARA rules to detect all potential variants. Your findings will be important in safeguarding regional assets and understanding the depth of this evolving cyber threat.

Tools:

- Stringsifter
- Strings
- ilspy
- Yara

CyberDefenders: Blue team CTF Challenges | Yara101

Q1

As you begin your analysis of the malware samples, understanding the category of the malware will provide insight into its potential behavior and threat. What category does the first malware belong to?

Sử dụng lệnh flarestrings được cung cấp và output chúng ra một file txt (tôi luôn cẩn thận lưu lại tránh phải chạy lại chúng). Tìm kiếm bên dưới và chúng ta thấy ransomnote. Ngoài ra còn có những API Crypt liên quan đến dòng mã độc ransomware.

ransomware

Q2

After encrypting the victim’s files, the ransomware leaves behind a .txt note directing victims to a payment link accessible usually via the Tor browser. What is this link?

Câu trả lời nằm trong ransomnote.

http://lockbitks2tvnmwk.onion/

Q3

Having pinpointed a unique Indicator of Compromise (IOC) from the malware strains, developing a YARA rule for detection is crucial. Once you’ve crafted your rule, refer to the README.txt file on your lab machine for instructions on verifying its effectiveness. What’s the level 1 flag?

Tôi có thể viết rule chặt hơn, nhưng với thử thách này thì url ở Q2 là đủ để lấy flag.

yara_level_1_completed_4de1e9160

Q4

Moving forward with your analysis, you turn your attention to the second malware family. What category do these samples fall under?

Yea, wallet SteamLogin Data là quá đủ để xác nhận rằng chúng là chủng loại stealer

stealer

Q5

To determine the potential damage and intent of the malware, it’s crucial to understand the data it targets. From your analysis of the 1st sample of this malware family, which application related to FTP connections has its credentials targeted for theft by the malware?

Thử search FTP trong file đã lưu, ngay bên dưới nhận thấy rằng chúng nhắm đến ứng dụng FileZilla

FileZilla

Q6

As part of your ongoing analysis, search for the application name (identified in the previous step) within the strings of the other malware samples. What is the name of the sample that does not contain this application name?

Ở đây thay vì dùng flarestrings thì phải dùng strings (flarestrings theo mô tả: A machine learning tool that ranks strings based on their relevance for malware analysis.)

sample_2

Q7

Continuing with your investigation, you turn to the last unidentified malware sample. This family is reputed for targeting browser extensions, especially those linked to cryptocurrencies. Can you identify the base64 encoded string within the sample that contains the names of these extensions?

Tiếp tục dùng flarestrings và nhận thấy chuỗi kí tự rất dài (ở thời điểm viết bài tôi không tìm được các view wordwrap).

Không thể tìm được CyberChef trong thư mục Tools (như trong file README đề cập) nên tôi quyết định sử dụng online bằng máy của mình.

ZmZuYmVsZmRvZWlvaGVua2ppYm5tYWRqaWVoamhhamJ8WW9yb2lXYWxsZXQKaWJuZWpkZmptbWtwY25scGVia2xtbmtvZW9paG9mZWN8VHJvbmxpbmsKamJkYW9jbmVpaWlubWpiamxnYWxoY2VsZ2Jlam1uaWR8TmlmdHlXYWxsZXQKbmtiaWhmYmVvZ2FlYW9laGxlZm5rb2RiZWZncGdrbm58TWV0YW1hc2sKYWZiY2JqcGJwZmFkbGttaG1jbGhrZWVvZG1hbWNmbGN8TWF0aFdhbGxldApobmZhbmtub2NmZW9mYmRkZ2Npam5taG5mbmtkbmFhZHxDb2luYmFzZQpmaGJvaGltYWVsYm9ocGpiYmxkY25nY25hcG5kb2RqcHxCaW5hbmNlQ2hhaW4Kb2RiZnBlZWloZGtiaWhtb3BrYmptb29uZmFubGJmY2x8QnJhdmVXYWxsZXQKaHBnbGZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58R3VhcmRhV2FsbGV0CmJsbmllaWlmZmJvaWxsa25qbmVwb2dqaGtnbm9hcGFjfEVxdWFsV2FsbGV0CmNqZWxmcGxwbGViZGpqZW5sbHBqY2JsbWprZmNmZm5lfEpheHh4TGliZXJ0eQpmaWhrYWtmb2JrbWtqb2pwY2hwZmdjbWhmam5tbmZwaXxCaXRBcHBXYWxsZXQKa25jY2hkaWdvYmdoZW5iYmFkZG9qam5uYW9nZnBwZmp8aVdhbGxldAphbWttamptbWZsZGRvZ21ocGpsb2ltaXBib2ZuZmppaHxXb21iYXQKZmhpbGFoZWltZ2xpZ25kZGtqZ29ma2NiZ2VraGVuYmh8QXRvbWljV2FsbGV0Cm5sYm1ubmlqY25sZWdrampwY2ZqY2xtY2ZnZ2ZlZmRtfE1ld0N4Cm5hbmptZGtuaGtpbmlmbmtnZGNnZ2NmbmhkYWFtbW1qfEd1aWxkV2FsbGV0Cm5rZGRnbmNkamdqZmNkZGFtZmdjbWZubGhjY25pbWlnfFNhdHVybldhbGxldApmbmpobWtoaG1rYmpra2FibmRjbm5vZ2Fnb2dibmVlY3xSb25pbldhbGxldAphaWlmYm5iZm9icG1lZWtpcGhlZWlqaW1kcG5scGdwcHxUZXJyYVN0YXRpb24KZm5uZWdwaGxvYmpkcGtoZWNhcGtpampka2djamhraWJ8SGFybW9ueVdhbGxldAphZWFjaGtubWVmcGhlcGNjaW9uYm9vaGNrb25vZWVtZ3xDb2luOThXYWxsZXQKY2dlZW9kcGZhZ2pjZWVmaWVmbG1kZnBocGxrZW5sZmt8VG9uQ3J5c3RhbApwZGFkamtma2djYWZnYmNlaW1jcGJrYWxuZm5lcGJua3xLYXJkaWFDaGFpbgpiZm5hZWxtb21laW1obHBtZ2puam9waGhwa2tvbGpwYXxQaGFudG9tCmZoaWxhaGVpbWdsaWduZGRramdvZmtjYmdla2hlbmJofE94eWdlbgptZ2Zma2ZiaWRpaGpwb2FvbWFqbGJnY2hkZGxpY2dwbnxQYWxpV2FsbGV0CmFvZGtrYWduYWRjYm9iZnBnZ2ZuamVvbmdlbWpiamNhfEJvbHRYCmtwZm9wa2VsbWFwY29pcGVtZmVuZG1kY2dobmVnaW1ufExpcXVhbGl0eVdhbGxldApobWVvYm5mbmZjbWRrZGNtbGJsZ2FnbWZwZmJvaWVhZnxYZGVmaVdhbGxldApscGZjYmprbmlqcGVlaWxsaWZua2lrZ25jaWtnZmhkb3xOYW1pV2FsbGV0CmRuZ21sYmxjb2Rmb2JwZHBlY2FhZGdmYmNnZ2ZqZm5tfE1haWFyRGVGaVdhbGxldApiaGdob2FtYXBjZHBib2hwaGlnb29vYWRkaW5wa2JhaXxBdXRoZW50aWNhdG9y

Q8

With the insights you’ve gathered from the malware samples, craft a comprehensive YARA rule that can detect all four samples. Utilize the strings and string offsets condition in yara rules. After formulating your rule, consult the README.txt file on your lab machine to validate its precision and reliability. Upon successful verification, what’s the level 2 flag you obtained?

Ở đây tôi chỉ dùng strings Software\\Valve\\SteamLogin Data. Bạn có thể dùng các chuỗi khác nhưng đảm bảo hãy kiểm tra thử với cả 4 mẫu được cho.

yara_level_2_completed_f17312f7d