The lab test will take place on the 11th of November 2024 at 16:05. Its duration will be 20 minutes. Each of you will receive an executable file which you will have to run with a parameter. The parameter is the number assigned to your name in the list on the right. For example, if your name is "Dragos Gavrilut", you will run the test file like this:
C:\> test.exe 31
The executable file will be available here on the site, in a downloadable zip file. The password for the zip file will be given at the time of the test on the Discord Group.
The answers for the behavioral analysis of the executable and the "password" must be written in a .txt file and submitted on Discord directly to me, in private, no later than 16:30. The format of the answer file should be similar to the ones I have posted on the site for the lab POCs.
After all your submissions, stay tuned on the Discord Group for a bonus round (only one winner). The bonus will be announced right before the test.
Important:
Make sure you have a clean Windows XP snapshot and run the test on it.
Make sure you have the C++ redistributable installed.
Make sure you have all the necessary tools on the VM.
Make sure you run the executable only after you have copied it onto the VM (not from the shared folder).
DO NOT ONLY SUBMIT THE PASSWORD
Make sure you write down the answers as you find them, because the Windows XP VM may crash (BSOD) at any time.
In the first part of the laboratory we will learn how to analyze the behavior of some POCs (proofs of concept). We will use the Sysinternals suite to track the activity of these files. These POCs will be uploaded here on the website.
The password for the .zip file and the message of this POC is posted on the Discord Group.
1. The executable checks whether "C:\bd_training.txt" and "C:\ceva.txt" exist
2. The executable traverses the whole "C:\" partition and:
i. creates a file named "X.txt" in every directory
ii. every 5 directories entered, creates a file whose name is one letter of the password
iii. copies every .dll it encounters, giving the copy the extension ".exe"
iv. copies every .bmp it encounters, giving the copy the extension ".locked"
The password is:
"the first part of the password for the first email lot is \"infected\""
The password for the .zip file and the message of this POC is posted on the Discord Group.
1. The executable checks whether "C:\bd_training.txt" exists
2. The executable traverses the whole "C:\" partition and:
i. creates a file named "dummy.txt" in every third directory entered
ii. creates a folder named after each file that has one of these extensions: .wav, .hlp, .wma
iii. copies itself into each newly created folder, using one letter of the password as the copy's name
The password is:
"the second part of the password for the first email lot is \"emails\""
The password for the .zip file and the message of this POC is posted on the Discord Group.
1. The executable checks whether "C:\bd_training.txt" exists
2. poc3.exe:
i. copies itself to "C:\same_process_different_name.exe"
ii. runs the newly created file with the parameter "parametru"
3. "C:\same_process_different_name.exe", run with that parameter, traverses the whole "C:\" partition and:
i. creates a file named "parametru" in every third directory entered
ii. creates a folder named after each file that has one of these extensions: .wav, .hlp, .wma
iii. copies itself into each newly created folder, using one letter of the password as the copy's name
The password is:
"the first part of the password for the second email lot is \"malicious\""
The password for the .zip file and the message of this POC is posted on the Discord Group.
1. The executable checks whether the path "C:\bd_training.txt" exists
2. Run without parameters:
- recursively traverses "C:\" and creates files named "test" in random folders
- recursively traverses "C:\" and, for every file with the extension ".wav", ".mp3" or ".wma", creates a folder named after that file with ".directory" appended, and inside it creates a file whose name is one letter from the first quarter of the password
- copies itself to the file "same_process_different_name.exe" and executes it with the parameter "first"
3. Run with the parameter "first":
- recursively traverses "C:\" and creates files named "first" in random folders
- recursively traverses "C:\" and, for every file with the extension ".wav", ".mp3" or ".wma", creates a folder named after that file with ".directory" appended, and inside it creates a file whose name is one letter from the second quarter of the password
- copies itself to the file "different_process.exe" and executes it with the parameter "second"
4. Run with the parameter "second":
- recursively traverses "C:\" and creates files named "second" in random folders
- recursively traverses "C:\" and, for every file with the extension ".wav", ".mp3" or ".wma", creates a folder named after that file with ".directory" appended, and inside it creates a file whose name is one letter from the third quarter of the password
- copies itself to the file "alternate_process.exe" and executes it with the parameter "third"
5. Run with the parameter "third":
- opens iexplore.exe on a web page; the name of that web page is the last part of the password
- sleeps
- runs taskkill on iexplore.exe, which closes every open iexplore process
The password:
"the second part of the password for the second email lot is \"letters\""
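All four POCs reduce to the same analysis: spot the marker-file check (the CreateFile on C:\bd_training.txt that fails with NAME NOT FOUND), follow the chain of self-copies and spawned processes, and read the password letters off the one-character file names each stage creates, in the order they are created. The script below is an added example for this page, not code from the course or from the POCs themselves. It assumes the trace comes from Process Monitor (part of the Sysinternals suite) exported with File > Save... as CSV with the default columns, that Procmon marks a newly created file with "OpenResult: Created" in the Detail column, and that a Process Create row carries "PID: n, Command line: ..." in Detail and the child's image path in Path. The embedded sample trace is constructed to match the fourth POC's description: the process names are the ones on this page, but the PIDs, paths, the letters ("monito" plus a page name) and the URL are invented for the example.

```python
"""Reconstruct a POC's behaviour (marker check, spawn chain, password letters,
launched web page) from a Process Monitor CSV export.
Added example for this page, not course code. Assumes Procmon's default CSV
columns and its Detail wording ("OpenResult: Created", "PID: n, Command line: ...").
"""
import csv
import io
import ntpath
import re

# Constructed sample export shaped like the fourth POC's description. The
# process names follow the page; the letters, PIDs, paths and URL are made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"16:05:01.0000001","poc4.exe","1000","CreateFile","C:\bd_training.txt","NAME NOT FOUND","Desired Access: Read Attributes, Disposition: Open"
"16:05:01.0000002","poc4.exe","1000","CreateFile","C:\WINDOWS\Temp\test","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"16:05:01.0000003","poc4.exe","1000","CreateFile","C:\WINDOWS\Media\chimes.wav.directory","SUCCESS","Desired Access: Read Data/List Directory, Disposition: Create, Options: Directory, OpenResult: Created"
"16:05:01.0000004","poc4.exe","1000","CreateFile","C:\WINDOWS\Media\chimes.wav.directory\m","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"16:05:01.0000005","poc4.exe","1000","CreateFile","C:\WINDOWS\Media\chord.wav.directory\o","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"16:05:01.0000006","poc4.exe","1000","CreateFile","C:\same_process_different_name.exe","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"16:05:01.0000007","poc4.exe","1000","Process Create","C:\same_process_different_name.exe","SUCCESS","PID: 1001, Command line: C:\same_process_different_name.exe first"
"16:05:02.0000001","same_process_different_name.exe","1001","CreateFile","C:\WINDOWS\Media\chimes.wav.directory\m","SUCCESS","Desired Access: Read Attributes, Disposition: Open, OpenResult: Opened"
"16:05:02.0000002","same_process_different_name.exe","1001","CreateFile","C:\WINDOWS\Media\chimes.wav.directory\n","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"16:05:02.0000003","same_process_different_name.exe","1001","CreateFile","C:\WINDOWS\Media\chord.wav.directory\i","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"16:05:02.0000004","same_process_different_name.exe","1001","Process Create","C:\different_process.exe","SUCCESS","PID: 1002, Command line: C:\different_process.exe second"
"16:05:03.0000001","different_process.exe","1002","CreateFile","C:\WINDOWS\Media\chimes.wav.directory\t","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"16:05:03.0000002","different_process.exe","1002","CreateFile","C:\WINDOWS\Media\chord.wav.directory\o","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf, OpenResult: Created"
"16:05:03.0000003","different_process.exe","1002","Process Create","C:\alternate_process.exe","SUCCESS","PID: 1003, Command line: C:\alternate_process.exe third"
"16:05:04.0000001","alternate_process.exe","1003","Process Create","C:\Program Files\Internet Explorer\iexplore.exe","SUCCESS","PID: 1004, Command line: C:\Program Files\Internet Explorer\iexplore.exe http://example.invalid/r"
"16:05:09.0000001","alternate_process.exe","1003","Process Create","C:\WINDOWS\system32\taskkill.exe","SUCCESS","PID: 1005, Command line: taskkill /IM iexplore.exe /F"
'''

CREATED = re.compile(r"OpenResult:\s*Created")
CMDLINE = re.compile(r"PID:\s*(\d+),\s*Command line:\s*(.*)")
URL = re.compile(r"https?://\S+")


def parse_events(text):
    """Rows of a Procmon CSV export as dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def probed_missing_paths(events, pid):
    """Paths `pid` tried to open that did not exist: the marker-file checks."""
    return [e["Path"] for e in events
            if e["PID"] == pid and e["Operation"] == "CreateFile"
            and e["Result"] == "NAME NOT FOUND"]


def process_chain(events, root_pid):
    """Spawn tree under root_pid, flattened in spawn order as [(pid, image name)].
    Children come from the parent's Process Create rows: child PID from Detail,
    child image path from Path."""
    names = {}
    for e in events:
        names.setdefault(e["PID"], e["Process Name"])
    chain = [(root_pid, names.get(root_pid, "?"))]
    queue = [root_pid]
    while queue:
        parent = queue.pop(0)
        for e in events:
            if e["PID"] != parent or e["Operation"] != "Process Create":
                continue
            m = CMDLINE.match(e["Detail"])
            if m:
                chain.append((m.group(1), ntpath.basename(e["Path"])))
                queue.append(m.group(1))
    return chain


def created_letters(events, pid, noise=frozenset()):
    """One-character file stems that `pid` actually created, in event order.
    Only CreateFile rows with "OpenResult: Created" count, so re-opening an
    existing one-letter file is not taken for a new letter. `noise` holds
    one-letter names the POC writes everywhere (e.g. "X" for X.txt in POC 1)."""
    letters = []
    for e in events:
        if e["PID"] != pid or e["Operation"] != "CreateFile":
            continue
        if e["Result"] != "SUCCESS" or not CREATED.search(e["Detail"]):
            continue
        stem = ntpath.splitext(ntpath.basename(e["Path"]))[0]
        if len(stem) == 1 and stem not in noise:
            letters.append(stem)
    return "".join(letters)


def launched_urls(events):
    """URLs on the command line of any spawned process (the iexplore stage)."""
    return [u for e in events if e["Operation"] == "Process Create"
            for u in URL.findall(e["Detail"])]


def recover_password(events, root_pid, noise=frozenset()):
    """(image name, letters it created) for each process in spawn order."""
    return [(name, created_letters(events, pid, noise))
            for pid, name in process_chain(events, root_pid)]


if __name__ == "__main__":
    evs = parse_events(SAMPLE_CSV)
    print("marker checks:", probed_missing_paths(evs, "1000"))
    parts = recover_password(evs, "1000", noise={"X"})
    for name, part in parts:
        print(f"  {name:35} {part!r}")
    print("letters:", "".join(p for _, p in parts), "web page:", launched_urls(evs))
```

To use it on a real trace, filter Procmon to the test executable and its children before exporting, read the CSV file into parse_events in place of SAMPLE_CSV, and pass the PID of the process you started as root_pid. The filter on "OpenResult: Created" matters: a POC that re-reads a file it already wrote, or one that only opens an existing one-letter file, would otherwise add a bogus letter. The noise argument is there for the first POC, whose X.txt in every directory is itself a one-letter stem.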