Differences
This shows you the differences between two versions of the page.
|
isc:labs:06 [2024/11/11 10:50] vlad_iulius.nastase |
isc:labs:06 [2025/11/10 11:35] (current) florin.stancu [03. Ransomware] |
||
|---|---|---|---|
| Line 5: | Line 5: | ||
| **Ghid Command and Control** | **Ghid Command and Control** | ||
| - | [[https://docs.google.com/document/d/1sPfDPA6IvklVLTsZMk6FHv_vrWzu94E3qw-B3eWwSnw/edit?usp=sharing]] | + | Server docs (WIP): |
| + | * [[https://github.com/cs-pub-ro/ISC-Malware-Lab/tree/master/server]] | ||
| - | [[https://outline.vladn.st/s/fcb3a6a5-da87-40a7-872a-39ad4a9aff43]] | + | OLD (pentru instrucțiuni de comenzi): |
| + | * [[https://docs.google.com/document/d/1sPfDPA6IvklVLTsZMk6FHv_vrWzu94E3qw-B3eWwSnw/edit?usp=sharing]] | ||
| + | * [[https://outline.vladn.st/s/fcb3a6a5-da87-40a7-872a-39ad4a9aff43]] | ||
| </note> | </note> | ||
| Line 14: | Line 17: | ||
| ===== Setup ===== | ===== Setup ===== | ||
| - | For this lab we will use the provided Windows VM. Please [[https://repository.grid.pub.ro/cs/isc/ISC%20Malware%20Lab%20VM.zip|download it from here]] in advance (~12GB archived; **you will need ~30-40GB of free storage on your computer**). | + | For this lab we will use the provided Windows VM. Please [[https://repository.grid.pub.ro/cs/isc/ISC_Malware_2025_LocalVM.7z|download it from here]] in advance (~12GB archived; **you will need ~30GB of free storage on your computer**). |
| - | The VM is compatible with VMWare (Workstation and Player) >16. You can [[https://softwareupdate.vmware.com/cds/vmw-desktop/|download VMWare here]]. We recommend Workstation 17. | + | The VM should be compatible with VMWare (either Workstation or Player), VirtualBox and qemu+kvm (on x86_64!! will be very slow on Arm64). |
| + | You can [[https://softwareupdate.vmware.com/cds/vmw-desktop/|download VMWare here]]. We recommend VMWare Workstation >= 17. | ||
| <note warning> | <note warning> | ||
| Line 27: | Line 31: | ||
| If needed, we will also use [[https://cloud.grid.pub.ro/|Openstack]] (limited capacity). Use the ''%%isc_prj%%'' project and start a VM with the following specifications: | If needed, we will also use [[https://cloud.grid.pub.ro/|Openstack]] (limited capacity). Use the ''%%isc_prj%%'' project and start a VM with the following specifications: | ||
| - | * Source: Volume Snapshot -> ''%%snapshot for ISC Malware Lab%%'' (**also check ''%%Yes%%'' where it says "Delete Volume on Instance Delete"**) | + | * Source: ''%%ISC Malware Lab%%'' |
| - | * Flavor: ''%%m1.xxlarge%%'' | + | * Flavor: ''%%m1.isc_malware_lab%%'' |
| You don't need to specify an SSH key, we will be using the browser console to interact with the virtual machine. | You don't need to specify an SSH key, we will be using the browser console to interact with the virtual machine. | ||
| Line 159: | Line 163: | ||
| - | Ransomware is a type of malware that encrypts documents and files on your computer, demanding a ransom to obtain a decryption key or program. In our case, the entire content of the ''%%very_important_documents%%'' folder on your Desktop has been encrypted. | + | Ransomware is a type of malware that encrypts documents and files on your computer, demanding a ransom to obtain a decryption key or program. In our case, the entire content of the ''%%very_secret_documents%%'' folder on your Desktop has been encrypted. |
| But is there any way you can recover those files? Since we presume the attacker has a decryption key for your files, that means the ransomware must communicate in some way. Try and use Wireshark to see if any traffic seems out of the ordinary. | But is there any way you can recover those files? Since we presume the attacker has a decryption key for your files, that means the ransomware must communicate in some way. Try and use Wireshark to see if any traffic seems out of the ordinary. | ||
| Line 167: | Line 171: | ||
| **FLAG 3 [20p]** | **FLAG 3 [20p]** | ||
| - | Try and find the decryption key. | + | Try and find the decryption key. Try to capture some DNS queries? |
| </note> | </note> | ||
| Line 237: | Line 241: | ||
| ===== 05. [Bonus] Anti-reversing techniques ===== | ===== 05. [Bonus] Anti-reversing techniques ===== | ||
| - | If you were brave enough to try and decompile the executables, you might have noticed they look like gibberish. If not, use Ghidra to have a look at one of the executables. | + | <del>If you were brave enough to try and decompile the executables, you might have noticed they look like gibberish. If not, use Ghidra to have a look at one of the executables.</del> |
| - | The executables are missing any symbols and the code seems very hard to understand. That is because they are packed using [[https://upx.github.io/|UPX]]. While UPX is an executable packer, meant to be used for executable compression, it is also commonly used to make reverse engineering harder. | + | <del>The executables are missing any symbols and the code seems very hard to understand. That is because they are packed using [[https://upx.github.io/|UPX]]. While UPX is an executable packer, meant to be used for executable compression, it is also commonly used to make reverse engineering harder.</del> |
| - | The good news is that you can also unpack it using UPX. It is already installed in your VM, so give it a try. | + | **Unfortunately**, we forgot to pack the binaries with UPX :( try to pack & unpack them manually instead ;) |
| + | The UPX utility is already installed in your VM (inside Tools), so give it a try. | ||
| After unpacking it, try to decompile it again using Ghidra. Does it look a little bit more readable? | After unpacking it, try to decompile it again using Ghidra. Does it look a little bit more readable? | ||
