Scenario 1
Your incident response team has quarantined a suspicious bin file. The team thinks it is a ransomware variation. Investigate and create indicators for the file.
You can find the shellcode under C:\Users\Jon\Documents\Scenarios\Scenario 1
Scenario 2
You have been assigned to analyze this week's quarantined files. The file is thought to be an unknown trojan or a new strain of the emotet malware. Investigate and create indicators for the file.
You can find the shellcode under C:\Users\Jon\Documents\Scenarios\Scenario 2
Answer the questions below
Read the above and complete the investigations
How to: This task has no answer to submit, but every later question depends on the investigation, so do it now. Open a text editor and keep a note for each of the two files. Treat both as live malware: read their properties and hash them, but never double-click or otherwise run them.

1. Go to each scenario folder, right-click the file and choose Properties. Record: File Name, File Type, Size, Size on Disk, Date Created and the full path. Size and Size on Disk differ because the volume allocates whole clusters (4,096 bytes on a default NTFS volume), so Size on Disk is Size rounded up to the next cluster boundary.

2. Open WinMD5Free, click Browse and select the file (paste the path, or navigate Documents > Scenarios > Scenario 1). Copy the MD5 into the notes, then repeat for the Scenario 2 file. MD5 is what the room asks for and it identifies this particular sample, but MD5 collisions are cheap to produce, so also record a SHA-256 if the tool you use offers one.

3. Run strings over each file. Click Start, type cmd and press Enter to open a command prompt. Change into the folder that contains strings.exe (or give its full path) and run:

strings.exe -accepteula "C:\Users\Jon\Documents\Scenarios\Scenario 1\29D6161522C7F7F21B35401907C702BDDB05ED47.bin" > "C:\Users\Jon\Documents\Scenarios\Scenario 1\output.txt"

strings.exe -accepteula "C:\Users\Jon\Documents\Scenarios\Scenario 2\cryptowall.bin" > "C:\Users\Jon\Documents\Scenarios\Scenario 2\output.txt"

Each command saves the printable strings to output.txt in that scenario's folder. Skim the output for URLs, file paths, registry keys, mutex names and ransom-note text; those are candidate indicators alongside the hashes. With both notes complete, answer the questions below.
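The same collection, scripted in PowerShell so it is repeatable and leaves a written record. This is an added example, not part of the original walkthrough or of the room: the sample paths are the ones given in the task text, while $StringsExe (where Sysinternals strings.exe was unpacked) and $Report are assumptions to adjust. It only reads the files; nothing here executes them.

```powershell
# Added example, not part of the original walkthrough: gather the same
# indicators the Properties dialog, WinMD5Free and strings.exe give, for both
# scenario files, and append them to one notes file. Sample paths are the
# ones in the task text; $StringsExe and $Report are assumptions.
$Samples = @(
    'C:\Users\Jon\Documents\Scenarios\Scenario 1\29D6161522C7F7F21B35401907C702BDDB05ED47.bin',
    'C:\Users\Jon\Documents\Scenarios\Scenario 2\cryptowall.bin'
)
$StringsExe = 'C:\Tools\strings.exe'                          # assumption: wherever strings.exe was unpacked
$Report     = 'C:\Users\Jon\Documents\Scenarios\findings.txt' # assumption

# "Size on disk" is the file size rounded up to whole clusters. Ask the volume
# for its cluster size; fall back to 4096 (the NTFS default) if the query fails.
function Get-ClusterSize([string]$Path) {
    $drive = Split-Path -Qualifier $Path                      # e.g. "C:"
    $vol = Get-CimInstance Win32_Volume -Filter "DriveLetter='$drive'" -ErrorAction SilentlyContinue
    if ($vol -and $vol.BlockSize) { return [int64]$vol.BlockSize }
    return [int64]4096
}

foreach ($Sample in $Samples) {
    $f = Get-Item -LiteralPath $Sample                        # metadata only; never runs the file
    $cluster    = Get-ClusterSize $Sample
    $sizeOnDisk = [int64]([math]::Ceiling($f.Length / $cluster) * $cluster)

    # Hashes: MD5 is what the questions ask for; SHA-1 and SHA-256 cost nothing
    # extra and are what most sharing platforms key on.
    $md5    = (Get-FileHash -LiteralPath $Sample -Algorithm MD5).Hash.ToLower()
    $sha1   = (Get-FileHash -LiteralPath $Sample -Algorithm SHA1).Hash.ToLower()
    $sha256 = (Get-FileHash -LiteralPath $Sample -Algorithm SHA256).Hash.ToLower()

    # A 40-hex-character file name is the length of a SHA-1. Record whether the
    # name really is the sample's own SHA-1 instead of assuming it.
    $nameIsSha1 = ($f.BaseName.ToLower() -eq $sha1)

    # A .bin extension says nothing; look at the first two bytes for the PE "MZ" header.
    $head = [System.IO.File]::ReadAllBytes($Sample)[0..1]
    $isPE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

    # strings output goes beside the sample, like the walkthrough's output.txt.
    $stringsOut = Join-Path $f.DirectoryName 'output.txt'
    & $StringsExe -accepteula $Sample | Out-File -LiteralPath $stringsOut -Encoding utf8

    @"
File Name    : $($f.Name)
File Type    : $($f.Extension) (PE header present: $isPE)
Path         : $($f.FullName)
Size         : $($f.Length) bytes
Size on Disk : $sizeOnDisk bytes (cluster size $cluster)
Date Created : $($f.CreationTime)
MD5          : $md5
SHA1         : $sha1 (file name matches SHA-1: $nameIsSha1)
SHA256       : $sha256
Strings      : $stringsOut

"@ | Add-Content -LiteralPath $Report
}
```

Run it from a normal PowerShell prompt on the analysis VM; the sizes it reports should match the Properties dialog, and the MD5 values should match WinMD5Free. If the Win32_Volume query is blocked, the 4096 fallback gives the same Size on Disk on a default NTFS volume.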
Answer: No Answer Needed.
What is the name of the file from Scenario 1?
How to: Found this answer while doing the investigation.
Answer: 29D6161522C7F7F21B35401907C702BDDB05ED47.bin
What is the size of the file from Scenario 1 in bytes?
How to: Found this answer while doing the investigation.
Answer: 96,535
What is the size on disk of the file from Scenario 1 in bytes?
How to: Found this answer while doing the investigation.
Answer: 98,304
What is the MD5 hash of the file from Scenario 1?
How to: Found this answer while doing the investigation.
Answer: 8baa9b809b591a11af423824f4d9726a
What is the name of the file from Scenario 2?
How to: Found this answer while doing the investigation.
Answer: cryptowall.bin
What is the size of the file from Scenario 2 in bytes?
How to: Found this answer while doing the investigation.
Answer: 246,272
What is the size on disk of the file from Scenario 2 in bytes?
How to: Found this answer while doing the investigation.
Answer: 249,856
What is the MD5 hash of the file from Scenario 2?
How to: Found this answer while doing the investigation.
Answer: 47363b94cee907e2b8926c1be61150c7
Create IOCs for both files using IOCe.
How to: No answer to submit. IOCe (Mandiant's IOC Editor) saves indicators as OpenIOC XML. Create one IOC per file, give it a short description naming the scenario, and add the MD5 as a FileItem/Md5sum item; the file name and size can go in as supporting items, but the hash is the indicator that identifies the sample, since a name or size alone will match unrelated files.
Answer: No Answer Needed.
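The same IOCs written without the GUI, as an added example that is not part of the original walkthrough and is not IOCe's own code. It uses the names, sizes and MD5 hashes recorded in the answers above; the element layout follows the OpenIOC 1.0 files IOCe produces as I remember them (an assumption, so open the result in IOCe to confirm it loads), and the GUIDs, the authored_by value and $OutDir are made up here.

```powershell
# Added example, not part of the original walkthrough or of IOCe: write one
# OpenIOC 1.0 file per sample from the indicators recorded in the answers.
# Element layout per OpenIOC 1.0 as remembered (assumption); GUIDs and
# $OutDir are made up.
$Samples = @(
    @{ Name = '29D6161522C7F7F21B35401907C702BDDB05ED47.bin'
       Md5  = '8baa9b809b591a11af423824f4d9726a'
       Size = 96535
       Desc = 'Scenario 1: quarantined binary, suspected ransomware variant' },
    @{ Name = 'cryptowall.bin'
       Md5  = '47363b94cee907e2b8926c1be61150c7'
       Size = 246272
       Desc = 'Scenario 2: quarantined binary, suspected trojan / Emotet strain' }
)
$OutDir = 'C:\Users\Jon\Documents\Scenarios'   # assumption

function New-IndicatorItem([string]$Search, [string]$Type, [string]$Value) {
    # One FileItem test; condition "is" means an exact match.
    @"
      <IndicatorItem id="$([guid]::NewGuid())" condition="is">
        <Context document="FileItem" search="$Search" type="mir"/>
        <Content type="$Type">$Value</Content>
      </IndicatorItem>
"@
}

foreach ($s in $Samples) {
    $iocId = [guid]::NewGuid().ToString()
    $now   = (Get-Date).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ss')

    # Logic: match on the MD5 alone, OR on file name AND size together.
    # The hash is the strong indicator; name and size only count as a pair,
    # since either one by itself would fire on unrelated files.
    $md5Item  = New-IndicatorItem 'FileItem/Md5sum'      'md5'    $s.Md5
    $nameItem = New-IndicatorItem 'FileItem/FileName'    'string' $s.Name
    $sizeItem = New-IndicatorItem 'FileItem/SizeInBytes' 'int'    $s.Size

    $xml = @"
<?xml version="1.0" encoding="utf-8"?>
<ioc xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" id="$iocId" last-modified="$now" xmlns="http://schemas.mandiant.com/2010/ioc">
  <short_description>$($s.Name)</short_description>
  <description>$($s.Desc)</description>
  <authored_by>analyst</authored_by>
  <authored_date>$now</authored_date>
  <links/>
  <definition>
    <Indicator operator="OR" id="$([guid]::NewGuid())">
$md5Item
      <Indicator operator="AND" id="$([guid]::NewGuid())">
$nameItem
$sizeItem
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"@
    $path = Join-Path $OutDir "$iocId.ioc"
    [System.IO.File]::WriteAllText($path, $xml, (New-Object System.Text.UTF8Encoding $false))

    # Round-trip check: the file must parse as XML and carry all three items
    # before it is shared with anyone.
    [xml]$doc = Get-Content -LiteralPath $path -Raw
    $count = @($doc.GetElementsByTagName('IndicatorItem')).Count
    "$path : $count indicator items for $($s.Name)"
}
```

The OR/AND nesting is the part worth carrying over into IOCe's editor: a flat list of name, size and hash joined by OR would flag every file called cryptowall.bin, while joining all three by AND would miss the same binary once it has been renamed.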