This repository contains a Malware Analysis Scenario written by me. The scenario is suitable for blue-team investigators and is designed to run in a Windows environment. You can take these files, modify them as you like, customize them for your investigative environment, and start the challenge! The scenario is built from three files: shellcode.txt, logo.png and Win.exe.
The first file, shellcode.txt, is a shellcode that downloads two more files, logo.png and Win.exe, and eventually runs Win.exe.
You can add the contents of shellcode.txt as a new section in a legitimate installer and redirect its execution flow there (to make the scenario more realistic), or you can simply run the shellcode as is.
The second file, logo.png, is an ordinary image that carries a PE file already converted to shellcode and ready for injection, located after the string FLAG at the end of the PNG data.
The executable embedded in logo.png collects basic information about the victim's computer, such as internet connection details, language, etc. All collected data is saved to a text file named after the victim's PC name.
To produce it I used the amazing tool pe_to_shellcode by @hasherezade & @hh86, which "converts PE so that it can be then injected just like a normal shellcode." Here is a link to their repo: https://github.com/hasherezade/pe_to_shellcode
The converted output (collect_info.shc.exe) is what resides inside the logo.png file mentioned earlier.
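For an analyst triaging logo.png, the first question is whether anything sits past the end of the PNG structure. The following Python helper is an added example (not part of this repository) that walks the PNG chunks to IEND, reports any trailing bytes, and carves out whatever follows the FLAG marker; it assumes the marker and payload are appended after IEND, and the sample image and payload it builds are constructed for the demo.

```python
import struct
import zlib

MARKER = b"FLAG"  # the README places the payload after this string at the end of the PNG

def png_chunks(data):
    """Walk the PNG chunk list; return (chunk types, offset just past IEND)."""
    if data[:8] != b"\x89PNG\r\n\x1a\n":
        raise ValueError("not a PNG file")
    pos, chunks = 8, []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunks.append(ctype.decode("latin-1"))
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return chunks, pos
    raise ValueError("truncated PNG: no IEND chunk")

def triage_png(data):
    """Report trailing data after IEND and carve the bytes that follow MARKER."""
    chunks, end = png_chunks(data)
    trailing = data[end:]
    idx = trailing.find(MARKER)
    payload = trailing[idx + len(MARKER):] if idx != -1 else b""
    return {
        "chunks": chunks,
        "trailing_bytes": len(trailing),
        "payload": payload,
        "looks_like_pe": payload[:2] == b"MZ",  # pe_to_shellcode output keeps the MZ header
    }

def _chunk(ctype, body):
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

def build_sample():
    """Constructed 1x1 RGB PNG followed by the FLAG marker and a fake MZ payload."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\x00\x00")  # filter byte + one red pixel
    png = b"\x89PNG\r\n\x1a\n" + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")
    return png + MARKER + b"MZ" + b"\x90" * 16

if __name__ == "__main__":
    print(triage_png(build_sample()))
```

On a real sample, replace build_sample() with the bytes of logo.png; a non-zero trailing_bytes count is the hunting signal even when the marker differs.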
The third file, Win.exe, extracts the shellcode from logo.png and injects it into a notepad.exe process. The injection is done using the Thread Hijacking technique. Win.exe also includes the following evasion features:
Anti-Debugging - Uses NtQueryInformationProcess to check the isDebug flag in the process PEB structure. The check is defined with `__attribute__((constructor))`, which makes it run before the main function.
Anti-VM - Looks for processes known to run on every VMware guest. If one is found, the process terminates.
Encoded strings - Important strings, such as the name of the target process for injection and the VMware process name, are XORed with the key "Kernel32.dll".