Lab Setup And Cursory Analysis - ConnorEast/Tech-Journal GitHub Wiki
None of the files related to this lab are allowed to be uploaded and as such here is a synapsis of the steps which occured during the setup proccess for this assignment. Anything may be changed at any time depending on the whims of your specific professor.
Following this we then did some minor research on YARA files before downloading Llamafile and running it natively through command prompt. to run it use ".\google_gemma-3-12b-it-Q4_K_M.exe -ngl 0" or ".\google_gemma-3-12b-it-Q4_K_M.exe". Using the AI I asked it a question to create a YARA search. Below is what I got as a response
NAOX2
NAOX2
NAOX2
NAOX2
NAOX2
| Zip Files | sha256 | Official Website |
|---|---|---|
| Browmal | d96f2b96e5d35991cda38971c2c13b4d89eb6a575c50db1e223bb46f10f5ec88 | https://github.com/thedunston/browmal/ |
| floss | 6c71089b8c629c69424b042769f1565f71adc6cd24b2f8d3713c96fa7fdac2fb | https://github.com/mandiant/flare-floss |
| pestudio | c1e2d0c1fbf5951486cf3d850cc24b11b66e25e0a5b77a623e2eb13ffad9ddd9 | https://www.winitor.com/ |
| Sigcheck | 96efa256749fde2ef157baee9677e417047a0d77325ad97ca800fa10c4bf0dbf | https://learn.microsoft.com/en-us/sysinternals/downloads/sigcheck |
| Strings | b1a0a3dc5f639af1c98ae5832676727646eb3d543640e65e310dff747e733a25 | https://learn.microsoft.com/en-us/sysinternals/downloads/strings |
| upx-5.0.2-win64 | 4f1f3df0b2af164507541544325b89395723bbdc | https://upx.github.io/ |
| yara-master-v4.5.4-win64> | 60a536027e94b0b4093f2911a7a22324c4db0cff | https://virustotal.github.io/yara/ |
| EXE Files | sha256 | Official Website |
|---|---|---|
| pestudio.exe | 137296fc58b67b28e67830576ff1dde4fdcd68228066af39a642b0cf7b1387a0 | https://www.winitor.com/ |
| capa.exe | 174ab9479619016b10cf2e86ad2d8ab8d34ffb65b0b91ba65e27d037a86c24a4 | https://github.com/mandiant/capa |
| floss.exe | 3a208ab834b4791e81592d66e91a7f07b3458504484d87c44ed32bc7384df7ef | https://github.com/mandiant/flare-floss |
| Strings.exe | a7553d77edca85bec980e38e69bf0e9f36962f20be0ee759e9a96030d519c5a0 | https://learn.microsoft.com/en-us/sysinternals/downloads/strings |
| Strings64.exe | 05dbb43499bcff44424c7ac2d987ea9e9742cd90afe360e84ba0bccade17f71b | https://learn.microsoft.com/en-us/sysinternals/downloads/strings |
| Strings64a.exe | https://learn.microsoft.com/en-us/sysinternals/downloads/strings | https://learn.microsoft.com/en-us/sysinternals/downloads/strings |
| ExplorerSuite.exe | 94f4348ec573b05990b1e19542986e46dc30a87870739f5d5430b60072d5144d | https://ntcore.com/explorer-suite/ |
| upx.exe | 3638bfe45ee552b57dc8c5af39c5e0f317ff83748dbf6326a0cdcccb2fd52da4 | https://upx.github.io/ |
| yarac64.exe | 6f69a14820e750b22662dc9339bfd22b9cfe51877c4103b6863f48efe6db956e | https://virustotal.github.io/yara/ |
| yara64.exe | 70ad6fa681d6878e717e31cb58668c7b8936f74775ec328dee86b07f83a54545 | https://virustotal.github.io/yara/ |
| Sigcheck.exe | 4fe9a2bd4b160a5352333d00d0b0c10f13685af7acdb48e9e9d0c3877a19eed4 | https://learn.microsoft.com/en-us/sysinternals/downloads/sigcheck |
| Sigcheck64.exe | 5d9e06ba65bb4d365e98fbb468f44fa8926f05984bf1a77ec7b1df19c43dc5ef | https://learn.microsoft.com/en-us/sysinternals/downloads/sigcheck |
| sigcheck64a.exe | 664b41f1ee3e76b68e0887b338dd8f56e222780b12aaf97bbffddbaadce119ae | https://learn.microsoft.com/en-us/sysinternals/downloads/sigcheck |
| [browmal] Index.html | 36616d526623c16b6129a21bb3eb05db8c171abc567da9c992da11952c2946a3 | https://github.com/thedunston/browmal/ |
| [browmal] wasm_exec.js | 45ce9dfe7211247544ab6f4268eb8cb5b6f3d5ae602dc3b51447b7eada99c229 | https://github.com/thedunston/browmal/ |
Following this we then did some minor research on YARA files before downloading Llamafile and running it natively through command prompt. to run it use ".\google_gemma-3-12b-it-Q4_K_M.exe -ngl 0" or ".\google_gemma-3-12b-it-Q4_K_M.exe". Using the AI I asked it a question to create a YARA search. Below is what I got as a response
rule PE_Executable
{
meta:
description = "Detects Portable Executable files (PE)"
author = "AI Assistant"
date = "2024-10-27"
strings:
$pe_header = "MZ" ascii wide // Magic number for PE files
$pe_header2 = "PE" ascii wide
$import_directory = "kernel32" ascii wide
$import_directory2 = "ntdll" ascii wide
$data_directory = "DATA" ascii wide
$resource_directory = "RSRC" ascii wide
condition:
$pe_header and
(
$import_directory or
$import_directory2 or
$data_directory or
$resource_directory
)
}
NAOX2
| File name | APHostRes.dll.mui |
| File size | 9 KB |
| File type | .mui |
| MD5 | b2d6f1d76d3fadbf48c5a94419ca19eb |
| SHA1 | a50140aa7846887ff5ea1facba246ccf3b4b252f |
| SHA256 | a1facf4f284f23f465d070af834f57ace4bbd250c52568ac7e74267ce2529540 |
| SSDeep | NA |
| ImpHash | NA |
| Packer / compiler info | NA |
| Compile time | NA |
| Number of Sections | OX2 |
| File Entropy | 5.1941 |
| Packer/Encryption Detected? | NA |
| File extension match Magic Header? | ox5A4D |
| New Exe Header Value | oxBo |
| File name | cdosys.dll.mui |
| File size | 34.5 KB |
| File type | .mui |
| MD5 | 4c42940eba51e81dad399f185181247b |
| SHA1 | dd09d32a2c5d8915adee929fed9b3ebbaa186ea8 |
| SHA256 | a8502d75a3e5af75199a5ce0fb10f85a379af3ce3ce4b04dcc44731497a1959b |
| SSDeep | NA |
| ImpHash | NA |
| Packer / compiler info | NA |
| Compile time | NA |
| Number of Sections | OX2 |
| File Entropy | 4.6218 |
| Packer/Encryption Detected? | NA |
| File extension match Magic Header? | 0x5A4D |
| New Exe Header Value | 0xB0 |
| File name | comctl32.dll.mui |
| File size | 5 KB |
| File type | .mui |
| MD5 | 9a4f0bc86552d548db7174388c2d0398 |
| SHA1 | c608684f26e791f4930c72743f8f72368945d03f |
| SHA256 | e5090ad836cdb7cdab5c7e4748117c371218d39ce5e395f25386da5169a55ffc |
| SSDeep | NA |
| ImpHash | NA |
| Packer / compiler info | NA |
| Compile time | NA |
| Number of Sections | OX2 |
| File Entropy | 3.8501 |
| Packer/Encryption Detected? | NA |
| File extension match Magic Header? | 0x5A4D |
| New Exe Header Value | 0xB0 |
| File name | comdlg32.dll.mui |
| File size | 44 KB |
| File type | .mui |
| MD5 | 51bf41c750a1527c167a54fc5046bc20 |
| SHA1 | e518ae156855cf7f08002d0274aa645de2033111 |
| SHA256 | ecc08ccfc4bfcf913323c5650468422197940dd34ecb7ab7e28e53dbf99ad6e6 |
| SSDeep | NA |
| ImpHash | NA |
| Packer / compiler info | NA |
| Compile time | NA |
| Number of Sections | OX2 |
| File Entropy | 4.3144 |
| Packer/Encryption Detected? | NA |
| File extension match Magic Header? | 0x5A4D |
| New Exe Header Value | 0xB0 |
| File name | Windows.Media.Speech.UXRes.dll.mui |
| File size | 6.5 KB |
| File type | .mui |
| MD5 | 4f55758e2b5d9a814a7fb7e08fb5d58b |
| SHA1 | 92de62d664e3c99dab8f6ce8d33392d1850d98aa |
| SHA256 | 1feae3acb89cdab97dc2aa10479f2900c999847e2ae87cb9dfe7cb95b06db586 |
| SSDeep | NA |
| ImpHash | NA |
| Packer / compiler info | NA |
| Compile time | NA |
| Number of Sections | OX2 |
| File Entropy | 4.2541 |
| Packer/Encryption Detected? | NA |
| File extension match Magic Header? | 0x5A4D |
| New Exe Header Value | 0xB0 |
- A PDF with a .exe file in the same file location is suspicious. The fact its in a zipped file indicates an attempt to get around windows defender.
- It creates a directory and sets a file in schedule tasks. My assumption based on the information relayed by Browmal would be that this is likely a c2c server setup malware. IF I am incorrect then it is a Remote Access Trojan. Svchost is an actual windows system process which according to [pcrisk.com](http://pcrisk.com/) can be infected or malware can be made to look like a legitimate service