Falcon ‐ Next‐gen antivirus - mluchettii/internship-portfolio GitHub Wiki
Malware detection
Downloading trojan malware from The-MALWARE-Repo on GitHub.
CrowdStrike Falcon Sensor detects the malware immediately (bottom right).
Malware detection details
Most recent detections.
Quarantined files section. From here, I can read details on each file.
As I scroll down the details, I can see that the triggering indicator was an Associated IOC. More on this later.
This is the Activity dashboard that displays very useful information in regard to malware detections. Here, I clicked to see the full details on the latest detection.
Triage
Describe the incident
The details show that the detection originated from the msedge.exe process, but that the triggering indicator was the file Zika.exe located in the Downloads folder. From the malicious file's location in the Downloads folder and its origin in a Microsoft Edge process, an analyst can deduce that the end user was the primary cause of the incident.
Investigate the hash using VirusTotal to determine its threat level
Here, I am going to copy the SHA256 hash value for this file and investigate it.
I pasted the hash value into VirusTotal's search bar. This will show me the origin of the file and its threat level.
As expected, the file is very well-known malware.
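The triage steps above (read the detection's parent process and file path, copy the SHA256, look it up on VirusTotal) can be scripted for a detection record. This is an added example, not code from the wiki or from CrowdStrike; the detection record and the hashed bytes are constructed placeholders, the browser-process list is an assumption, and the lookup URL uses VirusTotal's public web-UI path for a file hash.

```python
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumption: a file written under Downloads by one of these parents is a user-initiated download.
BROWSER_PROCESSES = {"msedge.exe", "chrome.exe", "firefox.exe"}

@dataclass
class Detection:
    """Minimal stand-in for the fields read from the Falcon detection details."""
    parent_process: str
    file_path: str
    sha256: str

def sha256_hex(data: bytes) -> str:
    """Hash the file contents the same way the sensor reports them (lowercase hex SHA256)."""
    return hashlib.sha256(data).hexdigest()

def virustotal_url(sha256: str) -> str:
    """Build the VirusTotal file-report URL, rejecting anything that is not a 64-char hex digest."""
    h = sha256.strip().lower()
    if len(h) != 64 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("expected a 64-character hex SHA256")
    return f"https://www.virustotal.com/gui/file/{h}"

def triage(det: Detection) -> dict:
    """Apply the reasoning from the write-up: Downloads folder + browser parent => user download."""
    path = PureWindowsPath(det.file_path)
    in_downloads = "Downloads" in path.parts
    from_browser = det.parent_process.lower() in BROWSER_PROCESSES
    return {
        "file_name": path.name,
        "likely_user_download": in_downloads and from_browser,
        "lookup_url": virustotal_url(det.sha256),
    }

# Constructed sample: harmless bytes standing in for the quarantined file.
SAMPLE_BYTES = b"constructed placeholder, not a real sample"
SAMPLE_DETECTION = Detection(
    parent_process="msedge.exe",
    file_path=r"C:\Users\analyst\Downloads\Zika.exe",
    sha256=sha256_hex(SAMPLE_BYTES),
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_DETECTION).items():
        print(f"{key}: {value}")
```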
Detonate the file in an ANY.RUN virtual sandbox environment
In another exercise, I used another OSINT tool called ANY.RUN to see the extent of the damage if I were to launch one of these trojan samples.
ANY.RUN shows what the program actually does in the background as it's being detonated. Here, it warned of malicious code execution through cmd.exe.