Table of Contents

• Malware detection
  • Malware detection details
• Triage
  • Describe the incident
  • Investigate the hash using VirusTotal to determine its threat level
  • Detonate the file in an ANY.RUN virtual sandbox environment

Malware detection

Downloading trojan malware from The-MALWARE-Repo on GitHub.

CrowdStrike Falcon Sensor detects the malware immediately (bottom right).

Malware detection details

Most recent detections.

Quarantined files section. From here, I can read details on each file.

As I scroll down the details, I can see that the triggering indicator was an Associated IOC. More on this later.

This is the Activity dashboard that displays very useful information in regard to malware detections. Here, I clicked to see the full details on the latest detection.

Triage

Describe the incident

The details show that the detection originated from the msedge.exe process, but that the triggering indicator was the file Zika.exe located in the Downloads folder. An analyst can deduce that the prevalence of the malicious file being in the Downloads folder, and originating from a Microsoft Edge process, that the end user was the primary cause for the incident.

Investigate the hash using VirusTotal to determine its threat level

Here, I am going to copy the SHA256 hash value for this file and investigate it.

I pasted the hash value into VirusTotal's search bar. This will show me the origin of the file and its threat level.

As expected, the file is very well-known malware.

Detonate the file in an ANY.RUN virtual sandbox environment

In another exercise, I used another OSINT tool called ANY.RUN to see the extent of the damage if I were to launch one of these trojan samples.

ANY.RUN shows what the program actually does in the background as it's being detonated. Here, it warned of malicious code execution through cmd.exe.