Insider

Always open malware in a secure environment like a VM.

We will be using the REMnux distribution which is specifically made for reverse engineering.

Q1. What distribution of Linux is being used on this machine?

Q2. What is the MD5 hash of the apache access.log?

Q3. It is believed that a credential dumping tool was downloaded? What is the file name of the download?

We can go to the Downloads folder in order to check what file has been downloaded.

Q4. There was a super-secret file created. What is the absolute path?

There is a bash_history file in the root directory. It has all the commands that have been entered.

Q5. What program used didyouthinkwedmakeiteasy.jpg during execution?

Q6. What is the third goal from the checklist Karen created?

Q7. How many times was apache run?

Q8. It is believed this machine was used to attack another. What file proves this?

In the root directory there is a screenshot named irZLAohL.jpeg that shows the user running aylmao.exe. This executable generates malicious network traffic.

Q9. Within the Documents file path, it is believed that Karen was taunting a fellow computer expert through a bash script. Who was Karen taunting?

Fortunately Karen has documented her attack in the myfirsthack folder. Inside the firstscript_fixed file, we can see who she was taunting.

Q10. A user su'd to root at 11:26 multiple times. Who was it?

Q11. Based on the bash history, what is the current working directory?

If we go through the bash_history in a down-up manner, we can see the current working directory.

Last updated 1 year ago