Malware Analysis Basics

Not exactly sure how to answer question 2 of the Guided Exercise for the “Malware Analysis Basics” course. I tried the Hex values at the location, I tried converting values separated by null bytes into decimal values, etc. Any idea what is expected or how to arrive at the correct answer?

What is the first 8-digit value that appears in the assembly code for the killRDP function when examined in Ghidra’s Code Browser?

The question is asking for the memory address of the start of the killRDP function decompiled in Ghidra.

I have a problem looking for the first IP address in “Sample 1”. I have done all the procedures but I can’t see the sample in the list of each process. Can you help? I badly need help on this. Thank you

Hello, I’m having an issue with a step in Malware Analysis Basics. I’m not sure if this step is flawed. “4. In the Process Monitor, click the red trash can icon to clear the Process Monitor, then immediately double-click the malicious sample1.exe file to detonate the malware.” I’ve attempted this step numerous times in the past 2 hours and I’m unable to locate it. Is it a path I’m missing or is this step flawed?

Hey there - to clarify, that’s the malicious sample1.exe file on the Windows desktop. Are you launching that file from the desktop, or clicking on something within the Process Explorer to generate that error message?

[image]

I think it should just say sample1.exe, as this is the same file you have been working with the rest of the lab. I think “malicious” is just a description and should not be bold :slight_smile:

I found it, thank you all. I misread the location. I was looking in the tool for it, and not clicking and dragging the file from the “desktop” to the tool.

Can you please let us know the first IP address that the sample1.exe malware attempted to connect to? I tried everything possible but am unable to get the graph.

Could you please provide a screenshot of what you’re seeing?

I am not getting this graph and hence am unable to answer the question which asks for the IP address. Please let me know if you know the answer.

I know the answer, but posting it here would defeat the purpose of the lab :wink:

I can confirm that this lab works as expected as long as you’re following all of the steps correctly. If you’re not seeing the graph, it means you’ve likely missed a step somewhere. Could you please provide screenshots at the following steps?

- Part 2, Step 8 [confirming successful malware detonation]
- Part 2, Step 17 [confirming successful refresh of ProcDOT with the correct log file and process selected in the Monitoring Logs and Render Configuration fields]

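As an added example (not part of any post above, and not the lab's own material), here is the analysis step the thread keeps circling back to done without the ProcDOT graph: parse a Process Monitor CSV export and pull the first outbound network destination of the detonated sample, following any child processes it spawns. The CSV content, process names, PIDs and addresses are all constructed for the example; the column layout is ProcMon's default CSV export.

```python
import csv
import io
import re
from typing import List, Optional, Tuple

# Constructed sample of a Process Monitor CSV export (File > Save... > CSV).
# The column layout is ProcMon's default; every value below is made up and
# the addresses come from the RFC 5737 documentation ranges.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:02:11.2001234 AM","sample1.exe","4321","RegQueryValue","HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run","SUCCESS","Type: REG_SZ"
"9:02:12.0101234 AM","svchost.exe","800","UDP Send","LAB-PC:49700 -> 198.51.100.7:53","SUCCESS","Length: 41"
"9:02:12.5012345 AM","sample1.exe","4321","TCP Connect","LAB-PC:49712 -> 192.0.2.10:443","SUCCESS","Length: 0, seqnum: 0"
"9:02:13.1012345 AM","sample1.exe","4321","TCP Send","LAB-PC:49712 -> 192.0.2.10:443","SUCCESS","Length: 517"
"9:02:14.0012345 AM","sample1.exe","4321","Process Create","C:\\Windows\\System32\\cmd.exe","SUCCESS","PID: 5555, Command line: cmd.exe"
"9:02:14.9012345 AM","cmd.exe","5555","TCP Connect","LAB-PC:49713 -> 203.0.113.5:8080","SUCCESS","Length: 0, seqnum: 0"
"""

# Operations that open an outbound connection or send a datagram.
NET_OPS = {"TCP Connect", "UDP Send"}
# ProcMon writes the Path column as "source:port -> destination:port".
DEST_RE = re.compile(r"->\s*(\S+?):(\d+)$")
CHILD_PID_RE = re.compile(r"PID:\s*(\d+)")
Destination = Tuple[str, int, str, str]  # (host_or_ip, port, operation, process)


def network_destinations(csv_text: str, process_name: str) -> List[Destination]:
    """Outbound destinations of process_name and of every process it spawned,
    in capture order (rows are chronological, so one pass suffices)."""
    pids = set()
    found: List[Destination] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() == process_name.lower():
            pids.add(row["PID"])
        if row["PID"] not in pids:
            continue  # not the sample or one of its descendants
        if row["Operation"] == "Process Create":
            m = CHILD_PID_RE.search(row["Detail"])
            if m:
                pids.add(m.group(1))  # follow the child process as well
        elif row["Operation"] in NET_OPS:
            m = DEST_RE.search(row["Path"])
            if m:
                found.append((m.group(1), int(m.group(2)), row["Operation"], row["Process Name"]))
    return found


def first_network_destination(csv_text: str, process_name: str) -> Optional[Destination]:
    """The first address the sample (or a child of it) tried to reach, or None."""
    dests = network_destinations(csv_text, process_name)
    return dests[0] if dests else None
```

Export the real capture with "Resolve Network Addresses" disabled so the Path column carries IP addresses rather than hostnames; "TCP Send" rows are deliberately ignored because the earlier "TCP Connect" to the same endpoint already records the destination.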