Malware Analysis Basics

SmoggyFalcon6341 · August 28, 2024, 6:52am

Not exactly sure how to answer question 2 of the Guided Exercise for the “Malware Analysis Basics” course. I tried the Hex values at the location, I tried converting values separated by null bytes into decimal values, etc. Any idea what is expected or how to arrive at the correct answer?

What is the first 8-digit value that appears in the assembly code for the killRDP function when examined in Ghidra’s Code Browser?

JosephWhite · August 28, 2024, 1:53pm

The question is asking for the memory address of the start of the killrbp function decompiled in Ghidra.

AutomaticBird3902 · November 3, 2024, 9:55am

I have a problem looking for the first IP address in “Sample 1”, I have done all the procedures but I can’t see the sample in the list of each process. Can you help, I need badly help on this. Thank you

JosephWhite · November 3, 2024, 5:33pm

Disgurlizfly39867 · December 13, 2024, 12:03am

Hello I’m having an issue with a step in Malware Analysis Basics. I’m not sure if this step is flawed. “4. In the Process Monitor, click the red trash can icon to clear the Process Monitor, then immediately double-click the malicious sample1.exe file to detonate the malware.” I’ve attempted this step numerous times on the past 2 hours and I’m unable to locate. Is it a path I’m missing or is this step flawed?

CalmQuail2332 · December 13, 2024, 3:28am

Hey there - to clarify, that’s the malicious sample1.exe file on the Windows desktop. Are you launching that file from the desktop, or clicking on something within the Process Explorer to generate that error message?

JosephWhite · December 13, 2024, 4:53am

I think it should just say sample1.exe, as this is the same file you have been working with the rest of the lab. I think “malicious” is just a description and should not be bold

Disgurlizfly39867 · December 15, 2024, 11:39pm

I found it thank you all. I miss read the location. I was looking in the tool for it. And not clicking and dragging on the file from “desktop” to the tool.

MixedKrill2604 · July 6, 2025, 4:00pm

Can you please let us know the first IP address that the sample1.exe malware attempted to connect to? I tried everything possible but not but unable to get the graph.

MixedKrill2604 · July 6, 2025, 4:01pm

Can you please let us know the first IP address that the sample1.exe malware attempted to connect to? I tried everything possible but not but unable to get the graph.

CalmQuail2332 · July 7, 2025, 3:51pm

Could you please provide a screenshot of what you’re seeing?

MixedKrill2604 · July 10, 2025, 12:54pm

I am not getting this graph and hence unable answer the question which asks for the IP address. Please let me know if you know the answer.

CalmQuail2332 · July 10, 2025, 1:49pm

I know the answer, but posting it here would defeat the purpose of the lab

I can confirm that this lab works as expected as long as you’re following all of the steps correctly. If you’re not seeing the graph, it means you’ve likely missed a step somewhere. Could you please provide screenshots at the following steps?

-Part 2, Step 8 [confirming successful malware detonation]
-Part 2, Step 17 [confirming successful refresh of procdot with correct log file and process selected in the Monitoring Logs and Render Configuration fields]