From c1ceedd8c1e2cf783cf8ba0423ac7426f6289b8d Mon Sep 17 00:00:00 2001 From: "Z. Cliffe Schreuders" Date: Wed, 1 Oct 2025 12:12:18 +0100 Subject: [PATCH] Add Coconut Malware Analysis Lab Documentation - Introduced a new lab focused on the reverse engineering and analysis of the Coconut malware sample, providing hands-on experience with advanced malware analysis techniques. - Included sections on packer identification, network analysis, backdoor detection, and YARA rule creation, along with interactive challenges facilitated by Hackerbot. - Enhanced documentation with detailed descriptions, tags, and structured content to improve accessibility and user engagement. --- .../11_coconut.md | 145 ++++++++++++++++++ 1 file changed, 145 insertions(+) create mode 100644 _labs/software_and_malware_analysis/11_coconut.md diff --git a/_labs/software_and_malware_analysis/11_coconut.md b/_labs/software_and_malware_analysis/11_coconut.md new file mode 100644 index 0000000..021dc88 --- /dev/null +++ b/_labs/software_and_malware_analysis/11_coconut.md 
@@ -0,0 +1,145 @@ +--- +title: "Malware Behaviour - Reverse Engineering and Analysis of the Coconut Malware Sample" +author: ["Z. Cliffe Schreuders"] +license: "CC BY-SA 4.0" +description: "Advanced malware analysis lab using Hackerbot to analyze the Coconut malware sample, including packer identification, network analysis, backdoor detection, and YARA rule creation." +overview: | + This lab provides hands-on experience with advanced malware analysis techniques using the Coconut malware sample. You will work with Hackerbot, an interactive chatbot that guides you through a series of practical challenges and quiz questions about the malware sample. The lab covers packer identification, network analysis, backdoor detection, file exfiltration, and YARA rule creation. + + The victim_server has been infected with a malware sample, and your desktop analysis machine has a copy of the binary sample. Hackerbot will provide you with a series of practical challenges and quiz questions about the malware sample and reward you with flags for successful completion. Further flags can be found on the infected system. 
+tags: ["malware-analysis", "reverse-engineering", "hackerbot", "coconut", "backdoor", "yara", "network-analysis", "ctf"] +categories: ["software_and_malware_analysis"] +type: ["ctf-lab", "lab-sheet"] +difficulty: "intermediate" +cybok: + - ka: "MAT" + topic: "Malware Analysis" + keywords: ["analysis techniques", "analysis environments", "malware behavior"] +--- + +## Getting Started {#getting-started} +### VMs in This Lab {#vms-in-this-lab} + +==VM: Start these VMs== (if you haven't already): +- **hackerbot_server** (leave it running, you don't log into this) +- **desktop** +- **victim_server** + +### Your Login Details for the "Desktop" VM {#your-login-details-for-the-desktop-vm} + +> Note: Password: `tiaspbiqe2r` (**t**his **i**s **a** **s**ecure **p**assword **b**ut **i**s **q**uite **e**asy **2** **r**emember) + +> Note: You won't login to the hackerbot_server, but the VM needs to be running to complete the lab. + +## Meet Hackerbot! {#meet-hackerbot} + +This exercise involves Hackerbot, a chatbot who will interact with you and your system. If you satisfy Hackerbot by completing the challenges she will reveal flags to you. + +**On the desktop VM:** + +==action: Open Pidgin and send some messages to Hackerbot:== + +- Try asking Hackerbot some questions +- Send "help" +- Send "list" +- Send "hello" + + +## Introduction {#introdution} + +The victim_server has been infected with a malware sample. Your desktop analysis machine has a copy of the binary sample which is running on the victim_server at the path: `/home/==edit: main_user==/malware/coconut`. + +This task involves analysing the coconut malware sample. Hackerbot will provide you with a series of practical challenges and quiz questions about the malware sample and reward you with flags for successful completion. Further flags can be found on the infected system (victim_server). 
+ +## Advanced Analysis Techniques {#advanced-analysis-techniques} + +Before attempting the Hackerbot challenges, you'll need to understand several advanced techniques used in malware analysis. + +### YARA Rule Creation {#yara-rule-creation} + +YARA (Yet Another Recursive Acronym) is a powerful pattern-matching tool used to identify and classify malware samples. YARA rules are written in a simple, yet expressive language that allows analysts to create signatures for malware detection. + +#### Key YARA Concepts: +- **Rules**: Contain metadata and conditions for pattern matching +- **Strings**: Define patterns to search for in files +- **Conditions**: Specify when a rule should trigger +- **False Positives**: Rules that incorrectly match legitimate files + +#### Basic YARA Rule Structure: +```yaml +rule RuleName { + meta: + description = "Description of what the rule detects" + author = "Your name" + date = "2024-01-01" + + strings: + $string1 = "malicious_pattern" ascii + $string2 = { 48 65 6C 6C 6F } // hex pattern + + condition: + any of them +} +``` + +> Tip: Effective YARA rules should be specific enough to catch the target malware while avoiding false positives on legitimate system files. 
+ +### Advanced Malware Behavior Analysis {#advanced-malware-behavior-analysis} + +The Coconut malware sample demonstrates sophisticated attack techniques that require comprehensive analysis skills: + +#### Analysis Techniques Covered: +- **Packer Identification** - Detecting packers +- **Network Behavior Analysis** - Identifying open ports and communication +- **Backdoor Detection** - Finding hidden access mechanisms +- **Function Analysis** - Understanding malware capabilities +- **Data Exfiltration** - Extracting files from infected systems + +#### Multi-Vector Attack Analysis: +The Coconut malware uses multiple attack vectors: +- **HTTP backdoors** - Web-based remote access +- **ICMP shells** - Covert communication channels +- **Bind shells** - Direct network access +- **Session management** - Timeout and authentication features + +> Warning: This lab involves analyzing real malware. Ensure you're working in the provided isolated environment. + +### File Exfiltration and Data Recovery {#file-exfiltration-and-data-recovery} + +One of the key objectives in malware analysis is understanding what data attackers can access and extract: + +#### Exfiltration Techniques: +- **Backdoor access** - Using malware's own mechanisms +- **File transfer** - Moving data from infected systems +- **Integrity verification** - Ensuring complete data transfer +- **Steganography detection** - Finding hidden data + +#### Analysis Objectives: +- Identify accessible files on the infected system +- Use backdoor mechanisms to extract data +- Verify file integrity using checksums +- Understand attacker capabilities and objectives + +### Interactive Analysis with Hackerbot {#interactive-analysis-with-hackerbot} + +Hackerbot is a chatbot designed to guide you through the challenges. 
Unlike traditional labs, Hackerbot provides: + +#### Key Features: +- **Interactive guidance** - Step-by-step analysis assistance +- **Real-time feedback** - Immediate validation of your analysis +- **Progressive challenges** - Increasingly complex analysis tasks +- **Flag rewards** - Immediate recognition of successful completion + +#### Communication Commands: +- `help` - Get assistance with available commands +- `list` - View available challenges +- `ready` - Indicate you're ready for the next challenge +- `answer X` - Submit your answer to a quiz question + +> Note: Hackerbot will guide you through packer identification, network analysis, backdoor detection, and YARA rule creation for the Coconut malware sample. + + +## Hackerbot Challenges {#hackerbot-challenges} + +> Flag: Interact with Hackerbot, and complete the tasks. Submit the flags into Hacktivity. +
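Review bot: The "Basic YARA Rule Structure" example in this hunk is fenced as ```yaml, but the content is YARA rule syntax, not YAML; tagging it ```yara (or leaving the fence untagged) avoids misleading highlighting and stops readers copying a YAML mental model into the rule language. In the same block, `$string2 = { 48 65 6C 6C 6F }` is just the ASCII bytes of "Hello", and with `condition: any of them` the sample rule would fire on a large number of benign files, which undercuts the tip directly below it about avoiding false positives; a more distinctive byte sequence, or `all of them` as the condition, would make the example consistent with the advice. Two smaller points: the heading anchor `{#introdution}` is misspelled (should be `{#introduction}`), and the `ready` and `answer X` commands listed under "Communication Commands" are not mentioned in the earlier "Meet Hackerbot!" section, so it would help to reference them there or point forward to the command list.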