cybersecurity/HacktivityLabSheets
1
0
Fork 0
mirror of https://github.com/cliffe/HacktivityLabSheets.git synced 2026-02-21 11:18:09 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add Coconut Malware Analysis Lab Documentation

Browse Source 
- Introduced a new lab focused on the reverse engineering and analysis of the Coconut malware sample, providing hands-on experience with advanced malware analysis techniques.
- Included sections on packer identification, network analysis, backdoor detection, and YARA rule creation, along with interactive challenges facilitated by Hackerbot.
- Enhanced documentation with detailed descriptions, tags, and structured content to improve accessibility and user engagement.
This commit is contained in:
Z. Cliffe Schreuders
2025-10-01 12:12:18 +01:00
parent 14204b6ade
commit c1ceedd8c1
1 changed files with 145 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

145
_labs/software_and_malware_analysis/11_coconut.md Normal file
View File

@@ -0,0 +1,145 @@
---
title: "Malware Behaviour - Reverse Engineering and Analysis of the Coconut Malware Sample"
author: ["Z. Cliffe Schreuders"]
license: "CC BY-SA 4.0"
description: "Advanced malware analysis lab using Hackerbot to analyze the Coconut malware sample, including packer identification, network analysis, backdoor detection, and YARA rule creation."
overview: |
This lab provides hands-on experience with advanced malware analysis techniques using the Coconut malware sample. You will work with Hackerbot, an interactive chatbot that guides you through a series of practical challenges and quiz questions about the malware sample. The lab covers packer identification, network analysis, backdoor detection, file exfiltration, and YARA rule creation.
The victim_server has been infected with a malware sample, and your desktop analysis machine has a copy of the binary sample. Hackerbot will provide you with a series of practical challenges and quiz questions about the malware sample and reward you with flags for successful completion. Further flags can be found on the infected system.
tags: ["malware-analysis", "reverse-engineering", "hackerbot", "coconut", "backdoor", "yara", "network-analysis", "ctf"]
categories: ["software_and_malware_analysis"]
type: ["ctf-lab", "lab-sheet"]
difficulty: "intermediate"
cybok:
- ka: "MAT"
topic: "Malware Analysis"
keywords: ["analysis techniques", "analysis environments", "malware behavior"]
---
## Getting Started {#getting-started}
### VMs in This Lab {#vms-in-this-lab}
==VM: Start these VMs== (if you haven't already):
- **hackerbot_server** (leave it running, you don't log into this)
- **desktop**
- **victim_server**
### Your Login Details for the "Desktop" VM {#your-login-details-for-the-desktop-vm}
> Note: Password: `tiaspbiqe2r` (**t**his **i**s **a** **s**ecure **p**assword **b**ut **i**s **q**uite **e**asy **2** **r**emember)
> Note: You won't login to the hackerbot_server, but the VM needs to be running to complete the lab.
## Meet Hackerbot! {#meet-hackerbot}
This exercise involves Hackerbot, a chatbot who will interact with you and your system. If you satisfy Hackerbot by completing the challenges she will reveal flags to you.
**On the desktop VM:**
==action: Open Pidgin and send some messages to Hackerbot:==
- Try asking Hackerbot some questions
- Send "help"
- Send "list"
- Send "hello"
## Introduction {#introdution}
The victim_server has been infected with a malware sample. Your desktop analysis machine has a copy of the binary sample which is running on the victim_server at the path: `/home/==edit: main_user==/malware/coconut`.
This task involves analysing the coconut malware sample. Hackerbot will provide you with a series of practical challenges and quiz questions about the malware sample and reward you with flags for successful completion. Further flags can be found on the infected system (victim_server).
## Advanced Analysis Techniques {#advanced-analysis-techniques}
Before attempting the Hackerbot challenges, you'll need to understand several advanced techniques used in malware analysis.
### YARA Rule Creation {#yara-rule-creation}
YARA (Yet Another Recursive Acronym) is a powerful pattern-matching tool used to identify and classify malware samples. YARA rules are written in a simple, yet expressive language that allows analysts to create signatures for malware detection.
#### Key YARA Concepts:
- **Rules**: Contain metadata and conditions for pattern matching
- **Strings**: Define patterns to search for in files
- **Conditions**: Specify when a rule should trigger
- **False Positives**: Rules that incorrectly match legitimate files
#### Basic YARA Rule Structure:
```yaml
rule RuleName {
meta:
description = "Description of what the rule detects"
author = "Your name"
date = "2024-01-01"
strings:
$string1 = "malicious_pattern" ascii
$string2 = { 48 65 6C 6C 6F } // hex pattern
condition:
any of them
}
```
> Tip: Effective YARA rules should be specific enough to catch the target malware while avoiding false positives on legitimate system files.
### Advanced Malware Behavior Analysis {#advanced-malware-behavior-analysis}
The Coconut malware sample demonstrates sophisticated attack techniques that require comprehensive analysis skills:
#### Analysis Techniques Covered:
- **Packer Identification** - Detecting packers
- **Network Behavior Analysis** - Identifying open ports and communication
- **Backdoor Detection** - Finding hidden access mechanisms
- **Function Analysis** - Understanding malware capabilities
- **Data Exfiltration** - Extracting files from infected systems
#### Multi-Vector Attack Analysis:
The Coconut malware uses multiple attack vectors:
- **HTTP backdoors** - Web-based remote access
- **ICMP shells** - Covert communication channels
- **Bind shells** - Direct network access
- **Session management** - Timeout and authentication features
> Warning: This lab involves analyzing real malware. Ensure you're working in the provided isolated environment.
### File Exfiltration and Data Recovery {#file-exfiltration-and-data-recovery}
One of the key objectives in malware analysis is understanding what data attackers can access and extract:
#### Exfiltration Techniques:
- **Backdoor access** - Using malware's own mechanisms
- **File transfer** - Moving data from infected systems
- **Integrity verification** - Ensuring complete data transfer
- **Steganography detection** - Finding hidden data
#### Analysis Objectives:
- Identify accessible files on the infected system
- Use backdoor mechanisms to extract data
- Verify file integrity using checksums
- Understand attacker capabilities and objectives
### Interactive Analysis with Hackerbot {#interactive-analysis-with-hackerbot}
Hackerbot is a chatbot designed to guide you through the challenges. Unlike traditional labs, Hackerbot provides:
#### Key Features:
- **Interactive guidance** - Step-by-step analysis assistance
- **Real-time feedback** - Immediate validation of your analysis
- **Progressive challenges** - Increasingly complex analysis tasks
- **Flag rewards** - Immediate recognition of successful completion
#### Communication Commands:
- `help` - Get assistance with available commands
- `list` - View available challenges
- `ready` - Indicate you're ready for the next challenge
- `answer X` - Submit your answer to a quiz question
> Note: Hackerbot will guide you through packer identification, network analysis, backdoor detection, and YARA rule creation for the Coconut malware sample.
## Hackerbot Challenges {#hackerbot-challenges}
> Flag: Interact with Hackerbot, and complete the tasks. Submit the flags into Hacktivity.