Day 6: If I can't find a nice malware to use, I'm not going.

Note:
Hey! Before you go through this writeup, try the task yourself first, and if you get stuck, come back and check out the writeup.
Today's challenge is about evading sandboxes.
For those who are unaware: sandboxing is a security technique that runs untrusted or potentially harmful code in a controlled, isolated environment so it cannot reach sensitive data or make changes outside the sandbox. It is widely used for testing software, analysing malware, and hardening browsers. By containing threats in an isolated space, sandboxing helps prevent malware infections, unauthorised access, and system compromise, making it an important layer of defence.
YARA rules are patterns or signatures used to identify malware, suspicious files, or behaviours based on textual or binary characteristics. They can also be applied to detect sandbox evasion, where malware checks whether it is running in a virtual or isolated environment and changes its behaviour if so. By writing rules that look for traits specific to sandbox evasion, such as timing delays, system checks (e.g., CPU core count, RAM size, or virtualisation artefacts such as VMware or VirtualBox strings), or unusual API calls (e.g., IsDebuggerPresent), analysts can identify threats that attempt to behave benignly inside analysis environments.
Q: What is the flag displayed in the popup window after the EDR detects the malware?
A: Open PowerShell and change into the C:\Tools directory:
cd C:\Tools
Run the EDR tool, which has been set up with YARA rules that detect sandbox evasion:
.\JingleBells.ps1
Open File Explorer, navigate to C:\Tools\Malware and run MerryChristmas.exe.
The popup will contain the flag.
Q: What is the flag found in the malstrings.txt document after running floss.exe, and opening the file in a text editor?
A: In PowerShell, navigate to C:\Tools\FLOSS and run:
floss.exe C:\Tools\Malware\MerryChristmas.exe | Out-File C:\Tools\malstrings.txt
In File Explorer, navigate to C:\Tools, find malstrings.txt and open it in a text editor.
Search for THM{ and the flag should be there.
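As an added example (not part of the original writeup, and not the challenge's own JingleBells.ps1 rules or the FLOSS tool), the Python below shows both halves of what today's tasks rely on: it extracts printable ASCII strings from a binary the way the static pass of strings/FLOSS does, evaluates a YARA-style rule for sandbox-evasion indicators (debugger and timing APIs combined with VM artefacts) against the bytes, and searches the extracted strings for a THM{ flag. The sample bytes, the rule, the rule name and the flag are all constructed; the equivalent YARA syntax is included as a reference string so you can see how the same condition would be written for a real scanner.

```python
"""Added example: FLOSS-style strings pass plus a YARA-style sandbox-evasion
rule, evaluated in pure Python. Constructed sample; not the challenge's files."""
from __future__ import annotations

import re

# Constructed stand-in for a sample: MZ header, DOS stub text, a few imported API
# names, VM artefacts and a flag, NUL-separated as in an import table or .rdata.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 60
    + b"This program cannot be run in DOS mode.\r\n"
    + b"kernel32.dll\x00IsDebuggerPresent\x00CheckRemoteDebuggerPresent\x00"
    + b"GetTickCount\x00Sleep\x00GetSystemInfo\x00"
    + b"VMware\x00VBOX\x00vboxservice.exe\x00"
    + b"THM{constructed_example_flag}\x00"
    + b"\x01\x02\x03"
)

# Constructed benign-looking blob: Sleep and GetTickCount alone must not fire.
BENIGN_BINARY = b"MZ" + b"\x00" * 10 + b"kernel32.dll\x00Sleep\x00GetTickCount\x00"

# How the same rule reads in real YARA syntax (hypothetical rule, reference only;
# the Python matcher below implements exactly this condition).
YARA_RULE_TEXT = r"""
rule Sandbox_Evasion_Indicators
{
    meta:
        description = "Constructed example: debugger/timing APIs plus VM artefacts"
    strings:
        $api_debugger        = "IsDebuggerPresent" ascii
        $api_remote_debugger = "CheckRemoteDebuggerPresent" ascii
        $api_tick            = "GetTickCount" ascii
        $api_sleep           = "Sleep" ascii
        $api_sysinfo         = "GetSystemInfo" ascii
        $vm_vmware           = "VMware" ascii nocase
        $vm_vbox             = "VBOX" ascii nocase
        $vm_vboxsvc          = "vboxservice.exe" ascii nocase
    condition:
        uint16(0) == 0x5A4D and 2 of ($api_*) and 1 of ($vm_*)
}
"""

# Same rule as Python data so the example runs without yara-python installed.
# Each entry is (pattern, nocase).
SANDBOX_EVASION_RULE = {
    "name": "Sandbox_Evasion_Indicators",
    "strings": {
        "$api_debugger": (b"IsDebuggerPresent", False),
        "$api_remote_debugger": (b"CheckRemoteDebuggerPresent", False),
        "$api_tick": (b"GetTickCount", False),
        "$api_sleep": (b"Sleep", False),
        "$api_sysinfo": (b"GetSystemInfo", False),
        "$vm_vmware": (b"VMware", True),
        "$vm_vbox": (b"VBOX", True),
        "$vm_vboxsvc": (b"vboxservice.exe", True),
    },
}


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Printable-ASCII runs of at least min_len bytes: the static pass that
    strings or floss.exe performs before any decoding of obfuscated strings."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def match_rule(data: bytes, rule: dict) -> tuple[bool, list[str]]:
    """Evaluate: MZ header and 2 of $api_* and 1 of $vm_*.
    Returns (matched, identifiers of the strings that hit)."""
    hits = []
    for name, (pat, nocase) in rule["strings"].items():
        haystack, needle = (data.lower(), pat.lower()) if nocase else (data, pat)
        if needle in haystack:
            hits.append(name)
    api_hits = [h for h in hits if h.startswith("$api_")]
    vm_hits = [h for h in hits if h.startswith("$vm_")]
    is_mz = data[:2] == b"MZ"  # uint16(0) == 0x5A4D is "MZ" read little-endian
    return is_mz and len(api_hits) >= 2 and len(vm_hits) >= 1, hits


def find_flags(data: bytes, prefix: str = "THM{") -> list[str]:
    """Run the strings pass and return anything shaped like prefix...}."""
    flag_re = re.compile(re.escape(prefix) + r"[^}]*\}")
    return [m.group() for s in extract_strings(data) for m in flag_re.finditer(s)]


if __name__ == "__main__":
    matched, hits = match_rule(SAMPLE_BINARY, SANDBOX_EVASION_RULE)
    print(f"{SANDBOX_EVASION_RULE['name']}: matched={matched} hits={hits}")
    print("flags:", find_flags(SAMPLE_BINARY))
```

Two caveats worth keeping in mind when writing rules like this for real: plain substring matches such as "Sleep" also hit SleepEx and appear in plenty of legitimate software, which is why the condition demands a combination of API and VM indicators rather than any single string; and a static strings pass only sees strings the author left in the clear, which is exactly the gap FLOSS's decoding of stack and obfuscated strings is meant to close.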