Tasks

Gain Access using Trojans

njRAT RAT Trojan

Use the Windows 11 machine (10.10.1.11) as the attacker machine and the Windows Server 2022 machine (10.10.1.22) as the victim machine. Run the njRAT Trojan from the attacker machine and gain control over the victim machine. What is the default port used for njRAT?

5552

Use the Windows 11 machine (10.10.1.11) as the attacker machine and the Windows Server 2022 machine (10.10.1.22) as the victim machine. Enter the Host Name of the victim machine displayed in njRAT Remote Shell.

Server2022

Hide Trojan

SwayzCryptor

On the Windows 11 machine, create a Trojan server using njRAT. Use SwayzCryptor to encrypt the Trojan server file and check if encryption makes the file undetectable to antivirus programs (answer "Yes" if SwayzCryptor makes the Trojan undetectable or "No" otherwise).

Yes

Theef RAT Trojan

Use the Windows 11 machine (10.10.1.11) as the attacker machine and the Windows Server 2022 machine (10.10.1.22) as the victim machine. Create a Trojan server using the Theef RAT Trojan to control the victim machine remotely. Run the Theef server on the victim machine and the Theef client on the attacker machine. The Theef client and server files are available in the directory E:\CEH-Tools\CEHv12 Module 07 Malware Threats\Trojans Types\Remote Access Trojans (RAT)\Theef on the attacker machine. What is the default port used in Theef?

6703

Infect the Target System using a Virus

JPS Virus Maker Tool

In the Windows 11 machine, create a virus using the JPS Virus Maker tool and infect the Windows Server 2019 machine. What is the default custom website used by JPS Virus Maker 4.0?

Static Malware Analysis

Malware Scanning

Analyze malware using online Hybrid Analysis services. What is the name of the Analysis Environment that was selected in this task?

Windows 7 64 bit

Analyze malware using online Hybrid Analysis services. Enter the name of the malicious file that was uploaded for analysis in this lab.

tini.exe

BinText

Perform a string search on the file face.exe located at E:\CEH-Tools\CEHv12 Module 07 Malware Threats\Viruses\Klez Virus Live! on the Windows 11 machine. What is the size of the text detected in the file?

4240 bytes

Identify Packaging and Obfuscation Methods

PEiD

Analyze the file face.exe located at E:\CEH-Tools\CEHv12 Module 07 Malware Threats\Viruses\Klez Virus Live! on the Windows 11 machine to identify packaging and obfuscation methods. What is the subsystem found in the PEiD analysis for Face.exe?

Win32 GUI

Analyze ELF Executable File

Detect It Easy (DIE)

Detect a file's compiler, linker, packer, etc. using Detect It Easy (DIE). Enter the name of the operating system that was detected from the ELF file in this task.

Red Hat Linux

Find the Portable Executable Information

PE Explorer

Use PE Explorer to analyze the file face.exe located at E:\CEH-Tools\CEHv12 Module 07 Malware Threats\Viruses\Klez Virus Live! on the Windows 11 machine. What is the address of the entry point for the file face.exe?

00408458h

Identify File Dependencies

Dependency Walker

Use the Dependency Walker tool to analyze the executable snoopy.exe located in the directory E:\CEH-Tools\CEHv12 Module 07 Malware Threats\Viruses\Klez Virus Live! on the Windows 11 machine and identify the file dependencies of the executable file. Apart from KERNEL32.DLL, ADVAPI32.DLL, and WS2_32.DLL, what is the fourth DLL dependency?

MPR.DLL

Perform Malware Disassembly

On the Windows 11 machine, use the IDA tool to analyze the file face.exe located in the directory E:\CEH-Tools\CEHv12 Module 07 Malware Threats\Viruses\Klez Virus Live!. What is the first subroutine function identified by IDA?

sub_401000

Tools

  • IDA

  • OllyDbg

Ghidra

Use Ghidra to perform malware disassembly and find out the compiler ID of face.exe file.

windows

Dynamic Malware Analysis

Port Monitoring

Run njRAT from the attacker machine (Windows 11) and gain control over the victim machine (Windows Server 2022). On the Windows Server 2022 machine, use the TCPView tool to find the connections created by the Trojan. What is the remote port used by the Trojan server?

5552

Tools

  • TCPView

  • CurrPorts

Process Monitoring

Process Monitor

Run njRAT from the attacker machine (Windows 11) and gain control over the victim machine (Windows Server 2022). On the Windows Server 2022 machine, use Process Monitor to detect suspicious processes created by the Trojan server and identify the registry path of the Trojan executable. Flag submission is not required for this task, enter "No flag" as the answer.

No flag

Registry Monitoring

Reg Organizer

Use the registry monitoring tool Reg Organizer to scan the registry values for any changes. Flag submission is not required for this task, enter "No flag" as the answer.

No flag

Windows Services Monitoring

Windows Service Manager (SrvMan)

On the Windows 11 machine, use the Windows Service Manager (SrvMan) tool to check for suspicious Windows services. Flag submission is not required for this task, enter "No flag" as the answer.

No flag

Startup Program Monitoring

Tools

  • Autoruns for Windows

  • WinPatrol

On the Windows 11 machine, use the Autoruns for Windows and WinPatrol tools to monitor startup programs. Which tab in the WinPatrol tool shows all toolbars and links loaded in the system by IE or other Windows components?

IE Helpers

Installation Monitoring

Mirekusoft Install Monitor

On the Windows 11 machine, use the Mirekusoft Install Monitor tool to detect hidden and background installations. If a person uninstalls any application from the system but fails to delete it from the hard drive, will they be able to view the application in Mirekusoft Install Monitor? (Yes/No)

No

Files and Folder Monitoring

PA File Sight

Install PA File Sight's central monitoring service on the Windows 11 machine and configure it to monitor file integrity on the Windows Server 2022 remote machine. What is the default port used by the central monitoring service?

8000

Device Driver Monitoring

Tools

  • DriverView

  • Driver Reviver

On the Windows 11 machine, use the tools DriverView and Driver Reviver to monitor device drivers. Flag submission is not required for this task, enter "No flag" as the answer.

No flag

DNS Monitoring

DNSQuerySniffer

On the Windows 11 machine, use DNSQuerySniffer to monitor DNS queries to a DNS server. Flag submission is not required for this task, enter "No flag" as the answer.

No flag