Analyzing and Reversing Malicious Code
Welcome to the workbook for the US Cyber Challenge Analyzing and Reversing Malicious Code course. The goal of this course is to teach you some of the fundamentals of analyzing and reverse engineering malicious code.
Danger
This course uses live malware. Do not under any circumstances run the specimens outside of your virtual machines.
Downloads
This course has one Windows 10 virtual machine that contains the exercise data (and several pre-installed tools). There is an optional Ubuntu virtual machine, which can be used for sniffing network traffic.
The Optional VM
Due to the precarious nature of Ubuntu 24.04's networking, if you decide to use the optional virtual machine, please make sure to select "I moved it" and not "I copied it".
The link to download the primary virtual machine, the optional virtual machine, and extra (also optional) data files is given out in Discord.
The shared folder contains the following files:
- USCC-ARMC2-Win10x64.7z: A 7-Zipped Windows 10 virtual machine. This is the main virtual machine. Everything else listed below is optional.
- OPTIONAL--USCC-ARMC2-Ubuntu2404x64.7z: A 7-Zipped Ubuntu 24.04 virtual machine.
- OPTIONAL--lab-files.7z: A copy of pre-generated data files in case a lab goes awry.
- OPTIONAL--lab-specimens.7z: A copy of the live malware from the Windows 10 virtual machine. The archive is password protected with the password: infected
Danger
No joke, the malware contained in OPTIONAL--lab-specimens.7z is real. Be very careful with it.
Download the Windows 10 virtual machine, 7-unzip it to a directory of your choosing (on your hard disk), open it inside VMware, and start it up.
The additional files are not necessary for the labs, but are provided for your convenience.
Virtual Machine Configuration
The virtual machines are configured in host-only mode, with hard-coded IP addresses. The configuration of each machine is:
Windows 10
- Username: armc
- Password: malware
- IP address: 10.10.10.30
- Netmask: 255.255.255.0
- Default gateway: 10.10.10.20
Optional Ubuntu 24.04
- Username: armc
- Password: malware
- IP address: 10.10.10.20
- Netmask: 255.255.255.0
- Default gateway: none
- DNS server: none
Different Settings
If you are going to use the optional Ubuntu virtual machine, make sure to select "I moved it". Do not select "I copied it". If you select the copy option, it will change the network settings (due to a newly generated MAC address).
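A quick way to confirm the optional VM kept the addressing above is to check it from inside the guest. The script below is an added example, not part of the course materials; it assumes the addresses in the table, an iproute2 `ip` command, and that you save it as check-lab-net.sh on the Ubuntu VM.

```shell
#!/bin/sh
# Added example, not part of the course materials. Save as check-lab-net.sh on the
# optional Ubuntu VM and run it to confirm the guest still has the lab address
# from the table above. Choosing "I copied it" gives the VM a new MAC address and
# the interface may come up without 10.10.10.20; this catches that early.

LAB_IP="10.10.10.20"    # Ubuntu VM, from the configuration table
LAB_PREFIX="24"         # 255.255.255.0
PEER_IP="10.10.10.30"   # Windows 10 VM

# Reads `ip -4 -o addr show` output on stdin and prints the interface that
# carries LAB_IP/LAB_PREFIX. Exit status 0 if found, 1 if not.
lab_iface() {
    awk -v want="$LAB_IP/$LAB_PREFIX" \
        '$3 == "inet" && $4 == want { print $2; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Reads the same output and prints every non-loopback address, one per line,
# so a mis-addressed VM shows what it got instead.
other_addrs() {
    awk '$3 == "inet" && $2 != "lo" { print $2, $4 }'
}

# Live check: returns 0 when the lab address is bound and the Windows VM
# answers a single ping; otherwise prints what to look at and returns 1.
check_lab_network() {
    addrs=$(ip -4 -o addr show)
    if iface=$(printf '%s\n' "$addrs" | lab_iface); then
        echo "OK: $LAB_IP/$LAB_PREFIX is bound to $iface"
    else
        echo "WARNING: $LAB_IP/$LAB_PREFIX is not bound. Addresses seen:"
        printf '%s\n' "$addrs" | other_addrs
        echo "If you chose \"I copied it\" when powering on, the MAC address changed (see Different Settings)."
        return 1
    fi
    if ping -c 1 -W 1 "$PEER_IP" >/dev/null 2>&1; then
        echo "OK: Windows VM at $PEER_IP answers ping"
    else
        echo "WARNING: no reply from $PEER_IP (is the Windows VM running, host-only, at that address?)"
        return 1
    fi
}

# Run the live check only when invoked as check-lab-net.sh; sourcing the file
# (e.g. to test the parsers on captured output) defines the functions only.
if [ "${0##*/}" = "check-lab-net.sh" ]; then
    check_lab_network
fi
```

Run it with sh check-lab-net.sh before starting a sniffing lab; a non-zero exit means the Windows VM will not be able to reach the Ubuntu guest at the documented address.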
General Notes
Getting Root on the Optional VM
To get root access on the Ubuntu VM, use sudo su -, and then type the password (it's malware). For example:
armc@armc-ubuntu:~$ sudo su -
[sudo] password for armc:
root@armc-ubuntu:~#
Displaying Files on Ubuntu
You can display files at the command prompt by using the cat and/or less commands. For example, to display the messages file in /var/log:
cat /var/log/messages
This displays the messages file. If there is a lot of output, you can pipe it to the less command to go through it one page at a time. Continuing with the messages file:
cat /var/log/messages | less
Tip
To exit less, press the Q key
Editing Files on Ubuntu
To edit files on your Ubuntu guest, you can use vi or gedit. To use gedit, simply type gedit <filename> at the command prompt. For example, to open the file /var/log/messages in gedit, type:
gedit /var/log/messages