
Analyzing and Reversing Malicious Code

Welcome to the workbook for the US Cyber Challenge Analyzing and Reversing Malicious Code course. The goal of this course is to teach you the fundamentals of analyzing and reverse engineering malicious code.

Danger

This course uses live malware. Do not, under any circumstances, run the specimens outside of your virtual machines.

Downloads

This course has one Windows 10 virtual machine that contains the exercise data (and several pre-installed tools). There is an optional Ubuntu virtual machine, which can be used for sniffing network traffic.

The Optional VM

Ubuntu 24.04's networking does not survive a VM copy well, so if you decide to use the optional virtual machine, make sure to select "I moved it" and not "I copied it" when VMware asks.

The link to download the primary virtual machine, the optional virtual machine, and extra (also optional) data files is given out in Discord.

The shared folder contains the following files:

  • USCC-ARMC2-Win10x64.7z: A 7-Zipped Windows 10 virtual machine. This is the main virtual machine. Everything else listed below is optional.
  • OPTIONAL--USCC-ARMC2-Ubuntu2404x64.7z: A 7-Zipped Ubuntu 24.04 virtual machine
  • OPTIONAL--lab-files.7z: A copy of pre-generated data files in case a lab goes awry.
  • OPTIONAL--lab-specimens.7z: A copy of the live malware from the Windows 10 virtual machine. The file is password protected with the password: infected

Danger

No joke, the malware contained in OPTIONAL--lab-specimens.7z is real. Be very careful with it.

Download the Windows 10 virtual machine, extract the 7-Zip archive to a directory of your choosing (on your hard disk), open the extracted VM inside VMware, and start it up.

The additional files are not necessary for the labs, but are provided for your convenience.

Virtual Machine Configuration

The virtual machines are configured in host-only mode, with hard-coded IP addresses. The configuration of each machine is:

Windows 10

  • Username: armc
  • Password: malware
  • IP address: 10.10.10.30
  • Netmask: 255.255.255.0
  • Default gateway: 10.10.10.20

Optional Ubuntu 24.04

  • Username: armc
  • Password: malware
  • IP address: 10.10.10.20
  • Netmask: 255.255.255.0
  • Default gateway: none
  • DNS server: none

Different Settings

If you are going to use the optional Ubuntu virtual machine, make sure to select "I moved it". Do not select "I copied it". The copy option generates a new MAC address for the virtual network adapter, which breaks the VM's network settings.
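If the Ubuntu VM does come up without its address (for example after "I copied it" was chosen by mistake), the static settings listed above can be restored with a netplan configuration. The following is an added example for this workbook, not a file shipped with the course VM: the interface name ens33 and the file name are assumptions, so run ip link to find the real interface name and look at any existing file in /etc/netplan first (edit that one rather than adding a second file that defines the same interface).

```yaml
# /etc/netplan/01-armc-lab.yaml  (file name assumed; reuse the VM's existing file if one is present)
# Added example: static host-only address for the optional Ubuntu VM, matching the
# settings listed in this workbook. No gateway and no DNS server are defined on
# purpose: the VM only needs to be reachable from the Windows guest at 10.10.10.20.
network:
  version: 2
  ethernets:
    ens33:                     # interface name is an assumption; check `ip link`
      dhcp4: false
      dhcp6: false
      addresses:
        - 10.10.10.20/24       # 10.10.10.20 with netmask 255.255.255.0
```

Apply it with sudo netplan apply and confirm with ip -4 addr, which should show 10.10.10.20/24 on the interface; from the Windows VM, ping 10.10.10.20 should then get a reply. Recent netplan releases warn when the file is readable by other users, so sudo chmod 600 the file. With the address in place, sudo tcpdump -i ens33 -n host 10.10.10.30 (same interface-name assumption) on the Ubuntu VM shows whatever the Windows guest sends toward its configured gateway, which is the sniffing role this VM is meant for.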

General Notes

Getting Root on the Optional VM

To get root access on the Ubuntu VM, use sudo su -, and then type the password (it's malware). For example:

armc@armc-ubuntu:~$ sudo su -
[sudo] password for armc:
root@armc-ubuntu:~# 

Displaying Files on Ubuntu

You can display files at the command prompt by using the cat and/or less commands. For example to display the messages file in /var/log:

cat /var/log/messages

Displays the messages file. If there is a lot of output, open the file with the less command instead, to go through it one page at a time (piping cat into less works too, but is unnecessary). Continuing with the messages file:

less /var/log/messages

Tip

To exit less, press the Q key

Editing Files on Ubuntu

To edit files on your Ubuntu guest, you can use vi or gedit. To use gedit simply type gedit <filename> at the command prompt. For example to open the file /var/log/messages in gedit type:

gedit /var/log/messages