I need help finding out what commands to use for the binary files and how to deobfuscate them to meet the criteria below. I also need a script for opendir$01-05$ that will go throught all of those $.$bins automatically.

Answer everything to the best of your ability. The JS code can be found by searching the md$5$ on any.run and clicking sample$01.$js

Lab Files

The malware samples are contained within password$-$protected zip archives with the password:

infected

Please ensure you are handling the malicious files appropriately. File hashes of the lab samples

are:

$$ MD$5($opendir$01.$bin$)=80$e$60949538$c$818$d$3$b$19$a$4$e$1$cc$97301$b

$$ MD$5($opendir$02.$bin$)=$ ac$35924$cdf$89$c$3$ddd$7$af$08$d$270$bb$46$b$0$

$$ MD$5($opendir$03.$bin$)=454$b$42$b$9$c$8920$c$573$ed$9710121$a$69$e$65$

$$ MD$5($opendir$04.$bin$)=$ f$9$e$9$a$956471688$aede$7$d$659$edf$1728$b$5$

$$ MD$5($opendir$05.$bin$)=$ e$8$a$5$e$08094$c$411$b$7$f$65$f$65$e$41$b$83$c$68$b

$$ MD$5($sample$01.$bin$)=$ e$0292$d$3$caa$37$a$338$bee$28$bd$280123$d$3$c

$$ MD$5($sample$01.$js$)=$ f$6$d$7$c$45$fc$0991$c$94$a$6723$aca$1$fe$07576$

Lab Instructions

Complete the following tasks in your analysis environment or using the IA lab. All work should

be original, discovered, and reported on by you. Do not rely upon a single source of information

$($i$.$e$.,$ an online sandbox$)$ to answer all questions.

JavaScript

This lab sample has some JavaScript for you to analyze; it is part of ransomware delivery, so be

cautious handling the file.

$1.$ The initial script, sample$01.$js is obfuscated. Deobfuscate the file and document$/$provide

evidence of the following:

a$.$ Show any IOCs that you were able to find, specifically URLs, domains, and

resources that are used to request the next stages.

b$.$ Describe the object$($s$)$ used to download the next stages.

c$.$ Provide a short overview of your approach to deobfuscating the JavaScript.

$2.$ Deobfuscate the binary data that is downloaded from the sample$01.$js script. The host

of the next stage is no longer accessible, so I have provided you with the file

sample$01.$bin.

$3.$ Identify the type of executable that the binary file is$.$

a$.$ Is the file a DLL$,$ SYS$,$ or EXE?

b$.$ How does the binary file get executed $$ provide the commands.

c$.$ What are the features of the malware? Provide evidence that shows the main

functionality of the sample.

Open Directory

The files provided here have been obfuscated to emulate what you might find in an open

directory that is used to host additional stages of malware. You must determine how the files

were obfuscated and write a tool to automate the deobfuscation process. Once unobfuscated,

all files will be valid PE binaries.

$1.$ Determine how the files were obfuscated. There is some combination of Base$64$

encoding, byte reversing, and XOR.

$2.$ Once you have the process down, write a script $($Bash or Python$)$:

a$.$ The script should successfully deobfuscate each of the binaries.

b$.$ Preserve the original binaries by outputting a new copy named: First$-$Original.

c$.$ When finished, print out: First Name, File Name, MD$5$ for each file.

d$.$ The script must be well documented. Add comments to explain what the

commands$/$switches are doing.

$3.$ Use malwoverview.py to submit each of the resulting files to VirusTotal.