Malware Behaviour - Reverse Engineering and Analysis of the Coconut Malware Sample

Advanced malware analysis lab using Hackerbot to analyze the Coconut malware sample, including packer identification, network analysis, backdoor detection, and YARA rule creation.

Lab Overview

This lab provides hands-on experience with advanced malware analysis techniques using the Coconut malware sample. You will work with Hackerbot, an interactive chatbot that guides you through a series of practical challenges and quiz questions about the malware sample. The lab covers packer identification, network analysis, backdoor detection, file exfiltration, and YARA rule creation.

The victim_server has been infected with a malware sample, and your desktop analysis machine has a copy of the binary sample. Hackerbot will provide you with a series of practical challenges and quiz questions about the malware sample and reward you with flags for successful completion. Further flags can be found on the infected system.


Contents

    Getting Started

    VMs in This Lab

    ==VM: Start these VMs== (if you haven’t already):

    • hackerbot_server (leave it running, you don’t log into this)
    • desktop
    • victim_server

    Your Login Details for the “Desktop” VM

    Note: Password: tiaspbiqe2r (this is a secure password but is quite easy 2 remember)

    Note: You won’t login to the hackerbot_server, but the VM needs to be running to complete the lab.

    Meet Hackerbot!

    This exercise involves Hackerbot, a chatbot who will interact with you and your system. If you satisfy Hackerbot by completing the challenges she will reveal flags to you.

    On the desktop VM:

    ==action: Open Pidgin and send some messages to Hackerbot:==

    • Try asking Hackerbot some questions
    • Send “help”
    • Send “list”
    • Send “hello”

    Introduction

    The victim_server has been infected with a malware sample. Your desktop analysis machine has a copy of the binary sample which is running on the victim_server at the path: /home/==edit: main_user==/malware/coconut.

    This task involves analysing the coconut malware sample. Hackerbot will provide you with a series of practical challenges and quiz questions about the malware sample and reward you with flags for successful completion. Further flags can be found on the infected system (victim_server).

    Advanced Analysis Techniques

    Before attempting the Hackerbot challenges, you’ll need to understand several advanced techniques used in malware analysis.

    YARA Rule Creation

    YARA (Yet Another Recursive Acronym) is a powerful pattern-matching tool used to identify and classify malware samples. YARA rules are written in a simple, yet expressive language that allows analysts to create signatures for malware detection.

    Key YARA Concepts:

    • Rules: Contain metadata and conditions for pattern matching
    • Strings: Define patterns to search for in files
    • Conditions: Specify when a rule should trigger
    • False Positives: Rules that incorrectly match legitimate files

    Basic YARA Rule Structure:

    rule RuleName {
        meta:
            description = "Description of what the rule detects"
            author = "Your name"
            date = "2024-01-01"

        strings:
            $string1 = "malicious_pattern" ascii
            $string2 = { 48 65 6C 6C 6F } // hex pattern

        condition:
            any of them
    }

    Tip: Effective YARA rules should be specific enough to catch the target malware while avoiding false positives on legitimate system files.

    Advanced Malware Behavior Analysis

    The Coconut malware sample demonstrates sophisticated attack techniques that require comprehensive analysis skills:

    Analysis Techniques Covered:

    • Packer Identification - Detecting whether the sample has been packed
    • Network Behavior Analysis - Identifying open ports and communication
    • Backdoor Detection - Finding hidden access mechanisms
    • Function Analysis - Understanding malware capabilities
    • Data Exfiltration - Extracting files from infected systems
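    As an added example that is not part of the lab or of the Coconut sample, the Python helper below ties together the YARA section above and the packer identification item in this list: it scores a byte buffer's entropy as a packing hint, extracts printable strings the way strings(1) does, and emits a rule in the meta/strings/condition layout shown earlier. The SAMPLE bytes and the strings inside them are constructed for the demonstration, not taken from the real binary.

```python
import math
import re
from collections import Counter

# Constructed stand-in for a binary (NOT bytes from the Coconut sample): a fake
# ELF header, zero padding, and a few readable strings to pick out.
SAMPLE = (b"\x7fELF\x02\x01\x01" + b"\x00" * 24
          + b"/bin/sh\x00GET /cmd HTTP/1.1\x00session timeout\x00"
          + b"\x00" * 40 + b"ab\x00")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted data sits near 8.0, plain code well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Runs of at least min_len printable-ASCII bytes, like the strings(1) tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def packer_hint(data: bytes, threshold: float = 7.0) -> dict:
    """Cheap packer heuristic: high entropy together with very few readable strings."""
    ent = shannon_entropy(data)
    count = len(extract_strings(data))
    return {"entropy": round(ent, 2), "strings": count,
            "likely_packed": ent > threshold and count < 10}

def yara_escape(s: str) -> str:
    """Escape backslashes and quotes so the text is a valid YARA string literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')

def build_rule(name: str, strings: list, description: str, author: str = "analyst") -> str:
    """Emit a rule in the meta/strings/condition layout from the lab text.
    Requiring min(2, count) of the strings stops one common string (e.g. /bin/sh)
    from matching legitimate files on its own."""
    if not strings:
        raise ValueError("a rule needs at least one string")
    lines = [f"rule {name} {{", "    meta:",
             f'        description = "{yara_escape(description)}"',
             f'        author = "{yara_escape(author)}"', "    strings:"]
    for i, s in enumerate(strings, 1):
        lines.append(f'        $s{i} = "{yara_escape(s)}" ascii')
    lines += ["    condition:", f"        {min(2, len(strings))} of them", "}"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(packer_hint(SAMPLE))
    print(build_rule("coconut_demo", extract_strings(SAMPLE), "constructed demo rule"))
```

Run it against your copy of the sample by replacing SAMPLE with the file's bytes; review the candidate strings by hand before keeping any in a rule, since generic strings are exactly what produces false positives.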

    Multi-Vector Attack Analysis:

    The Coconut malware uses multiple attack vectors:

    • HTTP backdoors - Web-based remote access
    • ICMP shells - Covert communication channels
    • Bind shells - Direct network access
    • Session management - Timeout and authentication features
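    Bind shells and ICMP shells both leave traces in the kernel's socket tables, which is how you confirm them on the victim without trusting the binary. As an added example (not part of the lab), this Python script parses the /proc/net/tcp and /proc/net/raw formats: listening TCP sockets reveal a bind shell or HTTP backdoor, and a raw socket bound to protocol 1 reveals an ICMP listener. The table lines, addresses, ports and uids below are constructed, not captured from victim_server.

```python
# Constructed /proc/net/tcp and /proc/net/raw contents (not from victim_server).
# Columns: sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode ...
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 100 0 0 10 0
   2: 0F02000A:1F90 0102000A:C4B2 01 00000000:00000000 00:00000000 00000000  1000        0 34567 1 0000000000000000 20 4 30 10 -1
"""
PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 45678 2 0000000000000000 0
"""
TCP_LISTEN = "0A"   # socket state value for LISTEN in /proc/net/tcp
IPPROTO_ICMP = 1

def decode_addr(field: str):
    """'0100007F:0277' -> ('127.0.0.1', 631). IPv4 is little-endian hex, port big-endian."""
    ip_hex, port_hex = field.split(":")
    octets = [int(ip_hex[i:i + 2], 16) for i in range(6, -1, -2)]
    return ".".join(map(str, octets)), int(port_hex, 16)

def parse_table(text: str) -> list:
    """Parse the rows of a /proc/net/{tcp,raw} table, skipping the header line."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 10:
            continue
        rows.append({"local": decode_addr(parts[1]), "remote": decode_addr(parts[2]),
                     "state": parts[3], "uid": int(parts[7]), "inode": int(parts[9])})
    return rows

def listening_tcp(text: str, ignore_ports=frozenset()) -> list:
    """(ip, port, uid) of listening sockets; pass the ports you expect (e.g. {22}) to filter."""
    return [(r["local"][0], r["local"][1], r["uid"]) for r in parse_table(text)
            if r["state"] == TCP_LISTEN and r["local"][1] not in ignore_ports]

def raw_icmp_sockets(text: str) -> list:
    """uids owning raw sockets bound to ICMP; for raw sockets the 'port' field is the protocol."""
    return [r["uid"] for r in parse_table(text) if r["local"][1] == IPPROTO_ICMP]

if __name__ == "__main__":
    # On the infected VM, read the live tables instead of the constructed samples.
    tcp = open("/proc/net/tcp").read()
    raw = open("/proc/net/raw").read()
    print("unexpected listeners:", listening_tcp(tcp, ignore_ports={22}))
    print("raw ICMP sockets owned by uids:", raw_icmp_sockets(raw))
```

Map an inode back to its process with ls -l /proc/*/fd to see which binary owns the socket.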

    Warning: This lab involves analyzing real malware. Ensure you’re working in the provided isolated environment.

    File Exfiltration and Data Recovery

    One of the key objectives in malware analysis is understanding what data attackers can access and extract:

    Exfiltration Techniques:

    • Backdoor access - Using malware’s own mechanisms
    • File transfer - Moving data from infected systems
    • Integrity verification - Ensuring complete data transfer
    • Steganography detection - Finding hidden data

    Analysis Objectives:

    • Identify accessible files on the infected system
    • Use backdoor mechanisms to extract data
    • Verify file integrity using checksums
    • Understand attacker capabilities and objectives

    Interactive Analysis with Hackerbot

    Hackerbot is a chatbot designed to guide you through the challenges. Unlike traditional labs, Hackerbot provides:

    Key Features:

    • Interactive guidance - Step-by-step analysis assistance
    • Real-time feedback - Immediate validation of your analysis
    • Progressive challenges - Increasingly complex analysis tasks
    • Flag rewards - Immediate recognition of successful completion

    Communication Commands:

    • help - Get assistance with available commands
    • list - View available challenges
    • ready - Indicate you’re ready for the next challenge
    • answer X - Submit your answer to a quiz question

    Note: Hackerbot will guide you through packer identification, network analysis, backdoor detection, and YARA rule creation for the Coconut malware sample.

    Hackerbot Challenges

    Flag: Interact with Hackerbot, and complete the tasks. Submit the flags into Hacktivity.