TryHackMe – Advent of Cyber 3 – Day 20

Day 20 – What’s the Worst That Could Happen?

Today’s topic has to do with investigating viruses using commands and open source tools like VirusTotal.

Start the virtual machine for Day 20 using the green ‘Start Machine’ button. Wait for the VM to boot, and open a terminal using the shortcut at the top of the GUI.

Question 1

Open the terminal and navigate to the file on the desktop named ‘testfile’. Using the ‘strings’ command, check the strings in the file. There is only a single line of output to the ‘strings’ command. What is the output?

When you start the terminal, you will be in the home directory of the user ‘ubuntu’. We need to navigate to the Desktop directory, identify the file ‘testfile’, and then use the strings command to see what it can tell us about the file:

Using the strings command.

Answer:

(Highlight below to see answer):

X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Question 2

Check the file type of ‘testfile’ using the ‘file’ command. What is the file type?

Use the file command to determine what kind of file it is:

Using the file command.

Answer:

(Highlight below to see answer):

EICAR virus test files

Question 3

Calculate the file’s hash and search for it on VirusTotal. When was the file first seen in the wild?

In the last question, we found out that testfile is an EICAR test file. This is a type of ‘dummy’ computer virus that is used for testing anti-virus software.

We can find out more by using VirusTotal, but first we need to calculate the file’s hash. We can do this with the command md5sum:

Calculating the hash using md5sum.

Then, navigate to the ‘Search’ page on VirusTotal and search for this hash.

We find out when the file was first seen in the wild under the ‘Details’ tab:

First Seen in The Wild, under the 'Details' tab.

Answer:

(Highlight below to see answer):

2005-10-17 22:03:48

Question 4

On VirusTotal’s detection tab, what is the classification assigned to the file by Microsoft?

Navigate back to the ‘Detection’ tab, and look for the entry for ‘Microsoft’:

The Microsoft classification.

Answer:

(Highlight below to see answer):

Virus:DOS/EICAR_Test_File

Question 5

Go to this link to learn more about this file and what it is used for. What were the first two names of this file?

This information can be found at the top of the page:

Details of the anti malware testfile.

Answer:

(Highlight below to see answer):

ducklin.htm or ducklin-html.htm

Question 6

The file has 68 characters at the start, known as the known string. It can be appended with whitespace characters up to a limited number of characters. What is the maximum number of total characters that can be in the file?

I found this by searching for the term ‘total’:

Total file length not exceeding 128 characters.

Answer:

(Highlight below to see answer):

128
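The three rules gathered across Questions 1, 3 and 6 (the 68-character known string, md5sum as the VirusTotal lookup key, and the 128-character total length limit) can be turned into a small checker. The script below is an added example, not part of the TryHackMe room or the EICAR project; the function names `classify_eicar`, `hashes` and `check_path` are my own, and the sample files are constructed inline. The allowed trailing bytes follow the EICAR specification, which names space, tab, LF, CR and CTRL-Z as permitted whitespace.

```python
import hashlib

# The 68-byte EICAR known string (the single line `strings` prints for testfile in Question 1).
EICAR_KNOWN = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
MAX_LEN = 128                       # total file length limit from the EICAR spec (Question 6)
# Trailing bytes the spec permits after the known string: space, tab, LF, CR and CTRL-Z.
ALLOWED_TAIL = b" \t\n\r\x1a"


def hashes(data: bytes) -> dict:
    """Return the hashes you would look up on VirusTotal; md5 matches the md5sum output."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify_eicar(data: bytes) -> str:
    """Apply the EICAR rules in order and report the first one the file breaks."""
    if len(data) < len(EICAR_KNOWN):
        return "not-eicar: shorter than the 68-byte known string"
    if data[: len(EICAR_KNOWN)] != EICAR_KNOWN:
        return "not-eicar: first 68 bytes do not match the known string"
    if len(data) > MAX_LEN:
        return f"invalid-eicar: total length {len(data)} exceeds {MAX_LEN} bytes"
    tail = data[len(EICAR_KNOWN):]
    if any(b not in ALLOWED_TAIL for b in tail):
        return "invalid-eicar: non-whitespace data after the known string"
    return "eicar-test-file"


def check_path(path: str) -> dict:
    """Read a file from disk (e.g. ~/Desktop/testfile) and return verdict plus hashes."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"verdict": classify_eicar(data), **hashes(data)}


if __name__ == "__main__":
    # Constructed samples: the bare string, a padded-but-valid file, and two that break the rules.
    samples = {
        "bare": EICAR_KNOWN,
        "padded": EICAR_KNOWN + b"\n" + b" " * 59,   # exactly 128 bytes, still valid
        "too-long": EICAR_KNOWN + b" " * 61,         # 129 bytes, over the limit
        "tampered": EICAR_KNOWN + b"\nextra",        # non-whitespace tail, not a valid test file
    }
    for name, data in samples.items():
        print(f"{name:9s} {classify_eicar(data):60s} md5={hashes(data)['md5']}")
```

Running `check_path` on the room's testfile should give the verdict `eicar-test-file` and the same MD5 that md5sum printed in Question 3, which is the value to paste into the VirusTotal search box. Note that a file that passes the prefix check but fails the length or whitespace rule is exactly the kind of sample an AV engine may legitimately ignore, so the order of the checks matters.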