release v1.0

.gitignore

@@ -0,0 +1,3 @@
+.idea/*
+.vs/*
+.vs/

EULA.md

@@ -0,0 +1,51 @@
+END-USER LICENSE AGREEMENT FOR “Practical Malware Analysis & Triage Labs”. 
+
+IMPORTANT: PLEASE READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE CONTINUING WITH THIS PROGRAM EXTRACTION: “Practical Malware Analysis & Triage Labs” End-User License Agreement ("EULA") is a legal agreement between You and the Copyright holders of the Course "Practical Malware Analysis & Triage" for the software product(s) “Practical Malware Analysis & Triage Labs” (referred to herein as "SOFTWARE PRODUCT") which may include associated software components, media, and "online" or electronic documentation. By installing or otherwise using the SOFTWARE PRODUCT, You agree to be bound by the terms of this EULA, which represents the entire agreement concerning the program between You (also referred to as "End-User") and the Copyright holders of the course “Practical Malware Analysis & Triage (PMAT”), (referred to herein as "Licensor"). Download, extraction, installation, or use of the SOFTWARE PRODUCT constitutes acceptance of these terms and/or agreement that they are binding on You. Licensor reserves all rights not expressly granted to You.
+
+The SOFTWARE PRODUCT is protected by copyright laws and international copyright treaties, as well as other intellectual property laws and treaties. The SOFTWARE PRODUCT is licensed, not sold.  This license granted to You for the SOFTWARE PRODUCT by Licensor is limited to a non-transferable license to use the SOFTWARE PRODUCT on any computer that You own or control.  This license does not allow You to use the SOFTWARE PRODUCT on any computer that You do not own or control, and You may not distribute or make the SOFTWARE PRODUCT available over a network where it could be used by multiple computers at the same time. You may not rent, lease, lend, sell, redistribute or sublicense the SOFTWARE PRODUCT. You may not copy (except as expressly permitted by this EULA), modify, or create derivative works of the SOFTWARE PRODUCT.
+
+1. WARNING: 
+(a) Dangerous Malicious Code - 
+The SOFTWARE PRODUCT contains dangerous malicious computer code that will cause damage to Your or others computers and/or networks if not used properly.  Licensor is not responsible for the misuse or accidental misuse of this SOFTWARE PRODUCT and the End-User accepts all responsibility for any damage incurred by the End-User.
+(b) Safe Environment - 
+The SOFTWARE PRODUCT should not be run without a safe environment that can easily be restored to a prior state, such as a virtual machine.  The End-User agrees that in no case shall the SOFTWARE PRODUCT be used by the End-User on production systems or systems that contain sensitive or valuable information.
+(c) Prohibition on Connecting this Software to the Internet - 
+The End-User agrees that the SOFTWARE PRODUCT will not be used on systems connected to the Internet due to the risks posed to the machine running the SOFTWARE PRODUCT as well as the risks posed to the greater Internet.
+
+2. GRANT OF LICENSE: 
+(a) Installation and Use - 
+Licensor grants You the right to install and use copies of the SOFTWARE PRODUCT on Your computer running a validly licensed copy of the operating system for which the SOFTWARE PRODUCT was designed [e.g., Windows 95, Windows NT, Windows 98, Windows 2000, Windows 2003, Windows XP, Windows ME, Windows Vista, Windows 7, Windows 10].
+
+3. DESCRIPTION OF OTHER RIGHTS AND LIMITATIONS: 
+(a) Maintenance of Copyright Notices - 
+The End-User agrees to not remove or alter any copyright notices on any and all copies of the SOFTWARE PRODUCT.
+(b) Distribution - 
+The End-User agrees to not redistribute copies of the SOFTWARE PRODUCT to third parties.
+(c) Support Services - 
+Licensor does not provide any support services related to the SOFTWARE PRODUCT. 
+(d) Compliance with Applicable Laws - 
+The End-User agrees to comply with all applicable federal, state, local, local country, and international agreements/treaties/laws regarding use of the SOFTWARE PRODUCT.
+(e) Prohibited Educational Uses - 
+Use of the SOFTWARE PRODUCT for instructor-led training is prohibited without expressed written consent from Licensor.  
+(f) Modification - 
+Modifications must not be made to the SOFTWARE PRODUCT.  By downloading, extracting, and installing the SOFTWARE PRODUCT, the end-user agrees that they will not modify the SOFTWARE PRODUCT.   
+(g) Educational Purposes Only - 
+The SOFTWARE PRODUCT is meant for use with learning in conjunction with the “Practical Malware Analysis and Triage (PMAT)” course for educational purposes only.  The End-User agrees to use the SOFTWARE PRODUCT for educational purposes only.
+
+4. TERMINATION: 
+The EULA is effective until terminated by You or Licensor. Your rights under this license will terminate automatically without notice from Licensor if You fail to comply with any term(s) of this EULA. Upon termination of the license, You shall cease all use of the SOFTWARE PRODUCT, and destroy all copies, full or partial, of the SOFTWARE PRODUCT.
+
+5. INTELLECTUAL PROPERTY: 
+You agree that the SOFTWARE PRODUCT contains proprietary content, information and material that is protected by applicable intellectual property and other laws, including but not limited to copyright, and that You will not use such proprietary content, information or materials in any way whatsoever except for permitted use of the SOFTWARE PRODUCT. This EULA grants You no intellectual property rights. 
+
+6. NO WARRANTIES: 
+To the extent not prohibited by law, Licensor expressly disclaims any warranty for the SOFTWARE PRODUCT. The SOFTWARE PRODUCT is provided 'As Is' without any express or implied warranty of any kind, including but not limited to any warranties of merchantability, non-infringement, or fitness of a particular purpose. Licensor does not warrant or assume responsibility for the accuracy or completeness of any information, text, graphics, links or other items contained within the SOFTWARE PRODUCT. Licensor makes no warranties respecting any harm that may be caused by the transmission of a computer virus, worm, time bomb, logic bomb, or other such computer program. Licensor further expressly disclaims any warranty or representation to Authorized Users or to any third party.
+
+7. LIMITATION OF LIABILITY: 
+In no event shall Licensor be liable for any damages (including, without limitation, lost profits, business interruption, or lost information) rising out of Your use of or inability to use the SOFTWARE PRODUCT, even if Licensor has been advised of the possibility of such damages. In no event will Licensor be liable for loss of data or for indirect, special, incidental, consequential (including lost profit), or other damages based in contract, tort or otherwise. Licensor shall have no liability with respect to the content of the SOFTWARE PRODUCT or any part thereof, including but not limited to errors or omissions contained therein, libel, infringements of rights of publicity, privacy, trademark rights, business interruption, personal injury, loss of privacy, moral rights or the disclosure of confidential information. 
+
+8. APPLICABLE LAW: 
+(a) United States - 
+If You acquired the software in the United States, New York state law governs the interpretation of this agreement and applies to claims for breach of it, regardless of conflict of laws principles. 
+(b) Outside the United States - 
+If You acquired the software in any other country, the laws of that country apply.

README.md

@@ -1 +1,162 @@
-# PMAT-labs
+
+<p align="center">
+  <img src="https://user-images.githubusercontent.com/57866415/135939695-6f2c2ce7-403b-4aab-977f-561d17be73ce.png" />
+</p>
+
+<div align="center">
+
+# PMAT-labs 🔬
+Welcome to the labs for Practical Malware Analysis &amp; Triage.
+
+---
+
+[![Release Version][img-version-badge]][release] [![Course Link][course]][course-link] [![EULA][img-license-badge]][eula]
+
+---
+
+## 🔴 WARNING 🔴
+</div>
+
+Read this carefully before proceeding.
+
+This repository contains live malware samples for use in the Practical Malware Analysis & Triage course (PMAT). These samples are either written to emulate common malware characteristics or are live, real world, "caught in the wild" samples. Both categories are dangerous. These samples are to be handled with extreme caution at all times.
+
+- Do not download these samples to a computer you do not own.
+- Do not execute any of these samples on a computer you do not own.
+- Do not download and/or execute these samples in an environment that you cannot revert to a saved state, i.e. a virtual machine.
+- Practice safe malware handling procedures at all times when using these samples.
+
+By downloading the contents of this repository, regardless of if you have purchased the course or not, you are agreeing to the End User License Agreement. Please refer to `EULA.md` for more information.
+
+---
+
+## 🧭 Structure 🗺️
+
+The structure of this repository maps to the course videos. The top directory contains the name of the section, and the subdirectories are the samples in use during that part of the course. For example:
+```
+📦labs
+ ┣ 📂0-1.HandlingAndSafety
+ ┃ ┣ 📜Malware.Calc.exe.7z
+ ┃ ┣ 📜md5sum.txt
+ ┃ ┣ 📜password.txt
+ ┃ ┗ 📜sha256sum.txt
+ ┣ 📂1-1.BasicStaticAnalysis
+ ┃ ┣ 📂Malware.PackedAndNotPacked.exe.malz
+ ┃ ┃ ┣ 📜Malware.PackedAndNotPacked.exe.zip
+ ┃ ┃ ┣ 📜md5sum.txt
+ ┃ ┃ ┣ 📜password.txt
+ ┃ ┃ ┗ 📜sha256sum.txt
+ ┃ ┣ 📂Malware.Unknown.exe.malz
+ ┃ ┃ ┣ 📜Malware.Unknown.exe.7z
+ ┃ ┃ ┣ 📜README.txt
+ ┃ ┃ ┗ 📜password.txt
+...[snip]...
+```
+
+In the example above, the `0-1.HandlingAndSafety` directory contains a zipped copy of `Malware.Calc.exe.7z` and the other files that sample is provided with. It is used in the `Handling and Safety` section in the course. 
+
+Underneath the Handling and Safety sample, the `1-1.BasicStaticAnalysis` directory contains two samples that are used in that section. The whole course follows this structure, so check to see which section you're currently in and then the videos will reference the sample to work on.
+
+---
+
+## Topics 📚
+
+Each section is broken down by topic:
+
+### 0. Malware Handling and Safety
+
+This section covers basic malware handing and safety, includiong defanging malware and safe practices for transfer and storage.
+
+### 1. Basic Static | Basic Dynamic
+
+This section covers initial triage, static analysis, initial detonation, and the primary methodology of basic analysis.
+
+### 2. Advanced Static | Advanced Dynamic
+
+This section covers advanced malware analysis methodology and introduces Assembly, debugging, decompiling, and inspecting the Windows API at the ASM level.
+
+### 3. Speciality Class Malware
+
+This section covers different specialty classes of malware like maldocs, C# assemblies, and script-based malware. It also includes a section on mobile platform malware analysis.
+
+### 4. Bossfights!
+
+The Bossfights pit you against infamous real world samples of malware and require you to do a full analysis.
+
+### 5. Automation | Rule Writing | Report Writing
+
+This section covers effective report writing, Yara rule writing, and automating the initial stages of triage with Blue-Jupyter.
+
+### 6. Course Conclusion: Course Final | References | Resources | Further Readings
+
+The course final consists of a capstone in which you will combine all relevant skills in this course to write and publish open-source information about a given sample from the course.
+
+The course conclusion includes further readings, references, and helpful resources for further learning.
+
+`Please note:`  some samples are used multiple times in different sections. Check to make sure which sample the course videos are referencing and that you have the correct one for a given video.
+
+---
+
+## 🏋️‍♀️ Challenges 🏋️
+The challenge samples in this course are used as mini-capstones for the different sections. Each sample marked as a Challenge includes a set of questions to answer about the sample as well as an `answers/` directory. The README in the `answers/` directory contains brief answers to each question in the Challenge. Try to get as far as you can without looking at the answers first!
+
+---
+
+## Password 🔒
+Each sample is zipped and password protected. The password for all malware samples is `infected`.
+
+---
+
+## Report Template ☑
+In one of the final sections of the course, I teach how to write a simple Malware Analysis report. The template used in that section is [here](https://github.com/HuskyHacks/PMAT-labs/raw/main/labs/5-3.ReportWriting/ReportTemplate.docx). Feel free to use this as a template for this course or any other malware reports you want to create.
+
+<div align="center">
+
+  ![image](https://user-images.githubusercontent.com/57866415/137550867-19bc0ce1-5ad7-43ff-94ec-29fbc7719d7a.png)
+
+</div>
+
+## Cosmo? 🐈
+You may be wondering, why is there a picture of a handsome cat in the root directory?
+```
+cosmo.jpeg
+```
+That's Cosmo, my cat. He's not very good at malware analysis, so he's along for the ride to learn things. I don't have high hopes for him (he is just a cat after all).
+
+`cosmo.jpeg` serves two functions.
+
+### A Surrogate Data File
+
+The malware samples in this course are built to perform different functions. Some are designed to destroy data. Some are designed to steal it. Some don't touch your data at all.
+
+`cosmo.jpeg` is a placeholder for the precious, precious data that an average end user may have on their host. Some malware samples in this course will steal him, encrypt him, encode and exfiltrate him, the whole nine yards. So to accurately represent what data theft or destruction might look like, the custom written malware samples in this course are going to target this file specifically.
+
+It's a bit of a hefty file (about 1.6MB), unlike Cosmo himself who is not a hefty cat at all. So it should serve well as a data file placeholder.
+
+### Environmental Keying
+
+I wrote the samples for this course from the ground up to be as safe as possible. I am aware that putting malware samples out into the world, regardless of your intention for doing so, imparts risk. So to help mitigate the possibility that these samples could be used maliciously, I've keyed them to this particular file. This is a red team tactic that ensures a payload will only trigger if there are certain identifiers present in the environment. `cosmo.jpeg` present on the Desktop of FLAREVM acts as the key for most of the malware samples in this course.
+
+### Instructions
+When you are done downloading and extracting this lab repository, take `cosmo.jpeg` and copy it to the desktop of the Administrator user on the Windows FLAREVM host. That's all!
+
+
+
+<!--
+Links
+-->
+
+[release]:https://github.com/HuskyHacks/PMAT-labs/releases/
+[repo]:https://github.com/HuskyHacks/PMAT-labs/ "PMAT-lab repo ➶"
+[eula]:https://github.com/HuskyHacks/PMAT-labs/blob/main/EULA.md "EULA ➶"
+[course-link]: https://academy.tcm-sec.com/courses/practical-malware-analysis-triage
+
+<!--
+Badges
+-->
+
+[students]:https://img.shields.io/github/downloads/HuskyHacks/PMAT-labs/total?label=Students&style=for-the-badge
+[course]:https://img.shields.io/badge/Course-Available%20Now!-green?style=for-the-badge
+[img-version-badge]:https://img.shields.io/badge/Version-1.0%20%7C%20Oct%202021-blue?style=for-the-badge
+[lastcommit]:https://img.shields.io/github/last-commit/HuskyHacks/PMAT-labs?style=for-the-badge
+[img-license-badge]:https://img.shields.io/badge/license-eula-367588.svg?style=for-the-badge

labs/0-1.HandlingAndSafety/md5sum.txt

@@ -0,0 +1 @@
+041a28eda8a0b003ac54df9ef74d0069 Malware.Calc.exe.malz

labs/0-1.HandlingAndSafety/password.txt

@@ -0,0 +1 @@
+infected

labs/0-1.HandlingAndSafety/sha256sum.txt

@@ -0,0 +1 @@
+SHA256 300BB9AC1F607F99E3FBC7814B42552913EF4BCD2D2752F0F909908AE3E46AAF

labs/1-1.BasicStaticAnalysis/Malware.PackedAndNotPacked.exe.malz/md5sum.txt

@@ -0,0 +1,2 @@
+39f15ed00a66cc10efb238b7931ae4a8  Malware.NotPacked.exe.malz
+60ff78514d6df20c6e82b7b777151c5c  Malware.Packed.exe.malz

labs/1-1.BasicStaticAnalysis/Malware.PackedAndNotPacked.exe.malz/sha256sum.txt

@@ -0,0 +1,2 @@
+3b4773db51a514ef19515b0323fb46691176be163f2a6a71c643f65d9a211867  Malware.NotPacked.exe.malz
+3279fb36cf70bdc4d5ccf02e6be855681a39602a9506fbf4cee0bc92323e6a9d  Malware.Packed.exe.malz

labs/1-1.BasicStaticAnalysis/Malware.Unknown.exe.malz/README.txt

@@ -0,0 +1,5 @@
+Analyst,
+
+We do not have the file hashes for this sample yet. Please pull the hashes and submit.
+
+-RE Team

labs/1-1.BasicStaticAnalysis/Malware.Unknown.exe.malz/password.txt

@@ -0,0 +1 @@
+infected

labs/1-2.BasicDynamicAnalysis/RAT.Unknown.exe.malz/README.txt

@@ -0,0 +1,11 @@
+Analyst,
+
+Excellent work with the last sample. Please take a look at the one in this directory. Our IR team said it might have command execution capabilities, but we're not sure.
+
+Please proceed directly with Basic Dynamic Analysis and determine:
+- Network signatures
+- Host-based signatures
+- Command execution capabilities, if any
+- Any other findings
+
+RE Team

labs/1-2.BasicDynamicAnalysis/RAT.Unknown.exe.malz/hashes.txt

@@ -0,0 +1,3 @@
+md5,689FF2C6F94E31ABBA1DDEBF68BE810E
+sha1,69B8ECF6B7CDE185DAED76D66100B6A31FD1A668
+sha256,248D491F89A10EC3289EC4CA448B19384464329C442BAC395F680C4F3A345C8C

labs/1-2.BasicDynamicAnalysis/RAT.Unknown.exe.malz/password.txt

@@ -0,0 +1 @@
+infected

labs/1-2.BasicDynamicAnalysis/RAT.Unknown2.exe.malz/README.txt

@@ -0,0 +1,7 @@
+Analyst!
+
+Excellent work with the previous samples. You are reallly coming along with your skillset.
+
+We found another sample on an endpoint that looks similar to the last one. Give it the triage treatment and let us know what you find.
+
+RE Team

labs/1-2.BasicDynamicAnalysis/RAT.Unknown2.exe.malz/hashes.txt

@@ -0,0 +1,2 @@
+c211704777e168a5151de79dc87ffac7  RAT.Unknown2.exe.malz
+c522e0f1f9edb7e03c0a770e4c52a93db72dce21e7247322f4bbd5b053b967aab5240ce90d6aa65a79e3a3068f227346bf0190f9ca762fb8e8d076a58490d7a1  RAT.Unknown2.exe.malz

labs/1-2.BasicDynamicAnalysis/RAT.Unknown2.exe.malz/password.txt

@@ -0,0 +1 @@
+infected