FlareVM Malware Analysis – TryHackMe Walkthrough

Introduction

FlareVM (Forensics, Logic Analysis, and Reverse Engineering) is a specialized Windows environment designed for malware analysis, digital forensics, reverse engineering, and incident response. It contains a large collection of tools widely used by cybersecurity professionals.

FlareVM was developed by the FLARE Team at FireEye to help analysts investigate malicious software safely in an isolated environment.

In this lab, we explored different tools in FlareVM and performed static and dynamic malware analysis on suspicious executable files.


Objectives

  • Explore the tools inside FlareVM

  • Understand malware investigation techniques

  • Perform static and dynamic analysis

  • Investigate suspicious executable files


Categories of Tools in FlareVM

FlareVM contains many tools grouped by their functionality.

Reverse Engineering & Debugging

These tools help analysts understand how compiled programs work internally.

Tools include:

  • Ghidra

  • x64dbg

  • OllyDbg

  • Radare2

  • Binary Ninja

  • PEiD

Answer

Which tool is an open-source debugger for binaries in x64 and x32 formats?

Answer: x64dbg


Disassemblers & Decompilers

These tools convert machine code back into readable instructions.

Tools include:

  • CFF Explorer

  • Hopper Disassembler

  • RetDec

Answer

What tool is designed to analyze and edit Portable Executable files?

Answer: CFF Explorer


Static & Dynamic Analysis Tools

These tools help analyze malware behavior both without executing it (static analysis) and while it is running (dynamic analysis).

Examples:

  • Process Hacker

  • PEview

  • Dependency Walker

  • Detect It Easy

Answer

Which tool is a sophisticated memory editor and process watcher?

Answer: Process Hacker


Digital Forensics Tools

These tools help collect and analyze digital evidence.

Examples:

  • Volatility

  • Rekall

  • FTK Imager

Answer

Which tool is used for disk image acquisition and forensic analysis?

Answer: FTK Imager


File Analysis Tools

Used for inspecting binary files and hexadecimal data.

Examples:

  • FileInsight

  • Hex Fiend

  • HxD

Answer

What tool can be used to view and edit a binary file?

Answer: HxD


Common Investigation Tools

The lab focused on several commonly used tools.

Tool                Purpose
Process Monitor     Tracks system activity
Process Explorer    Shows running processes
HxD                 Hex editor
Wireshark           Network traffic analysis
CFF Explorer        PE file analysis
PEStudio            Static malware analysis
FLOSS               Extracts hidden strings

Investigation Questions and Answers

String Analysis

Which tool was formerly known as FireEye Labs Obfuscated String Solver?

Answer: FLOSS


Process Monitoring

Which tool offers insights into active processes?

Answer: Process Explorer


Under what process can we find smss.exe?

Answer: System


System Monitoring

Which Windows tool records issues with applications?

Answer: Procmon


Static Analysis Tool

Which tool analyzes executable files without running them?

Answer: PEStudio


File Hash Analysis

What is the SHA256 hash of cryptominer.bin?

Answer:

E9627EBAAC562067759681DCEBA8DDE8D83B1D813AF8181948C549E342F67C0E

Function Count

How many functions does cryptominer.bin contain?

Answer: 102


File Verification Tool

Which tool generates file hashes and validates system files?

Answer: CFF Explorer


File Hash Investigation

What is the MD5 hash of possible_medusa.txt?

Answer:

646698572AFBBF24F50EC5681FEB2DB7

DOS Header Analysis

What is the e_magic value of the file?

Answer:

5A4D

This is the MZ signature: the two ASCII bytes "MZ" at the start of the DOS header, read as a little-endian WORD, give 0x5A4D, which marks the file as a Windows executable.


Malware File Investigation

Next, we analyzed a suspicious file called windows.exe.

The investigation was performed using PEStudio.

Entropy Analysis

What is the entropy value of windows.exe?

Answer:

7.999

High entropy often indicates packing or encryption, which is commonly used by malware to evade detection.
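The three static checks above (file hashing, reading e_magic from the DOS header, and entropy) can be reproduced without the GUI tools. The following Python is an added example, not part of the TryHackMe room or this post; the 7.0 packing threshold is an assumed triage cut-off and the sample bytes are constructed, not the lab files.

```python
import hashlib
import math
import struct

PACKED_ENTROPY_THRESHOLD = 7.0  # assumed triage cut-off; 8.0 bits/byte is the maximum


def file_hashes(data: bytes) -> dict:
    """MD5 and SHA256 in upper-case hex, as PEStudio and CFF Explorer display them."""
    return {
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
    }


def dos_e_magic(data: bytes) -> str:
    """Read IMAGE_DOS_HEADER.e_magic (first WORD, little-endian) as four hex digits."""
    if len(data) < 2:
        return ""
    (e_magic,) = struct.unpack_from("<H", data, 0)
    return f"{e_magic:04X}"  # the bytes b"MZ" read as 0x5A4D


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (one repeated value) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def triage(data: bytes) -> dict:
    """Combine the checks the walkthrough does by hand: hashes, MZ signature, entropy."""
    ent = shannon_entropy(data)
    return {
        **file_hashes(data),
        "e_magic": dos_e_magic(data),
        "is_mz": dos_e_magic(data) == "5A4D",
        "entropy": round(ent, 3),
        "likely_packed": ent >= PACKED_ENTROPY_THRESHOLD,
    }


# Constructed inputs (not the lab samples): an MZ stub padded with zeros, and an
# MZ stub followed by a uniform byte distribution, which drives entropy toward 8.
LOW_ENTROPY_SAMPLE = b"MZ\x90\x00" + b"\x00" * 1020
HIGH_ENTROPY_SAMPLE = b"MZ" + bytes(range(256)) * 16
```

Running `triage()` over a real file's bytes gives the same hash, e_magic and entropy figures the walkthrough reads off PEStudio, with the packing verdict driven by the assumed threshold.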


Manifest Analysis

What is the value under requestedExecutionLevel in the manifest?

Answer:

requireAdministrator

This means the program requests administrator privileges, which can be suspicious.


Shell Execution Function

Which function allows the OS shell to execute processes?

Answer:

set_UseShellExecute

set_UseShellExecute is the .NET setter for the UseShellExecute property of ProcessStartInfo; malware often uses it to launch additional processes.


Cryptographic API

Which API starting with R is used for encryption?

Answer:

RijndaelManaged

RijndaelManaged is the .NET implementation of the Rijndael cipher, of which AES is the standardized form, so its presence indicates the use of AES encryption.


Network Behavior Analysis

We analyzed cobaltstrike.exe using:

  • Process Explorer

  • Process Monitor

Import Hash

What is the imphash of cobaltstrike.exe?

92EEF189FB188C541CBD83AC8BA4ACF5

Command and Control Server

What is the defanged C2 IP address?

47[.]120[.]46[.]210

Defanging the indicator prevents it from being accidentally clicked or connected to when the report is shared.


Destination Port

Which destination port does the malware use?

81

Parent Process

What is the parent process of cobaltstrike.exe?

explorer.exe

This indicates the file was likely launched by a user through Windows Explorer.


Conclusion

In this lab, we explored the powerful malware analysis environment FlareVM and learned how cybersecurity analysts investigate suspicious files.

We used tools like:

  • PEStudio for static analysis

  • FLOSS for string extraction

  • Process Explorer for process analysis

  • Process Monitor for system monitoring

  • CFF Explorer for PE inspection

The investigation revealed:

  • The malware was packed or encrypted

  • It required administrator privileges

  • It used AES encryption

  • It connected to a Command and Control server

This exercise demonstrates the real-world workflow used by malware analysts and incident responders.
