TryHackMe: Advent of Cyber - Day 20 - What’s the Worst That Could Happen?


This is a write-up for the Day 20 - What’s the Worst That Could Happen? challenge in the Advent of Cyber room on TryHackMe. Some tasks may have been omitted as they do not require an answer.


Open the terminal and navigate to the file on the desktop named ‘testfile’. Using the ‘strings’ command, check the strings in the file. There is only a single line of output to the ‘strings’ command. What is the output?

Answer: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*

Check the file type of ‘testfile’ using the ‘file’ command. What is the file type?

Answer: EICAR virus test files

Calculate the file’s hash and search for it on VirusTotal. When was the file first seen in the wild?

md5sum testfile

Search the MD5 hash on VirusTotal. https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/details

Answer: 2005-10-17 22:03:48

On VirusTotal’s detection tab, what is the classification assigned to the file by Microsoft?

Answer: Virus:DOS/EICAR_Test_File

Answer: ducklin.htm or ducklin-html.htm

The file has 68 characters at the start, known as the known string. It can be appended with whitespace characters up to a limited number of characters. What is the maximum number of total characters that can be in the file?

Answer: 128
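As an added example (not part of the original write-up), the following Python script applies the rule above to a file: it must begin with the 68-byte known string, be at most 128 bytes in total, and carry only whitespace after the known string. It also computes the MD5 and SHA-256 that the challenge has you search on VirusTotal; the SHA-256 constant is the one from the VirusTotal URL above, and the command-line path argument is an assumption.

```python
import hashlib
import string
import sys

# The 68-byte EICAR known string, the single line the challenge's `strings` output shows.
EICAR_KNOWN = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"
# SHA-256 of the bare 68-byte file, taken from the VirusTotal link in the write-up.
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"
MAX_EICAR_LEN = 128
WHITESPACE = set(string.whitespace.encode())  # b" \t\n\r\x0b\x0c" as byte values


def hashes(data: bytes) -> dict:
    """MD5 and SHA-256 of the contents, the values you would look up on VirusTotal."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def classify_eicar(data: bytes) -> tuple[bool, str]:
    """Return (is_eicar, reason) according to the 68-byte / 128-byte / whitespace rule."""
    if not data.startswith(EICAR_KNOWN):
        return False, "does not start with the EICAR known string"
    if len(data) > MAX_EICAR_LEN:
        return False, f"{len(data)} bytes exceeds the {MAX_EICAR_LEN}-byte limit"
    trailer = data[len(EICAR_KNOWN):]
    if any(b not in WHITESPACE for b in trailer):
        return False, "non-whitespace bytes follow the known string"
    return True, "valid EICAR test file"


def scan_file(path: str) -> dict:
    """Read a file and report its hashes plus the EICAR verdict."""
    with open(path, "rb") as fh:
        data = fh.read()
    is_eicar, reason = classify_eicar(data)
    return {"path": path, "size": len(data), "eicar": is_eicar, "reason": reason, **hashes(data)}


if __name__ == "__main__":
    # Assumed usage: python eicar_check.py testfile
    target = sys.argv[1] if len(sys.argv) > 1 else "testfile"
    for key, value in scan_file(target).items():
        print(f"{key}: {value}")
```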

Recap

In this task we learnt:

  • How to identify the file type of a file regardless of file extension
  • How to find strings in a file
  • How to calculate hash of a file
  • Using VirusTotal to perform preliminary analysis of a suspicious file
