TryHackMe: Advent of Cyber - Day 20 - What’s the Worst That Could Happen?
This is a write up for the Day 20 - What’s the Worst That Could Happen? challenge in the Advent of Cyber room on TryHackMe. Some tasks may have been omitted as they do not require an answer.
Open the terminal and navigate to the file on the desktop named ‘testfile’. Using the ‘strings’ command, check the strings in the file. There is only a single line of output to the ‘strings’ command. What is the output?
Answer: X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Check the file type of ‘testfile’ using the ‘file’ command. What is the file type?
Answer: EICAR virus test files
Calculate the file’s hash and search for it on VirusTotal. When was the file first seen in the wild?
md5sum testfile
Search the MD5 hash on VirusTotal. Note that VirusTotal keys its report pages by SHA-256, so the resulting URL carries the file's SHA-256 rather than the MD5 you searched for: https://www.virustotal.com/gui/file/275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f/details
Answer: 2005-10-17 22:03:48
On VirusTotal’s detection tab, what is the classification assigned to the file by Microsoft?
Answer: Virus:DOS/EICAR_Test_File
Go to this link to learn more about this file and what it is used for. What were the first two names of this file?
Answer: ducklin.htm or ducklin-html.htm
The file starts with a 68-character sequence known as the known string. It can be appended with whitespace characters, up to a limited total length. What is the maximum number of characters the file can contain in total?
Answer: 128
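The three manual checks above (a `strings` pass, a `file`-style classification and hashing) can be reproduced offline against the EICAR rules stated in the last question. The script below is an added example written for this write-up, not part of the TryHackMe task or any tool's own code. It assembles the 68-byte known string from two fragments so that the script itself never begins with the string (EICAR only requires detection of a file that starts with it), accepts the trailing whitespace characters the EICAR standard permits (space, tab, CR, LF, Ctrl-Z) up to a 128-byte total, and reports the MD5, SHA-1 and SHA-256 digests so the MD5 you search can be matched to the SHA-256 in the VirusTotal URL. The `extract_strings` helper is a minimal stand-in for the `strings` command (printable-ASCII runs of four or more bytes), an assumption of this example rather than the real tool.

```python
"""Offline triage of a suspected EICAR test file (added example, not from the original write-up)."""
import hashlib
import re

# The 68-byte EICAR known string, built from two fragments so that this source
# file does not itself start with the string. The first fragment contains a
# single literal backslash (escaped as \\ in the bytes literal).
EICAR_KNOWN_STRING = b"".join([
    b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$",
    b"EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
])

# Per the EICAR standard: only these whitespace bytes may follow the known
# string, and the whole file must not exceed 128 bytes.
EICAR_ALLOWED_TRAILER = b" \t\r\n\x1a"
EICAR_MAX_LENGTH = 128


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Minimal `strings` equivalent: runs of >= min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def is_eicar(data: bytes) -> bool:
    """`file`-style classification using the EICAR rules.

    A valid test file starts with the 68-byte known string, anything after
    it is permitted whitespace only, and the total length is <= 128 bytes.
    """
    if not data.startswith(EICAR_KNOWN_STRING):
        return False
    if len(data) > EICAR_MAX_LENGTH:
        return False
    trailer = data[len(EICAR_KNOWN_STRING):]
    return all(b in EICAR_ALLOWED_TRAILER for b in trailer)


def hashes(data: bytes) -> dict:
    """Digests a practitioner would search on VirusTotal (MD5 and SHA-256 shown in the write-up)."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def triage(data: bytes) -> dict:
    """Bundle the three checks the way the manual steps were carried out."""
    return {
        "strings": extract_strings(data),
        "is_eicar": is_eicar(data),
        "hashes": hashes(data),
    }


if __name__ == "__main__":
    # Constructed sample: the known string plus a trailing newline, the form a
    # text editor typically saves the test file in.
    sample = EICAR_KNOWN_STRING + b"\n"
    report = triage(sample)
    print("strings:", report["strings"])
    print("is_eicar:", report["is_eicar"])
    for name, digest in report["hashes"].items():
        print(f"{name}: {digest}")
```

Run it against a real copy of `testfile` by reading the file in binary mode and passing the bytes to `triage`. A file that is one byte over 128, or that has anything other than the permitted whitespace after the known string, is rejected as not a valid EICAR test file even though `strings` would still print the same single line.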
Recap
In this task we learnt:
- How to identify the file type of a file regardless of file extension
- How to find strings in a file
- How to calculate the hash of a file
- Using VirusTotal to perform preliminary analysis of a suspicious file