PMAT-labs – Labs For Practical Malware Analysis And Triage

Welcome to the labs for Practical

Cosmo?

You may be wondering, why is there a picture of a handsome cat in the root directory?

cosmo.jpeg

That’s Cosmo, my cat. He’s not very good at malware analysis, so he’s along for the ride to learn things. I don’t have high hopes for him (he is just a cat after all).

cosmo.jpeg serves two functions.

A Surrogate Data File

The malware samples in this course are built to perform different functions. Some are designed to destroy data. Some are designed to steal it. Some don’t touch your data at all.

cosmo.jpeg is a placeholder for the precious, precious data that an average end user may have on their host. Some malware samples in this course will steal him, encrypt him, encode and exfiltrate him, the whole nine yards. So to accurately represent what data theft or destruction might look like, the custom written malware samples in this course are going to target this file specifically.

It’s a bit of a hefty file (about 1.6MB), unlike Cosmo himself who is not a hefty cat at all. So it should serve well as a data file placeholder.

Environmental Keying

I wrote the samples for this course from the ground up to be as safe as possible. I am aware that putting malware samples out into the world, regardless of your intention for doing so, imparts risk. So to help mitigate the possibility that these samples could be used maliciously, I’ve keyed them to this particular file. This is a red team tactic in which a payload only triggers when specific identifiers are present in the environment. cosmo.jpeg present on the Desktop of FLARE-VM acts as the key for most of the malware samples in this course.

Instructions

When you are done downloading and extracting this lab repository, take cosmo.jpeg and copy it to the desktop of the main user account on the Windows FLARE-VM host. That’s all!
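As an added example (not part of the PMAT-labs repository), here is a Python script that checks the environmental key is in place before a lab and records a size/SHA-256 baseline of the surrogate data file, so that after detonating a sample you can tell whether cosmo.jpeg was deleted, encrypted or overwritten. The Desktop location derived from USERPROFILE and the 1.5MB lower bound on the file size are assumptions.

```python
import hashlib
import os
from pathlib import Path

KEY_FILE_NAME = "cosmo.jpeg"
# The page says the file is "about 1.6MB"; this lower bound is an assumption.
EXPECTED_MIN_BYTES = 1_500_000


def desktop_key_path() -> Path:
    """Desktop of the current user (USERPROFILE on FLARE-VM; home dir elsewhere)."""
    home = Path(os.environ.get("USERPROFILE", str(Path.home())))
    return home / "Desktop" / KEY_FILE_NAME


def fingerprint_bytes(data: bytes) -> dict:
    """Size and SHA-256 of the key file contents: the baseline to compare against later."""
    size = len(data)
    return {
        "present": True,
        "ok": size >= EXPECTED_MIN_BYTES,
        "size": size,
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def check_key_file(path=None) -> dict:
    """Is the environmental key in place? Returns a fingerprint dict or a 'missing' record."""
    path = Path(path) if path is not None else desktop_key_path()
    if not path.is_file():
        return {"present": False, "ok": False, "size": 0, "sha256": ""}
    return fingerprint_bytes(path.read_bytes())


def compare_baseline(before: dict, after: dict) -> list:
    """After detonating a sample, diff the fingerprint against the pre-run baseline."""
    findings = []
    if before["present"] and not after["present"]:
        findings.append("key file missing (deleted, moved or renamed)")
    elif before["present"] and after["present"]:
        if before["size"] != after["size"]:
            findings.append("size changed: %d -> %d" % (before["size"], after["size"]))
        if before["sha256"] != after["sha256"]:
            findings.append("content changed (overwritten or encrypted in place)")
    return findings


if __name__ == "__main__":
    report = check_key_file()
    print("cosmo.jpeg on Desktop:", "OK" if report["ok"] else "NOT READY", report)
```

Run it once before a lab and save the printed fingerprint; run it again afterwards and pass both dicts to compare_baseline to see what the sample did to the file.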

Download PMAT-labs
