Projects

My Projects

Nic Graham

Malware Analysis

Deobfuscation of a NetWalker sample.

Deobfuscation | Triage

This sample contains several decoder functions, adds a number of types using C#, and imports a set of functions from kernel32.dll that many of you will recognise.


In order to analyse the sample, I perform the following tasks:

  • Recover the obfuscated payloads from the Event Logs
  • Deobfuscate the PowerShell invoker
  • Recover the XORed NetWalker binaries
  • Triage the NetWalker samples
  • Reverse engineer the method of execution

DFIR CTF

A beginner-level CTF focusing on forensics, delivered to the British Armed Forces as part of an Army-wide event.

Hunt | Learn

I designed and created this evidence to train DFIR specialists in the British Army.


Available to download, including:

  • Training package
  • File system image
  • Memory capture
  • Network traffic capture
  • Walkthrough


The questions are designed to guide a beginner through their investigation. Can you identify the indicators of compromise and attribute the attacker's actions on the compromised machine?