I’ve been studying for the past few months for my Security+, worried about making sure I filled the knowledge gaps I might’ve had to get a decent score. As of this morning, I’m finally finished and certified with a 792. Not the best score possible, but a passing score nonetheless! I figured I would throw some thoughts down in case any of my readers are thinking of getting the certification and wondering what sort of study materials to go through.
Most of the time I spent was going through Darril Gibson’s “Get Certified, Get Ahead” study guide – designed for the previous SYO-601 version of the test, but still relevant to the content in the SYO-701. The book is a bit dense at times, but covers the topics on the test pretty thoroughly, at least enough to get you most of the way there with some additional work.
Secondly, I used Professor Messer’s course – primarily primarily his practice tests. Going through and making note of subjects that I missed questions on, then watching his videos and reading the course notes really helped cement some subjects on the test I was weaker on. There’s a decent amount of video there – around 15 hours of total coverage, which will take you a bit to cover and completely absorb depending on how familiar you are with the subject matter. It’s invaluably good as a study guide, though.
I attempted using the official CompTIA study material as well through the education store, however it didn’t quite click for me. The videos weren’t quite as engaging as Professor Messer’s course, and a bit tedious to get through. Not that they won’t work for you, but they weren’t really worth it for me. Reminder as well that a .edu email address gets you the education discount on a voucher, as well.
What’s next? Splunk Power User and CCNA probably, but for now I take a bit of a study break. Stay tuned!
This is a dynamic analysis conducted on a malware sample (named locky.7z) provided during a class of mine. This writeup is an adaptation of the lab report I wrote for this class to note down what I learned and explore the malware sample.
To begin with, I downloaded the sample onto an airgapped system running Mandiant’s FLARE virtual machine. I extracted the sample from the 7z file to the desktop and started by investigating whether or not a packer had been used to obfuscate the code. To do so, I started by loading it into Detect it Easy and scanned the file, as shown below:
Examining the results, we can see that there are three sections identified as packed by DIE, though no obvious information about what packer might have been used. To attempt to go deeper, I ran the malware through Universal Extractor, which threw an error indicating that the malware might contain a 7z archive (annoying, but a vital piece of information in the puzzle). Moving over to 7zip, I opened the executable file and found the contents:
Taking the unpacked malware, I threw the contents into Ghidra to attempt to get a better idea of what it might do. Specifically, I took a look at the imports table to try and get an idea of what functions the sample was importing from Windows libraries. Below are the results: the malware imports the DLLs ADVAPI32, COMCTL32, GDI32, IPHLPAPI, KERNEL32, MSIMG32, MSVCRT, OLE32, OLEAUT32, OLEDLG, PSAPI, SHELL32, SHLWAPI, USER32, USERENV, VERSION, WINHTTP, and WTSAPI32.
Examining this list, there are a few libraries that immediately caught my attention, starting with WTSAPI32.dll, which handles Remote Desktop services for Windows. Expanding WTSAPI32, there are two functions imported: WTSEnumerateSessionsW and WTSFreeMemory. WTSEnumerateSessionsW is a built-in Windows function that retrieves a list of all the sessions on a Remote Desktop Session Host server, while WTSFreeMemory will free up memory allocated by a Remote Desktop Services function. The two of these functions imply that the malware is potentially interacting with Remote Desktop Services, either starting a session with the attacker or attempting to read and steal information for further exploitation or to find the potentially sensitive files related to existing sessions on the victim system. Given that none of the other functions are imported, I believe that this is attempting to find sensitive information either for other computers on the network or for sessions on the victim system itself.
Next is ADVAPI32.dll, which is a library that provides security calls and functions relating to the Windows registry. This lends itself to doing major damage to the system. A variety of functions are imported from the DLL by the malware, most interestingly those that handle looking up security info, manipulating the registry, and creating or deleting services – all of which could potentially be used to damage the system and steal sensitive data.
Continuing the analysis, I had a look over the functions that Ghidra had built out while decompiling the malware. There is one particular function, “FUN_0040246c”, that appears to contain the main functions of the malware. This function takes the output of “FUN_00402a5f”, itself started by the “entry” function, as shown below. The outgoing calls from this function (bottom picture) seem to handle examining the system the malware is running on (tGetCurrentThread, GetVersion, RegOpenKeyW etc.).
Based off the imports and functions in the malware, it is at least capable of reading, writing, and manipulating files, examining processes on the system, reading and modifying the registry, and accessing deep levels of system data – including looking into remote desktop sessions that the victim may be hosting. The access afforded by kernel and video-related DLLs (such as GDI32.dll) implies that the software is potentially capable of messaging the user or altering displayed information. Finally, the internet capabilities from WINHTTP.DLL implies that the malware is capable of accessing the internet, manipulating the user’s ability to access the internet, or at least monitoring the user’s internet activity.
This isn’t a complete examination, but I hope it was at least interesting to read along with my work!
Hello, readers! I am a Digital Forensics grad student working in cybersecurity in the DMV area – this blog will be a place for me to post analysis and thoughts on DFIR topics, programming, and other related projects as I continue through my professional journey. Feel free to tag along!
Michael's DFIR Blog 
You must be logged in to post a comment.