Malware Classification Writeup

Date: 05-09-2025 | Platform: TryHackMe | Difficulty: Easy

Overview

This room teaches how to identify, classify, and understand common types of malware, covering behavioral characteristics, specific malware families, and technical analysis methods.

Task 1: Malware Classification by Behavior

1.1 An employee reports that their system is slow, and monitoring shows constant high CPU usage. What type of malware is most likely responsible?

Answer: Cryptominer

1.2 Users suddenly lose access to their files, and a message appears demanding cryptocurrency in exchange for unlocking the data. Which malware fits this situation?

Answer: Ransomware

1.3 A user's browser opens pop-up windows even when no site is loaded. No data appears to be stolen or encrypted. What kind of malware is this most likely?

Answer: Adware

1.4 Sensitive internal documents are found posted online. Analysis shows the data came from a workstation that had a malicious program. Which malware type does this represent?

Answer: Data stealer

Task 2: Malware Families

2.1 A phishing campaign delivers malware that logs keystrokes, collects screenshots, and sends browser credentials to an external server. Which malware family does it most likely belong to?

Answer: Agent Tesla

2.2 An attacker sends a zero-click exploit that silently installs spyware to monitor calls, messages, and device location on a mobile phone. Which known malware could this be?

Answer: Pegasus

2.3 Which ransomware family is known for stealing data and threatening to leak it if payment is not made?

Answer: Akira

2.4 Which malware targeted energy companies by overwriting files with junk data?

Answer: Shamoon

Task 3: Malware Technical Characteristics

3.1 What command-line tool is frequently used by script-based malware to download payloads?

Answer: PowerShell

3.2 Which file extension is commonly associated with malware and Windows executables, other than .exe?

Answer: .bat

3.3 Which malware type is more likely to leave identifiable byte patterns used by antivirus software?

Answer: Binary

Task 4: Final Challenge

4.1 What is the flag?

Answer: THM{Malwar3_cl4ss1fication_p4ss3d}

Lessons Learned