IL Exercise 15: Exploring Ransomware

This exercise explores a modern type of malware known as ransomware. You will do the work on the Immersive Labs platform, so make sure you have set up access before you begin.

WannaCry

  1. Log in to Immersive Labs and start the WannaCry lab. While you wait for the Windows VM to spin up, click on the Info button at the top-right of the screen and read the background information provided on WannaCry.

  2. When the Windows VM is ready, double-click on the file SECRETS.txt on the desktop. Then click the Tasks button at the top-right of the screen and answer Question 1.

  3. Close Notepad, then double-click on the WannaCry icon on the desktop. Then wait a while, until the malware changes the desktop background and runs its GUI.

    Notice how SECRETS.txt has been replaced on the desktop with an encrypted version. Right-click on the icon for this encrypted version and choose Open with Notepad++, to confirm that the file no longer contains intelligible text.

  4. Reopen the tasks panel and answer the remaining questions, using the information provided by WannaCry’s GUI. Click Submit to complete the lab.

    [Screenshot: WannaCry’s GUI]

Bad Rabbit

  1. Start the Bad Rabbit lab. While you wait for the Windows VM to spin up, click on the Info button at the top-right of the screen and read the background information provided on Bad Rabbit.

  2. When the Windows VM desktop is visible, double-click on the Tools folder, drill down until you find pestudio.exe and double-click on the program to run it. Load the malware by dragging badrabbit.exe from the Malware folder onto the pestudio UI. Then run the FileAlyzer application from the Tools folder and open badrabbit.exe.

  3. Click on the Tasks button at the top-right of the screen to reveal the four questions. Answer each question, using the results displayed by pestudio and FileAlyzer. Check each answer by clicking Submit after entering it. Answering all four questions correctly will complete the lab.

    Hints:

    • You’ll need to select ‘strings’, ‘indicators’ and ‘imports’ from the panel on the left of the pestudio UI to answer the first three questions. You can click on a column heading to sort the table of results, which will make answering Q1 & Q3 easier.

    • For Q1, you should be looking for a web URL, though the question only wants the domain name part.

    • What Q2 refers to as ‘Priority’ is actually labelled ‘Severity’ in pestudio.
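The hints above describe the static-triage steps you perform by hand in pestudio: list the printable strings in the binary, spot a URL among them, and reduce it to its domain name. The script below is an added example (not part of the lab or of pestudio) that performs the same steps on a constructed PE-like byte blob; the embedded URL, domain and API names are made up for illustration and are not taken from badrabbit.exe.

```python
import re
import struct
from urllib.parse import urlparse


def build_sample() -> bytes:
    """Constructed stand-in for a PE file: a 64-byte DOS header whose e_lfanew
    points at a 'PE\\0\\0' signature, followed by a few embedded strings
    separated by non-printable bytes. Contents are invented for this example."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: offset of the PE signature
    body = (
        b"PE\x00\x00"
        + b"\x01\x02\x03"
        + b"KERNEL32.dll\x00CreateFileW\x00WriteFile\x00"  # import-table style names
        + b"\x07\x08"
        + b"http://update.example.com/flash_install.php\x00"  # placeholder URL
        + b"\xff\xfe"
        + b"ab\x00"  # too short to count as a string
    )
    return bytes(dos) + body


SAMPLE = build_sample()


def is_pe(data: bytes) -> bool:
    """Check the MZ magic and that e_lfanew points at a PE signature,
    the same sanity check pestudio/FileAlyzer do before parsing headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes,
    equivalent to the 'strings' view in pestudio."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def find_urls(strings: list[str]) -> list[str]:
    """Pick out web URLs from the extracted strings (Q1 asks for one of these)."""
    urls = []
    for s in strings:
        urls.extend(URL_RE.findall(s))
    return urls


def domain_of(url: str) -> str:
    """Reduce a URL to its host part, which is what the question actually wants."""
    return urlparse(url).hostname or ""


if __name__ == "__main__":
    print("Valid PE layout:", is_pe(SAMPLE))
    strings = extract_strings(SAMPLE)
    print("Strings:", strings)
    for url in find_urls(strings):
        print("URL:", url, "-> domain:", domain_of(url))
```

Run it against the constructed blob and it reports the API names and the single URL, then prints just the host portion; pointing `extract_strings` at a real sample would need the file read with `open(path, "rb")` and is left to the reader.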