The malware sample packs for each chapter are password protected, have I missed where this password was provided or something?

1. The TricBot.xls in chapter3.zip does not have a macro. I opened the file and there is no "enable editing" bar, then I checked the macro editor, and there is no macro. Did I miss something?
2. Alos, the chapter 6 of the book uses TricBot as an example, but the code is included in chapter3.zip. Chapter6.zip include a sample called unknown.exe, which is used in Chapter 5. It looks like the sample code is misplaced.

Please help @Packt-ITService @AbsoZed

The _dump2.exe sample for demonstrating Ghidra is missing from the Chapter 5 Archive. The sample included in the Chapter 5 Archive is for Chapter 6.

Hey,

I have been looking through the first 3 chapters of the book and it feels like a lot of the practical examples are unclear, incomplete or there is contradictory information.

In the second chapter ssdeep and filetype are referenced as necessary programs. However, on page 31 the supposed link to ssdeep is just a link to this github repository where, as far as I am aware, no such binary exists. As such you are left to find these for yourself.

The same problem exists for the filetype.exe program which again uses a reference to this github and not a link to where one can find this program (page 36).

On page 44 we start with the examination of Emotet but this sample is not in the corresponding zip. Unclear if this wasn't meant to be a follow along example.

There is contradicting information at the beginning of every chapter where it states that an internet connection is required where as it was emphasized that one should never have an open internet connection in their VM. For beginners this is really confusing especially when they have no grasp of the consequences or executions certain malware samples may perform.

As far as I can see there are also some problems with the challenges.

Examples:
In the Chapter 2 zip there are currently 4 malware samples all required to work along with the second chapter in the book. It would be logical to think that the corresponding samples required for challenge 1 and 2 are also in this same folder.

The first challenge seems to focus mainly on sample.dll in the chapter 2 zip but isn't mentioned anywhere explicitly.

The second challenge references a sample that is not present in the chapter 2 or any subsequent zip folders and I doubt you are supposed as a beginner to look for a sample of wannacry. If this was indeed the case then this was unclear.

For the third challenge you are supposed to again use a sample link so I am assuming you are supposed to use the one in the chapter 3 zip; Trickbot.xls. However, if one has followed the instructions of setting up the VM you will not be equipped with a program to open the file.

These are the first few things I ran into that I found troublesome and I am afraid I will bump into more.

Solutions:

• If network connectivity during malware execution is not dangerous for the host, explicitly state so in a readme file in the desginated folder.
• This simple readme in each zip folder could also be used to indicate which sample belongs to which challenge which would be great.
• To actually include all the samples used in the book would also be great.
• Another idea is that instead of having the readers type out each line from the powershell script, just include the final script since this minimizes the risk of typing errors which may cause the reader to stop since they may not know what they are doing if something goes wrong.

There also seems to be a problem with the script:
$Before = Get-Date yyyy/mm/dd $After = Get-Date yyyy/mm/dd Get-WinEvent -FilterHashtable @{LogName = 'Security'; StartTime = $After; EndTime = $Before; Id = '4624'} | Where {$_.Message -match "Logon Type:=\s+10"} | Select TimeCreated, Message

Produces the following error:
Get-WinEvent : No events were found that match the specified selection criteria. At {Path to shell script} ... \+ Get-WinEvent - FilterHashtable @{LogName = 'Security'; ... \+ CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception \+ FullyQualifiedErrorId: NoMatchingEventsFound,Microsoft.Powershell.Commands.GetWinEventCommand

as well as the fact that the pattern matching for seems to return nothing.

I hope these problems can be fixed with additional files in this malware repo.

In Chapter4.zip, there is a file "Bazar.xlsb", but I could not find any place in the textbook using this file. What is for?
@AbsoZed @Packt-ITService @packtutkarshr @arunpackt @sarvesh-packt

Thank you!

hi,
where can we download the files 88888888.png page (75)

thank you

Windows defender automatically deletes the zip file after it was downloaded. Isn't the zip file password-protected?

Hello,

For chapter 4 it appears the challenge section references the "Locky" sample. But in the download the only available file is "Bazar.xlsb" is this the same file with just a different name?