HacktivityLabSheets/_labs/software_and_malware_analysis/11_coconut.md
---
title: "Malware Behaviour - Reverse Engineering and Analysis of the Coconut Malware Sample"
author: ["Tom Shaw", "Mo Hassan", "Z. Cliffe Schreuders"]
license: "CC BY-SA 4.0"
description: "Advanced malware analysis lab using Hackerbot to analyze the Coconut malware sample, including packer identification, network analysis, backdoor detection, and YARA rule creation."
overview: |
  This lab provides hands-on experience with advanced malware analysis techniques using the Coconut malware sample. You will work with Hackerbot, an interactive chatbot that guides you through a series of practical challenges and quiz questions about the malware sample. The lab covers packer identification, network analysis, backdoor detection, file exfiltration, and YARA rule creation.
  The victim_server has been infected with a malware sample, and your desktop analysis machine has a copy of the binary sample. Hackerbot will provide you with a series of practical challenges and quiz questions about the malware sample and reward you with flags for successful completion. Further flags can be found on the infected system.
tags: ["malware-analysis", "reverse-engineering", "hackerbot", "coconut", "backdoor", "yara", "network-analysis", "ctf"]
categories: ["software_and_malware_analysis"]
type: ["ctf-lab", "lab-sheet"]
difficulty: "intermediate"
cybok:
  - ka: "MAT"
    topic: "Malware Analysis"
    keywords: ["analysis techniques", "analysis environments", "malware behavior"]
---
## Getting Started {#getting-started}
### VMs in This Lab {#vms-in-this-lab}
==VM: Start these VMs== (if you haven't already):
- **hackerbot_server** (leave it running, you don't log into this)
- **desktop**
- **victim_server**
### Your Login Details for the "Desktop" VM {#your-login-details-for-the-desktop-vm}
> Note: Password: `tiaspbiqe2r` (**t**his **i**s **a** **s**ecure **p**assword **b**ut **i**s **q**uite **e**asy **2** **r**emember)
> Note: You won't login to the hackerbot_server, but the VM needs to be running to complete the lab.
## Meet Hackerbot! {#meet-hackerbot}
This exercise involves Hackerbot, a chatbot who will interact with you and your system. If you satisfy Hackerbot by completing the challenges, she will reveal flags to you.
**On the desktop VM:**
==action: Open Pidgin and send some messages to Hackerbot:==
- Try asking Hackerbot some questions
- Send "help"
- Send "list"
- Send "hello"
## Introduction {#introdution}
The victim_server has been infected with a malware sample. Your desktop analysis machine has a copy of the binary sample which is running on the victim_server at the path: `/home/==edit: main_user==/malware/coconut`.
This task involves analysing the coconut malware sample. Hackerbot will provide you with a series of practical challenges and quiz questions about the malware sample and reward you with flags for successful completion. Further flags can be found on the infected system (victim_server).
## Advanced Analysis Techniques {#advanced-analysis-techniques}
Before attempting the Hackerbot challenges, you'll need to understand several advanced techniques used in malware analysis.
### YARA Rule Creation {#yara-rule-creation}
YARA (Yet Another Recursive Acronym) is a powerful pattern-matching tool used to identify and classify malware samples. YARA rules are written in a simple, yet expressive language that allows analysts to create signatures for malware detection.
#### Key YARA Concepts:
- **Rules**: Contain metadata and conditions for pattern matching
- **Strings**: Define patterns to search for in files
- **Conditions**: Specify when a rule should trigger
- **False Positives**: Rules that incorrectly match legitimate files
#### Basic YARA Rule Structure:
```yara
rule RuleName {
    meta:
        description = "Description of what the rule detects"
        author = "Your name"
        date = "2024-01-01"
    strings:
        $string1 = "malicious_pattern" ascii
        $string2 = { 48 65 6C 6C 6F } // hex pattern
    condition:
        any of them
}
```
> Tip: Effective YARA rules should be specific enough to catch the target malware while avoiding false positives on legitimate system files.
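A false-positive check of the kind the tip recommends, as an added example that is not part of the lab sheet or of YARA itself: a small Python stand-in for the matcher evaluates the example rule's two string types against a constructed sample and constructed benign files, and shows that `any of them` with the generic "Hello" hex pattern fires on an innocent text file while `all of them` does not. The evaluator models only quoted text strings, hex patterns with `??` wildcards and the two quantifiers; real rules should be tested with the `yara` binary or `yara-python`.

```python
import re
from typing import Dict, List

# Strings of the lab's example rule, reproduced here as constructed test input.
RULE_STRINGS: Dict[str, str] = {
    "$string1": '"malicious_pattern"',  # ascii text string
    "$string2": "{ 48 65 6C 6C 6F }",   # hex pattern, i.e. "Hello"
}

# Constructed mini corpus: a pretend sample plus benign files an analyst would
# scan for false positives before deploying the rule.
CORPUS: Dict[str, bytes] = {
    "coconut_sample": b"\x7fELF..malicious_pattern..Hello, operator\x00",
    "greeting.txt": b"Hello world\n",
    "notes.txt": b"nothing to see here\n",
    "binary.dat": bytes(range(256)),
}

def compile_string(definition: str) -> "re.Pattern":
    """Compile one YARA-style string definition to a bytes regex: a quoted
    ascii text string, or a hex pattern where '??' is a one-byte wildcard."""
    body = definition.strip()
    if body.startswith("{") and body.endswith("}"):
        parts = [b"." if tok == "??" else re.escape(bytes([int(tok, 16)]))
                 for tok in body[1:-1].split()]
        return re.compile(b"".join(parts), re.DOTALL)
    if body.startswith('"') and body.endswith('"'):
        return re.compile(re.escape(body[1:-1].encode("ascii")))
    raise ValueError(f"unsupported string definition: {definition}")

def evaluate(strings: Dict[str, str], condition: str, data: bytes) -> List[str]:
    """Names of the strings found in data if the condition holds, else [].
    Only the quantifiers used in the lab's example are modelled."""
    hits = [name for name, d in strings.items() if compile_string(d).search(data)]
    if condition == "any of them":
        return hits
    if condition == "all of them":
        return hits if len(hits) == len(strings) else []
    raise ValueError(f"unsupported condition: {condition}")

def false_positives(strings, condition, corpus, sample_name) -> List[str]:
    """Benign corpus files the rule fires on: what the tip above warns about."""
    return [name for name, data in corpus.items()
            if name != sample_name and evaluate(strings, condition, data)]

if __name__ == "__main__":
    for cond in ("any of them", "all of them"):
        print(f"{cond}: false positives on",
              false_positives(RULE_STRINGS, cond, CORPUS, "coconut_sample"))
```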
### Advanced Malware Behavior Analysis {#advanced-malware-behavior-analysis}
The Coconut malware sample demonstrates sophisticated attack techniques that require comprehensive analysis skills:
#### Analysis Techniques Covered:
- **Packer Identification** - Determining whether the sample is packed and identifying the packer
- **Network Behavior Analysis** - Identifying open ports and communication
- **Backdoor Detection** - Finding hidden access mechanisms
- **Function Analysis** - Understanding malware capabilities
- **Data Exfiltration** - Extracting files from infected systems
#### Multi-Vector Attack Analysis:
The Coconut malware uses multiple attack vectors:
- **HTTP backdoors** - Web-based remote access
- **ICMP shells** - Covert communication channels
- **Bind shells** - Direct network access
- **Session management** - Timeout and authentication features
> Warning: This lab involves analyzing real malware. Ensure you're working in the provided isolated environment.
### File Exfiltration and Data Recovery {#file-exfiltration-and-data-recovery}
One of the key objectives in malware analysis is understanding what data attackers can access and extract:
#### Exfiltration Techniques:
- **Backdoor access** - Using malware's own mechanisms
- **File transfer** - Moving data from infected systems
- **Integrity verification** - Ensuring complete data transfer
- **Steganography detection** - Finding hidden data
#### Analysis Objectives:
- Identify accessible files on the infected system
- Use backdoor mechanisms to extract data
- Verify file integrity using checksums
- Understand attacker capabilities and objectives
### Interactive Analysis with Hackerbot {#interactive-analysis-with-hackerbot}
Hackerbot is a chatbot designed to guide you through the challenges. Unlike traditional labs, Hackerbot provides:
#### Key Features:
- **Interactive guidance** - Step-by-step analysis assistance
- **Real-time feedback** - Immediate validation of your analysis
- **Progressive challenges** - Increasingly complex analysis tasks
- **Flag rewards** - Immediate recognition of successful completion
#### Communication Commands:
- `help` - Get assistance with available commands
- `list` - View available challenges
- `ready` - Indicate you're ready for the next challenge
- `answer X` - Submit your answer to a quiz question
> Note: Hackerbot will guide you through packer identification, network analysis, backdoor detection, and YARA rule creation for the Coconut malware sample.
## Hackerbot Challenges {#hackerbot-challenges}
> Flag: Interact with Hackerbot, and complete the tasks. Submit the flags into Hacktivity.