Palo Alto Challenge – Malware Analysis of the file dragonball7.zip
Written by Gil Lodrik
The following report details the analysis of the malware sample dragonball7.zip (SHA-256: 65250e18a5672ece636e7774bc9f9d2f1f065386de80009a7d5153e88df2bd26), conducted in accordance with Palo Alto Networks’ Threat Researcher Candidate Home Assignment requirements.
The analysis was performed in a controlled virtual environment adhering to industry safety standards. Key findings, including malware classification, capabilities, and detection methodologies, are summarized below.
Phase 1 – Static Analysis:
The original dragonball7.zip was extracted with the Windows built-in extraction mechanism.
After extraction, the archive yields the following file, dragonball.bin:

It is common practice for bad actors to change a malware sample’s extension to that of another file type in order to disguise its real purpose and make analysis more difficult. The extension is therefore never trusted; the file type is determined from the file’s content.
WinHex Tool:
To uncover the true nature and actual file type of the file, we first examine its raw bytes in the WinHex tool. This gives us a better understanding of what we are dealing with:

Here is a breakdown of the file type:
• Magic Bytes: 4D 5A (“MZ”) at offset 00000000, the DOS header signature, confirming this is a Windows PE executable (despite the .bin extension).
• Confirmation: the MZ signature alone only marks a DOS-style executable header. The definitive check is the 4-byte “PE\0\0” signature (50 45 00 00) located at the offset stored in the e_lfanew field at offset 0x3C of the DOS header; the COFF header that follows it gives the target machine (x86 vs. x64) and the optional header magic distinguishes PE32 from PE32+.
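As an added example that is not part of the original report, the following Python script performs the same identification programmatically: it checks the MZ signature, follows e_lfanew to the “PE\0\0” signature, and reads the machine type, section count and PE32/PE32+ magic, so a misleading extension such as .bin cannot fool the check. It runs only against a constructed byte string built by build_constructed_pe (an assumption for offline use; it is not the dragonball.bin sample and does not execute); the helper names identify_pe and extension_lies are mine, not the report’s.

```python
import hashlib
import struct
import sys

# IMAGE_FILE_HEADER.Machine values and optional-header magic values from the PE spec.
MACHINES = {0x014C: "x86 (I386)", 0x8664: "x64 (AMD64)", 0x01C4: "ARM Thumb-2", 0xAA64: "ARM64"}
OPT_MAGIC = {0x010B: "PE32", 0x020B: "PE32+"}
IMAGE_FILE_DLL = 0x2000
EXECUTABLE_EXTS = {"exe", "dll", "sys", "scr", "cpl", "ocx", "drv"}


def build_constructed_pe(machine=0x014C, magic=0x010B, nsections=2):
    """Constructed test input: a minimal MZ header whose e_lfanew points at a
    PE signature, COFF header and optional-header magic. Not a real binary."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\x00" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)          # e_lfanew lives at 0x3C
    # Signature, Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE|32BIT)
    coff = struct.pack("<IHHIIIHH", 0x00004550, machine, nsections, 0, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<H", magic) + b"\x00" * (0xE0 - 2)
    return bytes(dos) + coff + opt


def identify_pe(data):
    """Return what the header bytes say about the file, ignoring its name."""
    info = {"sha256": hashlib.sha256(data).hexdigest(), "is_mz": False, "is_pe": False}
    if len(data) < 0x40 or data[:2] != b"MZ":
        return info
    info["is_mz"] = True
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # e_lfanew is attacker-controlled: bounds-check it before dereferencing.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return info
    info["is_pe"] = True
    machine, nsections, _, _, _, size_opt, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    info["machine"] = MACHINES.get(machine, hex(machine))
    info["sections"] = nsections
    info["is_dll"] = bool(chars & IMAGE_FILE_DLL)
    # The optional header starts right after the 24-byte COFF header (incl. signature).
    if size_opt >= 2 and e_lfanew + 26 <= len(data):
        magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
        info["format"] = OPT_MAGIC.get(magic, hex(magic))
    return info


def extension_lies(filename, info):
    """True when the name suggests a non-executable but the bytes are a PE."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return info["is_pe"] and ext not in EXECUTABLE_EXTS


if __name__ == "__main__":
    # Usage: python pe_ident.py <file>; without an argument the constructed sample is used.
    if len(sys.argv) > 1:
        name = sys.argv[1]
        with open(name, "rb") as fh:
            blob = fh.read()
    else:
        name, blob = "dragonball.bin", build_constructed_pe()
    result = identify_pe(blob)
    print(name, result, "extension mismatch:", extension_lies(name, result))
```

Only the header fields are parsed here; import and section tables are left to PE Studio or a full parser such as pefile, but the bounds check on e_lfanew is the one step worth keeping in any tooling, because malformed samples routinely point it outside the file to crash naive parsers.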
PE Studio Tool:
Now that we know the file is a Windows PE executable, we will statically analyse its behaviour with PE Studio, starting with the functions it imports.
File Imports:
