In this article, we’ll cover the Sandboxes - If I can't find a nice malware to use, I'm not going, write-up as the Day 6 challenge of the Advent of Cyber event challenge. It was interesting to use YARA on Windows sandbox to detect malware using commands and to implement an evasion technique to bypass YARA rule detection. We’re still at Wareville for SOC-mas!
<ol>
<li>What is the flag displayed in the popup window after the EDR detects the malware? <code>THM{GlitchWasHere}</code> 
 <img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1736598140700/0153af2e-4e27-4d6f-b2a1-8083bedcb639.png" alt class="image--center mx-auto" />
 <img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1736598197352/e19b3b4d-7cc8-40e4-850a-fc310359d691.png" alt class="image--center mx-auto" />
 <img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1736598276498/3c5c35fa-9ff5-4571-bd5b-83f5894c035d.png" alt class="image--center mx-auto" />
</li>
<li>What is the flag found in the malstrings.txt document after running floss.exe, and opening the file in a text editor? <code>THM{HiddenClue}</code> 
 <img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1736598340126/6e75624a-4c1e-4fdb-b06e-466ebb0c190c.png" alt class="image--center mx-auto" />
 <img src="https://cdn.hashnode.com/res/hashnode/image/upload/v1736598363298/980a6ad3-e3d7-41fe-8172-cdbc41acf044.png" alt class="image--center mx-auto" />
</li>
<li>If you want to more about sandboxes, have a look at the room <a target="_blank" href="https://tryhackme.com/r/room/flarevmarsenaloftools">FlareVM: Arsenal of Tools</a>.
</li>
</ol>
Thank you for reading this article. Please leave a comment with your thoughts, areas for improvement, other suggestions, and questions. Stay secure until the next one!

In this article, we’ll cover the Sandboxes - If I can't find a nice malware to use, I'm not going, write-up as the Day 6 challenge of the Advent of Cyber event challenge. It was interesting to use YARA on Windows sandbox to detect malware using commands and to implement an evasion technique to bypass YARA rule detection. We’re still at Wareville for SOC-mas!

1. What is the flag displayed in the popup window after the EDR detects the malware? `THM{GlitchWasHere}`  
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736598140700/0153af2e-4e27-4d6f-b2a1-8083bedcb639.png align="center")
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736598197352/e19b3b4d-7cc8-40e4-850a-fc310359d691.png align="center")
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736598276498/3c5c35fa-9ff5-4571-bd5b-83f5894c035d.png align="center")
    
2. What is the flag found in the malstrings.txt document after running floss.exe, and opening the file in a text editor? `THM{HiddenClue}`  
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736598340126/6e75624a-4c1e-4fdb-b06e-466ebb0c190c.png align="center")
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1736598363298/980a6ad3-e3d7-41fe-8172-cdbc41acf044.png align="center")
    
3. If you want to more about sandboxes, have a look at the room [FlareVM: Arsenal of Tools](https://tryhackme.com/r/room/flarevmarsenaloftools).
    

Thank you for reading this article. Please leave a comment with your thoughts, areas for improvement, other suggestions, and questions. Stay secure until the next one!

The Advent of Cyber: Day 6: Sandboxes - If I can't find a nice malware to use, I'm not going (TryHackMe)