Snake Eater: A Malware Analysis Challenge
Snake Eater provided an executable file with the comment
“I’ve never seen an executable file that looks like this. Can you check it out
and see what it’s doing”. The comment is the hint for finding the flag. This
challenge requires a virtual machine, as the executable is based on live
malware and Defender may delete it or prevent it from running.
First, we’ll need to get our hands on Sysinternals tools.
These can be downloaded from Microsoft. After getting all of the Sysinternals
tools, we need to go back to our hint. The line “Can you check it out and see
what it’s doing” is a hint that we need to run the malware and observe what changes
it makes on the system. One way to do this is to use Process Monitor from
Sysinternals. We can run the Process Monitor executable and start capturing
with no filters enabled, so that nothing the sample does is dropped from the log.
Then, we can execute the snake_eater.exe file and wait for
it to close. After it closes, we can stop the Process Monitor capture and
create a display filter for processes whose name contains “snake” or
“snake_eater”.
After filtering the display, we can search for the word “flag” and the flag will appear.
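The same two steps (a "Process Name contains" display filter, then a search for "flag") can be reproduced offline on a capture saved from Process Monitor as CSV (File > Save..., CSV format), which is useful when you want to keep the malware VM isolated and do the sifting elsewhere. The script below is an added example, not part of the original writeup; the CSV rows, process names, paths and the `FLAG{...}` value in it are constructed placeholders that only mimic Procmon's column layout, not the challenge's real output.

```python
import csv
import io

# Constructed sample in the column layout Procmon uses when a capture is
# saved as CSV. Every row, path and flag value here is made up for
# illustration; nothing is taken from the real snake_eater.exe sample.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","explorer.exe","1234","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"10:01:05.0000001 AM","snake_eater.exe","4321","Process Start","","SUCCESS","Parent PID: 1234"
"10:01:05.0100001 AM","snake_eater.exe","4321","CreateFile","C:\\Users\\analyst\\AppData\\Local\\Temp\\flag_placeholder.txt","SUCCESS","Desired Access: Generic Write"
"10:01:05.0200001 AM","snake_eater.exe","4321","RegSetValue","HKCU\\Software\\SnakeEater\\flag","SUCCESS","Type: REG_SZ, Length: 54, Data: FLAG{placeholder_not_real}"
"10:01:06.0000001 AM","svchost.exe","900","TCP Send","10.0.0.5:49152 -> 10.0.0.1:53","SUCCESS","Length: 60"
"10:01:07.0000001 AM","snake_eater.exe","4321","Process Exit","","SUCCESS","Exit Status: 0"
"""


def load_events(csv_text):
    """Parse a Procmon CSV export into a list of dicts keyed by column header."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def filter_by_process(events, needle):
    """Equivalent of Procmon's 'Process Name contains <needle>' display filter
    (case-insensitive, substring match)."""
    needle = needle.lower()
    return [e for e in events if needle in e["Process Name"].lower()]


def search_events(events, term):
    """Equivalent of Ctrl+F in Procmon: the term may appear in any column."""
    term = term.lower()
    return [e for e in events if any(term in (v or "").lower() for v in e.values())]


def find_flag_events(csv_text, process_needle="snake", term="flag"):
    """Apply the writeup's procedure: filter to the sample's process, then search for 'flag'."""
    events = load_events(csv_text)
    return search_events(filter_by_process(events, process_needle), term)


if __name__ == "__main__":
    for e in find_flag_events(SAMPLE_PROCMON_CSV):
        print(e["Process Name"], e["Operation"], e["Path"], "|", e["Detail"])
```

Filtering by process name first matters on a real capture: with no capture filters set, Procmon records every process on the box, and a bare search for "flag" will also hit unrelated events (for example any path or registry value that happens to contain the word), so narrow to the sample's process and then search.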