MalwareTech

Lab name: multistage1
Lab Type: Static Analysis
Languages: PowerShell, JavaScript, x86_64
Platform: Windows 64-bit
Difficulty:
Download: https://malware.vip/multistage/1/
Password: MalwareTechLabs

Looking for help or to connect with other cybersecurity enthusiasts?
Check out our official Discord Server: https://discord.gg/malwaretech
Please be sure to perform all analysis in a Virtual Machine. While these challenges are not real malware, some are designed to simulate malware and may trigger Antivirus detections. It's a good idea to get into the habit of not handling potentially malicious executables outside a VM.
This is a static analysis challenge, which means you won't need to run the executable or perform any debugging. All aspects of the task can be completed using a disassembler or decompiler.

Understanding Malware Attack Chains

As a malware analyst, you’ll often need to investigate how malware infects a computer from start to finish. Threat actors don’t typically distribute the final-stage malware payload directly. Instead, they break the attack into several steps, often referred to as a kill chain.

Here’s how a typical attack might work

For example, imagine someone receives a suspicious email with an attachment. When they open it, here’s what happens:

  1. The attachment is a zip file containing a JavaScript file
  2. When opened, this JavaScript file runs on the computer using a built-in framework known as WScript
  3. The JavaScript connects to an attacker-controlled URL and downloads a malware loader
  4. The loader fetches and runs the malicious payload, often in memory
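As an added example (not part of the lab or of this MalwareTech page), the Python below shows how a defender could spot the chain just described in process telemetry: a script host launched with a .js file from a temp/archive-extraction path that then reaches the network and spawns a child process. The event records are constructed, loosely modelled on Sysmon process-create and network-connect events; their field names are assumptions.

```python
# Added example: detect the "zip -> JavaScript via WScript -> download -> loader"
# chain in process telemetry. Events below are constructed sample data, not real logs.
import re
from collections import defaultdict

# Constructed events, roughly modelled on Sysmon Event ID 1 (process create)
# and Event ID 3 (network connection). Field names are assumptions.
EVENTS = [
    {"id": 1, "pid": 100, "ppid": 10, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "pid": 200, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\bob\AppData\Local\Temp\Temp1_invoice.zip\invoice.js"'},
    {"id": 3, "pid": 200, "image": r"C:\Windows\System32\wscript.exe", "dest": "203.0.113.5:443"},
    {"id": 1, "pid": 300, "ppid": 200, "image": r"C:\Users\bob\AppData\Local\Temp\loader.exe",
     "cmd": "loader.exe"},
    # Benign control case: script host, but the script is not in a temp/extraction path.
    {"id": 1, "pid": 400, "ppid": 100, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Scripts\backup.js"'},
]

# Windows Script Host binaries that execute .js/.vbs files.
SCRIPT_HOST = re.compile(r"\\(wscript|cscript)\.exe$", re.I)
# Script opened straight out of a temp directory, where Explorer extracts zip contents.
TEMP_SCRIPT = re.compile(r"\\AppData\\Local\\Temp\\.*\.(js|jse|vbs)", re.I)


def find_chains(events):
    """Return one finding per script host that ran a script from a temp path.
    score: 1 for the launch, +1 if it made a network connection (stage download),
    +1 if it spawned a child process (the loader being executed)."""
    children, netconn, procs = defaultdict(list), defaultdict(list), {}
    for e in events:
        if e["id"] == 1:
            procs[e["pid"]] = e
            children[e["ppid"]].append(e)
        elif e["id"] == 3:
            netconn[e["pid"]].append(e["dest"])
    findings = []
    for pid, p in procs.items():
        if not SCRIPT_HOST.search(p["image"]) or not TEMP_SCRIPT.search(p["cmd"]):
            continue
        score = 1 + bool(netconn[pid]) + bool(children[pid])
        findings.append({"pid": pid, "score": score, "net": netconn[pid],
                         "children": [c["image"] for c in children[pid]]})
    return findings


if __name__ == "__main__":
    for f in find_chains(EVENTS):
        print(f)
```

A score of 3 corresponds to the full chain in the list above; a lone score of 1 is a script run from a temp folder that never went further.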

Why does this matter?

These attack chains can be fairly complex and may involve different programming languages at each step. Many threats download and run payloads in memory, avoiding saving malicious files to disk. This is key to reducing antivirus detections, as well as hindering analysis. Understanding different malware kill chains is an essential skill for malware analysts.

What you’ll be doing

In these challenges, you’ll work with example attack chains designed to mirror real-world malware seen in the wild. Your goal is to trace each step of the chain until you reach the final payload, which contains a hidden flag. These exercises are more challenging than other labs, but they’ll give you hands-on experience with more realistic malware analysis.

Good luck, and have fun!

Once you accept the warning, you’ll be taken to a phishing page designed to lure users into running malicious commands. You’ll need to extract the malicious command from the web page, then reverse engineer it to find the next stage. In the final stage payload you’ll find the flag.

Recommended Environment

Host Machine: Anything with an x86_64 CPU (32-bit CPUs won’t work and ARM CPUs will require an emulator).
Virtual Machine: VMware or VirtualBox
Operating System: Windows 10 64-bit
Disassembler: Binary Ninja or Ghidra

Note: for Windows labs the walkthrough videos will be done using Binary Ninja, with a 64-bit Windows 10 virtual machine running on VMware Workstation Pro. You are free to choose your own software & hardware, but be aware that there will only be official support for the recommendations listed above; any custom setup is your own responsibility.

Static Analysis Labs require you to reverse engineer the application without running it; if you do run it, the application will display a message box containing an MD5 hash of the flag.

Marcus Hutchins
Threat intelligence analyst, programmer, ex-hacker.
2026 © MalwareTech