# Day 6

*Mayor Malware was scheming, quite full of delight, To ruin SOC-mas and frighten SOC teams. But Glitch and McSkidy had spoiled his plan, By uncovering secrets that exposed the man!*

#### Task 12 — Sandboxes Day 6: If I can't find a nice malware to use, I'm not going.

> Make sure to study the Guides and Instructions and Understand the Concepts

**1. What is the flag displayed in the popup window after the EDR detects the malware?**

1. Open up a PowerShell window, navigate to the `C:\Tools` directory, and use the following command to start up the EDR: `.\JingleBells.ps1`
2. Now run the malware by navigating to `C:\Tools\Malware`, and double-clicking on `MerryChristmas.exe`.
3. If our custom script did its job, you should have seen a popup from our EDR containing a flag. That flag is the answer to Question 1. You can now exit the custom EDR by pressing `Ctrl+C`.

```
Ans: THM{GlictchWasHere}
```

**2. What is the flag found in the malstrings.txt document after running floss.exe, and opening the file in a text editor?**

1. Change into the FLOSS directory and run the following command: `floss.exe C:\Tools\Malware\MerryChristmas.exe | Out-File C:\tools\malstrings.txt`
2. Once the command has finished, open `malstrings.txt`, press `CTRL+F`, and search for the string `Mayor Malware`. Enter the flag as the answer to Question 2. The format of the string is `THM{}`.

```
Ans: THM{HiddenClue}
```
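The same FLOSS step can be scripted so the flag-shaped strings are filtered out of the dump instead of being found by hand with `CTRL+F`. The snippet below is an added example, not part of the TryHackMe room or the FLOSS project; it assumes `floss.exe` is in the current directory (the room's FLOSS directory) and reuses the sample and output paths from the walkthrough. Recording the sample's SHA-256 alongside the string dump is a habit worth keeping when triaging any sample in a sandbox.

```powershell
# Added example (not from the TryHackMe room): run FLOSS on the sample, keep the
# full string dump, and filter it for flag-shaped strings and the "Mayor Malware"
# marker rather than searching malstrings.txt by hand.
# Assumptions: floss.exe is in the current directory (the room's FLOSS folder);
# the sample and output paths match the ones used in the walkthrough above.
$sample  = 'C:\Tools\Malware\MerryChristmas.exe'
$outFile = 'C:\tools\malstrings.txt'

# Record the sample hash with the analysis notes so the string dump can be tied
# back to exactly this file later.
Get-FileHash -Path $sample -Algorithm SHA256

# Run FLOSS and keep the complete output for reference.
& .\floss.exe $sample | Out-File -FilePath $outFile

# Show only lines that look like a flag (THM{...}) or mention Mayor Malware.
# -Pattern accepts regular expressions; -Context 1 prints one line either side
# so the surrounding decoded strings are visible too.
Select-String -Path $outFile -Pattern 'THM\{[^}]*\}', 'Mayor Malware' -Context 1
```

If FLOSS is installed elsewhere, replace `.\floss.exe` with its full path; the rest of the script is unchanged.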

