Link: Advent Of Cyber 4 on TryHackMe
What is the architecture of the malware sample? (32-bit/64-bit)
We look at the architecture section in DIE.
Answer: 64-bit
What is the packer used in the malware sample? (format: lowercase)
The packer is written in the DIE scan results.
Answer: upx
What is the compiler used to build the malware sample? (format: lowercase)
After decompiling the sample with upx -d mysterygift
we can process it with capa mysterygift
and find the compiler name.
Answer: nim
How many MITRE ATT&CK techniques have been discovered attributed to the DISCOVERY tactic?
In the ATT&CK Tactic section we can see two Techniques.
Answer: 2
What is the registry key abused by the malware?
We check for one of the first RegCloseKey
operations in ProcMon.
Answer: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
What is the value written on the registry key based on the previous question?
We check for the next RegSetValue
operation in ProcMon.
Answer: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat
What are the names of two files created by the malware under the C:\Users\Administrator\ directory? (format: file1,file2 in alphabetical order)
We find CreateFile
operations in ProcMon.
Answer: test.jpg,wishes.bat
What are the two domains wherein malware has initiated a network connection? (format: domain1,domain2 in alphabetical order)
We look for the two TCP Connect
operations in ProcMon.
Answer: bestfestivalcompany.thm,virustotal.com
Going back to strings inside the malware sample, what is the complete URL used to download the file hosted in the first domain accessed by the malware?
In DIE we filter on http
strings and find the correct string:
Answer: http://bestfestivalcompany.thm/favicon.ico