
THM - Advent of Cyber 2022 - Day 12


Difficulty: ⭐⭐
Challenge Link
OS: Linux

The malicious document attached to the phishing email was confirmed to have been executed. Aside from the fact that rogue connections were observed, we know little about what it does.

Our in-house expert Forensic McBlue confirmed that the malicious document spawned another suspicious binary. Pivoting from that, he dumped it from memory for this task to be further analysed via Malware Analysis.

Learning Objectives

  • Learn the fundamentals of analysing malware samples without relying on automated sandbox scanners.
  • Learn and understand typical malware behaviour and its importance in the incident investigation pipeline.

What is the architecture of the malware sample? (32-bit/64-bit)

We can load the file from Desktop/Malware Sample by right-clicking it and opening it with Detect It Easy (DIE).
The screenshot below shows where DIE reports the architecture: the file type on the first line (PE32 for a 32-bit image, PE64 for a 64-bit one).

Answer

64-bit

What is the packer used in the malware sample? (format: lowercase)

In the same DIE output the packer is listed near the bottom.

Answer

upx
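The two DIE answers above can also be read straight from the PE headers. The script below is an added example written for this writeup, not part of the room or of DIE: it reads the COFF Machine field for the architecture and looks for the UPX0/UPX1 section names UPX leaves behind. The `build_sample_pe` helper fabricates a header-only PE for the demo; the real mysterygift sample is not embedded.

```python
import struct

# COFF Machine values that matter here; anything else is reported as unknown.
MACHINE_NAMES = {0x014C: "32-bit", 0x8664: "64-bit", 0xAA64: "64-bit"}


def parse_pe(data):
    """Return the architecture and section names of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]          # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                           # 20-byte COFF header
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sections_start = coff + 20 + opt_size                         # section table follows the optional header
    names = []
    for i in range(nsections):
        raw = data[sections_start + i * 40: sections_start + i * 40 + 8]
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return {"arch": MACHINE_NAMES.get(machine, "unknown (0x%04x)" % machine),
            "sections": names}


def detect_packer(info):
    """UPX names the sections it creates UPX0/UPX1 (sometimes UPX2); a cheap tell."""
    if any(name.startswith("UPX") for name in info["sections"]):
        return "upx"
    return None


def build_sample_pe(machine, section_names):
    """Constructed input for the demo: just enough header for parse_pe(), no code."""
    e_lfanew = 0x40
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 240 if machine == 0x8664 else 224                  # PE32+ vs PE32 optional header
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, 0x22)
    sections = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * opt_size + sections


if __name__ == "__main__":
    packed = parse_pe(build_sample_pe(0x8664, [b"UPX0", b"UPX1", b".rsrc"]))
    print(packed["arch"], detect_packer(packed))                  # 64-bit upx
```

Section names are a heuristic: a packer can rename them, so DIE also checks the entry-point bytes. Because PE headers are mapped unchanged at the image base, the same parser works on a memory dump like the one Forensic McBlue produced.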

What is the compiler used to build the malware sample? (format: lowercase)

Unpack the sample with UPX first and then scan it with capa; capa matches its rules against the real code, so it reports little on the packed binary.

upx -d mysterygift
capa mysterygift

Answer

nim

How many MITRE ATT&CK techniques have been discovered attributed to the DISCOVERY tactic?

The capa output from the previous step also lists the MITRE ATT&CK tactics and techniques its rules matched; count the entries under DISCOVERY.

Answer

2

What is the registry key abused by the malware?

Scroll up a little in the room to the ProcMon section and follow the steps there: start ProcMon, run the sample, then filter on the mysterygift.exe process and the RegSetValue operation to see the registry keys it writes.

Answer

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

What is the value written on the registry key based on the previous question?

Double-click the RegSetValue event from the previous question to open its properties; the Data field shows the value written to the key.

Answer

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat

What are the names of two files created by the malware under the C:\Users\Administrator directory? (format: file1,file2 in alphabetical order)

With the filter still on mysterygift.exe, right-click a CreateFileMapping event and choose Exclude 'CreateFileMapping' to drop that noise, then look through the remaining CreateFile operations under C:\Users\Administrator.

Answer

test.jpg,wishes.bat

What are the two domains wherein malware has initiated a network connection? (format: domain1,domain2 in alphabetical order)

As in the previous questions, filter the ProcMon output for TCP Connect operations; the Path column shows the remote hosts the malware connects to.

Answer

bestfestivalcompany.thm,virustotal.com
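The ProcMon questions above (the Run key, the value written to it, the files dropped under C:\Users\Administrator and the TCP connections) can be answered from a saved ProcMon CSV export instead of clicking through the GUI. The script below is an added example for this writeup, not part of the room: the CSV rows are constructed to mimic ProcMon's export columns and reuse the answers from this page, and the value name "wishes" under the Run key is an assumption of the demo.

```python
import csv
import io
import re

# Constructed ProcMon CSV export (default columns) for the demo; not a real capture.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","mysterygift.exe","4120","CreateFileMapping","C:\\Windows\\System32\\kernel32.dll","SUCCESS","SyncType: SyncTypeOther"
"10:01:02.2","mysterygift.exe","4120","CreateFile","C:\\Users\\Administrator\\wishes.bat","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:01:02.3","mysterygift.exe","4120","CreateFile","C:\\Users\\Administrator\\test.jpg","SUCCESS","Desired Access: Generic Write, Disposition: OverwriteIf"
"10:01:02.4","mysterygift.exe","4120","RegSetValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wishes","SUCCESS","Type: REG_SZ, Length: 164, Data: C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\wishes.bat"
"10:01:02.5","mysterygift.exe","4120","TCP Connect","DESKTOP-1:49732 -> bestfestivalcompany.thm:http","SUCCESS","Length: 0, mss: 1460"
"10:01:02.6","mysterygift.exe","4120","TCP Connect","DESKTOP-1:49733 -> virustotal.com:https","SUCCESS","Length: 0, mss: 1460"
"10:01:03.0","explorer.exe","1804","RegQueryValue","HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\wishes","SUCCESS","Type: REG_SZ"
"""

# Autostart keys worth flagging when a sample writes to them.
RUN_KEYS = ("\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
            "\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce")


def load_events(csv_text, process="mysterygift.exe"):
    """Parse a ProcMon CSV export and keep only the rows for one process."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r["Process Name"].lower() == process]


def run_key_writes(events):
    """RegSetValue events under a Run key, as (key, value name, data) tuples."""
    hits = []
    for e in events:
        if e["Operation"] != "RegSetValue":
            continue
        key, _, name = e["Path"].rpartition("\\")          # path ends with the value name
        if any(key.upper().endswith(k.upper()) for k in RUN_KEYS):
            m = re.search(r"Data: (.*)$", e["Detail"])
            hits.append((key, name, m.group(1) if m else ""))
    return hits


def files_created(events, under):
    """Names of files opened for writing directly inside a directory (no subfolders)."""
    prefix = under.rstrip("\\").lower() + "\\"
    names = set()
    for e in events:
        if e["Operation"] != "CreateFile" or "Generic Write" not in e["Detail"]:
            continue
        path = e["Path"]
        if path.lower().startswith(prefix) and "\\" not in path[len(prefix):]:
            names.add(path.rsplit("\\", 1)[1])
    return sorted(names)


def contacted_domains(events):
    """Remote hosts from TCP Connect paths of the form 'local:port -> remote:port'."""
    hosts = set()
    for e in events:
        if e["Operation"] == "TCP Connect" and " -> " in e["Path"]:
            remote = e["Path"].split(" -> ", 1)[1]
            hosts.add(remote.rsplit(":", 1)[0])
    return sorted(hosts)


if __name__ == "__main__":
    ev = load_events(SAMPLE_CSV)
    print(run_key_writes(ev))
    print(files_created(ev, "C:\\Users\\Administrator"))
    print(contacted_domains(ev))
```

ProcMon's File > Save dialog can write the displayed events as CSV, so the same functions run over a real capture; the explorer.exe row shows why filtering on the process name first matters, since other processes touch the same key.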

Going back to strings inside the malware sample, what is the complete URL used to download the file hosted in the first domain accessed by the malware?

Run strings over the unpacked sample and search the output for http; the download URL is the one on the first domain from the previous question.
Answer

http://bestfestivalcompany.thm/favicon.ico
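The final step relies on strings output. As an added example for this writeup (not part of the room), the script below is a small strings replacement that also recovers UTF-16LE text, which Windows binaries often carry and which plain strings misses without the -el switch, then filters the result for URLs on a chosen domain. The byte blob is constructed for the demo and only reuses values from this page.

```python
import re

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")              # 4+ printable ASCII bytes
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")       # same, UTF-16LE encoded
URL = re.compile(r"https?://[^\s\"'<>]+")

# Constructed sample: an ASCII URL, a wide-string URL and some filler bytes.
SAMPLE = (b"\x00" * 8
          + b"http://bestfestivalcompany.thm/favicon.ico\x00"
          + b"\x90" * 5
          + "https://virustotal.com/".encode("utf-16-le") + b"\x00\x00"
          + b"wishes.bat\x00")


def extract_strings(data):
    """Return printable runs, ASCII first and then UTF-16LE, like `strings` plus `strings -el`."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in WIDE_RUN.finditer(data)]
    return found


def find_urls(data, domain=None):
    """URLs embedded in the binary, optionally restricted to one domain."""
    urls = []
    for s in extract_strings(data):
        for u in URL.findall(s):
            if domain is None or domain in u:
                urls.append(u)
    return urls


if __name__ == "__main__":
    print(find_urls(SAMPLE))
    print(find_urls(SAMPLE, "bestfestivalcompany.thm"))
```

Run it against the unpacked file, not the packed one: UPX compresses the sections, so the URL only appears in clear text after upx -d.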