Advent of Cyber 2022 [Day 12]-Malware Analysis Forensic McBlue to the REVscue! Write up

Advent of Cyber 2022 [Day 12] Malware Analysis | Forensic McBlue to the REVscue! | Task 16 Answers Write-up and Walkthrough By Karthikeyan Nagaraj

Karthikeyan Nagaraj
InfoSec Write-ups


Task 16 — Malware Analysis: Forensic McBlue to the REVscue!

Start the machine and connect to it.

1. What is the architecture of the malware sample? (32-bit/64-bit)

Let's open the file with Detect It Easy.

Detect It Easy (abbreviated "DIE") is a program for determining file types.

DIE is a cross-platform application: apart from the Windows version, there are also builds for Linux and macOS.

DIE reports the sample as a 64-bit executable.

Ans: 64-bit

2. What is the packer used in the malware sample? (format: lowercase)

The same DIE output from the previous question also names the packer.

Ans: upx
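The two DIE answers above come from the PE headers: the COFF Machine field and the optional-header Magic give the architecture, and UPX leaves its default section names behind. The following is an added example written for this write-up, not DIE's code or anything from the room; it builds a hypothetical minimal PE image in memory (not the mysterygift sample) and parses those fields the way a triage script would.

```python
import struct

MACHINE_NAMES = {
    0x014C: "32-bit (x86)",
    0x8664: "64-bit (x64)",
    0x01C0: "32-bit (ARM)",
    0xAA64: "64-bit (ARM64)",
}


# Hypothetical minimal PE image built for this example; it is not the room's
# mysterygift sample. It has a DOS header, PE signature, COFF header, an
# optional header that starts with the Magic field, and section headers.
def build_sample_pe(machine=0x8664, magic=0x20B, section_names=(b"UPX0", b"UPX1")):
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)       # e_lfanew -> PE signature
    opt_size = 240 if magic == 0x20B else 224          # PE32+ vs PE32 optional header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, len(section_names), 0, 0, 0, opt_size, 0x22)
    optional = struct.pack("<H", magic) + bytes(opt_size - 2)
    # Each IMAGE_SECTION_HEADER is 40 bytes: an 8-byte name followed by 32 bytes of fields
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + optional + sections


def parse_pe(data):
    """Return architecture, optional-header format and section names of a PE file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff_off)
    opt_off = coff_off + 20
    magic = struct.unpack_from("<H", data, opt_off)[0]
    sec_off = opt_off + opt_size
    names = []
    for i in range(nsec):
        raw = data[sec_off + 40 * i: sec_off + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": MACHINE_NAMES.get(machine, "unknown (0x%04x)" % machine),
        "pe_format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
        "sections": names,
    }


def looks_upx_packed(sections):
    """UPX names its sections UPX0/UPX1 by default. A binary whose sections were
    renamed after packing defeats this check, which is why DIE also looks at the
    entry-point code and section entropy rather than names alone."""
    return any(name.upper().startswith("UPX") for name in sections)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info, "UPX-packed:", looks_upx_packed(info["sections"]))
```

Running the script prints the 64-bit, PE32+, UPX0/UPX1 result for the constructed image; passing `build_sample_pe(0x14C, 0x10B, (b".text", b".data"))` instead shows what an unpacked 32-bit build looks like.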

3. What is the compiler used to build the malware sample? (format: lowercase)

Let's use capa to analyse the file.

capa detects capabilities in executable files. You run it against a PE, ELF, .NET module, or shellcode file and it tells you what it thinks the program can do. For example, it might suggest that the file is a backdoor, is capable of installing services, or relies on HTTP to communicate.

capa -vv mysterygift

Ans: nim

4. How many MITRE ATT&CK techniques have been discovered attributed to the DISCOVERY tactic?

capa groups its matched rules into an ATT&CK table with a tactic column and a technique column; count the techniques listed under DISCOVERY.

Ans: 2

5. What is the registry key abused by the malware?

Here we want to open Process Monitor from the taskbar at the bottom of the screen.

Add a filter with the Process Name set to mysterygift.exe and click Add.

Rename the sample so that its file extension is .exe.

Now look at Process Monitor.

We only need the RegCreateKey operation, so either include only that operation in the filter or exclude the unnecessary operations listed below:

  • RegOpenKey
  • RegQueryValue
  • RegQueryKey
  • RegCloseKey

Right-click each one and choose Exclude.

You may observe that only one Registry Key has both RegCreateKey and RegSetValue. This key is related to a persistence technique called Registry Run Key Modification and is commonly used by malware developers to install a backdoor.

Ans: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

6. What is the value written on the registry key based on the previous question?

Double-click the result we found to open its details.

Ans: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat
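The filtering done by hand in Process Monitor for questions 5 and 6 (drop the noisy read operations, then look for a key that sees both RegCreateKey and RegSetValue and is a Run key) can be turned into a check over an exported capture. The following is an added example written for this write-up, not code from the room or from Sysinternals; it runs over a constructed ProcMon-style CSV whose column names follow ProcMon's default "Save as CSV" layout, and the value name "wishes" is made up.

```python
import csv
import io

# Constructed ProcMon-style CSV export for the example; it is not the room's
# capture. Column names follow ProcMon's default CSV layout, and the value
# name "wishes" is made up.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","mysterygift.exe","4120","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Read"
"10:01:02.2","mysterygift.exe","4120","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive","NAME NOT FOUND","Length: 144"
"10:01:02.3","mysterygift.exe","4120","RegCloseKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS",""
"10:01:03.0","mysterygift.exe","4120","RegCreateKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Desired Access: Write"
"10:01:03.1","mysterygift.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wishes","SUCCESS","Type: REG_SZ, Length: 180, Data: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat"
"10:01:03.5","mysterygift.exe","4120","RegCreateKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer","SUCCESS","Desired Access: Write"
"10:01:04.0","explorer.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
'''

# The same operations the write-up excludes by hand in the ProcMon filter
NOISE_OPERATIONS = {"RegOpenKey", "RegQueryValue", "RegQueryKey", "RegCloseKey"}
RUN_KEY_SUFFIXES = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\RunOnce",
)


def is_run_key(key_path):
    upper = key_path.upper()
    return any(upper.endswith(s.upper()) for s in RUN_KEY_SUFFIXES)


def extract_data(detail):
    """Pull the written value out of ProcMon's 'Type: ..., Length: ..., Data: ...' detail."""
    marker = "Data: "
    idx = detail.find(marker)
    return detail[idx + len(marker):] if idx >= 0 else ""


def registry_writes_by_key(csv_text, process_name=None):
    """Group the non-noise registry events of one process by key path.
    For RegSetValue the Path ends with the value name, so that part is stripped."""
    by_key = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if process_name and row["Process Name"].lower() != process_name.lower():
            continue
        op = row["Operation"]
        if op in NOISE_OPERATIONS or not op.startswith("Reg"):
            continue
        key = row["Path"].rsplit("\\", 1)[0] if op == "RegSetValue" else row["Path"]
        by_key.setdefault(key, []).append(row)
    return by_key


def find_run_key_persistence(csv_text, process_name=None):
    """Flag keys the process both created and wrote to that are Run/RunOnce keys."""
    findings = []
    for key, rows in registry_writes_by_key(csv_text, process_name).items():
        ops = {r["Operation"] for r in rows}
        if not ({"RegCreateKey", "RegSetValue"} <= ops and is_run_key(key)):
            continue
        for r in rows:
            if r["Operation"] == "RegSetValue":
                findings.append({
                    "process": r["Process Name"],
                    "key": key,
                    "value_name": r["Path"].rsplit("\\", 1)[1],
                    "data": extract_data(r["Detail"]),
                })
    return findings


if __name__ == "__main__":
    for f in find_run_key_persistence(SAMPLE_CSV, "mysterygift.exe"):
        print(f"{f['process']} set {f['key']}\\{f['value_name']} = {f['data']}")
```

The explorer.exe row is there on purpose: it writes a value under CurrentVersion\Explorer without creating a Run key, so the check ignores it, and the RegCreateKey on the Explorer key by mysterygift.exe is not flagged either because no value is set there.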

7. What are the names of two files created by the malware under the C:\Users\Administrator\ directory? (format: file1,file2 in alphabetical order)

Click the file system activity filter (the folder icon) in the Process Monitor toolbar.

Include only the CreateFile operation.

Ans: test.jpg, wishes.bat

8. What are the two domains wherein malware has initiated a network connection? (format: domain1,domain2 in alphabetical order)

Switch the toolbar filter to network activity and look for the domain names in the Path column.

Here we can see the two domains in the network activity:

Ans: bestfestivalcompany.thm, virustotal.com

9. Going back to strings inside the malware sample, what is the complete URL used to download the file hosted in the first domain accessed by the malware?

Use the commands below in CMD:

cd "Desktop\Malware Sample"
floss -n 6 mysterygift.exe | grep http://

The -n 6 option tells FLOSS to report only strings that are at least 6 characters long. If grep is not available in the command prompt, findstr /c:"http://" does the same filtering.

Alternatively, use Detect It Easy's Strings view to find the strings in the EXE.

Ans: http://bestfestivalcompany.thm/favicon.ico
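What floss -n 6 piped through grep does for question 9, and the alphabetical domain list asked for in question 8, can both be reproduced with a small static-strings extractor. The following is an added example written for this write-up, not FLOSS's code or anything from the room: it pulls ASCII and UTF-16LE strings of at least 6 characters out of a constructed byte blob (not the mysterygift sample), filters the URLs, and derives the host names. Unlike FLOSS it does not emulate the binary to recover stack or decoded strings, so it only sees what is stored in the clear.

```python
import re
from urllib.parse import urlsplit

MIN_LEN = 6  # same threshold as "floss -n 6"

# Constructed byte blob standing in for a binary; it is not the room's sample.
# It mixes header bytes, a short string, an ASCII URL, a UTF-16LE URL and a filename.
SAMPLE_BLOB = (
    b"MZ\x90\x00\x03\x00\x00\x00"
    + b"Hi!\x00"                                                # 3 chars: below the threshold
    + b"http://bestfestivalcompany.thm/favicon.ico\x00"
    + b"\x00\x01\x02\xff\xfe"
    + "https://virustotal.com/".encode("utf-16le") + b"\x00\x00"  # wide (UTF-16LE) string
    + b"\x7f\x80\x81"
    + b"wishes.bat\x00"
)

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_ascii_strings(data, min_len=MIN_LEN):
    """Runs of printable ASCII (0x20-0x7e) at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def extract_utf16le_strings(data, min_len=MIN_LEN):
    """Runs of printable ASCII characters stored as UTF-16LE (char byte, 0x00 byte)."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16le") for m in re.finditer(pattern, data)]


def find_urls(data, min_len=MIN_LEN):
    """Every http(s) URL found in either string encoding, in file order per encoding."""
    urls = []
    for s in extract_ascii_strings(data, min_len) + extract_utf16le_strings(data, min_len):
        urls.extend(URL_RE.findall(s))
    return urls


def domains_from_urls(urls):
    """Unique host names, sorted alphabetically as the question format asks."""
    return sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})


if __name__ == "__main__":
    found = find_urls(SAMPLE_BLOB)
    print("URLs:", found)
    print("Domains:", ",".join(domains_from_urls(found)))
```

The UTF-16LE pass matters on Windows samples: a URL held as a wide string never shows up in a plain ASCII strings listing, which is one reason the room points to floss and DIE rather than a bare strings dump.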

Thank you for Reading!!

Happy Hacking ~

Author : Karthikeyan Nagaraj ~ Cyberw1ng

