~$ Advent of Cyber 2022 - Day 7

Posted on Dec. 7th, 2022. | Est. reading time: 2 minutes

Blue Team: CyberChef

Question 1

What is the version of CyberChef found in the attached VM?

We look at the website header.

Screenshot of CyberChef

Answer: 9.49.0

Question 2

How many recipes were used to extract URLs from the malicious doc?

There are 10 steps.

Screenshot of the tab title.That's a lotta steps.

Answer: 10

Question 3

We found a URL that was downloading a suspicious file; what is the name of that malware?

Once more, we look at the From: header.

Screenshot of CyberChef showing a few extracted headers.Well that's certainly interesting.

Answer: mysterygift.exe

Question 4

What is the last defanged URL of the bandityeti domain found in the last step?

Answer: hxxps[://]cdn[.]bandityeti[.]THM/files/index/

Question 5

What is hidden in the value of the Message-ID field?

What is the ticket found in one of the domains? (Format: Domain/<GOLDEN_FLAG>)