~$ Advent of Cyber 2022 - Day 12

Posted on Dec. 12th, 2022. | Est. reading time: 2 minutes

Blue Team: Malware Analysis

Question 1

What is the architecture of the malware sample? (32-bit/64-bit)

We look at the architecture section in DIE.

Screenshot of DIE (Detect It Easy)The naming on this one tool is... creative.

Answer: 64-bit

Question 2

What is the packer used in the malware sample? (format: lowercase)

The packer is written in the DIE scan results.

Answer: upx

Question 3

What is the compiler used to build the malware sample? (format: lowercase)

After decompiling the sample with upx -d mysterygift we can process it with capa mysterygift and find the compiler name.

Screenshot of the 'upx' command output.

Answer: nim

Question 4

How many MITRE ATT&CK techniques have been discovered attributed to the DISCOVERY tactic?

In the ATT&CK Tactic section we can see two Techniques.

Answer: 2

Question 5

What is the registry key abused by the malware?

We check for one of the first RegCloseKey operations in ProcMon.

Screenshot of ProcMonWho's that Proc(é)Mon

Answer: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Question 6

What is the value written on the registry key based on the previous question?

We check for the next RegSetValue operation in ProcMon.

Screenshot of ProcMonOh we looove Roaming files.

Answer: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat

Question 7

What are the names of two files created by the malware under the C:\Users\Administrator\ directory? (format: file1,file2 in alphabetical order)

We find CreateFile operations in ProcMon.

Screenshot of ProcMonAh yes... "wishes"

Answer: test.jpg,wishes.bat

Question 8

What are the two domains wherein malware has initiated a network connection? (format: domain1,domain2 in alphabetical order)

We look for the two TCP Connect operations in ProcMon.

Screenshot of ProcMonAt this point, what "can't" ProcMon do?

Answer: bestfestivalcompany.thm,virustotal.com

Question 9

Going back to strings inside the malware sample, what is the complete URL used to download the file hosted in the first domain accessed by the malware?

In DIE we filter on http strings and find the correct string:

Screenshot of DIE (Detect It Easy)Oh, we're using DIE again...

Answer: http://bestfestivalcompany.thm/favicon.ico