~$ Advent of Cyber 2022 - Day 12
Question 1
What is the architecture of the malware sample? (32-bit/64-bit)
We look at the architecture section in DIE.
The naming on this one tool is... creative.Answer: 64-bit
Question 2
What is the packer used in the malware sample? (format: lowercase)
The packer is written in the DIE scan results.
Answer: upx
Question 3
What is the compiler used to build the malware sample? (format: lowercase)
After decompiling the sample with upx -d mysterygift we can process it with capa mysterygift and find the compiler name.
Answer: nim
Question 4
How many MITRE ATT&CK techniques have been discovered attributed to the DISCOVERY tactic?
In the ATT&CK Tactic section we can see two Techniques.
Answer: 2
Question 5
What is the registry key abused by the malware?
We check for one of the first RegCloseKey operations in ProcMon.
Who's that Proc(é)MonAnswer: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Question 6
What is the value written on the registry key based on the previous question?
We check for the next RegSetValue operation in ProcMon.
Oh we looove Roaming files.Answer: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat
Question 7
What are the names of two files created by the malware under the C:\Users\Administrator\ directory? (format: file1,file2 in alphabetical order)
We find CreateFile operations in ProcMon.
Ah yes... "wishes"Answer: test.jpg,wishes.bat
Question 8
What are the two domains wherein malware has initiated a network connection? (format: domain1,domain2 in alphabetical order)
We look for the two TCP Connect operations in ProcMon.
At this point, what "can't" ProcMon do?Answer: bestfestivalcompany.thm,virustotal.com
Question 9
Going back to strings inside the malware sample, what is the complete URL used to download the file hosted in the first domain accessed by the malware?
In DIE we filter on http strings and find the correct string:
Oh, we're using DIE again...Answer: http://bestfestivalcompany.thm/favicon.ico