🚩
Anthony Morell's Gitbook
Capture The Flag
CertificationsCapture The FlagBug BountiesHome
Capture The Flag
CertificationsCapture The FlagBug BountiesHome
  • 🖥️CTF Writeups
  • 🟦TryHackMe
    • THM Overview
      • Reverse Engineering
      • Game Server
      • Obscure Web Vulns
      • UltraTech
      • Linux Privilege Escalation
      • The Marketplace
      • RootMe
      • Agent Sudo
      • Startup
      • Lian_Yu
      • Advent of Cyber 2022
        • [Day 1] Frameworks
        • [Day 2] Log Analysis
        • [Day 3] OSINT
        • [Day 4] Scanning
        • [Day 5] Brute-Forcing
        • [Day 6] Email Analysis
        • [Day 7] CyberChef
        • [Day 8] Smart Contracts
        • [Day 9] Pivoting
        • [Day 10] Hack a game
        • [Day 11] Memory Forensics
        • [Day 12] Malware Analysis
        • [Day 13] Packet Analysis
        • [Day 14] Web Applications
        • [Day 15] Secure Coding
        • [Day 16] Secure Coding
        • [Day 17] Secure Coding
        • [Day 18] Sigma
        • [Day 19] Hardware Hacking
        • [Day 20] Firmware
        • [Day 21] MQTT
        • [Day 22] Attack Surface Reduction
        • [Day 23] Defence in Depth
        • [Day 24] The End
  • 🟫PentesterLab
    • PL Overview
      • Recon Badge
        • Badge Solutions
  • 🟩Hack The Box
    • HTB Overview
      • HTB Post
  • 🟧BurpSuite Academy
    • BSA Overview
      • GraphQL API vulnerabilities
        • Accessing private GraphQL posts
        • Accidental exposure of private GraphQL fields
        • Finding a hidden GraphQL endpoint
  • 🏁Competitions
    • Competition Overview
      • GM Bug Bounty Competition
Powered by GitBook
On this page
  1. TryHackMe
  2. THM Overview
  3. Advent of Cyber 2022

[Day 12] Malware Analysis

December 12, 2022

Today I studied static and dynamic malware analysis. As opposed to having automated sandbox tools do work, I needed to get more information with manual analysis.

Tools used

Detect It Easy

Capa

Flags

What is the architecture of the malware sample? (32-bit/64-bit)

64-bit

What is the packer used in the malware sample? (format: lowercase)

upx

What is the compiler used to build the malware sample? (format: lowercase)

nim

How many MITRE ATT&CK techniques have been discovered attributed to the DISCOVERY tactic?

2

What is the registry key abused by the malware?

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

What is the value written on the registry key based on the previous question?

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wishes.bat

What are the names of two files created by the malware under the C:\Users\Administrator\ directory? (format: file1,file2 in alphabetical order)

test.jpg,wishes.bat

What are the two domains wherein malware has initiated a network connection? (format: domain1,domain2 in alphabetical order)

bestfestivalcompany.thm,virustotal.com

Going back to strings inside the malware sample, what is the complete URL used to download the file hosted in the first domain accessed by the malware?

http://bestfestivalcompany.thm/favicon.ico

Previous[Day 11] Memory ForensicsNext[Day 13] Packet Analysis

Last updated 2 years ago

🟦
  • Flags
  • What is the architecture of the malware sample? (32-bit/64-bit)
  • What is the packer used in the malware sample? (format: lowercase)
  • What is the compiler used to build the malware sample? (format: lowercase)
  • How many MITRE ATT&CK techniques have been discovered attributed to the DISCOVERY tactic?
  • What is the registry key abused by the malware?
  • What is the value written on the registry key based on the previous question?
  • What are the names of two files created by the malware under the C:\Users\Administrator\ directory? (format: file1,file2 in alphabetical order)
  • What are the two domains wherein malware has initiated a network connection? (format: domain1,domain2 in alphabetical order)
  • Going back to strings inside the malware sample, what is the complete URL used to download the file hosted in the first domain accessed by the malware?