Refer to Friday Overtime for the challenge room on TryHackMe
Scenario
On a Friday evening at PandaProbe Intelligence, a notification on the CTI platform indicates a new ticket from SwiftSpend Finance, raising concerns about potential malware threats. Despite it being the weekend, immediate attention is required due to the seriousness of the situation.
Click Friday Overtime to begin this challenge.
Task
As the only CTI Analyst on duty, we took several crucial actions to address the malware threat. We began by securely downloading the malware samples from the ticket and conducted a preliminary analysis using automated tools for an initial assessment. Following this, we performed a detailed manual review to understand the malware's behavior and communication patterns. We then correlated our findings with global threat intelligence databases to identify any known signatures. Finally, we compiled a comprehensive report with mitigation and recovery recommendations for SwiftSpend Finance.
Once the virtual machine has finished booting up, the web page will automatically open. If you see a "Connection Refused" message, please wait a few more minutes for the backend processes to complete.

Who shared the malware samples?
After logging in with the provided credentials, we will see an email titled "Urgent: Malicious Malware Artifacts Detected." Once we read through the email, we can find the sender at the bottom.

What is the SHA1 hash of the file "pRsm.dll" inside samples.zip?
In the same email, there is a malware sample file named samples.zip. To access the file pRsm[.]dll inside samples.zip, use the unzip command to extract its contents.
Note: This file is password-protected with the password (Panda321!), which is provided in the email.

Next, run the sha1sum command on the pRsm[.]dll file to obtain its hash value.

Which malware framework utilizes these DLLs as add-on modules?
To gather more information about the malware associated with these DLLs, we can paste the hash value of pRsm[.]dll into VirusTotal. In the Community tab, we will find a report mentioning this DLL.

According to the article APT Actor Targets Telecoms Company in Africa, the DLLs are used by the malware framework as add-on modules for various purposes:
Cbmrpa[.]dll: screen and clipboard grabber
pRsm[.]dll: audio capture
mailfpassword[.]dll: Outlook and Foxmail credentials stealer
qmsdp[.]dll: QQ messages infostealer

Which MITRE ATT&CK Technique is linked to using pRsm.dll in this malware framework?
As mentioned earlier, pRsm[.]dll is used for audio capture. To explore its association with MITRE ATT&CK, we can search for either "pRsm[.]dll" or "audio capture" within the MITRE ATT&CK framework. We found a technique specifically named "Audio Capture" in the framework.

What is the defanged URL of the malicious download location first seen on 2020-11-02?
I found another article titled Evasive Panda APT Group Delivers Malware via Updates for Popular Chinese Software under the Community tab on VirusTotal, which discusses this malware. In the Technical Analysis section, we will find details about the URL from which the download originated.

Once we have the hosting address, simply input it into CyberChef to generate the defanged URL.

What is the CyberChef defanged IP address of the C&C server first detected on 2020-09-14 using these modules?
In the Network section of the same article, we find the IP address of the C2 server that the malware contacts from the infected machine.
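The hashing and defanging steps above (sha1sum on the extracted DLL, CyberChef's Defang URL and Defang IP Address operations) can be scripted so the indicators in a report are never pasted in clickable form. This is an added example, not code from the room or the write-up; the URL, IP and archive names in it are constructed placeholders, and the hash and defang functions mirror the sha1sum and CyberChef behaviour described above.

```python
"""Added example: hash an extracted sample and defang the indicators found in a report.
Not part of the TryHackMe room or the original write-up."""
import hashlib
import re
import zipfile


def sha1_hex(data: bytes) -> str:
    """SHA-1 hex digest of raw bytes, the same value sha1sum prints for a file."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_zip_member(zip_path: str, member: str, password: str) -> str:
    """Hash one member of a password-protected archive without writing it to disk.

    Caveat: zipfile only understands legacy ZipCrypto; for an AES-encrypted
    archive extract with unzip or 7z first and hash the file with sha1_hex.
    """
    with zipfile.ZipFile(zip_path) as zf:
        return sha1_hex(zf.read(member, pwd=password.encode()))


def defang_url(url: str) -> str:
    """Mirror CyberChef's default 'Defang URL' recipe:
    http -> hxxp, :// -> [://], every dot -> [.]"""
    url = re.sub(r"http", "hxxp", url, flags=re.IGNORECASE)
    url = url.replace("://", "[://]")
    return url.replace(".", "[.]")


def defang_ip(ip: str) -> str:
    """Mirror CyberChef's 'Defang IP Address': dots -> [.] (IPv4), colons -> [:] (IPv6)."""
    return ip.replace(".", "[.]").replace(":", "[:]")


def refang(indicator: str) -> str:
    """Reverse the defanging so a stored IoC can be looked up again (e.g. on VirusTotal)."""
    return (indicator.replace("[://]", "://").replace("[.]", ".")
            .replace("[:]", ":").replace("hxxp", "http"))


if __name__ == "__main__":
    # Constructed indicators for demonstration, not the room's real values.
    sample_url = "http://update.example.test/files/payload.exe"
    sample_ip = "203.0.113.10"
    print(defang_url(sample_url))  # hxxp[://]update[.]example[.]test/files/payload[.]exe
    print(defang_ip(sample_ip))    # 203[.]0[.]113[.]10
    print(sha1_hex(b"abc"))        # a9993e364706816aba3e25717850c26c9cd0d89d
```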

What is the SHA1 hash of the spyagent family spyware hosted on the same IP targeting Android devices on November 16, 2022?
After searching for the C2 server’s IP address on VirusTotal, navigate to the Relations tab. In the Communicating Files section, we will find a malicious file categorized as an Android file type.

After clicking on the filename, we will be directed to another page containing detailed information about this malicious file. The SHA-1 hash value can be found under the Details tab.
