This is a blue team challenge where we need to create defensive countermeasures against a series of malware samples. We do this using file hashes, IP addresses, firewall rules, DNS filtering and Sigma rules.

  • Platform: TryHackMe
  • Link: Summit
  • Level: Easy

What is the first flag you receive after successfully detecting sample1.exe?

After navigating to the link provided, go to Malware Sandbox; the file sample1.exe is already loaded, so click on Submit for Analysis.

Malware Sandbox

Submit for analysis button

After the analysis is completed, we get three hash values.

Sample1 analysis results

Back in the drop-down menu there is a Manage Hashes section: copy one of the hashes, tick the matching Hash Algorithm box and submit it.

Detect Hashes

You will get some results and an email (check the Mail section in the drop-down menu) with the first flag.

Hash Blocklist

First flag

What is the second flag you receive after successfully detecting sample2.exe?

Using the same process we analyze sample2.exe. The report tells us that this file tries to send an HTTP request to IP address 154.35.10.113:4444.

If we try to get the flag via hash submission we are told that it requires another method.

Sample2 analysis results

Let’s create a rule in the Firewall Rule Manager section.

Firewall rule manager

After saving that rule we get flag 2 in our mail.

Second flag

What is the third flag you receive after successfully detecting sample3.exe?

After analyzing sample3.exe, we notice some HTTP requests to IP 62.123.140.9 and DNS requests to emudyn.bresonicz.info, which resolves to the same IP address.

Sample3 analysis results

We head to the DNS Filter section and create a DNS rule for that domain which gets us the third flag.

DNS Rule Manager

Third flag

What is the fourth flag you receive after successfully detecting sample4.exe?

From the previous email, we know that blocking hashes, IPs, or domains will not solve our problem. We need to look deeper.

The analysis report of sample4.exe shows some registry activity.

Sample4 analysis results

We will use the Sigma Rule Builder for this case. For Step 1 we choose Sysmon Event Logs and for Step 2 we pick Registry Modifications. In Step 3 we enter the values from the report.

If you search for the ATT&CK ID of DisableRealtimeMonitoring, you will see that its ID is T1562.002, which falls under Defense Evasion (TA0005).

  • Registry Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection
  • Registry Name: DisableRealtimeMonitoring
  • Value: 1
  • ATT&CK ID: Defense Evasion (TA0005)

Sigma rule for sample4

After validating the rule we get flag 4 in our inbox.

Fourth flag

What is the fifth flag you receive after successfully detecting sample5.exe?

This time we have to focus on the logs to determine our countermeasure.

Log file for sample5

After paying close attention, we notice recurring traffic on the same port at regular intervals: every 30 minutes there is outgoing traffic of 97 bytes to IP 51.102.10.19. In the Sigma Rule Builder go to Sysmon Event Logs -> Network connections.

Because the threat actor can now change these artifacts, we cannot rely on IP addresses, protocols, or port numbers. Given that the traffic occurs every 30 minutes, we can assume it is an automated process, probably a beacon from a C2 framework.
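The beaconing pattern described above, as an added Python example that is not part of the challenge or this writeup: it parses a few constructed Sysmon-style network log lines (the format, the source host and the benign destination 203.0.113.10 are assumptions) and flags destinations contacted at a near-constant interval with a constant payload size, which is the fingerprint the Sigma rule keys on rather than the IP or port.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines for this example (not the challenge's real log file).
# The entries for 51.102.10.19 mirror the pattern above: 97 bytes every 30 minutes.
SAMPLE_LOG = """\
2023-06-01 12:00:00 10.0.0.5 -> 51.102.10.19:443 97 bytes
2023-06-01 12:07:13 10.0.0.5 -> 203.0.113.10:443 1532 bytes
2023-06-01 12:30:00 10.0.0.5 -> 51.102.10.19:443 97 bytes
2023-06-01 12:41:52 10.0.0.5 -> 203.0.113.10:443 2210 bytes
2023-06-01 13:00:00 10.0.0.5 -> 51.102.10.19:443 97 bytes
2023-06-01 13:30:00 10.0.0.5 -> 51.102.10.19:443 97 bytes
2023-06-01 13:45:05 10.0.0.5 -> 203.0.113.10:443 880 bytes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<src>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) (?P<size>\d+) bytes$"
)


def parse_log(text):
    """Return (timestamp, dst_ip, dst_port, size) tuples from the constructed log format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["dst"], int(m["port"]), int(m["size"])))
    return events


def find_beacons(events, min_hits=3, max_jitter=0.1):
    """Flag destinations hit at near-constant intervals with a single payload size.

    The interval and size are the beacon fingerprint; the IP and port are only
    reported so an analyst can pivot, since the actor can change them at will.
    """
    by_dst = defaultdict(list)
    for ts, dst, port, size in events:
        by_dst[(dst, port)].append((ts, size))
    findings = []
    for (dst, port), hits in by_dst.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        sizes = {size for _, size in hits}
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter and len(sizes) == 1:
            findings.append({"dst": dst, "port": port, "interval_s": round(avg),
                             "size": next(iter(sizes)), "hits": len(hits)})
    return findings
```

Running `find_beacons(parse_log(SAMPLE_LOG))` reports a single candidate: 97 bytes to 51.102.10.19:443 every 1800 seconds, while the irregular, variable-size traffic to 203.0.113.10 is not flagged.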

Using the values in the picture below we get the fifth flag.

Sigma rule C2 server

Fifth flag

What is the final flag you receive from Sphinx?

We now need to make use of a commands log file.

commands log file

First we need to understand what those commands are doing. The commands suggest that the malware is performing reconnaissance and collecting information about the system, network, and user accounts. The output is stored in a log file (exfiltr8.log) in the temporary directory (%temp%), likely with the intention of exfiltrating this data to an external attacker.

The log file shows us that the temporary directory %temp% is always used in conjunction with a file named exfiltr8.log. So we should focus on that with our countermeasure.

Go to Sigma Rule Builder -> Sysmon Event Logs -> File Creation and Modification and use the options depicted below.

Sigma rule data exfiltration malware

We then get the final flag.

Final flag