THM: Friday Overtime

For this blue team challenge we need to conduct an investigation and provide answers to some questions.

After launching the provided VM we login with the credentials ericatracy:Intel321!.

Who shared the malware samples?

Right after logging in we find a document titled Urgent: Malicious Malware Artefacts Detected.

Click on Documents then on View All.

View all documents

After selecting Urgent: Malicious Malware Artefacts Detected document, scroll down and you will find samples.zip on the right side.

malware file

We extract it, the password is Panda321!.

malware file extraction

We then compute the hash of pRsm.dll.

sha1sum pRsm.dll

sha1 hash

Answer: 9d1ecbbe8637fed0d89fca1af35ea821277ad2e8

We compute the sha256 hash for the pRsm.dll file and search for it on VirusTotal.

2c0cfe2f4f1e7539b4700e1205411ec084cbc574f9e4710ecd4733fbf0f8a7dc

sha256 hash

We discover the family labels attached to this file.

VirusTotal family label

Answer: MgBot

We research MITRE ATT&CK Technique pRsm.dll and find this article .

pRsm.dll MITRE ATT&CK Technique

Searching for pRsm.dll on the page we find the technique ID to be T1123 .

Technique ID

Answer: T1123

On the same page we find an url http://update.browser.qq[.]com/qmbs/QQ/QQUrlMgr_QQ88_4296.exe.

url provided

On cyberchef.org we use the defang URL recipe to get the correct URL.

defanged url

Answer: hxxp[://]update[.]browser[.]qq[.]com/qmbs/QQ/QQUrlMgr_QQ88_4296[.]exe

Using the same article, under the Network section we find an IP address for the specified date.

IP address

Defanged IP address

With cyberchef we get the defanged IP address with the Defang IP addresses recipe.

Answer: 122[.]10[.]90[.]12

On VirusTotal we search for 122.10.90.12 and go to the Relations section.

Communicated files

We then search for 951F41930489A8BFE963FCED5D8DFD79 and under Details we find the SHA1 hash.

sha1 android file hash

Answer: 1c1fe906e822012f6235fcc53f601d006d15d7be