TryHackMe — Friday Overtime Challenge Walkthrough

A Cyber Threat Intelligence Challenge Using DocIntel, VirusTotal, MITRE ATT&CK, CyberChef, and Google

Drew Arpino
8 min read · Dec 9, 2024
Image Credit: https://tryhackme.com/r/room/fridayovertime

Introduction:

Welcome to my weekly walkthrough! If you’ve stumbled across this blog searching for a comprehensive write-up of the Friday Overtime challenge from TryHackMe, you’re in the right place.

In this scenario, we’re stepping into the world of Cyber Threat Intelligence to analyze a malware sample submission that we received through the DocIntel threat intelligence platform. Our objective is to gather intelligence on this sample, identify what malware family it’s a part of, understand its functionality, and determine what external destinations it contacts. This information will help us create a detailed report for our fictional customer so that we can head into the weekend. To achieve this, we’ll explore resources like VirusTotal, MITRE ATT&CK, and external reports from Google to fully grasp the malware’s capabilities.

The real value of this challenge comes from the research process and becoming adept at collecting threat intelligence from existing reports. With that in mind, I won’t be revealing the answers to the questions in this writeup. Don’t let that deter you — the approach I took isn’t the only one. You’ve got this. Happy hunting!

And hey, if you find this walkthrough helpful — whether it levels up your skills, gets you over a stumbling block, or serves as a handy reference — please give it a clap! Thanks for reading and going on this investigation with me!

Challenge Link: https://tryhackme.com/r/room/fridayovertime

Challenge Scenario:

Hello Busy Weekend. . .

It’s a Friday evening at PandaProbe Intelligence when a notification appears on your CTI platform. While most are already looking forward to the weekend, you realise you must pull overtime because SwiftSpend Finance has opened a new ticket, raising concerns about potential malware threats. The finance company, known for its meticulous security measures, stumbled upon something suspicious and wanted immediate expert analysis.

As the only remaining CTI Analyst on shift at PandaProbe Intelligence, you quickly took charge of the situation, realising the gravity of a potential breach at a financial institution. The ticket contained multiple file attachments, presumed to be malware samples.

With a deep breath, a focused mind, and the longing desire to go home, you began the process of:

Downloading the malware samples provided in the ticket, ensuring they were contained in a secure environment.

Running the samples through preliminary automated malware analysis tools to get a quick overview.

Deep diving into a manual analysis, understanding the malware’s behaviour, and identifying its communication patterns.

Correlating findings with global threat intelligence databases to identify known signatures or behaviours.

Compiling a comprehensive report with mitigation and recovery steps, ensuring SwiftSpend Finance could swiftly address potential threats.

Question 1: Who shared the malware samples?

First things first, let's log in to the DocIntel portal using the credentials supplied in the challenge's instructions. DocIntel is an open-source threat intelligence platform for information sharing; it's where we'll find the request ticket and download the attached malware samples.

To answer Question 1, we’ll just need to open the ticket, read the request, and check the sign-off signature to find who sent it in.

Question 2: What is the SHA1 hash of the file “pRsm.dll” inside samples.zip?

Next, let's download the attachment, samples.zip, from the files section on the right side of the ticket and extract the files within the archive. The archive is password-protected (standard practice for sharing samples, since it stops antivirus from quarantining them and prevents accidental execution); the password is provided in the ticket details. Do this inside the challenge VM rather than on your own workstation. Once the files are extracted, we can get the SHA1 hash of pRsm.dll directly from the terminal with the following command:

sha1sum /home/ericatracy/Downloads/pRsm.dll
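Running sha1sum on one file is fine for a two-file archive, but tickets often carry many attachments, and it is safer to hash the members straight out of the archive than to extract live samples onto disk. The script below is an added example, not part of the challenge or TryHackMe's material: it streams each member of a (possibly ZipCrypto-protected) zip through MD5, SHA-1 and SHA-256 without writing anything out. The archive it builds is a constructed stand-in for samples.zip, and its contents are placeholders, not the real pRsm.dll.

```python
"""Hash every member of a samples archive without extracting it to disk.

Added example (not from the challenge). The archive built below is a
constructed stand-in for samples.zip; its member contents are placeholders.
"""
import hashlib
import io
import zipfile

HASHES = ("md5", "sha1", "sha256")


def hash_zip_members(zip_bytes, password=None, chunk_size=1 << 16):
    """Return {member_name: {"md5": ..., "sha1": ..., "sha256": ..., "size": ...}}.

    Each member is streamed from the archive straight into the hash objects,
    so the sample itself never has to be written to the analyst's disk.
    `password` is needed only for ZipCrypto-encrypted archives; Python's
    zipfile cannot read WinZip AES (compression method 99), so that case is
    reported explicitly instead of failing with a generic error.
    """
    pwd = password.encode() if isinstance(password, str) else password
    results = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            encrypted = bool(info.flag_bits & 0x1)  # general-purpose flag bit 0
            if encrypted and pwd is None:
                raise ValueError(f"{info.filename} is encrypted; supply the ticket password")
            if encrypted and info.compress_type == 99:  # AE-x marker used by WinZip AES
                raise ValueError(f"{info.filename} uses AES encryption; use 7z for this one")
            hashers = {name: hashlib.new(name) for name in HASHES}
            with zf.open(info, pwd=pwd) as member:
                for chunk in iter(lambda: member.read(chunk_size), b""):
                    for h in hashers.values():
                        h.update(chunk)
            digests = {name: h.hexdigest() for name, h in hashers.items()}
            digests["size"] = info.file_size
            results[info.filename] = digests
    return results


def build_sample_archive():
    """Constructed stand-in for samples.zip (zipfile cannot *write* encrypted
    archives, so this one is unencrypted; real ticket attachments exercise the
    password path above)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder bytes, not a real DLL: an MZ header followed by padding.
        zf.writestr("samples/pRsm.dll", b"MZ" + b"\x00" * 62 + b"placeholder")
        # "abc" is a standard hash test vector, handy as a known-answer check.
        zf.writestr("samples/notes.txt", b"abc")
    return buf.getvalue()


def sha1sum_lines(results):
    """Render results in the `sha1sum` output style used above."""
    return [f"{d['sha1']}  {name}" for name, d in sorted(results.items())]


if __name__ == "__main__":
    for line in sha1sum_lines(hash_zip_members(build_sample_archive())):
        print(line)
```

For a real ticket, pass the bytes of samples.zip and the ticket password: hash_zip_members(open("samples.zip", "rb").read(), password="..."). The SHA-256 is worth keeping alongside the SHA-1, since that is the hash most sandboxes and VirusTotal links key on.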

Question 3: Which malware framework utilizes these DLLs as add-on modules?

Now that we have a file hash to work with, let’s pivot over to VirusTotal and check if this sample has been analyzed on the platform before and see what additional intelligence we can collect about it.

Fortunately for us, this sample has been seen before and there are a high number of hits. To answer Question 3, we’ll focus on the threat / family labels to find the answer.

Question 4: Which MITRE ATT&CK Technique is linked to using pRsm.dll in this malware framework?

If you're unfamiliar, MITRE ATT&CK is an expansive knowledge base that documents adversary tactics, techniques, and procedures as observed in real-world attacks. Since Question 4 mentions MITRE ATT&CK, let's navigate there and search for the family name we found in the last question to gather more information.

Since there are so many techniques listed on MITRE ATT&CK and in VirusTotal for the malware, we’ll need to pivot out to some external research to narrow it down. From the MITRE ATT&CK page, there are several reference links listed at the bottom.

Let’s select the second link from ESET to read more about the malware framework and pRsm.dll.

There’s a treasure trove of excellent research content in this blog but for Question 4, we’re most interested in the documented MITRE ATT&CK techniques where we’ll learn that pRsm.dll is used to capture audio streams and the corresponding technique ID.

From: https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/

Question 5: What is the CyberChef defanged URL of the malicious download location first seen on 2020–11–02?

Continuing with our review of the ESET report, we’ll also discover some additional details about the malware including the origin of the malicious download.

We're halfway there! The URL is already defanged within the report, but vendor reports and CyberChef don't escape the same characters, so the formats differ; the key detail is that the answer expects the URL exactly as CyberChef defangs it. Easy enough!

Let's open CyberChef, input the URL from the ESET report (in its clean, refanged form, so the report's existing brackets don't get escaped a second time), and apply the Defang URL operation to the recipe to get our newly defanged output.

Defanging the Download URL in CyberChef

Question 6: What is the CyberChef defanged IP address of the C&C server first detected on 2020–09–14 using these modules?

We’ll approach Question 6 like we did the last one. We’ll find the malware’s command and control (C&C) server addresses listed in the ESET report’s IOC section under Network.

Pick the IP address that matches the date from the question and jump back over to CyberChef. The Defang IP Address operation only rewrites text that looks like a well-formed address, so manually enter the raw dotted-quad into the input box rather than pasting the report's bracketed form, then apply Defang IP Address to the recipe.

Defanging C&C IP Address in CyberChef
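Questions 5 and 6 both come down to the same normalisation: take an IOC as a vendor printed it, refang it, then re-defang it the way CyberChef does. The script below is an added example, not code from the walkthrough or from CyberChef; its rules are written to match what I understand to be CyberChef's default Defang URL and Defang IP Address behaviour (dots to [.], http to hxxp, :// left alone, IPv6 colons to [:]), so verify against the tool before submitting. Every address in it is an RFC 5737/3849 documentation address, not an indicator from the report.

```python
"""Normalise report IOCs into CyberChef-style defanged form.

Added example (not from the walkthrough or from CyberChef). The defang rules
are assumed to match CyberChef's defaults; the IOCs below are documentation
addresses and a made-up hostname, not indicators from the ESET report.
"""
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
IPV6 = re.compile(r"\b(?:[0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}\b")


def refang(ioc):
    """Strip the bracket/hxxp defanging vendors use, so nothing is escaped twice."""
    ioc = re.sub(r"[\[\(\{]\.[\]\)\}]", ".", ioc)        # [.] (.) {.}  -> .
    ioc = ioc.replace("[://]", "://").replace("[:]", ":")
    ioc = re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE)
    ioc = re.sub(r"^fxp", "ftp", ioc, flags=re.IGNORECASE)
    return ioc


def defang_url(url, escape_dots=True, escape_http=True, escape_slashes=False):
    """CyberChef 'Defang URL' with what are assumed to be its default options."""
    if escape_dots:
        url = url.replace(".", "[.]")
    if escape_http:
        url = re.sub(r"http", "hxxp", url, flags=re.IGNORECASE)
    if escape_slashes:
        url = url.replace("://", "[://]")
    return url


def defang_ip(text):
    """CyberChef 'Defang IP Address': only well-formed addresses are rewritten,
    which is why an already-bracketed IP pasted into the tool comes back unchanged."""
    text = IPV4.sub(lambda m: m.group(0).replace(".", "[.]"), text)
    text = IPV6.sub(lambda m: m.group(0).replace(":", "[:]"), text)
    return text


def cyberchef_style(report_ioc):
    """Refang an IOC as printed in a vendor report, then re-defang it the way
    CyberChef does, which is the form the challenge answers expect."""
    clean = refang(report_ioc).strip()
    if IPV4.fullmatch(clean) or IPV6.fullmatch(clean):
        return defang_ip(clean)
    return defang_url(clean)


if __name__ == "__main__":
    # Constructed inputs in the mixed style vendor reports tend to use.
    for ioc in ("hxxp://update.example[.]com/dl/setup.exe", "198.51.100[.]23", "2001:db8::1"):
        print(f"{ioc:45} -> {cyberchef_style(ioc)}")
```

The refang step is the part people skip: feeding a report's half-defanged URL straight into Defang URL escapes the existing brackets again and produces an answer the checker will reject.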

Question 7: What is the SHA1 hash of the spyagent family spyware hosted on the same IP targeting Android devices on November 16, 2022?

Finally, we’re going to take what we’ve learned during our intelligence collection and expand our scope by searching for any other malware families hosted on the IP Address from Question 6.

Head back over to VirusTotal. Search for the IP and open the Relations > Communicating Files tab, where we'll find an Android file communicating with this IP address.

While the date doesn’t match what the question is looking for, let’s click the entry anyway to see if we can find any leads. Looking at the family label, it matches the spyagent tag referenced in the question, so it seems that we’re on the right track.

Let’s try the SHA-1 hash from the Details tab to verify.

Fantastic! We’ve found the correct sample! Now that we’ve completed Question 7, let’s recap our findings and wrap up this investigation.
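Clicking through Communicating Files entries one at a time works for a handful of hits, but the same pivot is easy to script against VirusTotal's API and filter by first-submission date and family label. The script below is an added example, not part of the walkthrough: the response shape (data[].attributes with sha1, first_submission_date, type_description and popular_threat_classification) follows VirusTotal's public API v3 as I know it, the live lookup function is included but not run, and the sample response is constructed with placeholder hashes and a documentation IP rather than real VT data.

```python
"""Pivot from a C&C IP to the files that talk to it, filtered by date and family.

Added example, not part of the walkthrough. Response field names follow
VirusTotal API v3 as documented publicly; SAMPLE_RESPONSE below is
constructed, with placeholder hashes, not real VirusTotal data.
"""
import json
import urllib.request
from datetime import date, datetime, timezone

VT_API = "https://www.virustotal.com/api/v3"


def fetch_communicating_files(ip, api_key, limit=40):
    """Live lookup of Relations > Communicating Files (needs network and a VT key)."""
    req = urllib.request.Request(
        f"{VT_API}/ip_addresses/{ip}/communicating_files?limit={limit}",
        headers={"x-apikey": api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _first_seen(attrs):
    ts = attrs.get("first_submission_date")
    return datetime.fromtimestamp(ts, tz=timezone.utc).date() if ts else None


def select_samples(response, on_day, family, platform=None):
    """Return files first submitted on `on_day` (UTC; a date or ISO string) whose
    VT family label mentions `family`, optionally restricted to a platform keyword
    such as "android" matched against VT's type description."""
    if isinstance(on_day, str):
        on_day = date.fromisoformat(on_day)
    hits = []
    for obj in response.get("data", []):
        attrs = obj.get("attributes", {})
        label = (attrs.get("popular_threat_classification") or {}).get("suggested_threat_label", "")
        kind = attrs.get("type_description", "")
        if _first_seen(attrs) != on_day:
            continue
        if family.lower() not in label.lower():
            continue
        if platform and platform.lower() not in kind.lower():
            continue
        hits.append({"sha1": attrs.get("sha1"), "label": label, "type": kind,
                     "first_seen": on_day.isoformat()})
    return hits


def _ts(y, m, d, hour=12):
    """Unix timestamp at midday UTC, so the date survives timezone conversion."""
    return int(datetime(y, m, d, hour, tzinfo=timezone.utc).timestamp())


# Constructed stand-in for a VT communicating_files response (placeholder hashes).
SAMPLE_RESPONSE = {
    "data": [
        {"id": "11" * 32, "type": "file", "attributes": {
            "sha1": "11" * 20, "type_description": "Android",
            "first_submission_date": _ts(2022, 11, 16),
            "popular_threat_classification": {"suggested_threat_label": "trojan.spyagent/android"}}},
        {"id": "22" * 32, "type": "file", "attributes": {
            "sha1": "22" * 20, "type_description": "Android",
            "first_submission_date": _ts(2023, 3, 2),
            "popular_threat_classification": {"suggested_threat_label": "trojan.spyagent/android"}}},
        {"id": "33" * 32, "type": "file", "attributes": {
            "sha1": "33" * 20, "type_description": "Win32 DLL",
            "first_submission_date": _ts(2022, 11, 16),
            "popular_threat_classification": {"suggested_threat_label": "trojan.mgbot"}}},
    ]
}

if __name__ == "__main__":
    for hit in select_samples(SAMPLE_RESPONSE, "2022-11-16", "spyagent", platform="android"):
        print(hit)
```

Filtering on first_submission_date rather than the date shown in the relations list is what resolves the mismatch noted above: the tab's date column and the question's "first seen" date are not the same field.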

Conclusion:

There we have it — sample analyzed! During our investigation, we calculated the SHA1 hash value of a DLL within the sample. We then searched VirusTotal for this file hash, which helped us identify the malware family the DLL belongs to. Next, we pivoted to MITRE ATT&CK to understand the malware’s capabilities and searched for external references, where we discovered a detailed analysis from ESET. With the ESET report in hand, we identified indicators of compromise (IOCs), including the initial access download URL and the command and control IP addresses. All this information equips us with what we’ll need to create a comprehensive report for the requestor. Let’s wrap up this investigation and conclude our Friday Overtime.

A big thank you to TryHackMe for the engaging challenge. This was a really fun challenge because the scenario felt realistic and led me down a research rabbit hole. It was cool to learn about DocIntel and get a glimpse into the CTI world. I find it extremely rewarding to start with something as simple as a file hash and continue to unravel the mystery by adding more context through threat intelligence with each new piece of information. It never hurts to continuously practice your research skills and leverage any available reporting when collecting intelligence on a threat — this happens all the time in the field!

Thanks for the support and going through this investigation with me. Remember, if you found this walkthrough helpful don’t forget to give it a clap! Your feedback really is invaluable and helps keep me motivated to support your journey in the security community. Cybersecurity is a team sport and we’re in this together!

Until next week’s challenge — stay curious and be safe out there!

Tools & References:

DocIntel: https://docintel.org/

VirusTotal: https://www.virustotal.com/

MITRE ATT&CK — MgBot (S1146): https://attack.mitre.org/software/S1146/

ESET WeLiveSecurity Blog — Evasive Panda APT group delivers malware via updates for popular Chinese software: https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/

CyberChef: https://gchq.github.io/CyberChef/
