![[7aed9affa7be03210964a9355a3a5fe3.png]]
# TryHackMe CTI Challenge
### Overview
This is a CTI (Cyber Threat Intelligence) focused TryHackMe challenge where we will be filling the shoes of a CTI analyst working for PandaProbe Intelligence. A client, SwiftSpend Finance, has opened a ticket requesting our expert analysis, and as we begin to investigate the activity, we realize that we are dealing with what appears to be a potential breach.
It is Friday afternoon, and we are just getting back to our desk from a quick restroom break and a snack. We log into our workstation and subsequently into the company's CTI platform, only to be met with a notification from the SwiftSpend Finance Cybersecurity Division detailing what they suspect to be a possible breach of their organization.
### Room
![[Screenshot 2024-11-12 153734.png]]
**Who shared the malware samples?**
![[Screenshot 2024-11-12 153932.png]]
As we can see from the initial email from SwiftSpend Finance, the notification along with the samples provided in a ZIP file came from `Oliver Bennet` in the Cybersecurity Division.
**What is the SHA1 hash of the file "pRsm.dll" inside samples.zip?**
![[Screenshot 2024-11-12 154513.png]]
Let's download the samples.zip archive provided to us by Oliver to our Desktop and extract it using the password provided in the email. Once it is extracted, open a terminal in the folder containing the files and run *sha1sum* on the pRsm.dll file to get its SHA1 hash.
**Which malware framework utilizes these DLLs as add-on modules?**
Now let's do a bit of OSINT and see if we can find any publicly available threat intelligence associated with these filenames. A Google search for a specific filename, e.g. *intext:prsm.dll*, returns multiple articles referencing a few different threat actors; however, we will go with the first result from **welivesecurity** and see what we can find inside.
https://www.welivesecurity.com/2023/04/26/evasive-panda-apt-group-malware-updates-popular-chinese-software/
![[Screenshot 2024-11-12 155031.png]]
The article reports on a newly uncovered campaign by an APT group known as [Evasive Panda](https://malpedia.caad.fkie.fraunhofer.de/actor/evasive_panda), which is a known APT group operating on behalf of the People's Republic of China. The article references a specific backdoor known as `mgbot`, described by the author as the group's flagship backdoor, which is part of a larger custom malware framework developed by Evasive Panda.
**Which MITRE ATT&CK Technique is linked to using pRsm.dll in this malware framework?**
Reading through the report, we come across a section which lists all of the different MgBot plugins, some of which were included in the samples.zip archive that was emailed to us by SwiftSpend Finance.
![[Screenshot 2024-11-12 155543.png]]
The report provides a description of the purpose of each plugin. For the *pRsm.dll* plugin, it appears that its purpose was to capture input and output audio streams. Let's see if we can find a MITRE Technique associated with this behavior.
![[Screenshot 2024-11-12 155801.png]]
A quick search for this behavior within the MITRE ATT&CK Framework returns MITRE Technique `ID: T1123` Audio Capture. This technique falls under the MITRE Enterprise Tactic of *Collection*.
**What is the CyberChef defanged URL of the malicious download location first seen on 2020-11-02?**
Going back to the **welivesecurity** report, let's look through some of the IOCs and see if we can't find anything that was first seen in 2020. We come across what appears to be a URL for a malicious mgbot download location. Let's copy that and make a quick visit to [CyberChef](https://gchq.github.io/CyberChef/) to get a properly defanged URL.
![[Screenshot 2024-11-12 161207.png]]
Now let's drop that URL into CyberChef and select the *Defang URL* operation to get a neat and tidy defanged URL.
![[Screenshot 2024-11-12 161448.png]]
With that, we now have a properly defanged URL for the malicious download location that was first seen on 2020-11-02.
**What is the CyberChef defanged IP address of the C&C server first detected on 2020-09-14 using these modules?**
Let's do the exact same thing for that C2 IP address discovered on 2020-09-14. Once you get the properly defanged IP from CyberChef, drop that into the answer box and let's finish up this investigation.
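The two CyberChef steps above (Defang URL for the download location, Defang IP for the C2 address) are easy to reproduce in a script when a whole IOC list from a report needs defanging. This is an added example, not part of the original writeup or the TryHackMe room; it follows CyberChef's default rules as I understand them (http becomes hxxp, :// becomes [://], dots become [.], and IPv6 colons become [:]), and the sample values are constructed placeholders, not the real indicators from the welivesecurity report.

```python
import ipaddress
import re


def defang_url(url: str) -> str:
    """CyberChef 'Defang URL' defaults: http->hxxp, '://'->'[://]', '.'->'[.]'."""
    out = re.sub(r"http", "hxxp", url, flags=re.IGNORECASE)
    out = out.replace("://", "[://]")
    return out.replace(".", "[.]")


def defang_ip(ip: str) -> str:
    """CyberChef 'Defang IP Addresses': IPv4 dots -> '[.]', IPv6 colons -> '[:]'.

    Raises ValueError when the string is not a valid IP address, which lets
    defang_all() fall back to the URL rule for hostnames and URLs.
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ip.replace(".", "[.]")
    return ip.replace(":", "[:]")


def refang(indicator: str) -> str:
    """Reverse both operations so a defanged IOC can be fed to a lookup tool."""
    out = indicator.replace("[://]", "://").replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"hxxp", "http", out, flags=re.IGNORECASE)


def defang_all(indicators):
    """Defang a mixed list: IPs get the IP rule, everything else the URL rule."""
    result = []
    for value in indicators:
        try:
            result.append(defang_ip(value))
        except ValueError:
            result.append(defang_url(value))
    return result


if __name__ == "__main__":
    # Constructed sample IOCs (documentation ranges / .test TLD), not report values.
    sample = ["http://update.example.test/mgbot/setup.exe", "203.0.113.10", "2001:db8::1"]
    for raw, safe in zip(sample, defang_all(sample)):
        print(f"{raw} -> {safe}")
        assert refang(safe) == raw  # round trip must restore the original
```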
**What is the SHA1 hash of the spyagent family spyware hosted on the same IP targeting Android devices on November 16, 2022?**
Now, there are a variety of different tools that we could use to find this information; however, let's go with ol' reliable and check VirusTotal to see if we can find any historical information on this IP address and any hosted or communicating files associated with it.
![[Screenshot 2024-11-12 164120.png]]
Looking at the communicating files, we see that one of them is an Android APK file, **951f41930489a8bfe963fced5d8dfd79.virus**. This is the one we will take a closer look at.
![[Screenshot 2024-11-12 164527.png]]
Immediately at the top we can see that the "Popular threat label" is **trojan.spyagent/fjhv** which is an identifier for the spyagent malware family. This has to be the one. Let's copy the SHA1 hash and drop it into the final answer box. BINGO!
Looks like that was the one, this investigation can officially be concluded...for now. Enjoy the long weekend and pray that you don't come into work on Monday with a full inbox of emails from SwiftSpend about some other issue. We will see ya next time!