Try Hack Me Write Up
First Shift CTF
Medium - approx. 240 min
Task 1 - Intro and Rules
This was a single-player CTF event. I missed it and will go through it today as a quick warmup of classic SOC investigations.
Start the Attacker machine!
Task 2 - Meet ProbablyFine
Task 3 - Probably Just Fine
The shift begins! An Alert titled “Unusual VPN login of susan.martin@probablyfine.thm from 37.19.201.132 (Singapore).” needs to be resolved.
- The SOC handover notes did indeed mention that Susan from Marketing is in Singapore, attending a security vendor conference. It is probably just fine, but the SOC procedure tells us to verify each IP in our threat intel platform TryDetectThis. Answer the first two questions to gather more information and determine the threat level.
- Your teammates reached out to Susan, and she confirmed she did not log in to the company VPN. She also mentioned that while using a public Wi-Fi hotspot at a cafe, she was suddenly prompted to install a “security check” tool, which she did. The host telemetry reveals a suspicious binary with the hash b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630. Can you help us figure out what this binary exactly does and answer the remaining questions?
Let's go!
Connect to the attacker machine, open the link to the Threat Intel (TI) platform TryDetectThis in the web browser, and search for the IP 37.19.201.132.
What is the ASN number related to the IP?
- You can find the ASN in the second widget in the first row. An Autonomous System Number (ASN) is a unique ID for a group of IP networks managed by one organization.
Which service is offered from this IP?
- The second widget in the third row, File Relations, contains information about the binaries connecting to the IP, and these refer to virtual private network applications, like vpn-proxy-2-0-2.apk.
What is the filename of the file related to the hash?
- Open a second tab with TryDetectThis and search for the SHA-256 Hash b8e02f2bc0ffb42e8cf28e37a26d8d825f639079bf6d948f8debab6440ee5630. You will find the filename in the second widget in the first row.
What is the threat signature that Microsoft assigned to the file?
- Antivirus vendors had the great idea of never finding common ground on how to name signatures. Anyway, under Vendor Analysis you can find the vendors, and there is also one row for Microsoft.
One of the contacted domains is part of a large malicious infrastructure cluster. Based on its HTTPS certificate, how many domains are linked to the same campaign?
- Search for gadgethgfub.icu. You can expand the entry underneath HTTPS Certificate Data -> Latest HTTPS Certificate. If you count the Subject Alternative Name (SAN) entries you will get the answer. A Subject Alternative Name (SAN) is a feature in SSL certificates that enables the inclusion of multiple domain names or IP addresses, allowing one certificate to secure several sites.
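Counting SAN entries by hand in the TI platform works, but the same count can be taken straight from the certificate extension. The following is an added example (not part of the write-up or of TryDetectThis) that decodes the DER structure of a subjectAltName value and returns its dNSName entries; the domains it uses are constructed placeholders, not the cluster discussed above.

```python
# Added example, not from the original write-up or TryDetectThis: count the
# dNSName entries in a DER-encoded X.509 subjectAltName value. GeneralNames is
# a SEQUENCE of GeneralName; dNSName is [2] IMPLICIT IA5String, tag byte 0x82.
DNS_NAME_TAG = 0x82
SEQUENCE_TAG = 0x30


def _encode_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _decode_length(buf: bytes, pos: int) -> tuple[int, int]:
    """Return (length, index just past the length octets)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(buf[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def encode_san(domains: list[str]) -> bytes:
    """Build a GeneralNames value holding only dNSName entries (demo input)."""
    names = b"".join(bytes([DNS_NAME_TAG]) + _encode_length(len(d)) + d.encode("ascii")
                     for d in domains)
    return bytes([SEQUENCE_TAG]) + _encode_length(len(names)) + names


def san_dns_names(der: bytes) -> list[str]:
    """Walk the SEQUENCE and collect every dNSName, skipping other name types."""
    if der[0] != SEQUENCE_TAG:
        raise ValueError("subjectAltName value must start with a SEQUENCE")
    seq_len, pos = _decode_length(der, 1)
    end, found = pos + seq_len, []
    while pos < end:
        tag = der[pos]
        length, pos = _decode_length(der, pos + 1)
        if tag == DNS_NAME_TAG:
            found.append(der[pos:pos + length].decode("ascii"))
        pos += length  # iPAddress, URI, etc. are skipped, not rejected
    return found


# Constructed sample: 12 placeholder names, enough to need a long-form length.
SAMPLE_DOMAINS = [f"example-{i}.invalid" for i in range(12)]
SAMPLE_SAN = encode_san(SAMPLE_DOMAINS)
```

`len(san_dns_names(SAMPLE_SAN))` is the number of domains sharing the certificate, which is exactly the figure the question asks for when run against a real certificate's SAN extension bytes.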
The file matches one of the YARA rules made by “kevoreilly”. What line is present in the rule’s “condition” field?
- In the Detections and Reports widget you will find the YARA rule that matched. It also contains the link to the GitHub page.
The file is also mentioned in one of the TI reports. What is the title of the report mentioning this hash?
- Behind the Curtain: How Lumma Affiliates Operate
Which team did the author of the malware start collaborating with in early 2024?
- GhostSocks
A Mexican-based affiliate related to the malware family also uses other infostealers. Which mentioned infostealer targets Android systems?
- CraxsRAT
The report states that the affiliates behind the malware use the services of AnonRDP. Which MITRE ATT&CK sub-technique does this align with?
- AnonRDP offers anonymous hosting solutions, which maps to Acquire Infrastructure: Virtual Private Server (T1583.003).