Aleyna
Lab link. Step into the shoes of a Cyber Threat Intelligence Analyst and put your investigation skills to the test. 1. Who shared the malware samples? Oliver Bennett 2. What is the SHA1 hash of the file “pRsm.dll” inside samples.zip? 9d1ecbbe8637fed0d89fca1af35ea821277ad2e8 3. Which malware framework utilizes these DLLs as add-on modules? Calculated the SHA1 hash …
Lab link. 1. What is a technique used by the APT to both perform recon and gain initial access? Spearphishing Link is a technique used by APT28 in both the Reconnaissance and Initial Access phases. This makes T1598.003 – Spearphishing Link a key technique that serves dual purposes in the attack lifecycle. Spearphishing link 2. …
Lab link. Questions 1. What is the first flag you receive after successfully detecting sample1.exe We start by clicking on the sample1.exe file and analyzing it using the Malware Sandbox tool to observe its behavior. Since we don’t have any IP address, domain, or external IOC at this point, we can block the malware using …
Lab link. Your local sticker shop has finally developed its own webpage. They do not have too much experience regarding web development, so they decided to develop and host everything on the same computer that they use for browsing the internet and looking at customer feedback. Smart move! Can you read the flag at http://MACHINE_IP:8080/flag.txt? …
Lab link. Questions 1. What is the flag? mosquitto_pub -h localhost -t “d2FyZXZpbGxl/Y2hyaXN0bWFzbGlnaHRz” -m “on”
Lab link. Questions 1. Crack the hash value stored in hash1.txt. What was the password? To crack a hash, the first step is to identify its type. For this, we use the hash-id tool. This tool analyzes the provided hash and suggests possible hash types, which helps us choose the correct cracking method. Based on the …
Lab link. Questions 1. What is the name of the webshell that was used by Mayor Malware? The Kubernetes cluster is started using Minikube. The output shows that the cluster has been successfully started and configured by default. We check the status of the pods running in the ‘wareville’ namespace. It may be necessary to …
Lab link. Questions 1. What is the function name that downloads and executes files in the WarevilleApp.exe? DownloadAndExecuteFile 2. Once you execute the WarevilleApp.exe, it downloads another binary to the Downloads folder. What is the name of the binary? explorer.exe 3. What domain name is the one from where the file is downloaded after running …
Lab link. Questions 1. What was the first message the payload sent to Mayor Malware’s C2? ip.src == 10.10.229.217 system prompt 2. What was the IP address of the C2 server? 10.10.123.224 3. What was the command sent by the C2 server to the target machine? whoami 4. What was the filename of the critical …
Lab link. Questions 1. What is the OTP flag? If we run the command frida-trace ./TryUnlockMe -i ‘libaocgame.so!*’, it will automatically start tracing all the functions. The penguin is requesting a PIN code, which is handled by the _Z7set_otpi function. The _Z7set_otpi function manages the OTP process. We open the file in Visual Studio Code …