THM AOC2024 DAY 21: Cracking the Binary Code
Every December, TryHackMe's Advent of Cyber delivers 24 free daily cybersecurity challenges, offering hands-on scenarios that simulate real-world attacks and defenses. Designed for beginners and professionals alike, it's an exciting, gamified way to explore topics like threat hunting, penetration testing, cryptography, and more. This event is perfect for building skills, gaining practical experience, and spreading some cybersecurity cheer during the festive season!
Learning Objectives
- Understand the structure of a binary file.
- Learn the differences between disassembly and decompiling.
- Gain familiarity with multi-stage binaries.
- Practically reverse-engineer a multi-stage binary.
Tools Overview
- PEStudio: A static analysis tool to investigate executables for potential malicious behavior. It helps identify file hashes, sections, and suspicious indicators.
- ILSpy: A decompiler used to convert binary code back into human-readable high-level language, allowing for efficient analysis of .NET binaries.
- Reverse Engineering: A critical methodology for breaking down applications to uncover their structure, behavior, and potential vulnerabilities.
Task Walkthrough
Overview
Today's task revolves around reverse engineering a multi-stage binary named WarevilleApp.exe. By analyzing its behavior, you will uncover its hidden functionalities and determine its role in an attack chain.
Steps
Task 1: Initial Analysis with PEStudio
- Open PEStudio and load WarevilleApp.exe.
- Review the general information, including the file's architecture and the PE sections.
- Identify any URLs, IPs, or suspicious attributes in the Indicators tab.
Task 2: Decompilation with ILSpy
- Launch ILSpy and load the binary.
- Expand the binary tree to locate the Main function.
- Analyze the decompiled code to understand its flow. Look for:
  - Any network activity.
  - Functions that perform file downloads or execution.
Task 3: Execute in a Sandbox
- Run the binary in the sandbox environment provided.
- Observe its behavior, particularly:
  - File downloads to specific directories.
  - Automatic execution of downloaded binaries.
Task 4: Analyze Stage 2 Binary
- Using the information uncovered, analyze the secondary binary.
- Identify its role in exfiltration or communication with a Command and Control (C2) server.
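As an added example (not part of the TryHackMe room or of WarevilleApp.exe itself), the Python triage script below does by hand what the PEStudio Indicators tab does in Task 1: it pulls ASCII and UTF-16LE strings out of a PE image and tags URLs, hostnames, download-and-execute method names and drop paths. It runs against a constructed byte buffer that mimics where a .NET dropper keeps such strings; the URL path, the public Downloads path and the rule names are assumptions, only the domain and method name come from the room.

```python
import re
import sys
from pathlib import Path
from urllib.parse import urlsplit

# Constructed stand-in for a .NET dropper image: method names sit in the
# ASCII #Strings heap, while C# string literals sit in the UTF-16LE #US heap.
SAMPLE_BYTES = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"DownloadAndExecuteFile\x00"                            # method name (ASCII)
    + b"\x00" * 8
    + "http://mayorc2.thm/explorer.exe".encode("utf-16-le")    # assumed URL path
    + b"\x00" * 8
    + "C:\\Users\\Public\\Downloads".encode("utf-16-le")       # assumed drop path
    + b"\x00" * 4
)

ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")            # 6+ printable bytes
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")    # 6+ printable UTF-16LE units
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
API_RE = re.compile(r"DownloadAndExecuteFile|DownloadFile|WebClient|Process\.Start")
DROP_PATH_RE = re.compile(r"\\Downloads\b", re.I)


def extract_strings(data: bytes):
    """Return (encoding, text) pairs for every ASCII and UTF-16LE run."""
    found = [("ascii", m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    found += [("utf-16le", m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(data)]
    return found


def find_indicators(data: bytes):
    """Tag strings the way an analyst reads the Indicators tab: URL, its host,
    download/execute method names, and paths under a Downloads folder."""
    hits = set()
    for enc, text in extract_strings(data):
        for m in URL_RE.finditer(text):
            hits.add(("url", m.group(), enc))
            hits.add(("domain", urlsplit(m.group()).hostname, enc))
        api = API_RE.search(text)
        if api:
            hits.add(("download_exec_api", api.group(), enc))
        if DROP_PATH_RE.search(text):
            hits.add(("drop_path", text, enc))
    return sorted(hits)


if __name__ == "__main__":
    # Pass a real PE path to triage it; with no argument the constructed sample is used.
    blob = Path(sys.argv[1]).read_bytes() if len(sys.argv) > 1 else SAMPLE_BYTES
    for kind, value, enc in find_indicators(blob):
        print(f"{kind:18} {enc:9} {value}")
```

The UTF-16LE pass matters for .NET samples: a URL hard-coded in C# never shows up in a plain ASCII strings dump, which is the same reason an ASCII-only grep on WarevilleApp.exe can miss the C2 domain.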
Questions and Solutions
- What is the function name that downloads and executes files in the WarevilleApp.exe?
  - Answer: DownloadAndExecuteFile
- Once you execute the WarevilleApp.exe, it downloads another binary to the Downloads folder. What is the name of the binary?
  - Answer: explorer.exe
- What domain name is the one from where the file is downloaded after running WarevilleApp.exe?
  - Answer: mayorc2.thm
- The stage 2 binary is executed automatically and creates a zip file comprising the victim's computer data; what is the name of the zip file?
  - Answer: CollectedFiles.zip
- What is the name of the C2 server where the stage 2 binary tries to upload files?
  - Answer: anonymousc2.thm
Recap of Learning Objectives
1. Understand the structure of a binary file.
By exploring the Portable Executable (PE) structure, you learned to differentiate sections like .text for executable code and .data for variables and other resources. This knowledge is crucial for analyzing file integrity and behavior.
2. Learn the differences between disassembly and decompiling.
Disassembly provides machine-level instructions, offering precise insights into binary behavior. Decompiling translates binaries into a high-level language, enabling quick understanding but potentially losing critical details.
3. Gain familiarity with multi-stage binaries.
You discovered how attackers use lightweight droppers to deliver malicious payloads in stages. This approach evades detection and complicates forensic analysis.
4. Practically reverse-engineer a multi-stage binary.
Through PEStudio and ILSpy, you dissected a binary to uncover its functionalities, including downloading and executing payloads, and identified its connections to a C2 server.