Tryhackme
Advent of Cyber 2024 — Day 21: HELP ME…I’m REVERSE ENGINEERING!
Reverse engineer the binary files to understand their structure, flow, and any malicious actions.
Learning Objectives:
- Understand the structure of a binary file, focusing on PE (Portable Executable) format.
- Differentiate between disassembly and decompiling for reverse engineering.
- Analyze a multi-stage binary to determine its actions and malicious intent.
Steps Performed:
1. File Identification:
- Located WarevilleApp.exe in C:\Users\Administrator\Desktop\.
- Verified the file properties, noting it was a Windows .exe file, compiled using the .NET framework (C#).
2. Static Analysis with PEStudio:
General Information:
- SHA-256 Hash: Used to identify the file uniquely.
- Architecture: x64 executable.
- Indicators: Detected suspicious URLs and function names.
Strings Analysis:
- Found key artifacts such as URLs and suspicious function names, helping identify the executable’s behavior.
3. Dynamic Analysis with ILSpy:
- Decompiled WarevilleApp.exe to view its high-level code.
- Located the main function and its components:
  - Identified a function named DownloadAndExecuteFile.
  - This function downloads a binary and executes it using WebClient and Process.Start().
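The PEStudio step above reads the PE header (architecture, .NET/CLR presence) and pulls strings and indicators out of the file. The script below is an added example, not code from the writeup or from TryHackMe, that does the same two things by hand: it walks the DOS header, PE signature, COFF header and optional header to report the machine type and whether a CLR runtime header is present (the sign of a managed .NET binary), then extracts ASCII and UTF-16LE strings and flags URLs and the API names the writeup found. The sample PE it analyses is a constructed, non-runnable header-plus-strings blob that stands in for WarevilleApp.exe so the script runs offline; the name list and the URL are assumptions for the demonstration.

```python
import re
import struct

# Names a PEStudio-style indicator pass would flag in a .NET dropper.
# Constructed list for this example; extend it with what your triage cares about.
SUSPICIOUS_NAMES = ("WebClient", "DownloadFile", "DownloadAndExecuteFile", "Process", "Start")
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./-]*)?")
ASCII_RE = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # data directory slot of the CLR runtime header


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> optional header."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    machine, nsections, _ts, _symptr, _nsym, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:
        arch, dirs = "x64", opt + 112  # PE32+: data directories start at +112
    elif magic == 0x10B:
        arch, dirs = "x86", opt + 96   # PE32: data directories start at +96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    clr_off = dirs + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    if clr_off + 8 > opt + opt_size or clr_off + 8 > len(data):
        raise ValueError("optional header too short to hold the CLR directory entry")
    _clr_rva, clr_size = struct.unpack_from("<II", data, clr_off)
    return {
        "machine": machine,
        "arch": arch,
        "sections": nsections,
        "is_dll": bool(characteristics & 0x2000),
        "is_dotnet": clr_size != 0,  # non-empty CLR header directory => managed (.NET) code
    }


def extract_strings(data: bytes) -> list:
    """ASCII strings (metadata names sit in the #Strings heap as UTF-8) plus
    UTF-16LE strings (C# string literals sit in the #US heap), in file order."""
    found = [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    found += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(data)]
    found.sort()
    return [s for _, s in found]


def extract_indicators(data: bytes) -> dict:
    """Reduce the string dump to the URLs and API names worth a second look."""
    strings = extract_strings(data)
    urls, apis = [], []
    for s in strings:
        for u in URL_RE.findall(s):
            if u not in urls:
                urls.append(u)
        for name in SUSPICIOUS_NAMES:
            if name in s and name not in apis:
                apis.append(name)
    return {"strings": strings, "urls": urls, "apis": apis}


def build_sample_pe() -> bytes:
    """Constructed, minimal PE32+ image with a CLR header entry. It stands in for
    WarevilleApp.exe so the script runs offline; only the fields parse_pe() reads
    are populated, no section table is emitted, and it cannot be executed."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0, 240, 0x0022)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * 14, 0x2008, 72)      # CLR header RVA / size
    body = (b"DownloadAndExecuteFile\0WebClient\0Process\0Start\0\0"   # #Strings-style names
            + "http://mayorc2.thm/explorer.exe".encode("utf-16-le") + b"\0\0")  # #US-style literal
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + body


if __name__ == "__main__":
    sample = build_sample_pe()
    print(parse_pe(sample))
    print(extract_indicators(sample))
```

Run it against a real file with `parse_pe(open(path, "rb").read())`; the UTF-16LE pass is what surfaces C# string literals that a plain ASCII `strings` run misses, which is exactly where the C2 hostname in a .NET dropper usually lives.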
Analysis of WarevilleApp.exe:
Stage 1 (Dropper):
- Downloads a second binary (explorer.exe) to the Downloads folder from the domain mayorc2.thm.
- Executes the downloaded binary automatically.
Stage 2 (Payload):
- explorer.exe creates a zip file named CollectedFiles.zip, containing victim system data.
- Attempts to upload the zip file to a Command and Control (C2) server at anonymousc2.thm.
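The two-stage chain above leaves a characteristic trace in process-creation telemetry: a binary named explorer.exe running from a user's Downloads folder, launched by another user-space executable. The script below is an added example written for this writeup, not code from the challenge, that triages such events with two simple rules: a system-binary name appearing outside its expected directory (masquerading) and a Downloads-folder executable started by a parent that itself lives in a user-writable location. The events are constructed in a flat key=value form, not real Sysmon output, and the expected-directory table is an assumption you would extend for your own estate.

```python
import ntpath

# Constructed process-creation events (not real Sysmon output), modelled on the
# chain in the writeup: the user runs WarevilleApp.exe from the Desktop, which
# drops explorer.exe into Downloads and launches it.
SAMPLE_EVENTS = [
    r"Image=C:\Windows\explorer.exe|ParentImage=C:\Windows\System32\userinit.exe",
    r"Image=C:\Users\Administrator\Desktop\WarevilleApp.exe|ParentImage=C:\Windows\explorer.exe",
    r"Image=C:\Users\Administrator\Downloads\explorer.exe|ParentImage=C:\Users\Administrator\Desktop\WarevilleApp.exe",
]

# Where the genuine copies of commonly impersonated Windows binaries live
# (assumed table for the example; compare against your own baseline).
EXPECTED_DIRS = {
    "explorer.exe": (r"c:\windows",),
    "svchost.exe": (r"c:\windows\system32", r"c:\windows\syswow64"),
}
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")


def parse_event(line: str) -> dict:
    """Split 'Key=Value|Key=Value' into a dict (values may contain '=' after the first)."""
    return dict(field.split("=", 1) for field in line.split("|"))


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def triage(lines) -> list:
    """Return one finding per (event, rule) hit; an empty list means nothing suspicious."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image, parent = ev["Image"], ev["ParentImage"]
        name = ntpath.basename(image).lower()
        directory = ntpath.dirname(image).lower()

        # Rule 1: a well-known system binary name running from the wrong directory.
        if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
            findings.append({
                "image": image,
                "rule": "masquerade",
                "detail": f"{name} running from {directory}; expected one of {EXPECTED_DIRS[name]}",
            })

        # Rule 2: something in Downloads started by a parent that also lives in
        # user-writable space, the dropper-then-payload pattern from the writeup.
        if "\\downloads\\" in image.lower() and in_user_writable(parent):
            findings.append({
                "image": image,
                "rule": "dropped-and-launched",
                "detail": f"binary in Downloads started by user-space parent {parent}",
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['rule']}] {finding['image']}: {finding['detail']}")
```

Only the third event fires, and it fires on both rules; the legitimate explorer.exe under C:\Windows and the user launching WarevilleApp.exe from the Desktop pass quietly, which is the point of anchoring the rules on location and parent rather than on the process name alone.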
Tasks:
- What is the function name that downloads and executes files in the WarevilleApp.exe? DownloadAndExecuteFile
- What is the name of the binary downloaded by WarevilleApp.exe? explorer.exe
- What domain name hosts the file downloaded by WarevilleApp.exe? mayorc2.thm
- What is the name of the zip file created by the stage 2 binary? CollectedFiles.zip
- What is the name of the C2 server where the stage 2 binary uploads files? anonymousc2.thm
Key Takeaways:
- Reverse engineering helps uncover malicious binary behavior, such as multi-stage attacks.
- Tools like PEStudio and ILSpy provide valuable static and dynamic analysis.
- Identifying key functions and observing the binary’s flow can aid in incident response and attribution.