Disclaimer

Please note: The artefacts used in this scenario were retrieved from a real-world cyber-attack. Hence, it is advised that interaction with the artefacts be done only inside the attached VM, as it is an isolated environment.

Hello Busy Weekend. . .

It's a Friday evening at PandaProbe Intelligence when a notification appears on your CTI platform. While most are already looking forward to the weekend, you realize you must pull overtime because SwiftSpend Finance has opened a new ticket, raising concerns about potential malware threats. The finance company, known for its meticulous security measures, stumbled upon something suspicious and wanted immediate expert analysis.

As the only remaining CTI Analyst on shift at PandaProbe Intelligence, you quickly took charge of the situation, realizing the gravity of a potential breach at a financial institution. The ticket contained multiple file attachments, presumed to be malware samples.

With a deep breath, a focused mind, and the longing desire to go home, you began the process of:

1. Downloading the malware samples provided in the ticket, ensuring they were contained in a secure environment.
2. Running the samples through preliminary automated malware analysis tools to get a quick overview.
3. Deep diving into a manual analysis, understanding the malware's behavior, and identifying its communication patterns.
4. Correlating findings with global threat intelligence databases to identify known signatures or behaviors.
5. Compiling a comprehensive report with mitigation and recovery steps, ensuring SwiftSpend Finance could swiftly address potential threats.

---

Questions

Q1 - Who shared the malware samples?

A: Reading through the letter, in the valediction it is signed: Oliver Bennett

---

Q2 - What is the SHA1 hash of the file "pRsm.dll" inside samples.zip?

A: Clicking on the "Urgent: Malicious Malware Artefacts Detected", will bring you to a more detailed page providing registration information and a file attachment containing the malware samples.

After extracting the files from the zip (Password: Panda321!), we now have access to malicious files.

I then use the sha1sum pRsm.dll command in terminal to get the SHA1 hash of the file. (9d1ecbbe8637fed0d89fca1af35ea821277ad2e8)

---

Q3 - Which malware framework utilizes these DLLs as add-on modules?

A: We can obtain the answer for this question by searching the hash on VirusTotal. (MgBot)

---

Q4 - Which MITRE ATT&CK Technique is linked to using pRsm.dll in this malware framework?

A: This answer can be obtained by searching for the SHA1 hash, and reading through this research report "Evasive Panda APT group delivers malware via updates for popular Chinese software". Doing a page search for "pRsm.dll" will eventually lead you to the technique that uses this DLL. (T1123)

---

Q5 - What is the CyberChef defanged URL of the malicious download location first seen on 2020-11-02?

Q6 - What is the CyberChef defanged IP address of the C&C server first detected on 2020-09-14 using these modules?

A: To obtain the answer for these questions, you must take the URL and IP address found in the "Evasive Panda APT group delivers malware via updates for popular Chinese software" report and place it into CyberChef's "Defang URL" and "Defang IP Addresses" operations.

URL	First seen	Domain IP	ASN	Downloader
hxxp://update.browser.qq[.]com/qmbs/QQ/QQUrlMgr_QQ88_4296.exe	2020-11-02	123.151.72[.]74	AS58542	QQUrlMgr.exe, QQ.exe, QQLive.exe, QQCall.exe
		183.232.96[.]107	AS56040
		61.129.7[.]35	AS4811

(hxxp[://]update[.]browser[.]qq[.]com/qmbs/QQ/QQUrlMgr_QQ88_4296[.]exe)

(122[.]10[.]90[.]12)

---

Q7 - What is the SHA1 hash of the spyagent family spyware hosted on the same IP targeting Android devices on November 16, 2022?

A: Heading back to VirusTotal, if we paste the C2 IP address in search and head over to the RELATIONS tab we can see the related communicating files that also use this IP address

---