https://mikehorn-git.github.io/tags/malware-analysis/ Recent content in Malware Analysis on Mike.Horn Hugo en Fri, 18 Oct 2024 00:00:00 +0200 https://mikehorn-git.github.io/writeups/htb/sherlocks/nuts/ Fri, 18 Oct 2024 00:00:00 +0200 https://mikehorn-git.github.io/writeups/htb/sherlocks/nuts/ <h1 id="q1-what-action-did-alex-take-to-integrate-the-purported-time-saving-package-into-the-deployment-process-provide-the-full-command">Q1: What action did Alex take to integrate the purported time-saving package into the deployment process? (provide the full command)</h1> <p>Review the PowerShell history file:</p> <blockquote> <p><code>ConsoleHost_history.txt</code></p> </blockquote> <p>Look for commands related to NuGet package installation.</p> <p><img alt="History" loading="lazy" src="../../writeups/htb/sherlocks/nuts/2024-09-22T22:56:27,889083437+02:00.png"></p> <p>Identify the full command used to install the package.</p> <hr> <h1 id="q2-identify-the-url-from-which-the-package-was-downloaded-">Q2: Identify the URL from which the package was downloaded ?</h1> <p>Examine the <strong>web browsing history</strong> on the system.</p> <p><img alt="Url" loading="lazy" src="../../writeups/htb/sherlocks/nuts/2024-10-13T18_19_20,030404275+02_00.png"></p> <p>Locate the URL used to download the NuGet package.</p> https://mikehorn-git.github.io/writeups/htb/sherlocks/heartbreaker-continuum/ Mon, 23 Sep 2024 00:00:00 +0200 https://mikehorn-git.github.io/writeups/htb/sherlocks/heartbreaker-continuum/ <h1 id="q1-to-accurately-reference-and-identify-the-suspicious-binary-please-provide-its-sha256-hash">Q1: To accurately reference and identify the suspicious binary, please provide its SHA256 hash.</h1> <p>Identify the SHA256 hash of the suspicious binary file.</p> <blockquote> <p><strong>File Name:</strong> <code>Superstar_MemberCard.tiff.exe</code> <strong>SHA256:</strong> <code>12daa34111bb54b3dcbad42305663e44e7e6c3842f015cccbbe6564d9dfd3ea3</code></p> </blockquote> <hr> <h1 id="q2-when-was-the-binary-file-originally-created-according-to-its-metadata-utc">Q2: When was the binary file originally created, according to its metadata (UTC)?</h1> <p>Upload the file hash to <strong>VirusTotal</strong> to retrieve metadata information.</p> <p><img alt="VT" loading="lazy" src="../../writeups/htb/sherlocks/heartbreaker-continuum/2024-09-22T11:34:24,713072253+02:00.png"></p> <p>Locate the <strong>first seen / creation timestamp</strong> and convert it to <strong>UTC</strong>.</p> <hr> <h1 id="q3-examining-the-code-size-in-a-binary-file-can-give-indications-about-its-functionality-could-you-specify-the-byte-size-of-the-code-in-this-binary">Q3: Examining the code size in a binary file can give indications about its functionality. Could you specify the byte size of the code in this binary?</h1> <p>Use a tool such as <strong>readpe</strong> to inspect the binary structure.</p>