Day 21

HELP ME...I'm REVERSE ENGINEERING!

Welcome to Day 21 of Advent of Cyber 2024 🎄

Today’s challenge dives into the fascinating world of reverse engineering using ILSpy.

Introduction to Reverse Engineering

Reverse engineering involves deconstructing software or binaries to understand their behavior. It’s a vital cybersecurity technique used to:

  • Identify malware functionality.

  • Detect security flaws in applications.

  • Attribute binaries to specific threat actors.

Let's begin:

We have an exe named WarevilleApp.exe.

We need to decompile it and find the answers to the questions:

Open this exe in ILSpy:

First, we need to find the name of the function that downloads and executes files in WarevilleApp.exe:

Expand the Form1 section and inspect it:

Here we can find the DownloadAndExecuteFile() function, which is used to download explorer.exe from mayorc2.thm.

Let's run WarevilleApp.exe:

When we run it, a file named explorer.exe is downloaded to the Downloads folder; we need to decompile that one too to find more answers:

Open explorer.exe in ILSpy:

Open the Pictures folder to check for the zip file:

We can see the zip file named CollectedFiles.zip.

Finally, to find the name of the C2 server, check the UploadFiletoServer function of explorer.exe:

We can see the server name: anonymousc2.thm
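As an added example (not part of the original walkthrough or the lab's own files), here is a small Python triage script that recovers the same kind of indicators, the download host and the C2 host, statically: it pulls printable strings out of a binary in both ASCII and UTF-16LE (the encoding .NET uses for string literals in its #US heap) and flags URLs and hostnames. The sample byte blob is constructed, and the TLD allowlist is an assumption of the example.

```python
import re
import sys

# Indicator patterns: a URL, or a bare hostname like mayorc2.thm / anonymousc2.thm.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"']*)?")
HOST_RE = re.compile(r"\b[A-Za-z0-9](?:[A-Za-z0-9\-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9\-]+)+\b")
# Assumed allowlist of TLDs worth flagging; .thm is the lab's TLD. Filtering on it
# keeps dotted .NET names (System.Windows.Forms) and file names out of the hits.
SUSPECT_TLDS = {"thm", "com", "net", "org", "io"}

def extract_strings(data: bytes, min_len: int = 6):
    """Yield (encoding, text) for printable runs in ASCII and in UTF-16LE.
    .NET string literals live in the #US heap as UTF-16LE, so an ASCII-only
    strings pass would miss exactly the literals this walkthrough recovers."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield "ascii", m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data):
        yield "utf-16le", m.group().decode("utf-16le")

def find_network_indicators(data: bytes):
    """Return the sorted unique URLs and hostnames found in either encoding."""
    found = set()
    for _enc, text in extract_strings(data):
        found.update(URL_RE.findall(text))
        for host in HOST_RE.findall(text):
            if host.rsplit(".", 1)[-1].lower() in SUSPECT_TLDS:
                found.add(host)
    return sorted(found)

def sample_binary() -> bytes:
    """Constructed stand-in for a .NET assembly's #US heap (not the real
    WarevilleApp.exe): UTF-16LE literals separated by junk bytes."""
    literals = ["http://mayorc2.thm/explorer.exe", "CollectedFiles.zip",
                "System.Windows.Forms", "anonymousc2.thm"]
    blob = b"MZ\x90\x00" + b"mscorlib.dll\x00"
    for s in literals:
        blob += b"\x00\x01\x02" + s.encode("utf-16le") + b"\x00\x00"
    return blob

if __name__ == "__main__":
    # Pass a file path to scan a real binary; with no argument, scan the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_binary()
    for indicator in find_network_indicators(data):
        print(indicator)
```

Running it against a real sample (`python triage.py WarevilleApp.exe`) gives you the download URL and C2 host to pivot on before opening the decompiler, without executing anything.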

Questions:

1. What is the function name that downloads and executes files in the WarevilleApp.exe?

A: DownloadAndExecuteFile

2. Once you execute the WarevilleApp.exe, it downloads another binary to the Downloads folder. What is the name of the binary?

A: explorer.exe

3. What domain name is the one from where the file is downloaded after running WarevilleApp.exe?

A: mayorc2.thm

4. The stage 2 binary is executed automatically and creates a zip file comprising the victim's computer data; what is the name of the zip file?

A: CollectedFiles.zip

5. What is the name of the C2 server where the stage 2 binary tries to upload files?

A: anonymousc2.thm

Stay tuned for Day 22 and Happy Hacking 🎄

Thank you!
