Friday Overtime — SOC Level 1 - Cyber Threat Intelligence — TryHackMe Challenge Walkthrough & Insights
Step into the shoes of a Cyber Threat Intelligence Analyst and put your investigation skills to the test.
Room URL: https://tryhackme.com/r/room/fridayovertime
Task 1 Challenge Scenario
Disclaimer
Please note: The artefacts used in this scenario were retrieved from a real-world cyber-attack. Hence, it is advised that interaction with the artefacts be done only inside the attached VM, as it is an isolated environment.
Hello Busy Weekend...
It’s a Friday evening at PandaProbe Intelligence when a notification appears on your CTI platform. While most are already looking forward to the weekend, you realise you must pull overtime because SwiftSpend Finance has opened a new ticket, raising concerns about potential malware threats. The finance company, known for its meticulous security measures, stumbled upon something suspicious and wanted immediate expert analysis.
As the only remaining CTI Analyst on shift at PandaProbe Intelligence, you quickly took charge of the situation, realising the gravity of a potential breach at a financial institution. The ticket contained multiple file attachments, presumed to be malware samples.
With a deep breath, a focused mind, and the longing desire to go home, you began the process of:
- Downloading the malware samples provided in the ticket, ensuring they were contained in a secure environment.
- Running the samples through preliminary automated malware analysis tools to get a quick overview.
- Deep diving into a manual analysis, understanding the malware’s behaviour, and identifying its communication patterns.
- Correlating findings with global threat intelligence databases to identify known signatures or behaviours.
- Compiling a comprehensive report with mitigation and recovery steps, ensuring SwiftSpend Finance could swiftly address potential threats.
Connecting to the machine
Start the virtual machine in split-screen view by clicking the green Start Machine button on the upper right section of this task. If the VM is not visible, use the blue Show Split View button at the top-right of the page. Additionally, you can open the DocIntel platform using the credentials below.
Username: ericatracy
Password: Intel321!
IP: MACHINE_IP
Note: While the web browser (i.e., Chromium) will immediately start after boot up, it may show tabs that have “Connection Refused” displayed. This is because the DocIntel platform takes a few more minutes to finish starting up after the VM has completely booted up. The ticket details can be found by logging in to the DocIntel platform.
OSINT, a web browser, and a text editor outside the VM will also help.
Answer the questions below
1. Who shared the malware samples?
The sender of the malware samples is explicitly mentioned as Oliver Bennett from the Cybersecurity Division at SwiftSpend Finance.
Answer: Oliver Bennett
2. What is the SHA1 hash of the file “pRsm.dll” inside samples.zip?
Downloading the malware samples
Open the Terminal and navigate to the Downloads folder:
By default, downloaded files are usually saved in the Downloads directory.
cd ~/Downloads
List content to check if the samples.zip file is present:
ls
Extract the content of samples.zip (when prompted, enter the archive password Panda321!):
unzip samples.zip
We successfully extracted the files using the password Panda321!, and the contents of the samples.zip file are now visible.
The extracted files are:
mailtfpassword.dll
pRsm.dll
qmsdp.dll
wcdbcrk.dll
Compute the SHA1 Hash for “pRsm.dll”
sha1sum pRsm.dll
The SHA1 hash for “pRsm.dll” has been successfully calculated.
Answer: 9d1ecbbe8637fed0d89fca1af35ea821277ad2e8
3. Which malware framework utilizes these DLLs as add-on modules? (Question Hint Search for an article or report related to the artefacts)
DLLs (Dynamic Link Libraries) are shared libraries of code that Windows programs load at runtime to add functionality.
Open a browser and search for: Which malware framework utilizes pRsm.dll
A search result points to an ESET article about the Evasive Panda APT group.
According to the ESET research report, these DLLs are used by the MgBot malware framework, which employs a modular structure for tasks like spying, stealing credentials, and exfiltrating data.
Evasive Panda and MgBot Malware:
The report attributes a malware campaign to the Evasive Panda APT group.
The attackers hijacked legitimate software update channels to deliver the MgBot malware, which serves as their primary backdoor (a method to secretly access compromised systems).
Targeted Users:
The malware primarily targeted users in mainland China.
It was delivered via software updates for programs developed by Chinese companies, making the attack seem legitimate and harder to detect.
Malware Functionality:
MgBot is described as a modular malware framework, which means:
It uses plugin modules (such as DLLs like pRsm.dll) to perform specific tasks.
These tasks could include:
Capturing audio from the victim’s microphone.
Stealing credentials or sensitive data.
Exfiltrating information to the attackers’ servers.
Answer: MgBot
4. Which MITRE ATT&CK Technique is linked to using pRsm.dll in this malware framework?
Use Ctrl+F to search for pRsm.dll in the article.
The DLL is associated with audio capture (spying on a victim’s microphone), which is documented as T1123 — Audio Capture in the MITRE ATT&CK framework.
Answer: T1123
5. What is the CyberChef defanged URL of the malicious download location first seen on 2020–11–02?
A defanged URL is a modified version of a malicious URL that is made safe to share or analyze without accidentally triggering it. This is commonly used in cybersecurity to prevent unintentional access to harmful links while investigating or reporting threats.
Use Ctrl+F to search the article for the URL of the malicious download location first seen on 2020–11–02.
Use CyberChef to defang it:
Select the “Defang URL” operation > Paste the URL into the input field.
Answer: hxxp[://]update[.]browser[.]qq[.]com/qmbs/QQ/QQUrlMgr_QQ88_4296[.]exe
6. What is the CyberChef defanged IP address of the C&C server first detected on 2020–09–14 using these modules?
Defanging an IP address is the process of modifying a malicious IP address to make it safe for sharing, reporting, or analyzing without accidentally enabling access or triggering harmful activity.
Use Ctrl+F to search the article for the IP address of the C&C server first detected on 2020–09–14.
Use CyberChef to defang it:
Select the “Defang IP Addresses” operation > Paste the IP into the input field.
Answer: 122[.]10[.]90[.]12
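The defanging used in questions 5 and 6 is simple enough to script. The block below is an added example, not code from the room or from CyberChef; it approximates CyberChef's “Defang URL” (all escape options on) and “Defang IP Addresses” (IPv4 only) operations, plus the inverse, using the room's two answers as test input.

```python
import re

# Added example: mirrors CyberChef's defang operations as used in this room.
# Indicators are kept defanged in reports and only refanged in memory when
# they must be submitted to a lookup tool such as VirusTotal.

def defang_url(url: str) -> str:
    """Approximation of CyberChef 'Defang URL' with every escape option enabled."""
    out = re.sub(r"http", "hxxp", url, flags=re.IGNORECASE)  # http -> hxxp, https -> hxxps
    out = out.replace("://", "[://]")
    out = out.replace(".", "[.]")
    return out

def defang_ip(ip: str) -> str:
    """Approximation of CyberChef 'Defang IP Addresses' for IPv4 (dots only)."""
    return ip.replace(".", "[.]")

def refang(indicator: str) -> str:
    """Undo either defanging so the value can be fed to a lookup tool."""
    out = indicator.replace("[.]", ".").replace("[://]", "://")
    return re.sub(r"hxxp", "http", out, flags=re.IGNORECASE)

# Indicators from the room's answers, deliberately stored defanged
DEFANGED_URL = "hxxp[://]update[.]browser[.]qq[.]com/qmbs/QQ/QQUrlMgr_QQ88_4296[.]exe"
DEFANGED_C2 = "122[.]10[.]90[.]12"

if __name__ == "__main__":
    for ioc, redo in ((DEFANGED_URL, defang_url), (DEFANGED_C2, defang_ip)):
        live = refang(ioc)                      # only ever held in memory
        print(f"{ioc} -> {redo(live)} (round trip ok: {redo(live) == ioc})")
```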
7. What is the SHA1 hash of the spyagent family spyware hosted on the same IP targeting Android devices on November 16, 2022? (Question Hint Tools like VirusTotal or app.any.run can help with this)
Go to VirusTotal and search for the IP: 122.10.90.12
The IP address 122.10.90.12 is significant because it was identified as a Command & Control (C&C) server used in the MgBot malware campaign.
Check the Relations tab for files hosted on this IP.
Locate the Android spyware entry.
Click on the hash to view the details page.
Answer: 1c1fe906e822012f6235fcc53f601d006d15d7be
Summary of the TryHackMe Room
This room teaches you how to:
1. Analyze malware (pRsm.dll) and map it to the MITRE ATT&CK framework.
2. Use tools like VirusTotal, CyberChef, and sandboxes for safe investigation.
3. Identify malicious servers (C&C) and URLs while defanging them for reporting.
4. Write actionable threat intelligence reports with IoCs (Indicators of Compromise).
Practical Defense Strategies
1. Set Up Proper Monitoring: Use firewalls, IDS/IPS, and endpoint protection.
2. Update Threat Intelligence: Regularly integrate IoCs into security systems.
IoCs (Indicators of Compromise) are clues or pieces of evidence that indicate a system or network may have been compromised by a cyberattack. They help identify and track malicious activity. Examples of IoCs include:
- File Hashes: Unique identifiers of suspicious files (e.g., SHA1 hash of malware).
- Malicious IP Addresses: Addresses used by attackers for Command & Control (C&C) servers.
- Suspicious URLs or Domains: Websites hosting malware or phishing pages.
- Registry Changes: Unusual modifications in the system’s registry.
- Unusual Network Traffic: Data being sent to unknown or unauthorized destinations.
IoCs are critical for detecting, analyzing, and responding to cyber threats effectively. They act as “fingerprints” of an attack.
3. Use MITRE ATT&CK: Map malicious behavior to known techniques and create detection rules.
4. Train Teams: Ensure SOC analysts can use tools like CyberChef and VirusTotal effectively.
5. Isolate and Analyze Malware: Use sandboxes to safely analyze malicious files.
A sandbox is a secure and isolated environment where suspicious files, programs, or malware can be tested and analyzed without risking damage to the actual system. Think of it like a “virtual lab” where you can safely observe how a file behaves, such as whether it tries to steal data or harm a computer.
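What “integrating IoCs into security systems” looks like in practice, as an added example that is not part of the room: the SHA1 hashes and C&C IP from this walkthrough are kept defanged in a small report, refanged in memory, and swept across a few constructed proxy and EDR log lines (the log format and hostnames are made up for the example).

```python
import re

# Added example: IoC sweep over constructed telemetry using the room's indicators.
# Values are stored as they appear in the report (defanged) and refanged only at load time.
IOC_REPORT = {
    "sha1": {
        "9d1ecbbe8637fed0d89fca1af35ea821277ad2e8": "pRsm.dll, MgBot audio capture module (T1123)",
        "1c1fe906e822012f6235fcc53f601d006d15d7be": "Android spyagent sample hosted on the C&C IP",
    },
    "ip": {"122[.]10[.]90[.]12": "MgBot C&C server (first detected 2020-09-14)"},
}

def refang(value: str) -> str:
    return value.replace("[.]", ".")

def load_iocs(report: dict) -> dict:
    """Flatten the report into {live_value: (type, description)} for lookups."""
    return {refang(v).lower(): (kind, desc)
            for kind, entries in report.items() for v, desc in entries.items()}

HASH_RE = re.compile(r"\b[0-9a-f]{40}\b", re.IGNORECASE)   # SHA1 only
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def sweep(log_lines: list, iocs: dict) -> list:
    """Return (line_no, ioc_type, description) for each line carrying a known indicator."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for candidate in HASH_RE.findall(line) + IP_RE.findall(line):
            match = iocs.get(candidate.lower())
            if match:
                hits.append((n, match[0], match[1]))
    return hits

# Constructed sample logs (not real telemetry): two should hit, two are benign.
SAMPLE_LOGS = [
    "2022-11-16T09:12:03Z proxy src=10.10.4.21 dst=122.10.90.12 dport=443 action=allow",
    "2022-11-16T09:12:05Z edr host=FIN-WS07 event=ModuleLoad path=C:\\ProgramData\\pRsm.dll "
    "sha1=9D1ECBBE8637FED0D89FCA1AF35EA821277AD2E8",
    "2022-11-16T09:13:00Z proxy src=10.10.4.22 dst=198.51.100.7 dport=443 action=allow",
    "2022-11-16T09:13:10Z edr host=FIN-WS08 event=ModuleLoad path=C:\\Windows\\System32\\kernel32.dll "
    "sha1=0000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for line_no, kind, desc in sweep(SAMPLE_LOGS, load_iocs(IOC_REPORT)):
        print(f"line {line_no}: {kind} match -> {desc}")
```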
Final Thought
“Keep pushing forward and stay vigilant — every step you take strengthens defenses against cyber threats!”