Module: INTRODUCTION TO MALWARE ANALYSIS - (additional_samples.zip Download)

Download additional_samples.zip from this module’s resources (available at the upper right corner) and transfer the .zip file to this section’s target. Unzip additional_samples.zip (password: infected) and use IDA to analyze orange.exe. Enter the registry key that it modifies for persistence as your answer. Answer format: SOFTWARE____

&&&

Download additional_samples.zip from this module’s resources (available at the upper right corner) and transfer the .zip file to this section’s target. Unzip additional_samples.zip (password: infected) and use IDA to analyze orange.exe. Enter the name of the function that is holding the name of the file intrenat.exe that orange.exe drops as your answer. Answer format: sub_4XXXX3

These two questions within the code analysis section require you to download a zip file from the HTB Academy webpage in order to decompile and analyse the requested .exe's within IDA. As an individual who uses a Mac and the Parrot/RDP instance provided, I am not sure how to get the .zip file across to the Windows instance. I tried:

  1. Signing into my academy.htb account via Windows; no internet connection.
  2. Signing into my academy.htb account via Linux and scp'ing; port 22 is closed.
  3. Downloading on my Mac and installing my own Windows VM; my Mac refused the download due to "dangerous file".

How am I supposed to complete this section? :confused: I spent 100 squares on this mf.

  1. On your host machine: download the zip file into a temp folder.
    1a - Inside the terminal type: wget URL-of-zip-file
  2. Open a terminal and go to the temp folder - get the host's IP address.
  3. Type the following command in the terminal: python -m http.server
  4. Go to the VM - open a browser and navigate to http://HOST-IP:8000/
  5. Download into the VM and good hunting.
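The `python -m http.server` transfer described in the steps above, as an added example that is not from any poster in this thread: the same stdlib file server started from a script, plus a SHA-256 check so the copy pulled into the analysis VM can be confirmed intact before it is unzipped. Paths, the bind address and the loopback round-trip in `demo()` are assumptions; the archive bytes in `demo()` are a constructed placeholder, not the real additional_samples.zip.

```python
import functools
import hashlib
import http.server
import socketserver
import tempfile
import threading
import urllib.request
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large archives are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def serve_directory(directory: Path, bind: str = "0.0.0.0", port: int = 8000):
    """What `python -m http.server` does, started in a background thread.
    Bind to the host-only/VPN address rather than 0.0.0.0 so the sample is
    not offered on every network the host is attached to."""
    handler = functools.partial(
        http.server.SimpleHTTPRequestHandler, directory=str(directory)
    )
    srv = socketserver.ThreadingTCPServer((bind, port), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_and_verify(url: str, dest: Path, expected_sha256: str) -> bool:
    """Download url to dest and compare with the digest noted on the host."""
    with urllib.request.urlopen(url) as resp, dest.open("wb") as out:
        for chunk in iter(lambda: resp.read(1 << 16), b""):
            out.write(chunk)
    return sha256_of(dest) == expected_sha256


def demo() -> tuple:
    """Round-trip a constructed stand-in for additional_samples.zip over loopback."""
    work = Path(tempfile.mkdtemp())
    sample = work / "additional_samples.zip"
    sample.write_bytes(b"PK\x03\x04 constructed placeholder, not the real archive " * 512)
    srv = serve_directory(work, bind="127.0.0.1", port=0)  # port 0 = any free port
    url = f"http://127.0.0.1:{srv.server_address[1]}/additional_samples.zip"
    good = fetch_and_verify(url, work / "copy.zip", sha256_of(sample))
    tampered = fetch_and_verify(url, work / "copy2.zip", "0" * 64)  # wrong digest
    srv.shutdown()
    srv.server_close()
    return good, tampered
```

On the real setup, run `serve_directory` on the host with the downloaded archive's folder and note `sha256_of` there, then call `fetch_and_verify` from the VM with that digest.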

You can also use wget in the Pwnbox with the resource URL, unzip it and share that folder with the remote connection to the working machine.

  1. On the Pwnbox use wget https://academy.hackthebox.com/storage/resources/additional_samples.zip
  2. Unzip it with unzip [file route]
  3. Use file sharing with the remote connection (with Remmina it is easy)
  4. Continue with the lab

I'm also a little stuck identifying the registry key edited.

Hi all, thank you for your suggestions. They helped and I’ve passed this one now.

I guess in retrospect it’s an obvious answer but I appreciate it none the less.

This module is crazy hard o.O. @x46uck did you look for every function?

Didn't manage/understand how to get step 3 correctly, can you give a bit more info on how to get this working in the Pwnbox?

Making an http.server and accessing it on the VM works fine, just like @sampaio.veiga described.

Hello, the HTTP server from my Kali VM is not working on the target machine. http://host-ip:8000/ only works on my Kali VM. Any tips?

nvm, figured it out. It was my firewall. Thank you!

For the first question, I dug through all the functions and spent 5 hours. The answer is nowhere to be found, but there is a clue: Hkey. Utilize all resources! GLHF.

I used ChatGPT and I found the answer.

The name of the function that is holding the name of the file intrenat.exe is in the picture.