Module: INTRODUCTION TO MALWARE ANALYSIS - (additional_samples.zip Download)

Download additional_samples.zip from this module’s resources (available at the upper right corner) and transfer the .zip file to this section’s target. Unzip additional_samples.zip (password: infected) and use IDA to analyze orange.exe. Enter the registry key that it modifies for persistence as your answer. Answer format: SOFTWARE____

&&&

Download additional_samples.zip from this module’s resources (available at the upper right corner) and transfer the .zip file to this section’s target. Unzip additional_samples.zip (password: infected) and use IDA to analyze orange.exe. Enter the name of the function that is holding the name of the file intrenat.exe that orange.exe drops as your answer. Answer format: sub_4XXXX3

These two questions within the code analysis section require you to download a zip file from the HTB academy webpage in order to decompile and analyse the requested .exe’s within IDA. As an individual who uses Mac and the Parrot/RDP instance provided I am not sure how to get the .zip file across to the Windows instance. I tried:

  1. Signing into my academy.htb account via windows; No internet connection
  2. Signing into my academy.htb linux and scp’ing; Port 22 is closed.
  3. Downloading on my Mac and installing my own Windows VM; my Mac refused the download due to “dangerous file”.

How am I supposed to complete this section? :confused: I spent 100 squares on this mf.

  1. On your host machine: download the zip file into a temp folder.
    1a - Inside terminal type: wget URL-of-zip-file
  2. Open terminal and go to temp folder - get IP address
  3. Type the following command in terminal: python -m http.server
  4. Go to VM - open browser and navigate to http://HOST-IP:8000/
  5. Download into VM and good hunting

You can also use wget in the pwnbox with the resource url, unzip it and share that folder with the remote connection to the working machine.

  1. on pwnbox use wget https://academy.hackthebox.com/storage/resources/additional_samples.zip
  2. unzip it with unzip [file route]
  3. share the file with the remote connection (with Remmina it is easy)
  4. continue with the lab

I'm also a little stuck identifying the registry key edited.


Hi all, thank you for your suggestions. They helped and I’ve passed this one now.

I guess in retrospect it’s an obvious answer but I appreciate it none the less.

This module is crazy hard o.O. @x46uck did you look for every function?

Didn't manage to understand how to get step 3 working correctly; can you give a bit more info on how to get this working in the pwnbox?

Making a http.server and accessing it on the VM works fine, just like @sampaio.veiga described.

Hello, the http server from my kali vm is not working on the target machine. http://host-ip:8000/ only works on my kali vm. Any tips?

nvm figured it out. it was my firewall. thank you!

For the first question, I dug through all the functions and spent 5 hours. The answer is nowhere to be found, but there is a clue: Hkey. Utilize all resources! GLHF.


The name of the function that is holding the name of the file intrenat.exe is in the picture.

In the PWNBox, ensure you configure the environment properly, then use the pwn library to set breakpoints and step through the code. Check documentation for step-by-step guidance.

I am also stuck. The Text view for orange.exe for the RegOpenKeyExA is attached.
There is a subroutine, 40A908; it uses the RegOpenKeyExA function. Any suggestions on how to proceed from here?

Hint:

sub_40A908 is the right place to investigate. Look for something obfuscated, and remember the hint provided: the registry key begins with “Software”.

I see that sub_40A908 configures this reg key; however, I'm not sure how to read or interpret the chars declared in it. Do you have any idea how?

Currently Struggling with this, anyone have any tips?

Same. Any tips? I read the function but have no idea how to search for something similar to SOFTWARE.


I used CHATGPT to figure out the reg key

Copy sub_40A908 into ChatGPT, but only the main box, the first one.

Or you can reconstruct the reg key by yourself.
It will take time but you will get there.
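The hint above says the key is "obfuscated" and the reply above suggests reconstructing it by hand: what an analyst usually finds in a routine like this is a stack string, i.e. the registry path written to the stack one immediate at a time (often out of order) so that no plain string shows up in IDA's Strings window. The following script is an added example written for this thread; it is not part of the HTB module, not taken from orange.exe, and the listing it parses is a constructed stand-in that decodes to placeholder text, not the lab's answer. It assumes IDA's default `mov byte ptr [ebp+var_XX], NNh` operand syntax and a 32-bit, little-endian target; `extract_stack_bytes`, `recover_strings` and `SAMPLE_LISTING` are names chosen here. Paste the `mov` lines of the subroutine you are looking at in place of the sample to read the string the code builds.

```python
import re
from typing import Dict, List

# Constructed IDA-style listing fragment (NOT from orange.exe). It builds two
# stack strings byte by byte and dword by dword, writing the bytes out of order,
# which is the pattern that hides a registry path from a plain strings search.
SAMPLE_LISTING = """
mov     byte ptr [ebp+var_28], 53h ; 'S'
mov     byte ptr [ebp+var_24], 77h ; 'w'
mov     byte ptr [ebp+var_27], 6Fh ; 'o'
mov     byte ptr [ebp+var_22], 72h ; 'r'
mov     byte ptr [ebp+var_26], 66h ; 'f'
mov     byte ptr [ebp+var_25], 74h ; 't'
mov     byte ptr [ebp+var_23], 61h ; 'a'
mov     byte ptr [ebp+var_21], 65h ; 'e'
mov     byte ptr [ebp+var_20], 5Ch ; '\\'
mov     byte ptr [ebp+var_1F], 0
mov     [ebp+var_14], 61647055h     ; "Upda" stored as one little-endian dword
mov     [ebp+var_10], 6574h         ; "te" stored as one little-endian word
mov     [ebp+var_4], 0
lea     eax, [ebp+var_28]
push    eax
"""

# mov [size ptr] [ebp+var_XX], immediate   (IDA syntax; 'var_XX' is ebp - 0xXX)
MOV_RE = re.compile(
    r"mov\s+(?:(byte|word|dword)\s+ptr\s+)?\[ebp\+var_([0-9A-Fa-f]+)\]\s*,\s*"
    r"(0?[0-9A-Fa-f]+h|\d+)",
    re.IGNORECASE,
)
WIDTH = {"byte": 1, "word": 2, "dword": 4}


def parse_immediate(tok: str) -> int:
    """IDA writes hex immediates with a trailing 'h' (0A3h); anything else is decimal."""
    tok = tok.strip()
    if tok[-1] in "hH":
        return int(tok[:-1], 16)
    return int(tok, 10)


def extract_stack_bytes(listing: str) -> Dict[int, int]:
    """Map each stack slot (offset from ebp, negative) to the byte written there."""
    cells: Dict[int, int] = {}
    for line in listing.splitlines():
        m = MOV_RE.search(line)
        if not m:
            continue
        size_tok, var_hex, imm_tok = m.groups()
        base = -int(var_hex, 16)            # var_28 lives at ebp - 0x28
        value = parse_immediate(imm_tok)
        if size_tok:
            width = WIDTH[size_tok.lower()]
        else:
            # No explicit size: IDA omits 'ptr' when the slot is typed, so fall
            # back to the smallest width that holds the immediate (heuristic).
            width = 1 if value <= 0xFF else (2 if value <= 0xFFFF else 4)
        # A multi-byte immediate lands in memory little-endian, lowest byte first.
        for i, b in enumerate(value.to_bytes(width, "little")):
            cells[base + i] = b
    return cells


def recover_strings(listing: str, min_len: int = 4) -> List[str]:
    """Walk the stack slots in address order and emit printable, NUL-terminated runs."""
    cells = extract_stack_bytes(listing)
    found: List[str] = []
    run = bytearray()
    prev = None
    for off in sorted(cells):
        b = cells[off]
        contiguous = prev is not None and off == prev + 1
        printable = 0x20 <= b < 0x7F
        # A gap in addresses, a NUL, or a non-printable byte ends the current run.
        if not contiguous or not printable:
            if len(run) >= min_len:
                found.append(run.decode("ascii"))
            run = bytearray()
        if printable:
            run.append(b)
        prev = off
    if len(run) >= min_len:
        found.append(run.decode("ascii"))
    return found


if __name__ == "__main__":
    for s in recover_strings(SAMPLE_LISTING):
        print(repr(s))
```

Sorting by stack offset is what undoes the out-of-order writes; if the routine also XORs or adds a constant to each byte before storing it, apply that transform to `b` once for every slot before the printable check. Compare whatever path you recover against the `RegOpenKeyExA`/`RegSetValueExA` calls that follow it so you know which value the sample writes, not just which key it opens.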

Thanks. Done!