We covered a cyber threat intelligence case study involving a finance company named SwiftSpend Finance, which reported malicious samples spreading in its network. We stepped into the shoes of a cyber threat intelligence analyst and looked into the indicators of compromise provided in the report. We extracted intelligence related to the samples, including URLs, hashes, IP addresses and the MITRE ATT&CK techniques used by the attackers. This was part of the TryHackMe Friday Overtime room in the SOC Level 2 track.

Please watch the video at the bottom for a full, detailed explanation of the walkthrough.

Brief on the Case, as put by TryHackMe

It’s a Friday evening at PandaProbe Intelligence when a notification appears on your CTI platform. While most are already looking forward to the weekend, you realise you must pull overtime because SwiftSpend Finance has opened a new ticket, raising concerns about potential malware threats. The finance company, known for its meticulous security measures, stumbled upon something suspicious and wanted immediate expert analysis.

As the only remaining CTI Analyst on shift at PandaProbe Intelligence, you quickly took charge of the situation, realising the gravity of a potential breach at a financial institution. The ticket contained multiple file attachments, presumed to be malware samples.

With a deep breath, a focused mind, and the longing desire to go home, you began the process of:

  1. Downloading the malware samples provided in the ticket, ensuring they were contained in a secure environment.
  2. Running the samples through preliminary automated malware analysis tools to get a quick overview.
  3. Deep diving into a manual analysis, understanding the malware’s behaviour, and identifying its communication patterns.
  4. Correlating findings with global threat intelligence databases to identify known signatures or behaviours.
  5. Compiling a comprehensive report with mitigation and recovery steps, ensuring SwiftSpend Finance could swiftly address potential threats.

Definition of Cyber Threat Intelligence

From the blue team perspective, it is the collection and analysis of the tactics, techniques and procedures (TTPs) used by attackers in order to build detections.
From the red team perspective, it is the emulation of adversaries' TTPs and the assessment of the blue team's ability to build detections based on IOCs and TTPs.

The red team collects the TTPs attributed to a specific hacking group from threat intelligence frameworks, then builds tooling to emulate that group's behaviour during an engagement.

Cyber threat intelligence aims to answer the following questions:

  • Who’s attacking you?
  • What are their motivations?
  • What are their capabilities?
  • What artefacts and indicators of compromise (IOCs) should you look out for?

How to gather threat intelligence

  • Internal:
    • Vulnerability assessments and incident response reports.
    • Cyber awareness training reports.
    • System logs and events.
  • Community:
    • Web forums.
    • Dark web communities for cybercriminals.
  • External:
    • Threat intel feeds (Commercial & Open-source).
    • Online marketplaces.
    • Public sources include government data, publications, social media, financial and industrial assessments.
    • Malware repositories.

Threat Intelligence Types

  • Strategic: assists senior management in making informed decisions, specifically about the security budget and strategy.
  • Tactical: interacts with TTPs and attack models to identify adversary attack patterns.
  • Operational: interacts with IOCs and how adversaries operationalise their attacks.

Room Answers | TryHackMe Friday Overtime

Who shared the malware samples?
Oliver Bennett

What is the SHA1 hash of the file “pRsm.dll” inside samples.zip?
9d1ecbbe8637fed0d89fca1af35ea821277ad2e8

Which malware framework utilizes these DLLs as add-on modules?

MgBot

Which MITRE ATT&CK Technique is linked to using pRsm.dll in this malware framework?

T1123

What is the CyberChef defanged URL of the malicious download location first seen on 2020-11-02?

hxxp[://]update[.]browser[.]qq[.]com/qmbs/QQ/QQUrlMgr_QQ88_4296[.]exe

What is the CyberChef defanged IP address of the C&C server first detected on 2020-09-14 using these modules?

122[.]10[.]90[.]12

What is the SHA1 hash of the spyagent family spyware hosted on the same IP targeting Android devices on November 16, 2022?

1c1fe906e822012f6235fcc53f601d006d15d7be
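The answers above come from two routine CTI tasks: hashing the attachments inside samples.zip without extracting or running them, and defanging the network indicators before they go into a report. The script below is an added example, not part of the TryHackMe room or of this walkthrough's own tooling. It builds a constructed archive in memory (the "pRsm.dll" member holds placeholder bytes, not the real module), hashes every member, and defangs/refangs URLs and IPs using the same conventions CyberChef produced in the answers (http to hxxp, :// to [://], dots to [.]). The sample URL and IP in the main block are constructed (example.com and an RFC 5737 documentation address) and are not from the case.

```python
"""Hash the members of a sample archive and defang/refang IOCs for a CTI report."""
import hashlib
import io
import re
import zipfile

# Constructed stand-in content for the archive member; this is NOT the real pRsm.dll.
PLACEHOLDER_DLL = b"constructed placeholder bytes, not a real DLL\n"


def hash_bytes(data):
    """Return the SHA1 and SHA256 hex digests (and size) of a byte string."""
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "size": len(data),
    }


def hash_zip_members(zip_bytes):
    """Hash every file inside a zip held in memory.

    The archive is only read: nothing is extracted to disk and nothing is
    executed, which is how hashes should be taken from a ticket attachment
    before any further analysis.
    """
    report = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for member in archive.infolist():
            if member.is_dir():
                continue
            report[member.filename] = hash_bytes(archive.read(member))
    return report


def defang_url(url):
    """Defang a URL the way CyberChef's "Defang URL" recipe does:
    http/https -> hxxp/hxxps, :// -> [://], every dot -> [.]."""
    out = re.sub(r"http", "hxxp", url, flags=re.IGNORECASE)
    out = out.replace("://", "[://]")
    return out.replace(".", "[.]")


def defang_ip(ip):
    """Defang an IPv4 address: 192.0.2.10 -> 192[.]0[.]2[.]10"""
    return ip.replace(".", "[.]")


def refang(indicator):
    """Undo defanging so an indicator can be looked up in a feed or sandbox."""
    out = indicator.replace("[://]", "://").replace("[.]", ".")
    return re.sub(r"hxxp", "http", out, flags=re.IGNORECASE)


def build_sample_zip():
    """Build a constructed archive in memory that mimics the layout of samples.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("samples/pRsm.dll", PLACEHOLDER_DLL)  # placeholder, not malware
        archive.writestr("samples/empty.bin", b"")
    return buf.getvalue()


def triage(zip_bytes, urls, ips):
    """Produce the IOC block of a CTI report: member hashes plus defanged network indicators."""
    return {
        "files": hash_zip_members(zip_bytes),
        "urls": [defang_url(u) for u in urls],
        "ips": [defang_ip(ip) for ip in ips],
    }


if __name__ == "__main__":
    # Constructed network indicators (example domain / RFC 5737 range), not from the case.
    result = triage(
        build_sample_zip(),
        ["http://malware.example.com/update/agent.exe"],
        ["192.0.2.10"],
    )
    for name, h in result["files"].items():
        print(f"{name}: sha1={h['sha1']} sha256={h['sha256']} size={h['size']}")
    print("URLs:", result["urls"])
    print("IPs:", result["ips"])
```

Running this against the real samples.zip would mean passing its bytes to `triage()` instead of `build_sample_zip()`; the hashes are then ready to be pivoted on in a threat intel platform, and the defanged strings can be pasted into a report without creating clickable links to attacker infrastructure.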

Video Walkthrough | TryHackMe Friday Overtime

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.