FlareVM: Arsenal of Tools | TryHackMe writeup / walkthrough

Task 1 - Introduction

Q1. I'm ready to learn more about FlareVM!

No Answer Needed

Task 2 - Arsenal of Tools

Q1. Which tool is an open-source debugger for binaries in x64 and x32 formats?

Answer 👉 x64dbg


Q2. What tool is designed to analyze and edit Portable Executable (PE) files?

Answer 👉 CFF Explorer


Q3. Which tool is considered a sophisticated memory editor and process watcher?

Answer 👉 Process Hacker


Q4. Which tool is used for disk image acquisition and analysis for forensic use?

Answer 👉 FTK Imager


Q5. What tool can be used to view and edit a binary file?

Answer 👉 HxD

Task 3 - Commonly Used Tools for Investigation: Overview

Q1. Which tool was formerly known as FLARE Obfuscated String Solver?

Answer 👉 FLOSS


Q2. Which tool offers in-depth insights into the active processes running on your computer?

Answer 👉 Process Explorer


Q3. By using the Process Explorer (procexp) tool, under what process can we find smss.exe?

Answer 👉 System


Q4. Which powerful Windows tool is designed to help you record issues with your system's apps?

Answer 👉 Procmon


Q5. Which tool can be used for static analysis, or studying executable file properties without running the files?

Answer 👉 PEStudio


Q6. Using the tool PEStudio to open the file cryptominer.bin in the DesktopSample folder, what is the SHA-256 value of the file?

Answer 👉 E9627EBAAC562067759681DCEBA8DDE8D83B1D813AF8181948C549E342F67C0E


Q7. Using the tool PEStudio to open the file cryptominer.bin in the DesktopSample folder, how many functions does it have?

Answer 👉 102


Q8. What tool can generate file hashes for integrity verification, authenticate the source of system files, and validate their validity?

Answer 👉 CFF Explorer


Q9. Using the tool CFF Explorer to open the file possible_medusa.txt in the DesktopSample folder, what is the MD5 of the file?

Answer 👉 646698572AFBBF24F50EC5681FEB2DB7


Q10. Use the CFF Explorer tool to open the file possible_medusa.txt in the DesktopSample folder. Then, go to the DOS Header section. What is the e_magic value of the file?

Answer 👉 5A4D

Task 4 - Analyzing Malicious Files!

Q1. Using PEStudio, open the file windows.exe. What is the entropy value of the file windows.exe?

Answer 👉 7.999


Q2. Using PEStudio, open the file windows.exe, then go to manifest (administrator section). What is the value under requestedExecutionLevel?

Answer 👉 requireAdministrator


Q3. Which function allows the process to use the operating system's shell to execute other processes?

Answer 👉 set_UseShellExecute


Q4. Which API starts with R and indicates that the executable uses cryptographic functions?

Answer 👉 RijndaelManaged


Q5. What is the Imphash of cobaltstrike.exe?

Answer 👉 92EEF189FB188C541CBD83AC8BA4ACF5


Q6. What is the defanged IP address to which the process cobaltstrike.exe is connecting?

Answer 👉 47[.]120[.]46[.]210


Q7. What is the destination port number used by cobaltstrike.exe when connecting to its C2 IP address?

No Answer Needed


Q8. During our analysis, we found a process called cobaltstrike.exe. What is the parent process of cobaltstrike.exe?

Answer 👉 explorer.exe

Task 5 - Conclusion

Q1. Fantastic Room!

No Answer Needed