
Pyramid Of Pain

Learn what the Pyramid of Pain is and how to use this model to determine how difficult it will be for an adversary to change the indicators associated with them and their campaign.

THM Room https://tryhackme.com/room/pyramidofpainax

TASK 1 : Introduction

Read the above.

No Answer

TASK 2 : Hash Values (Trivial)

Provide the ransomware name for the hash ‘63625702e63e333f235b5025078cea1545f29b1ad42b1e46031911321779b6be’ using open-source lookup tools

Using an online tool like VirusTotal https://www.virustotal.com/gui/home/upload:

Screenshot: Hash

Answer : Conti

TASK 3 : IP Address (Easy)

What is the ASN for the third IP address observed?

Using the link to any.run gives me the information.

Screenshot: ASN from Any.Run

I got the same info by checking the IP in Hurricane Electric https://bgp.he.net/AS34011:

Screenshot: ASN from Hurricane Electric

Answer : Host Europe GmbH

What is the domain name associated with the first IP address observed?

Screenshot: Domain name

Answer : craftingalegacy.com

TASK 4 : Domain Names (Simple)

Go to this report https://app.any.run/tasks/a66178de-7596-4a05-945d-704dbf6b3b90 on app.any.run and provide the first malicious URL request you are seeing, you will be using this report to answer the remaining questions of this task.

The first malicious URL is the first DNS request:

Screenshot: Malicious URL

Answer : craftingalegacy.com

What term refers to an address used to access websites?

The human-readable translation of an IP address: Domain Name

Answer : Domain Name

What type of attack uses Unicode characters in the domain name to imitate a known domain?

Screenshot: Attack type

Answer : Punycode attack

Provide the redirected website for the shortened URL using a preview: https://tinyurl.com/bw7t8p4u

Let’s check which website this URL redirects to:

ME@PC:~$ curl https://tinyurl.com/bw7t8p4u
<!DOCTYPE html>
<html>
    <head>
        <meta charset="UTF-8" />
        <meta http-equiv="refresh" content="0;url='https://tryhackme.com/'" />

        <title>Redirecting to https://tryhackme.com/</title>
    </head>
    <body>
        Redirecting to <a href="https://tryhackme.com/">https://tryhackme.com/</a>.
    </body>
</html>ME@PC:~$

Answer : https://tryhackme.com/

TASK 5 : Host Artifacts (Annoying)

What is the suspicious IP the victim machine tried to connect to in the screenshot above?

Screenshot: Suspicious IP

Answer : 35.214.215.33

Use the tools introduced in task 2 and provide the name of the malware associated with the IP address

Searching for the hash in the online tool VirusTotal:

Screenshot: Hash

Screenshot: Malware name

Answer : emotet

Using your OSINT skills, what is the name of the malicious document associated with the dropped binary?

Checking the information given and the name of the binary, I searched the MD5 on VirusTotal:

Screenshot: Malicious document

Answer : G_jugk.Exe

Use your OSINT skills and provide the name of the malicious document associated with the dropped binary

Checking for that binary on Google (hint), I found an any.run report https://any.run/report/e2d2ebafc33d7c7819f414031215c3669bccdfb255af3cbe0177b2c601b0e0cd/90b76d7b-8df6-43c5-90ec-d4bbcfb4fa19:

Screenshot: Googling malicious document

This gives me the name of the file associated with the binary:

Screenshot: Malicious document filename

Answer : CMO-100120 CDW-102220.doc

TASK 6 : Network Artifacts (Annoying)

What browser uses the User-Agent string shown in the screenshot above?

Screenshot: Browser

Answer : internet explorer

How many POST requests are in the screenshot from the pcap file?

Screenshot: POST

Answer : 6

TASK 7 : Tools (Challenging)

Provide the method used to determine similarity between the files

“Fuzzy hashing is also a strong weapon against the attacker’s tools. Fuzzy hashing helps you to perform similarity analysis - match two files with minor differences based on the fuzzy hash values. One of the examples of fuzzy hashing is the usage of SSDeep https://ssdeep-project.github.io/ssdeep/index.html; on the SSDeep official website, you can also find the complete explanation for fuzzy hashing.”

Answer : Fuzzy hashing

Provide the alternative name for fuzzy hashes without the abbreviation

Per SSDeep https://ssdeep-project.github.io/ssdeep/index.html:

Screenshot: SSDeep

Answer : context triggered piecewise hashes
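To make the two answers above concrete, here is an added example (written for this writeup, not code from the room or from the ssdeep project): a simplified teaching implementation of context triggered piecewise hashing. It is not ssdeep and its output is not compatible with ssdeep hashes; the rolling hash, piece hash and the sample "config" files are all constructed for illustration. It shows why an exact hash sits at the bottom of the pyramid (one changed byte gives a completely new SHA-256) while a fuzzy hash still matches the edited file.

```python
import hashlib

# Teaching implementation of context-triggered piecewise hashing (CTPH), the
# idea behind ssdeep. Not ssdeep itself: its output is not compatible with it.
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
WINDOW, BLOCK = 7, 8   # context window; a piece ends when rolling % BLOCK == BLOCK - 1
FNV_OFFSET, FNV_PRIME = 0x811C9DC5, 0x01000193

def _rolling(window: bytes) -> int:
    """Hash only the last WINDOW bytes: this 'context' decides where a piece
    ends, so piece boundaries resynchronise shortly after any local edit."""
    h = 0
    for b in window:
        h = (h * 31 + b) & 0xFFFFFFFF
    return h

def ctph(data: bytes) -> str:
    """'BLOCK:signature': each piece between two trigger points becomes one
    base64 character of its FNV-1 hash, so an edit only touches nearby chars."""
    sig, piece = [], FNV_OFFSET
    for i, byte in enumerate(data):
        piece = ((piece * FNV_PRIME) ^ byte) & 0xFFFFFFFF
        if _rolling(data[max(0, i - WINDOW + 1):i + 1]) % BLOCK == BLOCK - 1:
            sig.append(B64[piece & 63])
            piece = FNV_OFFSET
    if piece != FNV_OFFSET:          # flush the trailing partial piece
        sig.append(B64[piece & 63])
    return f"{BLOCK}:{''.join(sig)}"

def _levenshtein(a: str, b: str) -> int:
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity(h1: str, h2: str) -> int:
    """0-100 score in ssdeep's spirit: edit distance between the signatures,
    scaled by the longer signature."""
    s1, s2 = h1.split(":", 1)[1], h2.split(":", 1)[1]
    return int(100 * (1 - _levenshtein(s1, s2) / (max(len(s1), len(s2)) or 1)))

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed samples: a fake loader config, the same file with two values
# edited (the trivial change that defeats an exact hash), and an unrelated blob.
ORIGINAL = (b"[loader]\nserver=update.example.invalid\nport=8443\nretry=5\n"
            b"payload=stage2.bin\nsleep=300\nuser=svc_backup\nlog=off\n") * 4
VARIANT = ORIGINAL.replace(b"port=8443", b"port=8444", 1).replace(b"sleep=300", b"sleep=301", 1)
UNRELATED = bytes(range(256)) * 2
```

Comparing `similarity(ctph(ORIGINAL), ctph(VARIANT))` with `sha256(ORIGINAL) == sha256(VARIANT)` shows the difference in "pain": the exact hash changes completely while the fuzzy score stays high, and an unrelated file scores low.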

TASK 8 : TTPs (Tough)

Per the MITRE | ATT&CK https://attack.mitre.org/ main page:

Screenshot: MITRE

Answer : 9

Chimera is a China-based hacking group that has been active since 2018. What is the name of the commercial, remote access tool they use for C2 beacons and data exfiltration?

I looked up Chimera in the search bar, then searched for exfiltration on the Chimera page result:

Screenshot: C2

Answer : Cobalt Strike

TASK 9 : Practical: The Pyramid of Pain

Complete the static site.

Flag not popping with the right answer; looked at the forum: “Seems that Task 9 is having some issues”

No Answer.

TASK 10 : Conclusion

Read the above.

No Answer.

This post is licensed under CC BY 4.0 by the author.