Wednesday, February 18, 2026

TryHackMe — Intermediate Nmap writeup

Can you combine your great nmap skills with other tools to log in to this machine?

Intermediate Nmap

Step 1

nmap -sV VM_IP

The scan showed 3 open ports.

Step 2

As the last one was not a standard port, I opened IP:port in the web browser, and there were the username and password in plaintext.

Step 3

I tried to connect via SSH with the username and password found in the previous step, and I was logged in. I also checked the current directory and user.

Step 4

My first guess was that the flag would be in a file named flag, so I went to search for that file (the pattern is quoted so the shell does not expand it before find sees it):

find / -name 'flag*' 2>/dev/null

The search returned the following list, and the last entry on the list was the correct one.


Thursday, February 5, 2026

TryHackMe - Shadow Trace Writeup

Shadow Trace is a premium room on TryHackMe.com, part of the SOC Level 1 path.

We need to analyse a suspicious file, uncover hidden clues, and trace the source of the infection.


Task 2 - File analysis


Q1 What is the architecture of the binary file windows-update.exe?

I opened the file in pestudio and looked under indicators > file-type:

64-bit


Q2 What is the hash (sha-256) of the file windows-update.exe?

Under footprints > file > sha256:


b2a88de3e3bcfae4a4b38fa36e884c586b5cb2c2c283e71fba59efdb9ea64bfc


Q3 Identify the URL within the file to use it as an IOC


From pestudio, under indicators > strings > url-pattern:

hxxp[://]tryhatme[.]com/update/security-update[.]exe


Q4 With the URL identified, can you spot a domain that can be used as an IOC?

strings .\Desktop\windows-update.exe | findstr "tryhatme"

responses[.]tryhatme[.]com


Q5 Input the decoded flag from the suspicious domain

strings .\Desktop\windows-update.exe | findstr "tryhatme"

The flag is hiding at the end of the first "link" and needs to be decoded. I used CyberChef with base64 decoding, and voilà, the flag was there:

THM{you_g0t_some_IOCs_friend}

Q6 What library related to socket communication is loaded by the binary?

In pestudio I went through the libraries and, with knowledge from previous rooms, found the one responsible:

WS2_32.dll


Task 3 - Alerts Analysis


Q1 Can you identify the malicious URL from the trigger by the process powershell.exe?

The URL in the trigger is base64-encoded; I used the decoder in CyberChef:

https[:]//tryhatme[.]com/dev/main[.]exe


Q2 Can you identify the malicious URL from the alert triggered by chrome.exe?

The URL in the trigger is encoded as decimal character codes with colon separators; I used the decoder in CyberChef:

hxxps[://]reallysecureupdate[.]tryhatme[.]com/update[.]exe
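The two encodings met in this task (base64 in the powershell.exe trigger, colon-separated decimal in the chrome.exe trigger) can also be decoded and defanged with a few lines of Python instead of CyberChef. This is an added example, not code from the original writeup; the encoded sample values are constructed here by re-encoding the URLs from the answers above, not copied from the room's alert text, and the helper names are my own.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed samples: the two URLs from the answers above, re-encoded the way
# the alerts encoded them (not the room's actual alert text).
SAMPLE_B64 = "aHR0cHM6Ly90cnloYXRtZS5jb20vZGV2L21haW4uZXhl"
SAMPLE_DECIMAL = (
    "104:116:116:112:115:58:47:47:114:101:97:108:108:121:115:101:99:117:114:101:"
    "117:112:100:97:116:101:46:116:114:121:104:97:116:109:101:46:99:111:109:47:"
    "117:112:100:97:116:101:46:101:120:101"
)


def decode_base64_url(blob: str) -> str:
    """Decode a base64 string; tolerate stripped padding and UTF-16LE payloads
    (PowerShell -EncodedCommand uses UTF-16LE, so a NUL follows each ASCII byte)."""
    raw = base64.b64decode(blob + "=" * (-len(blob) % 4))
    if len(raw) > 1 and raw[1] == 0:
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def decode_decimal_url(value: str) -> str:
    """Decode 'nn:nn:nn' decimal character codes into text."""
    return "".join(chr(int(code)) for code in value.split(":"))


def decode_alert_value(value: str) -> str:
    """Pick the decoder from the shape of the value: only digits and colons
    means decimal codes, anything else is treated as base64."""
    value = value.strip()
    if re.fullmatch(r"\d+(?::\d+)*", value):
        return decode_decimal_url(value)
    return decode_base64_url(value)


def defang(url: str) -> str:
    """Render a URL in the hxxp[://]host[.]tld form used when sharing IOCs."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        return url.replace(".", "[.]")
    return scheme.replace("http", "hxxp") + "[://]" + rest.replace(".", "[.]")


def defanged_host(url: str) -> str:
    """Extract the host name as a standalone domain IOC, defanged."""
    return defang(urlparse(url).hostname or "")
```

Calling decode_alert_value on either sample and passing the result to defang and defanged_host yields the defanged URL and the domain IOC in the same form as the answers in this task.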


Q3 What's the name of the file saved in the alert triggered by chrome.exe?

The file name is written in the trigger; read the alert carefully and you will see it:

test.txt
