TryHackMe: Threat Hunting With YARA, detailed Write-up
Common Information
Type Value
UUID 024dc4b6-d9c6-44cb-bb74-5c4c9a455520
Fingerprint 362e1a1d2f1fdf9d
Analysis status DONE
Considered CTI value -2
Text language
Published Nov. 26, 2024, 12:58 a.m.
Added to db Nov. 26, 2024, 2:19 a.m.
Last updated Dec. 23, 2024, 8:16 a.m.
Headline TryHackMe: Threat Hunting With YARA, detailed Write-up
Title TryHackMe: Threat Hunting With YARA, detailed Write-up
Detected Hints/Tags/Attributes 72/3/32
RSS Feed
Details Id Enabled Feed title Url Added to db
Details 167 Cybersecurity on Medium https://medium.com/feed/tag/cybersecurity 2024-08-30 22:08
Attributes
Details Type #Events CTI Value
Details Domain 2
waterforvoiceless.org
Details Domain 2
invite.zip
Details Domain 2
siestakeying.com
Details Domain 103
abuse.ch
Details File 2
invite.pdf
Details File 5
invite.php
Details File 3
util.php
Details File 2
invite.txt
Details File 2
invite.zip
Details File 4
sqldumper.exe
Details File 77
vcruntime140.dll
Details File 25
auth.php
Details File 111
test.txt
Details File 1
file10.txt
Details File 1
file13.txt
Details md5 2
fb6323c19d3399ba94ecd391f7e35a9c
Details md5 2
7a465344a58a6c67d5a733a815ef4cb7
Details md5 2
efafcd00b9157b4146506bd381326f39
Details md5 2
44ce4b785d1795b71cee9f77db6ffe1b
Details md5 2
f32c04ad97fa25752f9488781853f0ea
Details md5 2
5928907c41368d6e87dc3e4e4be30e42
Details md5 2
e017bfc36e387e8c3e7a338782805dde
Details md5 2
8bd528d2b828c9289d9063eba2dc6aa0
Details MITRE ATT&CK Techniques 135
T1134
Details Threat Actor Identifier - APT 807
APT29
Details Url 2
https://waterforvoiceless.org/invite.php
Details Url 2
https://waterforvoiceless.org/util.php
Details Url 2
https://siestakeying.com/auth.php
Details Yara rule 1
rule myfirstrule {
	meta:
		Description = "Searches for the string THM{}"
		Author = "Rosana"
	strings:
		$s = "THM{"
	condition:
		$s
}
Details Yara rule 1
rule mysecondrule {
	meta:
		Description = "Searches for the filename found in exercise 2. (Format: filename.extension)"
		Author = "Rosana"
	strings:
		// 'wide' matches the UTF-16LE (two bytes per character) encoding of the string
		$provided_string1 = "Yet another" wide
		$provided_string2 = "Ridiculous acronym" wide
	condition:
		all of them
}
Details Yara rule 1
rule mythirdrule {
	meta:
		Description = "Searches for the filename in exercise 3. (Format: filename.extension)"
		Author = "Rosana"
	strings:
		$provided_string1 = "THM{This was a really fun exercise}" base64
	condition:
		$provided_string1
}
Details Yara rule 1
rule myfourthrule {
	meta:
		Description = "Searches for the filename in exercise 4."
		Author = "Rosana"
	strings:
		$provided_string1 = "THM{FoundSomethingHidden}" xor
	condition:
		$provided_string1
}