CIRCL (Computer Incident Response Center Luxembourg) published an event associated with a PupyRAT infection. Your organisation is on alert for remote access trojans and malware in the wild, and you have been tasked to investigate this event and correlate the details with your SIEM. Use what you have learned from the room to identify the event and complete this task.
Answer the questions below
What event ID has been assigned to the PupyRAT event?
How to: Start at the home page of MISP. On the right side of the screen is a filter box; type PupyRAT into it and click the Filter button. Give it a moment and the event list narrows to the PupyRAT event; its Event ID is the first column of that row. Copy and paste it into the answer box on THM.
Answer: 1146
The event is associated with the adversary gaining ______ into organisations.
How to: Look at the tags for this event, the answer can be found in the purple tag labeled ms-caro-malware:malware-type.
Answer: Remote Access
Hint: What does RAT stand for?
What IP address has been mapped as the PupyRAT C2 Server
How to: Press Ctrl + F to bring up the browser's find feature and type command into the find bar. This jumps to the only place on the page where the word is mentioned, in the comment of one of the event's attributes. The IP address to the left of that comment is the C2 server.
Answer: 89.107.62.39
From the Intrusion Set Galaxy, what attack group is known to use this form of attack?
How to: Scroll back up towards the top until you see the Galaxies section (the text in this area is blue), then look for the Intrusion Set label. The single entry under it is the answer to this question.
Answer: Magic Hound
There is a taxonomy tag set with a Certainty level of 50. Which one is it?
How to: Go back up to the tags section and look for a tag with a lighter blue background, white text and the number 50. The first part of that tag (its namespace, before the colon) is the answer to this question.
Answer: OSINT
Hint: Check Tags
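Clicking through the MISP UI answers the room's questions, but the task statement also asks you to correlate the event with your SIEM, which you would not do by hand. The following is an added example (not code from the room, from CIRCL or from the MISP project) that pulls the same five answers out of a MISP event export in its JSON shape (Event containing Tag, Attribute and Galaxy lists) and then matches the event's detection indicators against a few firewall log lines. The event JSON and the log lines are constructed for the example: only the event id, the two taxonomy tags, the C2 address and the intrusion-set cluster come from the walkthrough above; the info string, the second attribute (an RFC 5737 documentation address), the timestamps and the log format are made up.

```python
"""Added example: read a MISP event export and correlate its C2 indicators
with log lines. Not part of the TryHackMe room or the MISP project."""
import json
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample in MISP's event export shape (Event -> Tag / Attribute /
# Galaxy). Values taken from the walkthrough: id 1146, the malware-type and
# certainty tags, 89.107.62.39 and the Magic Hound cluster. Everything else
# (info string, second attribute, 198.51.100.7) is invented for the example.
SAMPLE_EVENT_JSON = json.dumps({
    "Event": {
        "id": "1146",
        "info": "PupyRAT (constructed sample event)",
        "Tag": [
            {"name": 'ms-caro-malware:malware-type="RemoteAccessTrojan"'},
            {"name": 'osint:certainty="50"'},
            {"name": "tlp:white"},
        ],
        "Attribute": [
            {"type": "ip-dst", "value": "89.107.62.39", "to_ids": True,
             "comment": "PupyRAT command and control server"},
            {"type": "ip-dst", "value": "198.51.100.7", "to_ids": False,
             "comment": "constructed: historical host, not for detection"},
        ],
        "Galaxy": [
            {"type": "mitre-intrusion-set", "name": "Intrusion Set",
             "GalaxyCluster": [{"value": "Magic Hound - G0059"}]},
        ],
    }
})

# MISP "triple tags" look like namespace:predicate="value".
TAG_RE = re.compile(r'^(?P<predicate>[^=]+?)="?(?P<value>[^"]*)"?$')
NETWORK_TYPES = {"ip-dst", "ip-src", "ip-dst|port", "ip-src|port",
                 "domain", "hostname"}


def load_event(raw: str) -> Dict:
    """Parse a MISP event export and return the inner Event object."""
    return json.loads(raw)["Event"]


def event_id(event: Dict) -> str:
    return event["id"]


def tag_value(event: Dict, predicate: str) -> Optional[str]:
    """Value of the tag whose namespace:predicate matches, e.g.
    tag_value(ev, "osint:certainty") -> "50"; None if absent."""
    for tag in event.get("Tag", []):
        m = TAG_RE.match(tag["name"])
        if m and m.group("predicate") == predicate:
            return m.group("value")
    return None


def c2_addresses(event: Dict) -> List[str]:
    """Network attributes MISP marks for detection (to_ids). Keying on
    to_ids rather than on the word 'command' in a comment is what keeps
    informational or sinkholed entries out of the SIEM feed."""
    return [a["value"] for a in event.get("Attribute", [])
            if a["type"] in NETWORK_TYPES and a.get("to_ids")]


def intrusion_sets(event: Dict) -> List[str]:
    """Cluster names from the Intrusion Set galaxy attached to the event."""
    return [c["value"] for g in event.get("Galaxy", [])
            if g["type"] == "mitre-intrusion-set"
            for c in g.get("GalaxyCluster", [])]


def match_logs(event: Dict, lines: List[str]) -> List[Tuple[int, str]]:
    """(line index, indicator) for every line containing a detection
    indicator. The lookarounds stop 89.107.62.39 from matching inside
    189.107.62.39 or 89.107.62.390."""
    hits = []
    for ioc in c2_addresses(event):
        pattern = re.compile(r"(?<![\w.])" + re.escape(ioc) + r"(?![\w.])")
        hits.extend((i, ioc) for i, line in enumerate(lines)
                    if pattern.search(line))
    return sorted(hits)


# Constructed firewall log lines; line 2 is a near-miss on the C2 address.
SAMPLE_LOGS = [
    "2024-03-01T10:02:11Z fw01 ALLOW tcp 10.0.0.15:51532 -> 89.107.62.39:443",
    "2024-03-01T10:02:12Z fw01 ALLOW tcp 10.0.0.15:51533 -> 198.51.100.7:443",
    "2024-03-01T10:03:40Z fw01 ALLOW tcp 10.0.0.22:49871 -> 189.107.62.39:443",
    "2024-03-01T10:03:41Z fw01 DENY  tcp 10.0.0.22:49872 -> 89.107.62.39:8443",
]

EVENT = load_event(SAMPLE_EVENT_JSON)

if __name__ == "__main__":
    print("event id:", event_id(EVENT))
    print("malware type:", tag_value(EVENT, "ms-caro-malware:malware-type"))
    print("certainty:", tag_value(EVENT, "osint:certainty"))
    print("C2:", c2_addresses(EVENT))
    print("intrusion sets:", intrusion_sets(EVENT))
    for idx, ioc in match_logs(EVENT, SAMPLE_LOGS):
        print(f"hit on line {idx} ({ioc}): {SAMPLE_LOGS[idx]}")
```

Against a live instance you would obtain the same JSON from MISP's REST API (the events/view endpoint, authenticated with an API key and an Accept: application/json header) instead of the embedded sample; the parsing and matching code does not change. Note that only the first attribute is returned by c2_addresses: the second has to_ids set to false, which is MISP's own signal that an attribute is context rather than a detection indicator, and a feed that ignores that flag will page analysts on dead infrastructure.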