TryHackMe: Advent of Cyber 2023 (Day 18) A Gift That Keeps on Giving

Samantha
3 min read · Dec 26, 2023


“McGreedy is very greedy and doesn’t let go of any chance to earn some extra elf bucks. During the investigation of an insider threat, the Blue Team found a production server that was using unexpectedly high resources. It might be a cryptominer. They narrowed it down to a single unapproved suspicious process. It has to be eliminated to ensure that company resources are not misused. For this, they must find all the nooks and crannies where the process might have embedded itself and remove it.”

Q1: What is the name of the service that respawns the process after killing it?

The top command in Linux is just like Task Manager in Windows. You can use it to see all active processes and their CPU usage.

I notice there is a process called “a” that seems to be using a high amount of resources.

I used the kill command to stop the process, and also sudo because I noticed it was running as root.

However, I noticed that the process came right back after I killed it.

I checked the cron jobs as the root user, and there was nothing there. So next I checked all the running services.

There’s a lot to look through, but I did find this mysterious service here.

This seems to be the process I was looking for.

Q2: What is the path from where the process and service were running?

The last screenshot already included all of this information.

Here it is in the file system:
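The triage above (spot the hungry process in top, kill it, watch it come back, then trace it to the service and the path it runs from) can be scripted. The following is an added example, not part of the original write-up or the TryHackMe room: the function names, the sample ps output and the sample cgroup lines are constructed for this illustration. The two parsing helpers work on text, so they run anywhere; `proc_triage` reads the live /proc entries for one PID and needs root for a root-owned process.

```shell
#!/bin/sh
# Added example (not from the original write-up): helpers for tracing a
# resource-hungry Linux process back to the service and path it runs from.
# Function names and sample data below are assumptions for this illustration.

# Print "PID USER %CPU COMMAND" for every process above THRESHOLD %CPU.
# Reads `ps -eo pid,user,pcpu,comm` style output (header line included) on stdin.
high_cpu_procs() {
    threshold="${1:-50}"
    awk -v t="$threshold" 'NR > 1 && $3 + 0 > t { print $1, $2, $3, $4 }'
}

# Map a /proc/<pid>/cgroup file (read on stdin) to the systemd unit that owns
# the process. cgroup v2 lines look like "0::/system.slice/a.service";
# cgroup v1 systemd lines like "1:name=systemd:/system.slice/a.service".
# A process that respawns after kill and lives under a *.service is being
# restarted by systemd, which is exactly the "respawning service" question.
unit_from_cgroup() {
    awk -F/ '$NF ~ /\.(service|scope)$/ { print $NF; exit }'
}

# Live triage for one PID: executable path, working directory, owning unit.
# /proc/<pid>/exe and cwd of a root process are only readable as root, and
# exe shows " (deleted)" when the binary has already been removed from disk.
proc_triage() {
    pid="$1"
    [ -d "/proc/$pid" ] || { echo "no such pid: $pid" >&2; return 1; }
    printf 'exe:  %s\n' "$(readlink "/proc/$pid/exe" 2>/dev/null)"
    printf 'cwd:  %s\n' "$(readlink "/proc/$pid/cwd" 2>/dev/null)"
    printf 'unit: %s\n' "$(unit_from_cgroup < "/proc/$pid/cgroup")"
}

# Constructed sample of `ps -eo pid,user,pcpu,comm` output (not real data).
SAMPLE_PS='  PID USER     %CPU COMMAND
    1 root      0.0 systemd
  842 root     97.3 a
  901 ubuntu    1.2 sshd'

# Constructed sample cgroup content for the suspicious PID (not real data).
SAMPLE_CGROUP='0::/system.slice/a.service'

# Demo: list hot processes, then show which unit the sample cgroup points at.
printf '%s\n' "$SAMPLE_PS" | high_cpu_procs 50
printf '%s\n' "$SAMPLE_CGROUP" | unit_from_cgroup
```

On a real box the flow is `ps -eo pid,user,pcpu,comm | high_cpu_procs 80` to get the PID, then `sudo sh -c '. ./triage.sh; proc_triage 842'` to read the path and unit; `systemctl cat <unit>` then shows the unit file and its `ExecStart=` line, which is the same answer the write-up reads off the services screenshot.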

Q3: The malware prints a taunting message. When is the message shown? Choose from the options below.

1. Randomly

2. After a set interval

3. On process termination

4. None of the above

Seems like it prints “Merry Christmas” when the executable starts up. So I picked “None of the above”.

I already answered all of the questions, but the next step is to stop the process.

Seems like that did the trick. I also ran the top command again to double-check.

Next, I disabled it from restarting again.

But it is still actually on the system, so I need to remove all the files.

After that, reboot so every service restarts clean, and the malware should be gone for good!
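The cleanup steps above (stop, disable, remove the files, restart) map onto a short script. This is an added example, not the room's or the author's own commands: `find_persistence_refs` sweeps the usual systemd and cron locations for any file that still references the binary (the "nooks and crannies" the challenge text mentions), and `remove_service` performs the stop/disable/delete sequence with a check between each step. The function names, the sample tree and the path `/opt/example/a` are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up): find every place a binary
# is referenced in the common Linux persistence locations, then remove its
# service in a checked order. Names and sample data are assumptions.

# Print every file under ROOT (use / for the live system) in systemd unit
# and cron locations that mentions the path BIN, one file per line, sorted.
find_persistence_refs() {
    root="${1%/}"; bin="$2"
    {
        for d in /etc/systemd/system /usr/lib/systemd/system /lib/systemd/system \
                 /etc/cron.d /etc/cron.hourly /etc/cron.daily /var/spool/cron; do
            [ -d "$root$d" ] || continue
            # -F: fixed string match; `|| :` keeps set -e happy when nothing matches
            grep -rlF -- "$bin" "$root$d" 2>/dev/null || :
        done
        for f in /etc/crontab /etc/rc.local; do
            [ -f "$root$f" ] && grep -qF -- "$bin" "$root$f" && echo "$root$f"
        done
    } | sort -u
    return 0
}

# Stop the unit, confirm the process is really gone, disable it, delete the
# unit file and the binary, then make systemd forget it. Needs root.
remove_service() {
    unit="$1"; bin="$2"
    systemctl stop "$unit"
    if pgrep -f -- "$bin" >/dev/null; then
        echo "process still running after stop; check for a second unit or cron entry" >&2
        return 1
    fi
    systemctl disable "$unit"
    unit_file=$(systemctl show -p FragmentPath --value "$unit")
    [ -n "$unit_file" ] && rm -f -- "$unit_file"
    rm -f -- "$bin"
    systemctl daemon-reload
    systemctl reset-failed "$unit" 2>/dev/null || :
    echo "removed $unit ($unit_file) and $bin"
}

# Build a constructed sample tree (not a real system) and print its path.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/etc/systemd/system" "$t/etc/cron.d"
    printf '[Service]\nExecStart=/opt/example/a\nRestart=always\n' > "$t/etc/systemd/system/a.service"
    printf '* * * * * root /opt/example/a\n' > "$t/etc/cron.d/a"
    printf 'SHELL=/bin/sh\n' > "$t/etc/crontab"
    echo "$t"
}

# Demo against the sample tree: both the unit file and the cron entry show up.
SAMPLE_ROOT=$(build_sample_tree)
find_persistence_refs "$SAMPLE_ROOT" /opt/example/a
rm -rf "$SAMPLE_ROOT"
```

Run `find_persistence_refs / /path/to/binary` before and after `remove_service`; an empty result after removal, plus a clean `top` once the box is back up, is the confirmation the write-up gets by re-running top.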
