advent-of-cyber-2025

Room Link:
https://tryhackme.com/room/htapowershell-aoc2025-p2l5k8j1h4

▶️ Haxxy – Day 21 Video Walkthrough

Official walkthrough for quick onboarding:

🔗 YouTube Link:
https://youtu.be/om6mca726Cg?si=l21ahyNl4VDiC6J2

🎄 Advent of Cyber 2025 — Day 21 Write-Up

🧩 Malware Analysis — Malhare.exe

✅ Challenge Answers

1️⃣ What is the title of the HTA application?

hta title

Best Festival Company Developer Survey

2️⃣ What VBScript function is acting as if it is downloading the survey questions?

vbscript function

getQuestions

3️⃣ What URL domain (including subdomain) are the questions being downloaded from?

download domain

survey.bestfestiivalcompany.com

4️⃣ Malhare is using typosquatting. What character in the domain gives this away?

i

5️⃣ How many questions does the fake survey contain?

survey questions

4

6️⃣ The survey promises a chance to win a trip to where?

fake incentive

South Pole

7️⃣ What two pieces of system information are being exfiltrated?

exfiltrated data

ComputerName,UserName

8️⃣ What endpoint is the data being exfiltrated to?

exfil endpoint

/details

9️⃣ What HTTP method is used to exfiltrate the data?

http method

GET

🔟 What line of code executes the downloaded content?

execution line

runObject.Run "powershell.exe -nop -w hidden -c " & feedbackString, 0, False

1️⃣1️⃣ What encoding scheme was used to obfuscate the downloaded payload?

encoded payload

base64

1️⃣2️⃣ What encryption scheme was used after decoding?

rot13 usage

rot13

1️⃣3️⃣ What is the final flag?

final flag

THM{Malware.Analysed}