This is a write-up of the Phishy challenge by Cyberdefenders. The challenge can be found here.

Scenario

A company’s employee joined a fake iPhone giveaway. Our team took a disk image of the employee’s system for further analysis. As a security analyst, you are tasked to identify how the system was compromised.

Tools used for this challenge

- FTK imager
- AccessData Registry Viewer
- WhatsApp viewer
- VirusTotal
- Cyberchef
- Oletools
- SQlite
- Passwordfox

Write-up

Question 1 - What is the hostname of the victim machine?

We started by mounting GiveAway.ad1 with FTK imager. After successfully mounting the image, the SYSTEM registry hive was exported out of the image. The hostname is stored in the SYSTEM hive, more specific located in the following location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

image

As shown in the image the hostname of the machine is: WIN-NF3JQEU4G0T

Question 2 - What is the messaging app installed on the victim machine?

WhatsApp.exe was identified while clicking through the filesystem. This file was located in the Downloads directory of the user Semah.

The answer is: WhatsApp

Question 3 - The attacker tricked the victim into downloading a malicious document. Provide the full download URL.

During question 2 WhatsApp.exe was identified. So, I guess this question has something to do with WhatsApp. The database containing the WhatsApp messages was exported out of FTK imager.

The database can be found in the following location: Users\Semah\AppData\Roaming\WhatsApp\Databases\msgstore.db

The database was loaded into WhatsApp viewer. As shown in the picture below, the user received a message about 5 iPhone winners. The user was tricked into downloading http[:]//appIe.com/IPhone-Winners.doc, which is highly likely a malicious document.

image

Question 4 - Multiple streams contain macros in the document. Provide the number of the highest stream.

The document iPhone-Winners.doc can be found in the download folder of Semah. To identify the largest macro stream oledump was used.

Answer: 10

Question 5 - The macro executed a program. Provide the program name?

Oletools was used to find malicious macros in this document. As shown in the picture below, the file contains a suspicious macro(s).

image

Since we know the file contains a malicious macro, we now want to extract and analyze this code with Olevba. Unfortunately, as shown in the picture below the code is obfuscated.

image

Fortunately, you can provide the parameter –deobf to deobfuscate this code. The output shows that PowerShell was likely executed as result of the macro.

image

Answer: PowerShell

Question 6 - The macro downloaded a malicious file. Provide the full download URL.

During question 5 we deobfuscated the VBA macro. In the output a VBA string likely Base64 encoded was found.

image

A tool I often use named CyberChef was used to decode this string.

image

The decoded string is a PowerShell command.Invoke-webrequest was performed to download http[:]//appIe.com/Iphone.exe and save the file to C:\Temp\Iphone.exe.

Answer: http[:]//appIe.com/Iphone.exe

Question 7 - Where was the malicious file downloaded to? (Provide the full path)

As described in question 6, the file was saved to C:\Temp\Iphone.exe.

Question 8 - What is the name of the framework used to create the malware?

The MD5 hash for Iphone.exe was calculated: 7C827274C062374E992EB8F33D0C188C

A search was performed on Google for this hash value. The only result was a Hybrid Analysis report. However, this didn’t tell us what framework was used to create the malware.

Next, the hash value was submitted to VirusTotal showing the below results.

image

Some antiviruses do recognize the malware as Meterpreter, which is a Metasploit framework for payloads and shells. In addition, there is a comment placed by THOR, which is a great tool I often use during my work. A YARA signature detected the sample as a Metasploit payload.

image

I decided to try Metasploit as an answer, and it was the correct one!

Question 9 - What is the attacker’s IP address?

VirusTotal is a great tool and shows the contacted IP-addresses by the uploaded sample. As shown in the picture two IP-addresses were identified.

image

With 192.168.0.30 being a local IP-addresses, the right answer must be 155.94.69.27.

Question 10 - The fake giveaway used a login page to collect user information. Provide the full URL of the login page?

Based on the browser software installed on the system, I assumed it had something to do with Firefox. The relevant file most likely containing the answer to the question is places.sqlite.

This file can be found in the following location: Users\Semah\AppData\Roaming\Mozilla\Firefox\profiles\pyb51x2n.default-release\places.sqlite</em>

Places.sqlite was loaded into SQlite. In the output the familiar appIe.com domain was found. When taking a closer look, a fake giveaway URL was identified: http[:]//appIe.competitions.com/login.php

Question 11 - What is the password the user submitted to the login page?

During question 10 the login.php page was identified. Let’s see if we can find some saved credentials. The Mozilla profile for Semah was exported with FTK imager and loaded into passwordfox. The tool found only one entry, but it was the right one!

image

The answer: GacsriicUZMY4xiAF4yl

<
Previous Post
Cyberdefenders - CyberCorp Case 1
>
Next Post
Cyberdefenders - DetectLog4j