Lab Walkthrough: https://cyberdefenders.org/labs/60
About cyberdefenders.org
CyberDefenders is a training platform focused on the defensive side of cybersecurity, aiming to provide a place for blue teams to practice, validate the skills they have, and acquire the ones they need.
EXECUTIVE SUMMARY
This VAPT was performed during my winter vacation. The detailed report and our findings are described below.
OBJECTIVE
The objective of this test was to Answer all the question on the given link.
Disclaimer
All information, techniques and tools described in this write-up are for educational purposes only. Use anything in this write-up at your own discretion, I cannot be held responsible for any damages caused to any systems or yourselves legally. Usage of all tools and techniques described in this write-up for attacking individuals or organizations without their prior consent is highly illegal. It is your responsibility to obey all applicable local, state and federal laws. I assume and accept no liability and will not be responsible for any misuse or damage caused by using information herein.
Few points
1)The question was given on the following website
2) FTK imager : FTK® Imager can create perfect copies, or forensic images of computer data without making changes to the original evidence. The forensic image is identical in every way to the original, including file slack and unallocated space or drive free space
3) PasswordFox : PasswordFox is a small password recovery tool that allows you to view the user names and passwords stored by Mozilla Firefox Web browser. By default, PasswordFox displays the passwords stored in your current profile, but you can easily select to watch the passwords of any other Firefox profile
4) AutoSpy : Autopsy® is the premier end-to-end open source digital forensics platform. Built by Basis Technology with the core features you expect in commercial forensic tools, Autopsy is a fast, thorough, and efficient hard drive investigation solution that evolves with your needs.
5) VirusTotal : VirusTotal can be useful in detecting malicious content and also in identifying false positives — normal and harmless items detected as malicious by one or more scanners. VirusTotal is free to end users for non-commercial use in accordance with our Terms of Service
6) CyberChef : CyberChef can be used to: Encode, Decode, Format data, Parse data, Encrypt, Decrypt, Compress data, Extract data, perform arithmetic functions against data, defang data, and many other functions.
7) WhatsApp Viewer : WhatsApp Viewer can be used to view WhatsApp chats on your PC. It has the ability to display chats from the Android msgstore. db file. This viewers supports crypt5, crypt7, crypt8, and crypt12 versions of database.
Lets Get Started
General Info About Malware
Malware Behavior Graph & Activities
Malware Specs Description
Summary Scan Report of https://cyberdefenders.org/labs/60
#1 What is the hostname of the victim machine?
WIN-NF3JQEU4G0T
First I had extracted the whole image in my local pc then I visited C:\Users\suhel\Desktop\Advance lab report\Forensic\Windows\System32\winevt\Logs in this path where I have found the host name in the Application.
#2 What is the messaging app installed on the victim machine?
I had found this in FTK imager only just I have to follow this path /Users/Semah/AppData/Local/WhatsApp
#3 The attacker tricked the victim into downloading a malicious document. Provide the full download URL.
First we had extracted a specific file msgstore.db from /Users/Semah/AppData/Roaming/WhatsApp/Databases/msgstore.db Then we had used whatsapp viewer tool to open the file and found the answer
#4 Multiple streams contain macros in the document. Provide the number of the highest stream.
10
For this we had first extracted the doc file from Users/Semah/Download/IPhone-Winners.doc and I fired up my remnux.
REMnux is a Linux toolkit for reverse-engineering and analyzing malicious software. REMnux provides a curated collection of free tools created by the community. Analysts can use it to investigate malware without having to find, install, and configure the tools. and used the syntax oledump.py IPhone-Winners.doc. oledump.py can analyze a file inside a (password protected) zip file. This allows you to store your malware samples in password protected zip files (password infected), and then analyze them without having to extract them.
The output below shows all the data streams contained in the document.
#5 The macro executed a program. Provide the program name?
Powershell
For this I have used REMnux only I fired up a command olevaba IPhone-Winners.doc olevba is a script to parse OLE and OpenXML files such as MS Office documents. (e.g. Word, Excel), to extract VBA Macro code in clear text, deobfuscate. and analyze malicious macros. XLM/Excel 4 Macros are also supported in Excel and SLK files.
Then I found the result that it uses the character string obfuscation. So I used olevba –deobf IPhone-winners.doc and I get the answer.
#6 The macro downloaded a malicious file. Provide the full download URL.
First deobfuscate the obfuscated code and run olevba — deobf IPhone-Winners.doc
After the output I Copied the string & manually cleared non related stuff in CyberChef.
And get the results.
#7 What was the malicious file downloaded to? (Provide the full path)
C:\Temp\IPhone.exe
In CyberChef output only I get the answer
#8 What is the name of the framework used to create the malware?
Metasploit
I uploaded the extracted file on virustotal but I didn’t get any result so I guessed the framework since I used it before.
#9 What is the attacker’s IP address?
155.94.69.27
I had found this in virustotal
VirusTotal can be useful in detecting malicious content and also in identifying false positives — normal and harmless items detected as malicious by one or more scanners.
#10 The fake giveaway used a login page to collect user information. Provide the full URL of the login page?
For this I open the Autopsy /Users/Semah/AppData/Roaming/Mozilla/Firefox /profiles/pyb51x2n.default-release/places.sqlite and at the moz_places export the file to CSV.
#11 What is the password the user submitted to the login page?
GacsriicUZMY4xiAF4yl
First I extract the folder /Users/Semah/AppData/Roaming/Mozilla/Firefox /profiles/pyb51x2n.default-release then I downloaded the tool passwordfox and when I loaded pyb51x2n.default-release, it reveals the victim’s password.
Conclusion
It can be described as a detailed process of detecting, investigating, and documenting the reason, course, and consequences of a security incident or violation against state and organization laws.
This is the end. Thank you for reading this write-up.