BankingTroubles blue team ctf

Category : Digital Forensics

948 Players

4.4 (91)

Difficult

What was the local IP address of the victim's machine?

Weight : 50 | Solved : 629

What was the OS environment variable's value?

Weight : 50 | Solved : 573

What was the Administrator's password?

Weight : 100 | Solved : 577

Which process was most likely responsible for the initial exploit?

Weight : 150 | Solved : 606

What is the extension of the malicious file retrieved from the process responsible for the initial exploit?

Weight : 150 | Solved : 570

Suspicious processes opened network connections to external IPs. One of them starts with "2". Provide the full IP.

Weight : 150 | Solved : 586

A suspicious URL was present in process svchost.exe memory. Provide the full URL that points to a PHP page hosted over a public IP (no FQDN).

Weight : 200 | Solved : 501

Extract files from the initial process. One file has an MD5 hash ending with "528afe08e437765cc". When was this file first submitted for analysis on VirusTotal?

Weight : 250 | Solved : 376

What was the PID of the process that loaded the file PDF.php?

Weight : 250 | Solved : 514

Q10

The JS includes a function meant to hide the call to function eval(). Provide the name of that function.

Weight : 300 | Solved : 316

Q11

The payload includes 3 shellcodes for different versions of Acrobat reader. Provide the function name that corresponds to Acrobat v9.

Weight : 300 | Solved : 255

Q12

Process winlogon.exe hosted a popular malware that was first submitted for analysis at VirusTotal on 2010-03-29 11:34:01. Provide the MD5 hash of that malware.

Weight : 300 | Solved : 286

Q13

What is the name of the malicious executable referenced in registry hive '\WINDOWS\system32\config\software', and is variant of ZeuS trojan?

Weight : 300 | Solved : 293

Q14

The shellcode for Acrobat v7 downloads a file named e.exe from a specific URL. Provide the URL.

Weight : 500 | Solved : 292

Q15

The shellcode for Acrobat v8 exploits a specific vulnerability. Provide the CVE number.

Weight : 500 | Solved : 272

Instructions:

Unzip the challenge (pass: cyberdefenders.org), examine the image, and answer the provided questions.

Challenge Files:

Bob.vmem

Company X has contacted you to perform forensics work on a recent incident that occurred. One of their employees had received an e-mail from a co-worker that pointed to a PDF file. Upon opening, the employee did not notice anything; however, they recently had unusual activity in their bank account.

The initial theory is that a user received an e-mail, containing an URL leading to a forged PDF document. Opening that document in Acrobat Reader triggers a malicious Javascript that initiates a sequence of actions to take over the victim's system.

Company X was able to obtain a memory image of the employee's virtual machine upon suspected infection and asked you as a security blue team analyst to analyze the virtual memory and provide answers to the questions.

Supportive Tools:

Thanks, lehonghai for revieweing the challenge.

WriteUps

Submit Writeup

Need Help?

Join our Discord server, connect with fellow defenders, and get help while solving challenges.

SHA1SUM:

fb90a34ca773f2dc97da144df1028ac4689a8e87
Password:

cyberdefenders.org
Size:

127M
Published:

Nov. 6, 2020, midnight

First blood

lehonghai

936 days ago

Last solve

asahin34

today

Authors

BankingTroubles blue team ctf

Category : Digital Forensics

Memory

Volatility

Windows