CyberDefenders: BlueTeam CTF Challenges

BankingTroubles

SHA1SUM	fb90a34ca773f2dc97da144df1028ac4689a8e87
Published	Nov. 6, 2020
Author	The Honeynet Project
Size	127M
Tags	Volatility Threat Hunting Windows Memory

Instructions	Unzip the challenge (pass: cyberdefenders.org), examine the image, and answer the provided questions. Challenge Files: Bob.vmem

Your progress

0% Completed0/15 Questions

Your score

0/3550

Digital Forensics

Last solve

11 days ago by txc

Company X has contacted you to perform forensics work on a recent incident that occurred. One of their employees had received an e-mail from a co-worker that pointed to a PDF file. Upon opening, the employee did not notice anything; however, they recently had unusual activity in their bank account.

The initial theory is that a user received an e-mail, containing an URL leading to a forged PDF document. Opening that document in Acrobat Reader triggers a malicious Javascript that initiates a sequence of actions to take over the victim's system.

Company X was able to obtain a memory image of the employee's virtual machine upon suspected infection and asked you to analyze the virtual memory and provide answers to the questions.

Supportive Tools:

Thanks, lehonghai for revieweing the challenge.

#	Question	Weight	Solved
#1	What was the local IP address of the victim's machine?	50	411
Hint Report an issue

#2	What was the OS environment variable's value?	50	361
Hint Report an issue

#3	What was the Administrator's password?	100	368
Hint Report an issue

#4	Which process was most likely responsible for the initial exploit?	150	393
Hint Report an issue

#5	What is the extension of the malicious file retrieved from the process responsible for the initial exploit?	150	366
Hint Report an issue

#6	Suspicious processes opened network connections to external IPs. One of them starts with "2". Provide the full IP.	150	376
Hint Report an issue

#7	A suspicious URL was present in process svchost.exe memory. Provide the full URL that points to a PHP page hosted over a public IP (no FQDN).	200	319
Hint Report an issue

#8	Extract files from the initial process. One file has an MD5 hash ending with "528afe08e437765cc". When was this file first submitted for analysis on VirusTotal?	250	224
Hint Report an issue

#9	What was the PID of the process that loaded the file PDF.php?	250	337
Hint Report an issue

#10	The JS includes a function meant to hide the call to function eval(). Provide the name of that function.	300	190
Hint Report an issue

#11	The payload includes 3 shellcodes for different versions of Acrobat reader. Provide the function name that corresponds to Acrobat v9.	300	147
Hint Report an issue

#12	Process winlogon.exe hosted a popular malware that was first submitted for analysis at VirusTotal on 2010-03-29 11:34:01. Provide the MD5 hash of that malware.	300	160
Hint Report an issue

#13	What is the name of the malicious executable referenced in registry hive '\WINDOWS\system32\config\software', and is variant of ZeuS trojan?	300	177
Hint Report an issue

#14	The shellcode for Acrobat v7 downloads a file named e.exe from a specific URL. Provide the URL.	500	173
Hint Report an issue

#15	The shellcode for Acrobat v8 exploits a specific vulnerability. Provide the CVE number.	500	160
Hint Report an issue

Submit Writeup