CyberDefenders: BlueTeam CTF Challenges

BankingTroubles

SHA1SUM	fb90a34ca773f2dc97da144df1028ac4689a8e87
Published	Nov. 6, 2020
Author	The Honeynet Project
Size	127M
Tags	Volatility Threat Hunting Windows Memory

Instructions	Unzip the challenge (pass: cyberdefenders.org), examine the image, and answer the provided questions. Challenge Files: Bob.vmem

Your progress

0% Completed0/15 Questions

Your score

0/3550

Digital Forensics

Last solve

9 days ago by d3codex

Company X has contacted you to perform forensics work on a recent incident that occurred. One of their employees had received an e-mail from a co-worker that pointed to a PDF file. Upon opening, the employee did not notice anything; however, they recently had unusual activity in their bank account.

The initial theory is that a user received an e-mail, containing an URL leading to a forged PDF document. Opening that document in Acrobat Reader triggers a malicious Javascript that initiates a sequence of actions to take over the victim's system.

Company X was able to obtain a memory image of the employee's virtual machine upon suspected infection and asked you to analyze the virtual memory and provide answers to the questions.

Supportive Tools:

Thanks, lehonghai for revieweing the challenge.

#	Question	Weight	Solved
#1	What was the local IP address of the victim's machine?	50	434
Hint Report an issue

#2	What was the OS environment variable's value?	50	384
Hint Report an issue

#3	What was the Administrator's password?	100	391
Hint Report an issue

#4	Which process was most likely responsible for the initial exploit?	150	415
Hint Report an issue

#5	What is the extension of the malicious file retrieved from the process responsible for the initial exploit?	150	388
Hint Report an issue

#6	Suspicious processes opened network connections to external IPs. One of them starts with "2". Provide the full IP.	150	398
Hint Report an issue

#7	A suspicious URL was present in process svchost.exe memory. Provide the full URL that points to a PHP page hosted over a public IP (no FQDN).	200	339
Hint Report an issue

#8	Extract files from the initial process. One file has an MD5 hash ending with "528afe08e437765cc". When was this file first submitted for analysis on VirusTotal?	250	240
Hint Report an issue

#9	What was the PID of the process that loaded the file PDF.php?	250	355
Hint Report an issue

#10	The JS includes a function meant to hide the call to function eval(). Provide the name of that function.	300	202
Hint Report an issue

#11	The payload includes 3 shellcodes for different versions of Acrobat reader. Provide the function name that corresponds to Acrobat v9.	300	156
Hint Report an issue

#12	Process winlogon.exe hosted a popular malware that was first submitted for analysis at VirusTotal on 2010-03-29 11:34:01. Provide the MD5 hash of that malware.	300	172
Hint Report an issue

#13	What is the name of the malicious executable referenced in registry hive '\WINDOWS\system32\config\software', and is variant of ZeuS trojan?	300	188
Hint Report an issue

#14	The shellcode for Acrobat v7 downloads a file named e.exe from a specific URL. Provide the URL.	500	187
Hint Report an issue

#15	The shellcode for Acrobat v8 exploits a specific vulnerability. Provide the CVE number.	500	170
Hint Report an issue

Submit Writeup