Company X has contacted you to perform forensics work on a recent incident that occurred. One of their employees had received an e-mail from a co-worker that pointed to a PDF file. Upon opening, the employee did not notice anything; however, they recently had unusual activity in their bank account.

The initial theory is that a user received an e-mail, containing an URL leading to a forged PDF document. Opening that document in Acrobat Reader triggers a malicious Javascript that initiates a sequence of actions to take over the victim's system.

Company X was able to obtain a memory image of the employee's virtual machine upon suspected infection and asked you to analyze the virtual memory and provide answers to the questions.


Supportive Tools:


Thanks, lehonghai for revieweing the challenge.


# Question Weight Solved
1 What was the local IP address for the victim's machine? 50 117

2 What was the OS variable value? 50 81

3 What was the Administrator's password? 100 100

4 Which process was most likely responsible for the initial exploit? 150 110

5 What is the extension of the malicious file retrieved from the process responsible for the initial exploit? 150 92

6 Suspicious processes opened network connections to external IPs. Provide the two external IP addresses. (comma-separated without spaces) 150 104

7 A suspicious URL was present in process svchost.exe memory. Provide the full URL that points to a PHP page hosted over a public IP (no FQDN). 200 76

8 Extract files from the initial process. One file has an MD5 hash ending with "528afe08e437765cc". When was this file first submitted for analysis on VirusTotal? 250 37

9 What was the PID of the process that loaded the file PDF.php? 250 95

10 The JS includes a function meant to hide the call to function eval(). Provide the name of that function. 300 34

11 The payload includes 3 shellcodes for different versions of Acrobat reader. Provide the function name that corresponds to Acrobat v9. 300 27

12 Process winlogon.exe hosted a popular malware that was first submitted for analysis at VirusTotal on 2010-03-29 11:34:01. Provide the MD5 hash of that malware. 300 21

13 What is the name of the malicious executable referenced in registry hive '\WINDOWS\system32\config\software', and is variant of ZeuS trojan? 300 43

14 The shellcode for Acrobat v7 downloads a file named e.exe from a specific URL. Provide the URL. 500 39

15 The shellcode for Acrobat v8 exploits a specific vulnerability. Provide the CVE number. 500 42