CyberDefenders: BankingTroubles blueteam challenge.

BankingTroubles

SHA1SUM	fb90a34ca773f2dc97da144df1028ac4689a8e87
Published	Nov. 6, 2020
Author	The Honeynet Project
Size	127M
Tags	Malware Analysis Honeypot PDF Volatility Memory analysis Threat Hunting IOCs

Instructions	Unzip the challenge (pass: cyberdefenders.org), examine the image, and answer the provided questions. Challenge Files: Bob.vmem

Your progress

0% Completed0/15 Questions

Your score

0/3550

Memory Image Forensics

Last solve

11 days ago by Anderwelt

Company X has contacted you to perform forensics work on a recent incident that occurred. One of their employees had received an e-mail from a co-worker that pointed to a PDF file. Upon opening, the employee did not notice anything; however, they recently had unusual activity in their bank account.

The initial theory is that a user received an e-mail, containing an URL leading to a forged PDF document. Opening that document in Acrobat Reader triggers a malicious Javascript that initiates a sequence of actions to take over the victim's system.

Company X was able to obtain a memory image of the employee's virtual machine upon suspected infection and asked you to analyze the virtual memory and provide answers to the questions.

Supportive Tools:

Thanks, lehonghai for revieweing the challenge.

#	Question	Weight	Solved
#1	What was the local IP address of the victim's machine?	50	286
Hint Report an issue

#2	What was the OS environment variable's value?	50	241
Hint Report an issue

#3	What was the Administrator's password?	100	252
Hint Report an issue

#4	Which process was most likely responsible for the initial exploit?	150	275
Hint Report an issue

#5	What is the extension of the malicious file retrieved from the process responsible for the initial exploit?	150	251
Hint Report an issue

#6	Suspicious processes opened network connections to external IPs. One of them starts with "2". Provide the full IP.	150	260
Hint Report an issue

#7	A suspicious URL was present in process svchost.exe memory. Provide the full URL that points to a PHP page hosted over a public IP (no FQDN).	200	215
Hint Report an issue

#8	Extract files from the initial process. One file has an MD5 hash ending with "528afe08e437765cc". When was this file first submitted for analysis on VirusTotal?	250	141
Hint Report an issue

#9	What was the PID of the process that loaded the file PDF.php?	250	242
Hint Report an issue

#10	The JS includes a function meant to hide the call to function eval(). Provide the name of that function.	300	121
Hint Report an issue

#11	The payload includes 3 shellcodes for different versions of Acrobat reader. Provide the function name that corresponds to Acrobat v9.	300	97
Hint Report an issue

#12	Process winlogon.exe hosted a popular malware that was first submitted for analysis at VirusTotal on 2010-03-29 11:34:01. Provide the MD5 hash of that malware.	300	100
Hint Report an issue

#13	What is the name of the malicious executable referenced in registry hive '\WINDOWS\system32\config\software', and is variant of ZeuS trojan?	300	116
Hint Report an issue

#14	The shellcode for Acrobat v7 downloads a file named e.exe from a specific URL. Provide the URL.	500	115
Hint Report an issue

#15	The shellcode for Acrobat v8 exploits a specific vulnerability. Provide the CVE number.	500	112
Hint Report an issue

Submit Writeup