Company X has contacted you to perform forensics work on a recent incident that occurred. One of their employees had received an e-mail from a co-worker that pointed to a PDF file. Upon opening, the employee did not notice anything; however, they recently had unusual activity in their bank account.
The initial theory is that a user received an e-mail, containing an URL leading to a forged PDF document. Opening that document in Acrobat Reader triggers a malicious Javascript that initiates a sequence of actions to take over the victim's system.
Company X was able to obtain a memory image of the employee's virtual machine upon suspected infection and asked you to analyze the virtual memory and provide answers to the questions.
Supportive Tools:
Thanks, lehonghai for revieweing the challenge.
| # | Question | Weight | Solved | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | What was the local IP address for the victim's machine? | 50 | 117 | ||||||||||||
| 2 | What was the OS variable value? | 50 | 81 | ||||||||||||
| 3 | What was the Administrator's password? | 100 | 100 | ||||||||||||
| 4 | Which process was most likely responsible for the initial exploit? | 150 | 110 | ||||||||||||
| 5 | What is the extension of the malicious file retrieved from the process responsible for the initial exploit? | 150 | 92 | ||||||||||||
| 6 | Suspicious processes opened network connections to external IPs. Provide the two external IP addresses. (comma-separated without spaces) | 150 | 104 | ||||||||||||
| 7 | A suspicious URL was present in process svchost.exe memory. Provide the full URL that points to a PHP page hosted over a public IP (no FQDN). | 200 | 76 | ||||||||||||
| 8 | Extract files from the initial process. One file has an MD5 hash ending with "528afe08e437765cc". When was this file first submitted for analysis on VirusTotal? | 250 | 37 | ||||||||||||
| 9 | What was the PID of the process that loaded the file PDF.php? | 250 | 95 | ||||||||||||
| 10 | The JS includes a function meant to hide the call to function eval(). Provide the name of that function. | 300 | 34 | ||||||||||||
| 11 | The payload includes 3 shellcodes for different versions of Acrobat reader. Provide the function name that corresponds to Acrobat v9. | 300 | 27 | ||||||||||||
| 12 | Process winlogon.exe hosted a popular malware that was first submitted for analysis at VirusTotal on 2010-03-29 11:34:01. Provide the MD5 hash of that malware. | 300 | 21 | ||||||||||||
| 13 | What is the name of the malicious executable referenced in registry hive '\WINDOWS\system32\config\software', and is variant of ZeuS trojan? | 300 | 43 | ||||||||||||
| 14 | The shellcode for Acrobat v7 downloads a file named e.exe from a specific URL. Provide the URL. | 500 | 39 | ||||||||||||
| 15 | The shellcode for Acrobat v8 exploits a specific vulnerability. Provide the CVE number. | 500 | 42 | ||||||||||||