In this post, I would like to share some walkthroughs on the Sherlock Challenges such as HyperFiletable which can be considered an Easy difficulty

Introduction of Hyperfiletable Challenge

In this challenge, you will address the consequences of a sophisticated phishing attack directed at a recent recruit within Forela. Unbeknownst to the unsuspecting newcomer, the act of downloading their onboarding documentation has led to the inadvertent opening of a malicious attachment. This Sherlock challenge, designed at an introductory level of difficulty, requires participants to carefully analyze the incident using the limited artifacts provided.

Case study of Hyperfiletable

There has been a new joiner in Forela, they have downloaded their onboarding documentation, however someone has managed to phish the user with a malicious attachment. We have only managed to pull the MFT record for the new user, are you able to triage this information? 

We are required to download the zip

Let’s extract the downloaded file until it reaches the final file.

Finally, I managed to obtain the final file which its format is data

We can use the xxd tools to analyze the file.

Task 1: What is the MD5 hash of the MFT?

We will need to run md5sum on the file so that we can answer the first question.

Task 2: What is the name of the only user on the system?

After doing some research, I found one Python script here and ran the script to convert the original file into Excel format.

The output would be looking something as shown above.

While analyzing the file within the Excel document, I managed to find the only username of the machine which is “Users/Randy

Task 3: What is the name of the malicious HTA that was downloaded by that user?

A screenshot of a computer

Description automatically generated

For this activity, I need to read all the content carefully, but I will take a faster route where I will search on the .hta file format and find the filename as Onboarding.hta

Task 4: What is the ZoneId of the download for the malicious HTA file?

I will use the xxd tools to obtain the answer for this activity because I cannot find the ZoneId on the Excel document file.

After analyzing it slowly and carefully, I managed to find the ZoneId using xxd which the answer is “3”

Task 5: What is the download URL for the malicious HTA?

The answer will be highlight in the screenshot above

Task 6: What is the allocated size for the HTA file? (bytes)

I received some help from ChatGPT which suggests that I use the command line of “stat” to retrieve the allocated size for the HTA file.

Task 7: What is the real size of the HTA file? (bytes)

A screenshot of a computer

Description automatically generated

I will be using MFT_Explorer to obtain the real size of the HTA file. The highlighted in red line, its logical size will give us the answer to this question

A black background with white text

Description automatically generated

Task 8: When was the PowerPoint presentation downloaded by the user?

A screenshot of a computer

Description automatically generated

Let’s analyze the Excel document to answer the question

The timestamp will been highlighted in the left column for the PowerPoint file

Task 9: The user has made notes of their work credentials, what is their password?

The password will be ReallyC00lDucks2023!

Task 10: How many files remain under the C:\Users\ directory? (Recursively)

We need to count the amount of similar data which have been highlighted