In this post, I would like to share some walkthroughs on the Sherlock Challenges Noted can be considered an Easy Difficulty

Simon, a developer working at Forela, notified the CERT team about a note that appeared on his desktop. The note claimed that his system had been compromised and that sensitive data from Simon’s workstation had been collected. The perpetrators performed data extortion on his workstation and are now threatening to release the data on the dark web unless their demands are met. Simon’s workstation contained multiple sensitive files, including planned software projects, internal development plans, and application codebases. The threat intelligence team believes that the threat actor made some mistakes, but they have not found any way to contact the threat actors. The company’s stakeholders are insisting that this incident be resolved and all sensitive data be recovered. They demand that under no circumstances should the data be leaked. As our junior security analyst, you have been assigned a specific type of DFIR (Digital Forensics and Incident Response) investigation in this case. The CERT lead, after triaging the workstation, has provided you with only the Notepad++ artifacts, suspecting that the attacker created the extortion note and conducted other activities with hands-on keyboard access. Your duty is to determine how the attack occurred and find a way to contact the threat actors, as they accidentally locked out their own contact information.

Firstly, we need to download the artefact into our attacker machine and unzip it to analyze further

I managed to sighted all 7 directories and 4 files are stored in the noted directory

1. What is the full path of the script used by Simon for AWS operations?

We can find the answer to the first question within the config.xml file

2. The attacker duplicated some program code and compiled it on the system, knowing the victim was a software engineer with all the necessary utilities. They did this to blend into the environment and didn’t bring any of their tools. This code gathered sensitive data and prepared it for exfiltration. What is the full path of the program’s source file?

Let’s find the sessions.xml file, we managed to find a Java location that has been mentioned

3. What’s the name of the final archive file containing all the data to be exfiltrated?

As shown above, we managed to locate the name of the final archive file that contains all the data we need

4. What’s the timestamp in UTC when the attacker last modified the program source file?

We managed to find the timestamp that we required for the Python script to provide us with an accurate timestamp

Boom! At last, we managed to see the accurate timestamp that needed to answer this question

5. The attacker wrote a data extortion note after exfiltrating data. What is the crypto wallet address to which attackers demanded payment?

Sadly, this link has expired for the public

However, we can access the other link but we need to enter a password to read the content of the file

We have sighted the password on the javascript

Therefore, let’s enter the password to unlock the content

Boom! Finally, we managed to see the Ethereum Wallet

6. What’s the email address of the person to contact for support?