In this post, I would like to share a walkthrough of one of the Sherlock challenges, Einladen, which can be considered medium difficulty.
Testing
- Case Study on Einladen Challenge
- 1. The victim visited a web page. The HTML file of the web page has been provided as the ‘downloader.html’ sample file. The web page downloads a ZIP file named ‘Invitation_Farewell_DE_EMB.zip’. What is the SHA-256 hash of the ZIP file?
- 2. The downloaded ZIP file contains an HTA file, which creates multiple files. One of those files is a file signed by Microsoft Corporation. In the HTA file, which variable’s value was the content of that signed file?
- 3. The threat actor was acting as an embassy of a country. Which country was that?
- 4. The malware communicated with a chatting platform domain. What is the domain name (inclusive of subdomain) the malware connects to?
- 5. How many DNS A records were found for that domain?
- 6. It seems like the chatting service was running on a well-known cloud service using a FQDN, where the FQDN contains the IP address of the chatting domain in reverse format somehow. What is the FQDN?
- 7. What was the parent PID (PPID) of the malware?
- 8. What was the computer name of the victim computer?
- 9. What was the username of the victim computer?
- 10. How many times were the Windows Registry keys set with a data value?
- 11. Was the malicious mso.dll loaded successfully by the malware executable?
- 12. The JavaScript file tries to write itself as a .bat file. What is the .bat file name (name+extension) it tries to write itself as?
- 14. The malware contains a class Client.Settings which sets different configurations. It has a variable ‘Ports’ whose value is Base64 encoded. The value is decrypted using Aes256. Decrypt it. After decryption, what will be its value (the decrypted value will be inside double quotation marks)?
- 15. The malware sends an HTTP request to a URI and checks the country code or country name of the victim machine. To which URI does the malware send the request for this?
- 16. After getting the country code or country name of the victim machine, the malware checks some country codes and a country name. In the case of the country name, if the name matches the victim machine’s country name, the malware terminates itself. What is the country name it checks against the victim system?
- 17. As an anti-debugging functionality, the malware checks if there is any process running where the process name is a debugger. What is the debugger name it tries to check if that’s running?
- 18. For persistence, the malware writes a Registry key where the registry key is hardcoded in the malware in reversed format. What is the registry key after reversing?
- 19. The malware sets a scheduled task. What is the Run Level for the scheduled task/job it sets?
Case Study on Einladen Challenge
In this challenge, our staff recently received an invite to the German embassy to bid farewell to the German ambassador. We believe this invite was a phishing email due to alerts that were fired on our organisation's SIEM tooling following the receipt of such mail. We have provided a wide variety of artefacts inclusive of numerous binaries, a network capture, DLLs from the host system and also a .hta file. Please analyse and complete the questions detailed below!