HTB Sherlock: Noted


Incident Details
Name: Noted
Category: DFIR
Difficulty: Easy (Solved)
Simon, a developer working at Forela, notified the CERT team about a note that appeared on his desktop. The note claimed that his system had been compromised and that sensitive data from Simon's workstation had been collected. The perpetrators performed data extortion on his workstation and are now threatening to release the data on the dark web unless their demands are met. Simon's workstation contained multiple sensitive files, including planned software projects, internal development plans, and application codebases. The threat intelligence team believes that the threat actor made some mistakes, but they have not found any way to contact the threat actors. The company's stakeholders are insisting that this incident be resolved and all sensitive data be recovered. They demand that under no circumstances should the data be leaked. As our junior security analyst, you have been assigned a specific type of DFIR (Digital Forensics and Incident Response) investigation in this case. The CERT lead, after triaging the workstation, has provided you with only the Notepad++ artifacts, suspecting that the attacker created the extortion note and conducted other activities with hands-on keyboard access. Your duty is to determine how the attack occurred and find a way to contact the threat actors, as they accidentally locked out their own contact information.
Evidence
All evidence files are marked as read-only right after acquisition and their hashes are written down. The read-only attribute does not affect the hash of a file.
01: ZIP archive file
$ Noted.zip
0f4628bc37d275178158aa108db8231b15435b79d76230a620c046d9129eaef7
File structure after unzipping:
$ config.xml
85c58374d83d1f47f089ff2fded34958d555c4fa3d2bce3fe50d60865cf05c22
$ session.xml
ebd010709f828e1239e24df5c020e84ba66d3082a523ff399c135b9d2aec96bb
$ LootAndPurge.java@2023-07-24_145332
57177080cac6e0a4ee0f10bc80587b28ac6d2fb38be417711a28b52a7a229523
$ YOU HAVE BEEN HACKED.txt@2023-07-24_150548
3700b7dc69d0f8570485bf8b5a4c4f7f84abcd722dcb7addc609129e418e932e
Analysis
Both pastes.io and pastebin.com contain the same message.
Password protected.
Wow, that's quite a lot - is it an address of some kind of cryptocurrency market?
Questions
- What is the full path of the script used by Simon for AWS operations?
config.xml
- The attacker duplicated some program code and compiled it on the system, knowing that the victim was a software engineer and had all the necessary utilities. They did this to blend into the environment and didn't bring any of their tools. This code gathered sensitive data and prepared it for exfiltration. What is the full path of the program's source file?
session.xml
- What's the name of the final archive file containing all the data to be exfiltrated?
LootAndPurge.java
- What's the timestamp in UTC when attacker last modified the program source file?
session.xml
Great thread on how to decode those values.
This one is really hard in comparison to other questions :P
>>> (31047188 << 32) | (-1354503710 & 0xFFFFFFFF)
133346660033227234
The combined value is a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC), so feed it to an epoch converter that understands that format to get the right time.
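The same decode done in code, as an added example that is not part of the original write-up: it recombines the two signed 32-bit halves that Notepad++ stores in session.xml into a 64-bit FILETIME and converts it to UTC. The XML fragment is constructed for the example, and the attribute names originalFileLastModifTimestamp / originalFileLastModifTimestampHigh are assumed to match the ones Notepad++ uses (the page only shows their values).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed session.xml fragment (not the real evidence file). The two
# timestamp attributes carry the values worked through above; the
# attribute names are an assumption about Notepad++'s session format.
SESSION_XML = """<NotepadPlus>
  <Session activeView="0">
    <mainView activeIndex="0">
      <File firstVisibleLine="0" xPos="0" yPos="0" selMode="0" offset="0"
            scrollPos="0" startPos="0" endPos="0"
            originalFileLastModifTimestamp="-1354503710"
            originalFileLastModifTimestampHigh="31047188"
            backupFilePath="" filename="LootAndPurge.java" />
    </mainView>
  </Session>
</NotepadPlus>"""

# FILETIME counts 100-nanosecond ticks since this epoch.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def to_filetime(low: int, high: int) -> int:
    """Recombine the signed 32-bit halves into one unsigned 64-bit FILETIME."""
    return (high << 32) | (low & 0xFFFFFFFF)


def filetime_to_utc(ft: int) -> datetime:
    """Convert a FILETIME tick count to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def session_mtimes(xml_text: str) -> dict:
    """Map each <File filename=...> in the session to its last-modified time (UTC)."""
    root = ET.fromstring(xml_text)
    result = {}
    for node in root.iter("File"):
        low = int(node.get("originalFileLastModifTimestamp"))
        high = int(node.get("originalFileLastModifTimestampHigh"))
        result[node.get("filename")] = filetime_to_utc(to_filetime(low, high))
    return result


if __name__ == "__main__":
    for name, mtime in session_mtimes(SESSION_XML).items():
        print(name, mtime.strftime("%Y-%m-%d %H:%M:%S UTC"))
```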
- The attacker wrote a data extortion note after exfiltrating data. What is the crypto wallet address to which attackers demanded payment?
- What's the email address of the person to contact for support?
Both answers in the pastebin note.
Data Recovery
Not needed.
Lessons Learned
- How Notepad++ stores timestamps
Additional readings
Written by

Kamil Gierach-Pacanek
Currently working as a Senior Consultant at Netcompany spending my full-time job solving the SharePoint riddles. In the free time I'm expanding my understanding of cybersecurity through hacking activities. Git fanboy.