Oski Lab | CyberDefenders WriteUp

Solvenite

Scenario:

The accountant at the company received an email titled "Urgent New Order" from a client late in the afternoon. When he attempted to access the attached invoice, he discovered it contained false order information. Subsequently, the SIEM solution generated an alert regarding downloading a potentially malicious file. Upon initial investigation, it was found that the PPT file might be responsible for this download. Could you please conduct a detailed examination of this file?

Here’s the link to the lab: https://cyberdefenders.org/blueteam-ctf-challenges/oski/


1. Determining the creation time of the malware can provide insights into its origin. What was the time of malware creation?

Take the MD5 hash of the file and search for it on VirusTotal.

Go to Details → Scroll down to History

Answer: 2022-09-28 17:40


2. Identifying the command and control (C2) server that the malware communicates with can help trace back to the attacker. Which C2 server does the malware in the PPT file communicate with?

On the same page, go to the Relations tab.

Answer: http://171.22.28.221/5c06c05b7b34e8e6.php


3. Identifying the initial actions of the malware post-infection can provide insights into its primary objectives. What is the first library that the malware requests post-infection?

Go to ANY.RUN and run the hash to get a report.

Here’s the report for reference: https://app.any.run/tasks/d55e2294-5377-4a45-b393-f5a8b20f7d44

In the HTTP requests section, we can see that the first library this malware calls for is sqlite3.dll

To confirm, click the AI summary button: the first library it requests in that list is the same one.

Answer: sqlite3.dll


4. Upon examining the malware, it appears to utilize the RC4 key for decrypting a base64 string. What specific RC4 key does this malware use?

On ANY.RUN, press the MalConf button to get the RC4 key.
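To check that a key recovered from MalConf is actually the one the sample uses, an analyst can base64-decode one of the embedded strings and RC4-decrypt it offline. The following is an added example, not part of the original writeup or of the lab; the key is a placeholder and the ciphertext is constructed here by encrypting the C2 URL from question 2, so it only demonstrates the decode-then-RC4 step.

```python
import base64


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same function encrypts and decrypts."""
    # Key-scheduling algorithm (KSA): permute the 0..255 state with the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): XOR data with the keystream.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_b64_rc4(key: str, b64_blob: str) -> str:
    """Base64-decode an embedded string, then RC4-decrypt it with the key."""
    raw = base64.b64decode(b64_blob)
    return rc4_crypt(key.encode(), raw).decode("utf-8", errors="replace")


def encrypt_to_b64_rc4(key: str, plaintext: str) -> str:
    """Inverse of decrypt_b64_rc4, used here only to build a test string."""
    return base64.b64encode(rc4_crypt(key.encode(), plaintext.encode())).decode()


# Constructed sample: placeholder key (the real key comes from MalConf) and a
# ciphertext built from the C2 URL named in the writeup.
SAMPLE_KEY = "PLACEHOLDER_RC4_KEY"
SAMPLE_PLAINTEXT = "http://171.22.28.221/5c06c05b7b34e8e6.php"
SAMPLE_B64 = encrypt_to_b64_rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print("encoded :", SAMPLE_B64)
    print("decoded :", decrypt_b64_rc4(SAMPLE_KEY, SAMPLE_B64))
```

A wrong key yields non-printable garbage rather than an error, so a readable URL or path after decryption is the confirmation that the extracted key is correct.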


5. Identifying an adversary's techniques can aid in understanding their methods and devising countermeasures. Which MITRE ATT&CK technique are they employing to steal a user's password?

Press the ATT&CK button and keep looking until you find Credential Access.

Click Password from Credential Stores to get the MITRE ATT&CK technique.

Answer: T1555


6. Malware may delete files left behind by the actions of its intrusion activity. Which directory does the malware target for deletion?

Go back to the main page and click on cmd.exe from the Processes list.

We can see here that it executes a command which deletes from C:\ProgramData and then exits.

Answer: C:\ProgramData


7. Understanding the malware's behavior post-data exfiltration can give insights into its evasion techniques. After successfully exfiltrating the user's data, how many seconds does it take for the malware to self-delete?

Again, the answer can be found in the same tab.

/t 5 => 5 seconds

Answer: 5

