English [Cybercamp 2015] [Forense 2.5] Write Up


The company of Mr. Garcia has been robbed of 74,300€ from his bank account. The theft was committed without the knowledge of Mr. García or people in charge of IT.

Some of the money has been retrieved thanks to the speed of the bank to block the target account, but Mr. Garcia is determined to know how this unfortunate incident occurred, as he invested in forming security technicians and purchasing a perimeter antivirus solution for workstations.

After the incident, we have been asked to do a forensic analysis of the machine, but unfortunately these devices have been handled incorrectly and have no value for our review. Fortunately the system administrator, before the network failure, (do not know if caused by the incident) got a file with network traffic of the same day as the theft of bank accounts.


Question: What SHA256 hash, has the program downloaded?
Answer format: SHA256 of SHA256 hash


In Wireshark, we can dump all HTTP objects.
To do so: File / Export objects / HTTP
Select the sp.exe file and save it.

sha256(content of sp.exe) : 9a73d4bb30e1ad8fb5127952a200d486217e05aec90ede596111d1d3010f4074

sha256(9a73d4bb30e1ad8fb5127952a200d486217e05aec90ede596111d1d3010f4074) : aedc4f7308e27551fa3f9a39fc793cea67e835c4f70c66a684fb72e16538c71f

Flag is aedc4f7308e27551fa3f9a39fc793cea67e835c4f70c66a684fb72e16538c71f

Leave a Reply

Your email address will not be published. Required fields are marked *