[Cybercamp 2015] [Forense 4.2] Write Up

Description

The machine was compromised for some time, and it seems that malicious programs were downloaded to this computer in order to launch a DDoS from it.

Download

Question: In the recent documents there is a keylogger in zip format. What is it called?

Resolution

We load the two hive files into REGEDIT, as in Forense 4.1.
Recent documents are stored under this key:
HKEY_USERS\FORENSIC_NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

There are two values here, but only the first one contains *zip*:
00000 72 00 65 00 61 00 6C 00 66 00 72 00 65 00 65 00 r.e.a.l.f.r.e.e.
00010 6B 00 65 00 79 00 6C 00 6F 00 67 00 67 00 65 00 k.e.y.l.o.g.g.e.
00020 72 00 2E 00 7A 00 69 00 70 00 00 00 7C 00 32 00 r...z.i.p...|.2.
00030 00 00 00 00 00 00 00 00 00 00 72 65 61 6C 66 72 ..........realfr
00040 65 65 6B 65 79 6C 6F 67 67 65 72 2E 6C 6E 6B 00 eekeylogger.lnk.
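
As an added example (not part of the original write-up), the following Python snippet parses the RecentDocs value shown in the dump: the target name is a null-terminated UTF-16LE string, followed by a shell item that carries the ANSI name of the .lnk file. The field layout of that shell item (size, type, file size, DOS date/time, attributes, then the name) is assumed from the standard file-entry shell item format, and the bytes are reconstructed from the dump above.

```python
import binascii
import struct

# Bytes reconstructed from the hex dump of the first RecentDocs value
# (only the 80 bytes the dump shows; the shell item is cut off after the name).
RECENTDOCS_VALUE = binascii.unhexlify(
    "7200650061006C006600720065006500"
    "6B00650079006C006F00670067006500"
    "72002E007A006900700000007C003200"
    "000000000000000000007265616C6672"
    "65656B65796C6F676765722E6C6E6B00"
)


def parse_recentdocs_value(data: bytes) -> dict:
    """Split a RecentDocs MRU entry into the UTF-16LE target name and the
    ANSI name carried by the embedded shell link item."""
    # The target name is UTF-16LE and ends at the first 00 00 on a 2-byte boundary.
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    target = data[:end].decode("utf-16-le")

    # What follows the terminator is a shell item (assumed file-entry layout):
    # size (2), type (1), unused (1), file size (4), DOS date/time (4),
    # attributes (2), then the null-terminated ANSI primary name.
    item = data[end + 2:]
    size, ctype = struct.unpack_from("<HB", item, 0)
    name_off = 14
    name_end = item.index(b"\x00", name_off)
    lnk_name = item[name_off:name_end].decode("latin-1")
    return {"target": target, "item_size": size,
            "item_type": ctype, "lnk_name": lnk_name}


def recent_zip_targets(values: list) -> list:
    """Return the target names of the entries that refer to a .zip file,
    which is how the write-up narrows the RecentDocs values down to one."""
    entries = (parse_recentdocs_value(v) for v in values)
    return [e["target"] for e in entries if e["target"].lower().endswith(".zip")]


if __name__ == "__main__":
    print(parse_recentdocs_value(RECENTDOCS_VALUE))
    print(recent_zip_targets([RECENTDOCS_VALUE]))
```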

SHA256(realfreekeylogger.zip): a10832568b2220010a798a4e7ab4e5cd00e77f33bad2176ec0942646e9d45b70

Flag is a10832568b2220010a798a4e7ab4e5cd00e77f33bad2176ec0942646e9d45b70
