Joon-hyeok asked Seong-joon to repair his PC. After repairing it, Seong-joon did something to the PC. You should fix this PC.

Q1: When you surf "www.naver.com", the web browser shows something wrong. Fix it and you can find a Key.
Q2: Installed keylogger's location & filename (all characters lower case) - ex) c:\windows\notepad.exe
Q3: Download time of the keylogger - ex) 2016-05-27_22:00:00 (yyyy-mm-dd_hh:mm:ss)
Q4: What did the keylogger detect and save? There is a Key.

Auth Key = lowercase(MD5(Key of Q1 + Answer of Q2 + Answer of Q3 + Key of Q4))
```
❯ file 'Windows7(SuNiNaTaS)'
Windows7(SuNiNaTaS): EGG archive data, version 1.0
```

EGG (.egg) is a compressed archive format developed by ESTsoft primarily for their ALZip software and commonly used in South Korea. It acts similar to a .ZIP file but offers better Unicode support and efficient compression, is frequently used for distributing large files, and supports split volumes.
```
~/Downloads/Windows7(SuNiNaTaS) ❯ la
total 8.0G
drwxr-xr-x 1 kita kita   28 Feb 15 14:08  caches/
-rw-r--r-- 1 kita kita 2.0M May 24  2016  vmware-0.log
-rw-r--r-- 1 kita kita 384K May 24  2016  vmware.log
-rw-r--r-- 1 kita kita  53M May 24  2016 'Windows 7-000001.vmdk'
-rw-r--r-- 1 kita kita 8.5K May 24  2016 'Windows 7.nvram'
-rw-r--r-- 1 kita kita 1.0G May 24  2016 'Windows 7-Snapshot2.vmem'
-rw-r--r-- 1 kita kita 2.1M May 24  2016 'Windows 7-Snapshot2.vmsn'
-rw-r--r-- 1 kita kita 6.9G May 24  2016 'Windows 7.vmdk'
-rw-r--r-- 1 kita kita  445 May 24  2016 'Windows 7.vmsd'
-rw-r--r-- 1 kita kita 3.2K May 24  2016 'Windows 7.vmx'
-rw-r--r-- 1 kita kita 4.6K May 24  2016 'Windows 7.vmxf'

~/Downloads/Windows7(SuNiNaTaS) took 30s ❯ sudo guestmount -a "Windows 7.vmdk" -m /dev/sda1 --ro /mnt/win
```
```
❯ sudo cat /mnt/win/Windows/System32/drivers/etc/hosts
[sudo] password for kita:
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host
121.189.57.82 naver.com
121.189.57.82 www.naver.com
#
#
# C0ngr4tur4ti0ns!! This is a Keeeeeeeeeeey : what_the_he11_1s_keey
#
#
# localhost name resolution is handled within DNS itself.
#	127.0.0.1       localhost
#	::1             localhost
```
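The hosts-file hijack above is easy to spot by eye once the file is open, but on a triage of many images it helps to automate the check. The following is an added example (not part of the original writeup): it parses a hosts file, ignores the comment lines Microsoft ships by default, and flags every mapping that points a name at something other than loopback or the unspecified address, which is exactly the shape of the naver.com redirect. The sample text is constructed to mirror the recovered file.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the hosts file recovered from the image (not the real file).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#      102.54.94.97     rhino.acme.com          # source server
121.189.57.82 naver.com
121.189.57.82 www.naver.com
#	127.0.0.1       localhost
#	::1             localhost
0.0.0.0 ads.example.invalid   # constructed blocklist-style entry, should not be flagged
"""


def parse_hosts(text):
    """Return a list of (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # not an address; ignore rather than guess
        for name in parts[1:]:
            entries.append((str(ip), name.lower()))
    return entries


def suspicious_entries(entries):
    """Flag mappings that pin a hostname to a real address.

    Loopback (127.0.0.1 / ::1) and unspecified (0.0.0.0) targets are the normal
    content of a hosts file (localhost, ad blocklists); anything else overrides
    DNS for that name and deserves a look.
    """
    flagged = []
    for ip, name in entries:
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        flagged.append((ip, name))
    return flagged


def group_by_target(flagged):
    """Group flagged names by the address they were redirected to, for a compact report."""
    groups = defaultdict(list)
    for ip, name in flagged:
        groups[ip].append(name)
    return dict(groups)


if __name__ == "__main__":
    found = suspicious_entries(parse_hosts(SAMPLE_HOSTS))
    for ip, names in group_by_target(found).items():
        print(f"{ip} <- {', '.join(names)}")
```

Running this over the mounted image's `Windows/System32/drivers/etc/hosts` reports `121.189.57.82 <- naver.com, www.naver.com`; the key comment itself is still read by hand, since it is in a comment line the parser intentionally discards.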
```
# stat gives the wrong time: Modify is the binary's original build timestamp, and the
# Birth (creation) time we would need is not available through the mounted filesystem
[root@kita233 v196vv8]# stat v1tvr0.exe
  File: v1tvr0.exe
  Size: 1594368   	Blocks: 3120       IO Block: 4096   regular file
Device: 0,81	Inode: 109         Links: 1
Access: (0777/-rwxrwxrwx)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2016-05-24 03:26:09.330498800 +0800
Modify: 2010-07-07 06:50:09.109375000 +0800
Change: 2016-05-24 03:26:09.361698900 +0800
 Birth: -
```

```
# scan the MFT (Master File Table) from the memory snapshot: the $FILE_NAME timestamps give the
# same file-creation time (19:26:09 UTC = 03:26:09 UTC+8), which is still not the download time
❯ vol -f 'Windows 7-Snapshot2.vmem' -s ./volsym windows.mftscan.MFTScan | grep -i "v1tvr0.exe"
* 0xe8b38b0100.0FILE 50282 1DB scanFile finArchive FILE_NAME 2016-05-23 19:26:09.000000 UTC 2016-05-23 19:26:09.000000 UTC 2016-05-23 19:26:09.000000 UTC 2016-05-23 19:26:09.000000 UTC v1tvr0.exe
```
```
# need to check browser download history
# notice the user uses the IE browser, and IE stores history info in index.dat
[root@kita233 win]# find . -name "index.dat" -exec strings -f {} \; | grep -i "exe"
...
./Users/training/AppData/Local/Microsoft/Windows/History/History.IE5/index.dat: Visited: training@http://192.168.163.1/files/pc-spy-2010-keylogger-surveillance-spy-3.exe   <- notice spy keylogger
...
```

```
URL Visited: training@http://192.168.163.1/files/pc-spy-2010-keylogger-surveillance-spy-3.exe   05/24/2016 03:25:06   05/24/2016 03:25:06
# need to convert the time zone to UTC+9 (Korea); the analysis host displays UTC+8
2016-05-24_04:25:06
```
Q4: What did the keylogger detect and save? There is a Key.

```
# 4:37:57 How did you know pAsS\orD? Wow... Kee22 ls "blackkey is a Good man"
# blackkey is a Good man
```
Auth Key = lowercase(MD5(Key of Q1 + Answer of Q2 + Answer of Q3 + Key of Q4))

Concatenated input to MD5:

```
what_the_he11_1s_keeyc:\v196vv8\v1tvr0.exe2016-05-24_04:25:06blackkey is a Good man
```
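Two steps in the writeup are easy to get subtly wrong: reinterpreting the index.dat "Visited" time, which the analysis host rendered in UTC+8, as Korea time (UTC+9), and building the Auth Key string in exactly the order the challenge specifies. The block below is an added example, not part of the original writeup; the `to_challenge_time` and `auth_key` helper names are my own. It treats the displayed timestamp as a UTC+8 wall-clock value, shifts it to UTC+9, assembles the four pieces in the required order, and hashes them.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Timestamp exactly as the index.dat Visited entry was displayed on the analysis host
VISITED_DISPLAYED = "05/24/2016 03:25:06"
ANALYSIS_HOST_TZ = timezone(timedelta(hours=8))  # where the strings were viewed
CHALLENGE_TZ = timezone(timedelta(hours=9))      # Korea Standard Time, as the challenge expects


def to_challenge_time(displayed, from_tz, to_tz):
    """Treat `displayed` (mm/dd/yyyy HH:MM:SS) as wall-clock time in from_tz and
    return the same instant in to_tz, formatted as yyyy-mm-dd_hh:mm:ss."""
    naive = datetime.strptime(displayed, "%m/%d/%Y %H:%M:%S")
    aware = naive.replace(tzinfo=from_tz)
    return aware.astimezone(to_tz).strftime("%Y-%m-%d_%H:%M:%S")


def auth_key(q1_key, q2_answer, q3_answer, q4_key):
    """Auth Key = lowercase(MD5(Key of Q1 + Answer of Q2 + Answer of Q3 + Key of Q4)).

    Returns (hex digest, concatenated material) so the material can be checked
    against the string shown in the writeup before trusting the hash."""
    material = q1_key + q2_answer + q3_answer + q4_key
    digest = hashlib.md5(material.encode("utf-8")).hexdigest().lower()
    return digest, material


if __name__ == "__main__":
    q3 = to_challenge_time(VISITED_DISPLAYED, ANALYSIS_HOST_TZ, CHALLENGE_TZ)
    digest, material = auth_key(
        "what_the_he11_1s_keey",          # Key of Q1 (hosts file comment)
        r"c:\v196vv8\v1tvr0.exe",         # Answer of Q2 (keylogger path, lower case)
        q3,                               # Answer of Q3 (download time, UTC+9)
        "blackkey is a Good man",         # Key of Q4 (from the keylogger's log)
    )
    print(material)
    print(digest)
```

The raw string `r"..."` matters: a plain `"c:\v196vv8\v1tvr0.exe"` would turn `\v` into a vertical-tab character and silently change the hash.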