Suninatas Game 29


Game 29

This challenge is a forensic incident response scenario with four answers (Q1-Q4) and a final auth hash.

Given artifact:

$ file 'Windows7(SuNiNaTaS)'
Windows7(SuNiNaTaS): EGG archive data, version 1.0

EGG is an ALZip archive format. I extracted it in a Windows guest (Bandizip), then analyzed the VM artifacts from Linux.

Extracted files include:

  • Windows 7.vmdk (disk)
  • Windows 7-Snapshot2.vmem (memory)

Environment setup used

# mount Windows disk read-only
$ sudo guestmount -a "Windows 7.vmdk" -m /dev/sda1 --ro /mnt/win

# memory analysis
$ vol -f 'Windows 7-Snapshot2.vmem' -s ./volsym windows.pslist
$ vol -f 'Windows 7-Snapshot2.vmem' -s ./volsym windows.cmdline

Q1: Fix broken www.naver.com and recover key

The hosts file had been tampered with:

$ cat /mnt/win/Windows/System32/drivers/etc/hosts
...
121.189.57.82 naver.com
121.189.57.82 www.naver.com
...
# C0ngr4tur4ti0ns!! This is a Keeeeeeeeeeey : what_the_he11_1s_keey

Q1 key:

what_the_he11_1s_keey

Q2: Installed keylogger location + filename (lowercase)

From the memory process list and command lines:

$ vol -f 'Windows 7-Snapshot2.vmem' -s ./volsym windows.pslist
...
1556 1344 v1tvr0.exe ...
1564 1344 notepad.exe ...
...

$ vol -f 'Windows 7-Snapshot2.vmem' -s ./volsym windows.cmdline
...
1556 v1tvr0.exe "C:\v196vv8\v1tvr0.exe"
...

Q2 answer:

c:\v196vv8\v1tvr0.exe

Q3: Download time of keylogger

I first checked filesystem/MFT timestamps, but they are not the best source for the download time:

$ stat /mnt/win/v196vv8/v1tvr0.exe
# shows access/modify/change, no reliable creation/birth here

$ vol -f 'Windows 7-Snapshot2.vmem' -s ./volsym windows.mftscan.MFTScan | grep -i v1tvr0.exe
# MFT timestamps found, but still not direct browser download evidence

Better evidence: Internet Explorer history (index.dat).

$ find /mnt/win -name 'index.dat' -exec strings -f {} \; | grep -i 'spy-2010-keylogger-surveillance-spy-3.exe'
./Users/training/AppData/Local/Microsoft/Windows/History/History.IE5/index.dat: Visited: training@http://192.168.163.1/files/pc-spy-2010-keylogger-surveillance-spy-3.exe

$ pasco index.dat | grep -i exe
URL Visited: training@http://192.168.163.1/files/pc-spy-2010-keylogger-surveillance-spy-3.exe 05/24/2016 03:25:06

The challenge wants the format yyyy-mm-dd_hh:mm:ss. pasco printed the timestamp in the analysis machine's timezone (UTC+8), while the challenge expects UTC+9, so one hour is added:

2016-05-24_04:25:06

Q4: What did the keylogger capture?

Recovered log snippet (z1.dat):

4:37:57  How did you know pAsS\orD? Wow... Kee22 ls "blackkey is a Good man"

Q4 key:

blackkey is a Good man

Final Auth Key

Rule:

lowercase(md5(Q1_key + Q2_answer + Q3_answer + Q4_key))

Concatenation:

what_the_he11_1s_keyc:\v196vv8\v1tvr0.exe2016-05-24_04:25:06blackkey is a Good man

Result:

970f891e3667fce147b222cc9a8699d4
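The Q3 timezone shift and the final auth-key rule, as an added Python example that is not part of the original writeup: it parses the pasco line quoted above (embedded here as a constructed copy), moves the timestamp from the UTC+8 analysis zone to the UTC+9 challenge zone, and hashes the four answers in order. The only assumption is that pasco's last two fields are the visit date and time, as in the line shown.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed copy of the pasco output line quoted in the writeup.
PASCO_LINE = ("URL Visited: training@http://192.168.163.1/files/"
              "pc-spy-2010-keylogger-surveillance-spy-3.exe 05/24/2016 03:25:06")

ANALYSIS_TZ = timezone(timedelta(hours=8))   # zone of the machine pasco ran on
CHALLENGE_TZ = timezone(timedelta(hours=9))  # zone the challenge expects


def parse_pasco_visit(line: str, tz: timezone = ANALYSIS_TZ) -> tuple[str, datetime]:
    """Split a pasco 'URL Visited:' line into (url, timezone-aware datetime).

    Assumes pasco's layout: the URL is followed by 'MM/DD/YYYY HH:MM:SS',
    so the last two whitespace-separated fields are the date and time.
    """
    parts = line.split()
    stamp = datetime.strptime(parts[-2] + " " + parts[-1], "%m/%d/%Y %H:%M:%S")
    return parts[-3], stamp.replace(tzinfo=tz)


def to_challenge_format(when: datetime, tz: timezone = CHALLENGE_TZ) -> str:
    """Re-express an aware datetime in the target zone as yyyy-mm-dd_hh:mm:ss."""
    return when.astimezone(tz).strftime("%Y-%m-%d_%H:%M:%S")


def auth_key(q1: str, q2: str, q3: str, q4: str) -> str:
    """lowercase(md5(Q1 + Q2 + Q3 + Q4)), concatenated with no separators."""
    concat = q1 + q2 + q3 + q4
    return hashlib.md5(concat.encode("utf-8")).hexdigest().lower()


def solve() -> dict:
    """Assemble the four answers the way the challenge's final rule requires."""
    url, visited = parse_pasco_visit(PASCO_LINE)
    q1 = "what_the_he11_1s_keey"
    q2 = r"c:\v196vv8\v1tvr0.exe"   # raw string: '\v' must stay a literal backslash-v
    q3 = to_challenge_format(visited)
    q4 = "blackkey is a Good man"
    return {"url": url, "q3": q3, "concat": q1 + q2 + q3 + q4,
            "auth": auth_key(q1, q2, q3, q4)}


if __name__ == "__main__":
    for name, value in solve().items():
        print(f"{name}: {value}")
```

Compare the printed auth value with the result above; any mismatch almost always means a stray separator or the wrong timezone in Q3.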