| CTF | CyberCon Preliminaries 2022 |
|---|---|
| Date | 24th-25th September, 2022 |
| Platform | CyberSpace CTFRoom |
Browser & Blockchain Forensics
~Author: OSTE
In this investigation, you will be analyzing data retrieved from web browsers to determine how a malware infection began. An employee has visited a malicious site and downloaded a malicious program to their system, which began compromising system security by disabling security features. This ations were captured by the SOC team. They We are unsure of the variant of malware that has hit the organization, but it spread to 4 other systems before we were able to contain it. We were able to acquire key browser files via BHC, we need your skills to analyze them and discover the malicious site that hosted the malware so we can take defensive measures and block it. We can also work with our threat intelligence team to inform other organizations about the malicious domain and IOCs you’ll discover. We have constructed a report, and need you to collect evidence to be able to answer the questions presented.
Challenge Creation.
I spin my windows forensics/test lab and browsed around to gather enough data for analysis later. I also intentionally visited a malicious live url to download a piece of malware for analysis later.
I then used a tool by Foxton Forensics called Browser History Capturer to easily capture web browser history from a Windows computer. The tool can be run from a USB dongle or via a Remote Desktop connection to capture history from Chrome, Edge, Firefox and Internet Explorer web browsers as shown in the screenshot below:
For analysis, i will be foussing on another awesome tool by Foxton, Browser History Examiner, to analyse and report internet history from the main desktop web browsers. It can assist in various digital investigations such as civil & criminal digital forensics cases, security incidents, human resources investigations and general employee activity reporting.
However, i should mention that this is a paid product but they allow you to download a free trial with no time limits, it includes all features but shows 25 records per data type.😫
All you need to do is load the history (artifacts we gathered using BHC as shown:
One its done processing , data will be sorted/categorized as shown in the highlighted pane on the left.
On the right, we have an advanced filtering option where you can find relevant data faster using a variety of filters such as keywords and date/time range.
At the bottom, we have the Website Activity Timeline which identifies peaks in internet activity using the interactive timeline.
Another great tool Foxton offers is Browser History Viewer, a forensic software tool for extracting and viewing internet history from the main desktop web browsers. Its more or less similar to BHE but with less funtionalities but display all records per data type as oppossed to BHE which displays 25 records
Load the captured artifacts as shown below:
One the history is loaded, you’ll get the following view.
The first active tab on the top left is the Web History and displays the URLs & Dates Visited, number of visits alongside the Web Browser used and the relevant profiles found. For this analysis, there are about 202 records found.
Moving on, we have the second tab, Cached Images which displays cache images , url loation they were fetched from and dates alongside the Web Browser(Profile) info.
Challenge Questions
1. Users in the organization are encouraged not to save passwords on their browsers. However the user has a common email address and password used on several platforms. With that in mind, the user created a pastebin and locked the paste. Can you retrieve the contents of the paste?
Applying pastebin as our filter, we get a link to the paste created, https://pastebin.com/3i48shgE . However, its password protected.
Inspecting the form history data we get the password used : jstar1337
Visiting the link we found earlier and try use the password retrieved, we get the flag:
Flag ccke{11221e90758526cf7249771fee28ab54}
2. The company has a policy against employees visiting social media on corporate devices. What sites has the employee visited, listed alphabetically?
A couple of friends DM’d me in regard to this question to enquire if some platforms like exploit.in , hackforums.net , 4chan, evilzone.org are social media sites. Unfortunately, this are forumns 😢. Social media sites present on the artifacts were:
ccke{reddit, twitter}
3. Between 09/14/2022 12:59:23 - 09/14/2022 13:04:15 , the user visited a malicious site and downloaded the executable attached. Provide the full URL visited by the user and determine the common name of the malware (Google is your friend).
Looking at the downloaded artifacts, with the given time range, we get a hit to http://185.215.113.66/tpeinf.exe. ( first part of the flag)
Since you are provided for with the suspicious executable, we can confirm if the file is indeed an executable by running file command.
We can also confirm the HEX Magic Bytes by using the xxd command as shown below. We can also get the hash values of the executable so that we can use to find relevant info from public threat feeds and databases.
The next series of steps you’d have taken was perform some Crowdsourced intelligence. Starting with VirusTotal we get hits to a malware called Phorpiex.
Other sources:
Phorpiex is a worm which spreads via removable drives and network drives. Some Phorpiex variants will also download additional malware such as cryptominer and execute them. Its an old threat known for its sextortion spam campaigns, crypto-jacking, cryptocurrency clipping and ransomware spread
If you wanna read more about the same, i’d suggest you read the following:
- Microsoft 365 Defender Threat Intelligence Team. (2021, May 21). Phorpiex morphs: How a longstanding botnet persists and thrives in the current threat environment. Microsoft Security Blog
- Phorpiex botnet is back with a new Twizt: Hijacking hundreds of crypto transactions. (2021, December 27). Check Point Research
- Phorpiex botnet returns with new tricks making it harder to disrupt. (2021, December 16). BleepingComputer
ANSWER: ccke{http://185.215.113.66/tpeinf.exe,Phorpiex}
4. By performing some static analysis on the binary provided, there are several crypto wallets hard coded in it. With some OSINT , we suspect one of the Ethereum Wallets might be linked to some Nigerian Scammer. Can you find his twitter handle and the the transaction hash for the last transation he conduted on (Aug 27, 2022 7:14 PM UTC)
Running strings on the malicious binary, we find a ton on crypto wallets.
However, Doing some OSINT/Blockchain forensics (i dunno) we come across a twitter post , where a user @Wale57195907 has made a comment in some ETH related tweet.
0xb899fC445a1b61Cdd62266795193203aa72351fE
With that in mind, we can use a platform like Blockchair to look into basically any kind of crypto addresses.
Looking at the transaction conducted on the specified date, (Aug 27, 2022 7:14 PM UTC), we get the transaction hash 0x9c3e5e624bb8d086826083cee567bdc08be71898e66546f1fc7d6e85e268c584
BTW Blockchair is the first blockchain explorer which incorporates a multitude of different blockchains into one search engine. Super awesome stuff!
We can also use Etherscan’s site to get the same info.
Flag ccke{@Wale57195907,0x9c3e5e624bb8d086826083cee567bdc08be71898e66546f1fc7d6e85e268c584}
5. What was the C2 Server’s callback URL?
Scrolling further on the strings, we get some potential C2 callback URL’s
Flag: ccke{http://185.215.113.66/twizt/}
Easy Peasy, huh 😅