Hi, I'm glad to share my writeup for solving 3 of the 4 DFIR challenges in IEEE (Mansoura Student Branch) VICTORIS 4.0, authored by EGCERT.
You can also read this writeup on my GitBook account.
After extracting the downloadable image, I got lucky, to be honest: my AVG antivirus caught 2 exe files as malicious, system_patch.exe and notepad++.exe.
Thanks to AVG, this helped a lot: without digging through or investigating every file and directory, we only needed to investigate these 2 malicious file paths, so let's go.
The first file worth investigating is system_patch.exe in the C:\ProgramData\sysbackup\ directory:
By reading the PowerShell file "watchdog.ps1", we can understand that the script backs up the real notepad++.exe, drops a fake executable (system_patch.exe) in its place, and then runs an endless watchdog loop that checks every 10 seconds. If the target file is changed back to the original or to anything else, the script copies the fake back, effectively forcing the fake binary to stay in place.
At the top it tries to add Windows Defender exclusions for the backup folder, notepad++.exe, and the fake process, so that the antivirus might ignore those files.
A quick look at system_patch.exe with the ever-useful "strings" tool, or a read of the file's hex data, reveals the hidden flag.
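A small reimplementation of that `strings` triage step in Python, added here as an example rather than taken from the challenge binary or the original writeup. It scans a blob for both ASCII and UTF-16LE runs (Windows executables keep much of their text as wide strings, which a plain ASCII `strings` pass misses and GNU `strings -el` is needed for) and then searches every extracted string for a flag-shaped token. The sample blob and the `FLAG{...}` format are constructed assumptions, not the challenge's real flag:

```python
import re

# Constructed sample: a fake PE-like blob with an ASCII DOS-stub message and a
# UTF-16LE "flag" string. Not the challenge binary; the flag format is assumed.
SAMPLE = (
    b"MZ\x90\x00\x03\x00" + b"\x00" * 8
    + b"This program cannot be run in DOS mode" + b"\x00" * 4
    + "FLAG{resident_in_utf16}".encode("utf-16-le")
    + b"\xff\x01\x02"
)


def extract_strings(blob, min_len=4):
    """Return (offset, encoding, text) tuples for printable runs of at least
    min_len characters, both ASCII (like `strings`) and UTF-16LE (like
    `strings -el`). An ASCII-only pass sees a wide string as isolated
    single characters separated by NUL bytes and drops it."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_flags(blob, pattern=r"[A-Za-z0-9_]+\{[^}]+\}"):
    """Scan every extracted string for a flag-shaped token (PREFIX{...}).
    The default pattern is an assumption; adjust it to the contest's format."""
    rx = re.compile(pattern)
    return [(off, enc, hit.group())
            for off, enc, text in extract_strings(blob)
            for hit in rx.finditer(text)]


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, enc, text in find_flags(data):
        print(f"0x{off:08x} {enc:8s} {text}")
```

Run it as `python3 find_flag.py system_patch.exe` to scan a real file; with no argument it scans the constructed sample, where the flag is only recoverable through the UTF-16LE pass.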
After extracting the log files, we can see there are 3 log files covering 3 consecutive days.
Since the question asks for the last web shell the attacker used, that web shell was certainly uploaded to the server, so we are looking for a POST request on the last day (25-02-2022).
Viewing all POST requests from bottom to top to get the last one:
We can see an .aspx file was uploaded to the /UploadedFiles/Gallery/ web directory, full path https://victim.com/UploadFiles/Gallery/48339184-4185-4891-8369-0e1bfba1c12c1337.aspx
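The log-review step above, as an added Python example (not the author's tooling and not the challenge's real logs): it parses IIS W3C extended logs by their `#Fields` header, merges the three daily files, sorts every POST by timestamp, and returns the chronologically last POST whose target is an `.aspx` resource. Sorting by timestamp instead of taking the bottom line of the newest file matters, because the last lines of a day's log are usually ordinary GET traffic and files are not always handed over in date order. The file names, addresses and the `constructed-shell-*.aspx` paths are invented sample data:

```python
from datetime import datetime

# Constructed IIS W3C logs for three consecutive days (not the challenge's real
# logs). The files are deliberately listed out of order and the last *line* of
# the newest file is a GET, not the POST we are after.
FIELDS = ("#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "c-ip cs(User-Agent) sc-status")
LOGS = {
    "u_ex220225.log": f"""#Software: Microsoft Internet Information Services 10.0
{FIELDS}
2022-02-25 09:12:01 10.0.0.5 GET /Gallery/Default.aspx - 443 203.0.113.7 Mozilla/5.0 200
2022-02-25 09:13:40 10.0.0.5 POST /Gallery/Upload.aspx - 443 203.0.113.7 Mozilla/5.0 302
2022-02-25 09:14:02 10.0.0.5 POST /UploadFiles/Gallery/constructed-shell-last.aspx cmd=whoami 443 203.0.113.7 Mozilla/5.0 200
2022-02-25 11:30:55 10.0.0.5 GET /images/logo.png - 443 198.51.100.9 Mozilla/5.0 200
""",
    "u_ex220223.log": f"""{FIELDS}
2022-02-23 14:02:11 10.0.0.5 GET /Default.aspx - 443 198.51.100.9 Mozilla/5.0 200
2022-02-23 14:05:37 10.0.0.5 POST /Gallery/Upload.aspx - 443 203.0.113.7 Mozilla/5.0 302
""",
    "u_ex220224.log": f"""{FIELDS}
2022-02-24 08:41:09 10.0.0.5 POST /UploadFiles/Gallery/constructed-shell-old.aspx cmd=dir 443 203.0.113.7 Mozilla/5.0 200
2022-02-24 17:59:58 10.0.0.5 GET /Gallery/Default.aspx - 443 198.51.100.9 Mozilla/5.0 200
""",
}


def parse_iis_log(text):
    """Parse W3C extended log text into row dicts keyed by the #Fields names.
    The #Fields line is honoured wherever it appears, so a file whose field
    list changes part-way through (IIS restart, config change) still parses."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            parts = line.split()
            if len(parts) == len(fields):      # skip torn or truncated lines
                rows.append(dict(zip(fields, parts)))
    return rows


def _when(row):
    return datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")


def post_requests(logs):
    """Every POST across all files, in true chronological order (sorted by
    timestamp rather than trusting file order or line order)."""
    rows = [r for text in logs.values() for r in parse_iis_log(text)]
    return sorted((r for r in rows if r.get("cs-method") == "POST"), key=_when)


def last_webshell_post(logs, ext=".aspx"):
    """The chronologically last POST aimed at a server-side script: the
    candidate for 'the last web shell the attacker used'."""
    hits = [r for r in post_requests(logs) if r["cs-uri-stem"].lower().endswith(ext)]
    return hits[-1] if hits else None


if __name__ == "__main__":
    for r in post_requests(LOGS):
        print(r["date"], r["time"], r["c-ip"], r["cs-uri-stem"], r["cs-uri-query"])
    print("last web shell:", last_webshell_post(LOGS)["cs-uri-stem"])
```

Pointing `LOGS` at the real files (`{name: open(path).read() for ...}`) is all that changes for a live case; the `cs-uri-query` column is worth keeping in the listing, since web-shell command parameters often show up there.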
Investigating the disk image, we can see there are deleted files in the Recycle Bin (an unrecoverable zip file, and a text file with the path shown below).
The Downloads directory is not found directly, so we need to investigate the $MFT file with MFTExplorer. We can find 14 text files; ordering them by last-modified time, we can see the txt file we want, ceo info.txt.
We can view the file data directly, as it is stored as resident data inside the MFT record,
or convert the resident data section from hex using CyberChef.
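What MFTExplorer and CyberChef do here can be reproduced directly. The Python below is an added example (not the tools' own code and not a record from the challenge image): it parses a raw NTFS FILE record, applies the update-sequence fixups, reads the file name and modified timestamp from `$FILE_NAME`, and returns the content of a resident `$DATA` attribute. The `build_record` helper fabricates a record for the `ceo info.txt` case so the example runs offline; its timestamps and content are constructed. The modified time is taken from `$FILE_NAME` because `$STANDARD_INFORMATION` timestamps can be set by any process (timestomping), while the `$FILE_NAME` copies are maintained by the file system itself:

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def apply_fixups(record, sector_size=512):
    """Undo NTFS update-sequence fixups. On disk the last two bytes of every
    sector of a FILE record are overwritten with the update sequence number;
    the originals live in the update sequence array. Skipping this corrupts
    two bytes of any attribute that straddles a sector boundary."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_off:usa_off + 2]
    out = bytearray(record)
    for i in range(1, usa_count):
        end = i * sector_size
        if out[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1} (torn write?)")
        out[end - 2:end] = record[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)


def parse_mft_record(raw):
    """Return in-use flag, name, $FILE_NAME modified time and resident $DATA."""
    rec = apply_fixups(raw)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & 1), "name": None, "modified": None,
            "data_resident": None, "data": None}
    off = first_attr
    while off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident = rec[off + 8]
        if not non_resident:                  # resident: content is in-record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
        if atype == ATTR_FILE_NAME and not non_resident:
            # namespace 2 is the DOS 8.3 name; prefer the Win32/POSIX entry
            if info["name"] is None or body[0x41] != 2:
                nlen = body[0x40]
                info["name"] = body[0x42:0x42 + 2 * nlen].decode("utf-16-le")
                info["modified"] = filetime_to_datetime(struct.unpack_from("<Q", body, 0x10)[0])
        elif atype == ATTR_DATA:
            info["data_resident"] = not non_resident
            if not non_resident:
                info["data"] = body           # small files live right in the MFT
        off += alen
    return info


def build_record(name, data, mtime_ft, usn=b"\x07\x00"):
    """Constructed 1024-byte FILE record with resident $FILE_NAME and $DATA,
    with fixups applied the way NTFS writes them. Test fixture only."""
    def attr(atype, body, aid):
        total = (0x18 + len(body) + 7) & ~7   # attributes are 8-byte aligned
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, aid,
                          len(body), 0x18, 0, 0)
        return hdr + body + b"\x00" * (total - 0x18 - len(body))
    fn = struct.pack("<QQQQQQQIIBB", 5, mtime_ft, mtime_ft, mtime_ft, mtime_ft,
                     len(data), len(data), 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                      0, 1024, 0, 3, 0, 0)
    body = (hdr + b"\x00" * 8 + attr(ATTR_FILE_NAME, fn, 1)
            + attr(ATTR_DATA, data, 2) + struct.pack("<II", ATTR_END, 0))
    rec = bytearray(body.ljust(1024, b"\x00"))
    struct.pack_into("<I", rec, 0x18, len(body))
    rec[0x30:0x32] = usn
    for i in (1, 2):                          # stash originals, stamp the USN
        end = i * 512
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


if __name__ == "__main__":
    sample = build_record("ceo info.txt", b"constructed resident content", 132000000000000000)
    print(parse_mft_record(sample))
```

To use it on an extracted `$MFT`, read the file in 1024-byte slices and feed each slice that starts with `FILE` to `parse_mft_record`; sorting the results by `modified` gives the same ordering the writeup used in MFTExplorer, and `data` is the text that CyberChef decoded from the hex dump.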
Congrats to all teams! Our team Blue0ps secured 5th place in the competition. We may have missed the podium, but we're motivated to push even higher next time.