Scenario :
One of our employees attempted to install a Python package, and shortly afterward, someone logged into his work account. He doesn’t know how it happened and needs your help as a forensics investigator to determine what occurred.
File Location:
C:\Users\LetsDefend\Desktop\ChallengeFile\MalPy.zip
Category : Endpoint Forensics
Level : Hard
Q1-The attacker downloaded a malicious package. What is the full URL?
Let's check the web browser download history:
Google Chrome:
- File path:
C:\Users\<User>\AppData\Local\Google\Chrome\User Data\Default\History
- You can extract download history using SQLite from this file.
Mozilla Firefox:
- File path:
C:\Users\<User>\AppData\Roaming\Mozilla\Firefox\Profiles\<Profile>\places.sqlite
- The download history is stored in places.sqlite, which can be opened using an SQLite viewer.
Microsoft Edge:
- File path:
C:\Users\<User>\AppData\Local\Microsoft\Edge\User Data\Default\History
So let's check the Chrome download history:
- Go to
C:\Users\<User>\AppData\Local\Microsoft\Edge\User Data\Default\History
- Open this file using an SQLite viewer :
- Now go to Browse Data > urls, and you will get the answer :
The Answer : https://github.com/0xMM0X/peloton
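The SQLite extraction mentioned above, as an added example that is not part of the original write-up: it copies a Chrome/Edge History database (the live file is locked by the browser), pulls every download with its requested URL and saved path, and converts the WebKit timestamps (microseconds since 1601-01-01 UTC) into readable UTC times. The sample database in demo() is constructed here with only the columns the query uses; the saved path is a placeholder.

```python
import shutil
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Chrome/Edge store times as microseconds since 1601-01-01 UTC (WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def webkit_to_utc(value: int) -> str:
    """Convert a WebKit timestamp to 'YYYY-MM-DD HH:MM:SS' in UTC."""
    return (WEBKIT_EPOCH + timedelta(microseconds=value)).strftime("%Y-%m-%d %H:%M:%S")


def utc_to_webkit(dt: datetime) -> int:
    """Inverse of webkit_to_utc; used only to build the constructed sample below."""
    return int((dt - WEBKIT_EPOCH).total_seconds() * 1_000_000)


def list_downloads(history_path: str) -> list[dict]:
    """Return id, requested URL, saved path and UTC start time for each download.
    The browser holds a lock on the live History file, so always query a copy."""
    copy = Path(tempfile.mkdtemp()) / "History.copy"
    shutil.copy2(history_path, copy)
    con = sqlite3.connect(copy.as_uri() + "?mode=ro", uri=True)  # read-only
    try:
        # downloads_url_chains holds the redirect chain; index 0 is the URL the user requested.
        rows = con.execute(
            "SELECT d.id, c.url, d.target_path, d.start_time "
            "FROM downloads d JOIN downloads_url_chains c ON c.id = d.id "
            "WHERE c.chain_index = 0 ORDER BY d.start_time"
        ).fetchall()
    finally:
        con.close()
    return [{"id": i, "url": u, "path": p, "start_utc": webkit_to_utc(t)} for i, u, p, t in rows]


def demo() -> list[dict]:
    """Build a constructed History DB (only the columns queried above) and parse it."""
    path = str(Path(tempfile.mkdtemp()) / "History")
    con = sqlite3.connect(path)
    con.executescript(
        "CREATE TABLE downloads(id INTEGER PRIMARY KEY, target_path TEXT, start_time INTEGER);"
        "CREATE TABLE downloads_url_chains(id INTEGER, chain_index INTEGER, url TEXT);"
    )
    start = utc_to_webkit(datetime(2024, 1, 22, 20, 0, 11, tzinfo=timezone.utc))
    con.execute("INSERT INTO downloads VALUES (1, ?, ?)", (r"C:\Users\<User>\Downloads\peloton.zip", start))
    con.execute("INSERT INTO downloads_url_chains VALUES (1, 0, 'https://github.com/0xMM0X/peloton')")
    con.commit()
    con.close()
    return list_downloads(path)
```

Point list_downloads() at the copied History file from the challenge to get the same URL/time listing the SQLite viewer shows.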
Q2-What is the name and version of the downloaded package?
Answer Format: package-name111:0.0.01
- Now go to the malicious package link above and open PKG-INFO :
The Answer : peloton-client123:0.8.10
Q3-What is the exact time that this package was downloaded?
- Now let's parse the $MFT using a tool like MFTECmd (from Eric Zimmerman's suite).
The $MFT (Master File Table) is a key component of the NTFS (New Technology File System) used by Windows operating systems. It functions as a detailed index of all files and directories stored on an NTFS-formatted volume. Each file, directory, or metadata object on an NTFS file system has a corresponding record in the $MFT, which stores critical information about the object, such as:
- File name and attributes (e.g., timestamps, permissions)
- Location of file data on the disk
- Size of the file
- File system flags (such as whether it's a system or hidden file)
- Metadata associated with the file (e.g., alternate data streams)
- Now open the CSV file using a tool like Timeline Explorer and search for the package name :
The Answer : 2024-01-22 20:00:11
Q4-What file in the package contains malicious code?
- From the GitHub repository in Q1 :
The Answer : setup.py
Q5-What was the name of the archive file created for exfiltration and then deleted?
- Now let's parse the journal files using a tool like MFTECmd.exe.
Journal files (or file system journals) are logs maintained by modern file systems to track changes made to the files on the disk. They serve as a record of file system activity, allowing recovery after a crash or failure by replaying logged changes. These logs are crucial for maintaining file system integrity and are often used in forensic investigations to understand file system behavior.
- Now open the file using Timeline Explorer :
The Answer : temp_file.zip
Q6-When did the zip file get deleted?
- An easy one: just search for the zip file name in the CSV file :
The Answer : 2024-01-22 20:00:42
Q7-What exactly did the attacker steal from the victim’s machine? (Name of the file)
- Now let's deobfuscate the malicious file using CyberChef.
The Answer : Login Data
Q8-The stolen file contains some sensitive data. What is the full URL of the website and the victim’s username?
- Now we need to analyze the "Login Data" file that the attacker stole.
The Login Data file in Google Chrome stores user credentials (such as usernames and passwords) for websites where the user has opted to save login information. This file is part of Chrome's autofill feature and is stored in an SQLite database format.
- You can find this file at this location :
C:\Users\<YourUsername>\AppData\Local\Google\Chrome\User Data\Default\Login Data
The Answer : https://app.letsdefend.io/_all4m
Q9-What is the IP and PORT number of the attacker C2?
First Method :
From Q7, after deobfuscating the code :
Second Method :
Upload the malicious code to VirusTotal for dynamic analysis :
The Answer : 172.31.78.151:8000
The END
BY : Ahmed Nasser