
Scenario – Desi Sukana is an aspiring DFIR Analyst. These are professionals who gather and investigate vast amounts of data to fill in gaps in information about cyber attacks. He garnered this interest after witnessing his father pass in a tragic accident. His father, Drake Sukana, fell victim to a data breach that compromised his personal information, including salary, location, marital status, etc. The attacker used that information to send robbers to his domicile in the United States. He faithfully defended his household but could not survive the injuries. After the funeral, Mrs. Sukana (Desi's mom) took him and moved to Sydney, Australia — her home country. Fueled by the passing of his father and the strange new environment, Desi rigorously pushed through his college classes and independent studies, not only to gain the skills needed to solve his father's murder but also to find gainful employment. Mr. Sukana was the breadwinner in the family while Mrs. Sukana was the housewife. The life insurance payout from his death allowed Desi and his mother to live for 4 years without a job — that same payout ends in two months. Mrs. Sukana has no employable skills in the market to afford the high rent in Bellevue Hill. She is placing her bets on Desi to land a job within the cybersecurity field – specifically DFIR. Desi currently holds a Bachelor of Science in Computer Forensics, GHFI, and GCFA. He runs a DFIR Discord and Podcast, and hosts CTFs. Despite this killer portfolio, he is struggling to break into the field of cybersecurity as a recent grad. He still deals with depression from his father's passing 4 years ago. He has two service dogs called Moxie (a human lover) and Waffle (a wild barker) for support. On his recent dog walk, he met the opportunity of a lifetime. He met Kurt Hansen in a local dog park. Kurt is the CEO of Tesserent, Australia's largest listed cybersecurity company. Moxie and Waffle were doing a canine freestyle that gathered a public crowd — especially Kurt.
Desi, knowing his status within the country, used the opportunity to sell himself and explain his interest in DFIR. Kurt was impressed with his background and passed his information along to his cybersecurity department. A week later, Desi had an interview with the DFIR team at Tesserent. It went extremely well. He made it to the final stages after some behavioral assessments and an introduction call with the team. His final round consisted of an Online Assessment (OA). He has been provided with the KAPE output and a memory dump of an infected Windows machine. Some extra context was provided in the OA, like the email conversation with the victim and a malware report. If Desi passes this OA, he will be offered a DFIR Analyst role with a starting salary of $120,000. This will allow him to afford rent in Bellevue Hill, get more treatment for his depression, and take care of his mother. Will he pass the 19-question OA? It is up to you. You have 24 hours, Desi. Good luck!
- [ ] Q1) What is the SHA256 hash value for the malware file? (Format: SHA256) (1 point)
  - Answer: a879d2c1608c4b5cf801c2ab49b54b4139aa13f636fc6495fcaf940591713905
  - Note: gathered from the malware report PDF file.
- [ ] Q2) What is the file size of the malware in bytes? (Format: XXXXXX) (1 point)
  - Answer: 445485
  - Note: from the Cisco Talos report used in the next question.
- [ ] Q3) Utilizing Cisco Talos, what is the "Cisco Secure Endpoint Detection Name" for the given malware? (Format: Name) (1 point)
  - Answer: W32.Auto:a879d2.in03.Talos
  - Note: from the Cisco Talos report.
- [ ] Q4) Utilizing Cisco Talos, what is the file reputation of the given malware? (Format: String) (1 point)
  - Answer: Malicious
  - Note: from the Cisco Talos report.
- [ ] Q5) With Windows Defender enabled, launch the malware. What is the name of the threat according to Microsoft Defender Antivirus? (Format: Name) (1 point)
  - Answer: VirTool:Win32/PoshC2.G
  - Note: you can check whether Defender is running on your Windows device in the settings below, then just copy the result:
    1. Click the Start button, then type Windows Defender Security Center.
    2. Open Windows Defender Security Center, then select Virus & threat protection > Threat settings.
    3. Turn Real-time protection off/on.
- [ ] Q6) What scripting language is this C2 Framework primarily written in? (Format: Language) (1 point)
  - Answer: Python
  - Note: obtained by just googling "VirTool:Win32/PoshC2.G" and using the ATT&CK link!
- [ ] Q7) What was the sending email address in question? (Format: mailbox@domain.tld) (1 point)
  - Answer: secretsociety2023@protonmail.com
  - Note: obtained from the email TurnOffAV&Run.eml.
- [ ] Q8) What is the email subject name? (Format: Subject) (1 point)
  - Answer: TurnOffAV&Run
  - Note: obtained from the email TurnOffAV&Run.eml.
- [ ] Q9) Utilize CyberChef. After uploading the Base64 contents of the email into CyberChef, what is the defanged output of the href? (Format: hxxps[://]domain[.]tld/) (1 point)
  - Answer: hxxps[://]proton[.]me/
  - Note: just follow the steps, then look for 'href' and defang the URL.
- [ ] Q10) A memory dump is a snapshot of a computer's memory that contains data about any running processes at the time the capture was taken. What is the size, in GB, of the memory dump of the infected Windows machine? Round to the nearest hundredth. (Format: X.XX) (1 point)
  - Answer: 5.37
  - Note: it is from the 'VictimMemory.raw' file; just right-click it and open Properties.
- [ ] Q11) Utilize Volatility. Looking at the network connections of the memory dump, what is the ISP for the frequent foreign address ending in .181? (Format: ISP) (1 point)
  - Command run: `.\vol.exe -f ….\BTLO-Sukana\Investigation\VictimMemory.raw windows.netstat.NetStat`
  - Note: it worked in the walkthrough, but for some reason not when I tried. Nevertheless, once you run the command you will obtain the IP address, and then a quick Google search will give you the ISP.
- [ ] Q12) On the topic of Volatility, what kind of digital evidence does it analyze from computers? Keep in mind, this volatile memory is very common within computers. (Format: XXX) (1 point)
  - Answer: ram
  - Note: theory.
- [ ] Q13) Utilize Wireshark. What is the destination port for the Network IOC on the Intezer File Scan Report? (Format: Port) (1 point)
  - Answer: 443
  - Note: filter `ip.addr == 13.42.49.148` in Wireshark, then under TCP (layer 4) you can see the destination port number.
- [ ] Q14) According to the Intezer File Scan Report, what is the MITRE ID and severity for the first TTPs? (Format: TXXXX, Severity) (1 point)
  - Answer: T1055, HIGH
  - Note: combination of the PDF report and a Google search for the 'module path + TTP technique'.
- [ ] Q15) Utilize Timeline Explorer. Let us look at the related sample CSV file we got from Intezer. This is an additional file sample known to be related to the main sample. When was this Generic Malware first seen? (Format: XXX, XX Month YYYY HH:MM:SS XXX) (1 point)
  - Answer: Fri, 08 May 2020 02:39:58 GMT
  - Note: just follow the steps.
- [ ] Q16) Using VirusTotal, the malware is clearly related to the Trojan family. An adversary may rely upon a user opening this malicious file in order to gain execution. What is the MITRE ID that corresponds to this tactic? (Format: TXXXX.xxx) (2 points)
  - Answer: T1204.002
  - Note: just copy and paste 'An adversary may rely upon a user opening this malicious file in order to gain execution' into Google.
- [ ] Q17) Utilize Timeline Explorer (TE). After using MFTECmd, the command line MFT parser, to upload the CSV $MFT in TE, locate the FileName (FN) (0x10) creation timestamp for the malware file. (Format: YYYY-MM-DD HH:MM:SS) (2 points)
  - Answer: 2023-01-31 09:33:41
  - Command run: `.\MFTECmd.exe -f 'C:\Users\BTLOTest\Desktop\BTLO-Sukana\Investigation\C\$MFT' --csv C:\Users\BTLOTest\Desktop`
  - Note: after this, just find 'scanner.exe' inside the CSV file.
- [ ] Q18) $Boot. As easily guessed, this file is related to the booting process and contains the NTFS boot sector. Utilizing the same process above, find the cluster size. (Format: XXXX) (2 points)
  - Answer: 4096
  - Command run: `.\MFTECmd.exe -f 'C:\Users\BTLOTest\Desktop\BTLO-Sukana\Investigation\C\$Boot' --csv C:\Users\BTLOTest\Desktop`
  - Note: the answer shows on the PowerShell screen, but a CSV file was also generated.
- [ ] Q19) With the last answer in mind, we can tell the victim's drive is quite large. If this was a legacy system, what sector size, in bytes, would be required to boot the system? (Format: XXX) (2 points)
  - Answer: 512
  - Note: just google 'what was the sector size in legacy systems'.
- [ ] Q20) Utilize Autopsy. We are going to examine another memory dump provided by Sam Bowne, an instructor at City College San Francisco. This will give us more practice with the tool. What is Waldo's password? (Format: Password) (2 points)
  - Answer: Apples123
  - Note: follow the instructions, then in the console:
    1. From the Autopsy menu bar, click Tools, Plugins. Click the Installed tab.
    2. Check the box next to "Experimental", as shown below. Click the Activate button. Click the Activate button. Click the Finish button. In the Plugins window, click the Close button.
    3. From the Autopsy menu bar, click Case, "New Case". Enter a case name of memory, click Next, click Finish.
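The email steps in Q7 to Q9 (sender, subject, then Base64-decoding the body and defanging the href) done in code rather than in CyberChef. This is an added example, not part of the walkthrough or the lab files: `SAMPLE_EML` is a constructed message with placeholder addresses and a placeholder link (`example.net`, `example.com`), not the real TurnOffAV&Run.eml, and the `defang` helper reproduces the hxxps[://]domain[.]tld/ style the question asks for.

```python
"""Parse a .eml whose body is a Base64 MIME part: record sender and subject,
decode the body, and defang every href. Added example; SAMPLE_EML is constructed."""
import base64
import email
import re
from email import policy
from typing import Dict, List

_BODY_HTML = (
    '<html><body><p>Please turn off your AV and run the attachment.</p>'
    '<a href="https://example.com/login">Open mailbox</a></body></html>'
)

# Constructed message: a base64 Content-Transfer-Encoding part, line-wrapped
# at 76 characters the way a mail client emits it (placeholder domains only).
SAMPLE_EML = (
    "From: sender@example.net\n"
    "To: victim@example.org\n"
    "Subject: TurnOffAV&Run\n"
    "MIME-Version: 1.0\n"
    "Content-Type: text/html; charset=utf-8\n"
    "Content-Transfer-Encoding: base64\n"
    "\n"
    + base64.encodebytes(_BODY_HTML.encode("utf-8")).decode("ascii")
)

HREF_RE = re.compile(r'href\s*=\s*["\']([^"\']+)["\']', re.IGNORECASE)


def decode_base64_body(b64_text: str) -> str:
    """The manual route (CyberChef 'From Base64'): strip the MIME line breaks, decode."""
    raw = base64.b64decode("".join(b64_text.split()), validate=True)
    return raw.decode("utf-8", "replace")


def defang(url: str) -> str:
    """hxxps[://]domain[.]tld/ form, like CyberChef's 'Defang URL': scheme and every dot."""
    scheme_fixed = re.sub(r"^http(s?)://", r"hxxp\1[://]", url, flags=re.IGNORECASE)
    return scheme_fixed.replace(".", "[.]")


def extract_hrefs(html: str) -> List[str]:
    """Every href value in document order (a regex is enough for a flat phishing body)."""
    return HREF_RE.findall(html)


def parse_eml(raw: str) -> Dict[str, object]:
    """Headers an analyst records first, plus the links from the decoded body, defanged."""
    msg = email.message_from_string(raw, policy=policy.default)
    payload = msg.get_payload(decode=True)  # undoes the base64 transfer encoding
    body = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    return {
        "from": str(msg["From"]),
        "subject": str(msg["Subject"]),
        "hrefs": [defang(h) for h in extract_hrefs(body)],
    }


if __name__ == "__main__":
    print(parse_eml(SAMPLE_EML))
```

`parse_eml` lets the `email` module undo the transfer encoding; `decode_base64_body` shows the same step by hand for when only the pasted Base64 blob is available, as in the Q9 CyberChef workflow.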
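The triage behind Q11, the Volatility `windows.netstat.NetStat` step, as an added example rather than anything from the walkthrough: parse the plugin's table, drop peers in non-routable space, and rank the remaining foreign addresses so the "frequent foreign address ending in .181" falls out, then pivot to the owning process. `SAMPLE_NETSTAT` is constructed in the column layout of the Volatility 3 plugin (an assumption about the exact header names); the addresses are documentation ranges and the scanner.exe association is invented for the sample, not the lab's real indicators. The ISP lookup itself is an online WHOIS/search step and is not reproduced here.

```python
"""Rank foreign addresses in Volatility 3 netstat output. Added example;
SAMPLE_NETSTAT is constructed (documentation-range IPs, made-up offsets/PIDs)."""
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Constructed table in the shape of `vol.py -f mem.raw windows.netstat.NetStat`
# (tab-separated; header names assumed to match the plugin's).
SAMPLE_NETSTAT = """\
Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated
0xc00a1b2c3d40\tTCPv4\t10.0.2.15\t49731\t203.0.113.181\t443\tESTABLISHED\t4512\tscanner.exe\t2023-01-31 09:35:02.000000
0xc00a1b2c3e80\tTCPv4\t10.0.2.15\t49732\t203.0.113.181\t443\tESTABLISHED\t4512\tscanner.exe\t2023-01-31 09:35:07.000000
0xc00a1b2c3fc0\tTCPv4\t10.0.2.15\t49733\t198.51.100.7\t80\tCLOSE_WAIT\t1288\tsvchost.exe\t2023-01-31 09:31:44.000000
0xc00a1b2c4100\tTCPv4\t10.0.2.15\t49734\t203.0.113.181\t443\tCLOSED\t4512\tscanner.exe\t2023-01-31 09:35:12.000000
0xc00a1b2c4240\tTCPv4\t0.0.0.0\t135\t0.0.0.0\t0\tLISTENING\t912\tsvchost.exe\t2023-01-31 09:02:10.000000
0xc00a1b2c4380\tTCPv4\t10.0.2.15\t49735\t10.0.2.2\t53\tESTABLISHED\t1288\tsvchost.exe\t2023-01-31 09:32:00.000000
"""

# RFC 1918 and other non-routable space: a peer here is not the external host we want.
NON_ROUTABLE = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]


def parse_netstat(text: str) -> List[Dict[str, str]]:
    """One dict per connection row, keyed by the header line."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def is_external(addr: str) -> bool:
    """True for a parseable address outside the non-routable ranges above."""
    try:
        ip = ip_address(addr)
    except ValueError:  # '*' or '-' placeholders the plugin may print
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def foreign_address_counts(rows: List[Dict[str, str]]) -> Counter:
    """How many sockets point at each external peer."""
    return Counter(r["ForeignAddr"] for r in rows if is_external(r["ForeignAddr"]))


def most_frequent_foreign(rows: List[Dict[str, str]],
                          ending: Optional[str] = None) -> Optional[Tuple[str, int]]:
    """Most common external peer, optionally only addresses ending in `ending` (e.g. '.181')."""
    counts = foreign_address_counts(rows)
    if ending is not None:
        counts = Counter({a: n for a, n in counts.items() if a.endswith(ending)})
    if not counts:
        return None
    return counts.most_common(1)[0]


def processes_talking_to(rows: List[Dict[str, str]], addr: str) -> Set[str]:
    """Owner processes with a socket to the address: the pivot from network IOC to process."""
    return {r["Owner"] for r in rows if r["ForeignAddr"] == addr}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    top = most_frequent_foreign(rows, ending=".181")
    print(top, processes_talking_to(rows, top[0]) if top else None)
```

The non-routable filter is deliberately an explicit list rather than `ipaddress`'s `is_private`, which also treats the documentation ranges used in the sample as private and would hide them.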
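The Q17 step (find scanner.exe in the MFTECmd CSV and read its $FILE_NAME creation time) in code, plus the check an analyst does next: compare the $STANDARD_INFORMATION and $FILE_NAME creation times, since a $STANDARD_INFORMATION time earlier than the $FILE_NAME time is the classic timestomping tell. In NTFS $STANDARD_INFORMATION is attribute type 0x10 and $FILE_NAME is 0x30, and MFTECmd suffixes its timestamp columns that way. This is an added example, not from the walkthrough: `SAMPLE_MFT_CSV` is constructed with a subset of columns whose names (`Created0x10`, `Created0x30`, `SI<FN`) are assumed to follow MFTECmd's naming, and the timestomped row is invented to exercise the check.

```python
"""Read an MFTECmd-style CSV, pull a file's $FILE_NAME creation time, and flag
SI-before-FN creation times. Added example; SAMPLE_MFT_CSV is constructed."""
import csv
import io
from datetime import datetime
from typing import Dict, List, Optional

# Constructed CSV, a subset of MFTECmd --csv columns (names assumed from MFTECmd).
# The scanner.exe row mirrors the lab's answer; the last row is an invented
# timestomping case whose $STANDARD_INFORMATION time predates its $FILE_NAME time.
SAMPLE_MFT_CSV = """\
EntryNumber,ParentPath,FileName,Extension,FileSize,SI<FN,Created0x10,Created0x30,LastModified0x10,LastModified0x30
12345,.\\Users\\BTLOTest\\Downloads,scanner.exe,.exe,445485,False,2023-01-31 09:33:41.4120000,2023-01-31 09:33:41.4120000,2023-01-31 09:33:42.0010000,2023-01-31 09:33:41.4120000
12346,.\\Users\\BTLOTest\\Downloads,notes.txt,.txt,1024,False,2023-01-30 17:05:10.0000000,2023-01-30 17:05:10.0000000,2023-01-30 17:06:00.0000000,2023-01-30 17:05:10.0000000
12347,.\\Windows\\Temp,example_timestomped.exe,.exe,80000,True,2019-06-01 00:00:00.0000000,2023-01-31 09:40:02.5550000,2019-06-01 00:00:00.0000000,2023-01-31 09:40:02.5550000
"""


def parse_mft_time(value: str) -> datetime:
    """MFTECmd writes seven fractional digits; datetime only takes six, so truncate."""
    base, _, frac = value.partition(".")
    micro = frac[:6].ljust(6, "0") if frac else "000000"
    return datetime.strptime(f"{base}.{micro}", "%Y-%m-%d %H:%M:%S.%f")


def load_mft_csv(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def find_file(rows: List[Dict[str, str]], name: str) -> Optional[Dict[str, str]]:
    """First record whose FileName matches, case-insensitively (NTFS names are)."""
    return next((r for r in rows if r["FileName"].lower() == name.lower()), None)


def fn_created(rows: List[Dict[str, str]], name: str) -> Optional[str]:
    """$FILE_NAME (0x30) creation time in the YYYY-MM-DD HH:MM:SS form the question wants."""
    row = find_file(rows, name)
    if row is None:
        return None
    return parse_mft_time(row["Created0x30"]).strftime("%Y-%m-%d %H:%M:%S")


def flag_timestomp_candidates(rows: List[Dict[str, str]]) -> List[str]:
    """Files whose $STANDARD_INFORMATION creation predates $FILE_NAME creation.

    $FILE_NAME times are only updated by the kernel, while SetFileTime-style
    tools only touch $STANDARD_INFORMATION, so SI < FN is worth a look."""
    flagged = []
    for r in rows:
        si = parse_mft_time(r["Created0x10"])
        fn = parse_mft_time(r["Created0x30"])
        if si < fn or r.get("SI<FN", "").lower() == "true":
            flagged.append(r["FileName"])
    return flagged


if __name__ == "__main__":
    rows = load_mft_csv(SAMPLE_MFT_CSV)
    print(fn_created(rows, "scanner.exe"), flag_timestomp_candidates(rows))
```

In the constructed data both creation times of scanner.exe agree, so the reported value is the same whichever column the question means; on a real $MFT it is worth printing both columns side by side before trusting either.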
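Q18 and Q19 come straight from the NTFS boot sector that $Boot holds, so here is an added example (not the walkthrough's or MFTECmd's code) that parses the BIOS Parameter Block fields directly: bytes per sector at offset 0x0B, sectors per cluster at 0x0D, total sectors at 0x28, the $MFT starting cluster at 0x30 and the file-record size code at 0x40, with the 0x55AA signature as a sanity check. The sector it parses is constructed by `build_sample_boot_sector`, with the 512-byte sector and 8-sector cluster that give the lab's 4096-byte cluster size; the volume size and serial number are made up.

```python
"""Parse the NTFS boot sector ($Boot) fields behind cluster and sector size.
Added example; the boot sector is constructed by build_sample_boot_sector."""
import struct
from typing import Dict

NTFS_OEM = b"NTFS    "


def build_sample_boot_sector(bytes_per_sector: int = 512, sectors_per_cluster: int = 8,
                             total_sectors: int = 209715200) -> bytes:
    """A constructed 512-byte NTFS boot sector with plausible BPB values (made-up volume)."""
    bs = bytearray(512)
    bs[0:3] = b"\xEB\x52\x90"              # jump instruction
    bs[3:11] = NTFS_OEM                    # OEM ID
    struct.pack_into("<H", bs, 0x0B, bytes_per_sector)
    bs[0x0D] = sectors_per_cluster
    bs[0x15] = 0xF8                        # media descriptor: fixed disk
    struct.pack_into("<H", bs, 0x18, 63)   # sectors per track
    struct.pack_into("<H", bs, 0x1A, 255)  # number of heads
    struct.pack_into("<Q", bs, 0x28, total_sectors)
    struct.pack_into("<Q", bs, 0x30, 786432)  # $MFT starting cluster
    struct.pack_into("<Q", bs, 0x38, 2)       # $MFTMirr starting cluster
    bs[0x40] = 0xF6   # clusters per file record: negative code => 2**6 = 1024 bytes
    bs[0x44] = 0x01   # clusters per index buffer
    struct.pack_into("<Q", bs, 0x48, 0x1234567890ABCDEF)  # made-up volume serial
    bs[0x1FE:0x200] = b"\x55\xAA"
    return bytes(bs)


def is_ntfs_boot_sector(data: bytes) -> bool:
    return len(data) >= 512 and data[3:11] == NTFS_OEM and data[0x1FE:0x200] == b"\x55\xAA"


def parse_boot_sector(data: bytes) -> Dict[str, int]:
    """Decode the BPB fields an analyst needs to translate clusters into byte offsets."""
    if not is_ntfs_boot_sector(data):
        raise ValueError("not an NTFS boot sector")
    bps = struct.unpack_from("<H", data, 0x0B)[0]
    spc_raw = data[0x0D]
    # Clusters above 64 KiB store a power-of-two code (0xF1 => 2**15 sectors).
    spc = spc_raw if spc_raw <= 0x80 else 1 << (0x100 - spc_raw)
    total_sectors = struct.unpack_from("<Q", data, 0x28)[0]
    mft_cluster = struct.unpack_from("<Q", data, 0x30)[0]
    rec_code = struct.unpack_from("<b", data, 0x40)[0]
    record_size = (1 << -rec_code) if rec_code < 0 else rec_code * spc * bps
    return {
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "cluster_size": bps * spc,
        "total_sectors": total_sectors,
        "volume_size_bytes": total_sectors * bps,
        "mft_cluster": mft_cluster,
        "mft_byte_offset": mft_cluster * bps * spc,
        "mft_record_size": record_size,
    }


def legacy_bios_sector_ok(info: Dict[str, int]) -> bool:
    """Legacy BIOS boot expects the 512-byte sector the Q19 answer refers to."""
    return info["bytes_per_sector"] == 512


if __name__ == "__main__":
    print(parse_boot_sector(build_sample_boot_sector()))
```

`mft_byte_offset` is the number to feed a hex editor or `dd` when carving $MFT out of a raw image; it is why the cluster size matters beyond answering the question.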