August 8, 2024
PDFURI tasks us with performing disk forensics and analyzing artifacts with various tools, such as FTK Imager, Event Viewer, PDFStreamDumper, and DB Browser.
Our friend “Dee” was looking for a job in Tanta, but it seems she was hacked by one of the malicious websites, so can you examine her hard drive and find some evidence?
What is the MD5 hash of the malicious document?
Looking around the filesystem we find Application.pdf in the Work user’s Downloads directory.malicious document located in the Downloads directoryWe can get file hash by right-clicking it and selecting Export Hash List. If we open the generated CSV file we will see the MD5 and SHA1 hashes.hashes of the malicious document
What is the domain from which the document was downloaded?
In Windows, a user’s browser data is stored in the AppData folder, so we’ll start by looking there. Digging through the directories, we come across Edge. Like Chrome, the history file is located within Edge’s Default directory along with a file called Login Data.
The full path to the Default directory is: C:\Users\Work\AppData\Local\Micorosft\Edge\Default
After exporting the file we’ll view it with DB Browser for SQLite, where we can see the source of the file.
Note: Switch to the “Browse Data” tab and select the “URLs” table.
What is the email address of the victim?
We see there was a login to gmail in the browsing history but unfortunately, the account name isn’t present.gmail loginsWe discovered a Login Data file earlier though, so we’ll export that and view it in DB Browser for SQLite as well.gmail username found in the Login Data file
What is the command that is executed by the malicious document?
One of the tools provided for this challenge is PDFStreamDumper, so we’ll see what we can find with it. Looking through the results we see obfuscated commands and powershell executionencoded powershell command found in the PDFBy decoding the base64 string we can see that the command modifies the registry.the powershell command decodedNote: the answer is the command in its encoded form.
Seems the PC username changed to another one. Can you identify the new Username?
The Windows Security event log captures account changes, so we’ll start our search there.
First, we’ll need to export the Security.evtx file and open it in Event Viewer.
The full path to security.evtx is: C:\Windows\System32\winevt\Logs
Note: To make finding the appropriate logs easier it helps to sort the Logs directory by size since many of the logs are empty.
The Event ID for account changes is 4738, so we’ll filter for that and start looking through the results.
Note: You can read more about Event ID 4738 here: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4738
https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4738
Looking through the results we can see that the Work account was changed to Sl3awy. We can be sure that this is indeed the same account by observing the TargetAccount’s SID, which matches Work’s.details of the event show the new account name
Previous post
Next post