Boss Of The SoC (Version 1) - Scenario 2 > Part 2

Moved to Notion · December 3, 2023

Q7. Bob Smith's workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IPv4 address of the file server?

In my customized logs, it was quite easy to find the file server.
I could see that 192.168.250.100 was consistently connecting to 192.168.250.20 via SMB, and that host was in fact the file server:

The answer is 192.168.250.20.

Q8. How many distinct PDFs did the ransomware encrypt on the remote file server?

First, I checked which sourcetypes were involved:

WinRegistry and stream:http were not related to this question, and XmlWinEventLog:Microsoft-Windows-Sysmon/Operational only included local files, not files on the remote file server:

The rest contained PDF files that were stored on the remote file server.
I enumerated them using the rex command as follows:

The answer is 257.

Q9. The VBScript found in question 204 launches 121214.tmp. What is the ParentProcessId of this initial launch?

I simply ran a literal search for 121214.tmp:

Then I added a condition where EventDescription is Process Create and the current image is 121214.tmp:

It had been launched by cmd.exe, and the PID of cmd.exe was 1476.

Using the same approach, I found the PID of the initial infection VBScript, 20429.vbs.

The answer is 3968.

Q10. The Cerber ransomware encrypts files located in Bob Smith's Windows profile. How many .txt files does it encrypt?

I wasted a lot of time working out what "Bob Smith's Windows profile" meant.
Initially I thought it referred to the account name on the remote file server, but that was entirely wrong.
In fact, Bob Smith's Windows profile was the account name on the compromised we8105desk host.
The next step was clearer. In the XmlWinEventLog:Microsoft-Windows-Sysmon/Operational logs, when the EventDescription is set to File Create Time, a file_path field appears, indicating the location where a created file was saved.
I simply set file_path to include c:\bob.smith.WAYNECORPINC\*.txt and counted the number of distinct file_path values:
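As an added illustration (not the author's Splunk searches, which are in the screenshots omitted from this page), the Python below reproduces the logic behind the Q8 rex extraction and the Q10 distinct file_path count on constructed sample records. The field names EventDescription and file_path come from the write-up; the record layout, the share names and the file paths are made up.

```python
import re
from typing import Iterable

# Constructed sample records (not BOTSv1 data): their shape only mirrors
# what the write-up describes, so the counts here are illustrative.
SMB_LINES = [
    r"src=192.168.250.100 dest=192.168.250.20 proto=smb path=\\fileshare\docs\budget.pdf",
    r"src=192.168.250.100 dest=192.168.250.20 proto=smb path=\\fileshare\docs\Budget.PDF",
    r"src=192.168.250.100 dest=192.168.250.20 proto=smb path=\\fileshare\docs\notes.txt",
    r"src=192.168.250.100 dest=192.168.250.20 proto=smb path=\\fileshare\hr\policy.pdf",
]

# Constructed Sysmon-style events using the EventDescription / file_path fields
SYSMON_EVENTS = [
    {"EventDescription": "File Create Time", "file_path": r"C:\Users\bob.smith.WAYNECORPINC\Desktop\a.txt"},
    {"EventDescription": "File Create Time", "file_path": r"C:\Users\bob.smith.WAYNECORPINC\Desktop\a.txt"},
    {"EventDescription": "File Create Time", "file_path": r"C:\Users\bob.smith.WAYNECORPINC\Documents\b.TXT"},
    {"EventDescription": "Process Create",   "file_path": r"C:\Users\bob.smith.WAYNECORPINC\Desktop\c.txt"},
    {"EventDescription": "File Create Time", "file_path": r"C:\Users\other.user\Desktop\d.txt"},
    {"EventDescription": "File Create Time", "file_path": r"C:\Users\bob.smith.WAYNECORPINC\Desktop\e.pdf"},
]

# Q8 equivalent of: ... | rex "(?<pdf>[^\s=]+\.pdf)" | stats dc(pdf)
# '=' is excluded so a "path=" key prefix is not swallowed into the match.
PDF_RE = re.compile(r"(?P<pdf>[^\s=]+\.pdf)\b", re.IGNORECASE)


def distinct_pdfs(lines: Iterable[str]) -> set[str]:
    """Extract every PDF path from raw lines and de-duplicate them.
    Windows paths are case-insensitive, so budget.pdf and Budget.PDF count once."""
    return {m.group("pdf").lower() for line in lines for m in PDF_RE.finditer(line)}


def distinct_profile_txt(events, profile_dir: str) -> set[str]:
    """Q10 equivalent of: EventDescription="File Create Time" file_path="<profile>\\*.txt"
    | stats dc(file_path). Only file-create events under the given profile count."""
    prefix = profile_dir.lower().rstrip("\\") + "\\"
    return {
        e["file_path"].lower()
        for e in events
        if e.get("EventDescription") == "File Create Time"
        and e["file_path"].lower().startswith(prefix)
        and e["file_path"].lower().endswith(".txt")
    }


if __name__ == "__main__":
    print(len(distinct_pdfs(SMB_LINES)))  # 2 distinct PDFs (case folded)
    print(len(distinct_profile_txt(SYSMON_EVENTS, r"C:\Users\bob.smith.WAYNECORPINC")))  # 2
```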

The answer is 406.

Q11. The malware downloads a file that contains the Cerber ransomware cryptor code. What is the name of that file?

The answer to this question was already obtained in Question 4.

The answer is mhtr.jpg.

Q12. Now that you know the name of the ransomware's encryptor file, what obfuscation technique does it likely use?

The score for this question was a whopping 2000 points.
I naturally assumed it would be terribly difficult, so I struggled to obtain the mhtr.jpg binary in order to identify the obfuscation technique by analyzing it.
However, I couldn't find any way to do that; I only managed to obtain limited information about mhtr.jpg on VirusTotal:

XOR cipher is also commonly used for obfuscation; nonetheless, it was the wrong answer.

In the end, the answer was simple; I found it through a Google search:

(It left me feeling disappointed.)

The answer is steganography.
