TryHackMe — Advent of Cyber 2 — Day 23

Trent Darrow
Dec 24, 2020

Good afternoon everyone,

Today we are tackling another challenge in the Blue team saga. Reading through the brief, it looks like we are dealing with some sort of ransomware and Volume Shadow Copy (VSS) backups. We shall see. Today's intro:

“The mayhem at Best Festival Company continues. McEager receives numerous emails and phone calls about a possible ransomware attack affecting all the endpoints in the network. McEager knows that the endpoints which are infected with the malware don’t have any backup copies but luckily on his workstation he has backups enabled.”

When we open the RDP connection, we are presented with a ‘This is fine’ wallpaper and a RansomeNote text document.

Right away, it looks like the Bitcoin address is Base64 encoded (a real Bitcoin address is Base58, so the trailing "=" padding and "+" or "/" characters give it away). Which brings us to Question 1: Decrypt the fake 'bitcoin address' within the ransom note. What is the plain text value? Strictly speaking Base64 is an encoding, not encryption, so no key is needed to reverse it.

Question 2: What is the file extension for each of the encrypted files?

Let's take a look inside the Documents folder. We have some generic Windows files and folders, but also a hidden confidential folder.

The database text file just says "Oh, no. Its missing again!", but if we go into the vStockings folder we can see that the Grinch has appended his own file extension to each of the files.
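For Questions 1 and 2, here is how I would do the same triage from PowerShell rather than by eye. This is an added example, not code from the original walkthrough or from the room: the Base64 string is a constructed placeholder (substitute the one from the ransom note), and the list of "normal" document extensions is my assumption, tuned so that whatever the Grinch appended floats to the top.

```powershell
# Added example (not from the original write-up): triage helpers for Q1 and Q2.
# Base64 is an encoding, not encryption, so no key is needed to reverse it.

function ConvertFrom-Base64Text {
    param([Parameter(Mandatory)][string]$Encoded)

    # Reject anything that does not look like Base64 before decoding; a real
    # Bitcoin address (Base58, no '+', '/' or '=') fails this check.
    if ($Encoded.Length % 4 -ne 0 -or $Encoded -notmatch '^[A-Za-z0-9+/]+={0,2}$') {
        throw "Not a Base64 string: $Encoded"
    }
    [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Encoded))
}

function Find-EncryptedFiles {
    param([Parameter(Mandatory)][string]$Path)

    # Assumed set of extensions a normal user folder contains. Everything else
    # is grouped by extension; the attacker's suffix is the one that is not a
    # document type, usually stacked on the original (e.g. report.docx.<suffix>).
    $known = '.txt', '.docx', '.xlsx', '.pptx', '.pdf', '.jpg', '.png', '.ini', '.lnk'
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -and ($known -notcontains $_.Extension.ToLower()) } |
        Group-Object Extension |
        Sort-Object Count -Descending |
        Select-Object Name, Count,
            @{ n = 'Examples'; e = { ($_.Group | Select-Object -First 3 -ExpandProperty Name) -join ', ' } }
}

# Usage on the target box. The encoded string below is constructed for this
# example and decodes to "this is not a bitcoin address".
ConvertFrom-Base64Text -Encoded 'dGhpcyBpcyBub3QgYSBiaXRjb2luIGFkZHJlc3M='
Find-EncryptedFiles -Path "$env:USERPROFILE\Documents"
```

The `-Force` on `Get-ChildItem` matters here: without it the hidden confidential folder, and anything inside it, would be skipped entirely.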

Onto Question 3: What is the name of the suspicious scheduled task?

Let’s open task scheduler and take a look. From inside the Task Scheduler Library we can see the scheduled tasks…

So, let's take a look inside the "opidsfdf" task; that one doesn't look normal. When triggered it starts the "opidsfsdf.exe" file on the desktop, which is not somewhere a legitimate Windows or vendor task launches binaries from.

Now, if we wanted to, we could drop the executable into a reverse engineering framework and see what it does, and I might if I get some time later today. But for now, we have answered that question, and it also answers Question 4, which asks what file the task runs.

Question 5: There is another scheduled task that is related to VSS. What is the ShadowCopyVolume ID?

Easy enough: back in the Task Scheduler Library, look for the VSS task and read the Volume ID out of its name or its action arguments.
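Questions 3 to 5 can all be answered with `Get-ScheduledTask` instead of clicking through the Task Scheduler UI. The script below is an added example and not part of the original walkthrough: the "suspicious" heuristics (binaries launched from user-writable paths, random-looking all-lowercase task names) are my own, and the GUID extraction relies on the fact that the built-in VSS task is named `ShadowCopyVolume{GUID}` and runs `vssadmin` against `\\?\Volume{GUID}\`.

```powershell
# Added example (not part of the original write-up): enumerate scheduled tasks,
# flag the ones worth a second look, then pull the ShadowCopyVolume ID.

function Get-SuspiciousTasks {
    # Heuristic: paths a legitimate Windows or vendor task should not launch from.
    $userWritable = 'Desktop', 'Downloads', '\Temp\', 'AppData', 'Public', 'ProgramData'

    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only ExecAction objects carry Execute/Arguments; COM handler actions do not.
            if (-not $action.Execute) { continue }
            $cmd = "$($action.Execute) $($action.Arguments)"
            $odd = ($userWritable | Where-Object { $cmd -like "*$_*" }).Count -gt 0 -or
                   $task.TaskName -cmatch '^[a-z]{6,12}$'   # e.g. a keyboard-mash name
            [pscustomobject]@{
                TaskName   = $task.TaskName
                TaskPath   = $task.TaskPath
                State      = $task.State
                Author     = $task.Author
                Command    = $cmd
                Suspicious = $odd
            }
        }
    } | Sort-Object Suspicious -Descending
}

function Get-ShadowCopyVolumeIds {
    # The built-in VSS task is named ShadowCopyVolume{GUID} and its action runs
    # vssadmin ... /For=\\?\Volume{GUID}\ ; match the GUID wherever it appears.
    $guid = '\{[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}'
    Get-ScheduledTask | Where-Object {
        $_.TaskName -like 'ShadowCopyVolume*' -or
        ($_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match 'vssadmin' })
    } | ForEach-Object {
        $cmd  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' '
        $text = $_.TaskName + ' ' + $cmd
        [pscustomobject]@{
            TaskName = $_.TaskName
            VolumeId = if ($text -match $guid) { $Matches[0] } else { $null }
            Command  = $cmd
        }
    }
}

Get-SuspiciousTasks | Where-Object Suspicious | Format-Table -AutoSize
Get-ShadowCopyVolumeIds | Format-List
```

The first table should put the Desktop-launched task at the top; the second lists every VSS task together with the Volume GUID that Question 5 asks for.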

Question 6: Assign the hidden partition a letter. What is the name of the hidden folder?

From here, we can open the Disk Management utility (diskmgmt.msc), where we can see a Disk 2 whose volume has no drive letter. We should be able to right-click that volume, choose Change Drive Letter and Paths, and assign any letter that isn't already taken; I assigned it D:. Browsing the new drive, we can see the hidden folder is the same confidential folder we saw earlier in the Documents folder.
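The same Disk Management steps from an elevated PowerShell prompt, as an added example that is not part of the original walkthrough. It picks the first data partition without a letter (the filter on partition type and the default letter `D` are my assumptions) and then lists folders carrying the Hidden attribute on the newly mounted volume.

```powershell
# Added example (not part of the original write-up): assign a letter to the
# hidden partition and find hidden folders on it. Run from an elevated prompt.

function Mount-HiddenPartition {
    param([ValidatePattern('^[D-Z]$')][string]$Letter = 'D')

    # Candidates: data partitions with no drive letter. 'IFS'/'Logical' are the
    # MBR types, 'Basic' the GPT type; EFI, Reserved and Recovery never get a letter.
    $hidden = Get-Partition | Where-Object {
        -not $_.DriveLetter -and $_.Type -in 'Basic', 'IFS', 'Logical'
    }
    if (-not $hidden) { throw 'No letterless data partition found.' }

    # Refuse a letter that is already in use rather than silently failing.
    if (Get-Volume -DriveLetter $Letter -ErrorAction SilentlyContinue) {
        throw "${Letter}: is already taken"
    }

    $hidden | Select-Object -First 1 | Set-Partition -NewDriveLetter $Letter
    Get-Volume -DriveLetter $Letter
}

function Get-HiddenFolders {
    param([Parameter(Mandatory)][string]$Root)
    # -Force makes Hidden/System entries visible; then keep only those flagged Hidden.
    Get-ChildItem -Path $Root -Directory -Force -Recurse -Depth 2 -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        Select-Object FullName, Attributes
}

Mount-HiddenPartition -Letter 'D'
Get-HiddenFolders -Root 'D:\'
```

`Get-Partition` needs the Storage module that ships with Windows 8 / Server 2012 and later; on anything older, `diskpart` with `list volume` and `assign letter=D` does the same job.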

Question 7: Right-click and inspect the properties for the hidden folder. Use the ‘Previous Versions’ tab to restore the encrypted file that is within this hidden folder to the previous version. What is the password within the file?

So, I want to see if we can do this from PowerShell. Below we can see that both copies of the file carry the "encrypted" extension, but from the question's wording we can infer that the copy on D: has a previous version we can revert to.

If we do a Get-Content on each of the files, we get:

So it appears we don't actually have to revert the file: we got the master password without restoring anything.
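If `Get-Content` had not been enough, the Previous Versions tab is just a front end for the Volume Shadow Copy store, and the snapshot can be read directly without restoring anything. The script below is an added example, not part of the original walkthrough: it looks up the shadow copies for the D: volume through WMI, exposes the newest one through a temporary directory symlink (the `\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN` path is not something most cmdlets can open directly), and reads the file out of it. The path `D:\confidential\example.txt.enc` is a hypothetical placeholder for the real encrypted file.

```powershell
# Added example (not part of the original write-up): read the pre-encryption
# copy of a file straight out of the Volume Shadow Copy store, with no restore.

function Get-ShadowCopiesForVolume {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. 'D'

    # Win32_Volume.DeviceID is the \\?\Volume{GUID}\ path Win32_ShadowCopy keys on.
    $vol = Get-CimInstance Win32_Volume -Filter "DriveLetter = '${DriveLetter}:'"
    if (-not $vol) { throw "No volume mounted at ${DriveLetter}:" }
    Get-CimInstance Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate -Descending
}

function Get-PreviousVersionContent {
    param(
        [Parameter(Mandatory)][string]$Path,   # live path on the mounted volume
        [int]$Index = 0                        # 0 = newest shadow copy
    )
    $drive   = $Path.Substring(0, 1)
    $relPath = $Path.Substring(3)              # strip 'D:\'
    $copies  = @(Get-ShadowCopiesForVolume -DriveLetter $drive)
    if ($copies.Count -le $Index) { throw "Only $($copies.Count) shadow copies exist for ${drive}:" }

    # Expose the snapshot through a directory symlink; mklink needs the trailing '\'.
    $mount = Join-Path $env:TEMP ('vss_' + $copies[$Index].ID.Trim('{}'))
    if (-not (Test-Path -LiteralPath $mount)) {
        cmd.exe /c mklink /d "$mount" "$($copies[$Index].DeviceObject)\" | Out-Null
    }
    try {
        # The snapshot predates the attack, so the file may still have its original
        # name there; try the live name first, then with the appended extension removed.
        $candidates = @(
            (Join-Path $mount $relPath),
            (Join-Path $mount ([IO.Path]::ChangeExtension($relPath, $null)))
        )
        $hit = $candidates | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
        if (-not $hit) { throw "Neither $($candidates -join ' nor ') exists in the snapshot" }
        Get-Content -LiteralPath $hit -Raw
    } finally {
        # Removes the symlink only, never the snapshot it points at.
        [IO.Directory]::Delete($mount)
    }
}

Get-ShadowCopiesForVolume -DriveLetter 'D' | Format-Table ID, InstallDate, DeviceObject
Get-PreviousVersionContent -Path 'D:\confidential\example.txt.enc'   # hypothetical path
```

`vssadmin list shadows` from an elevated prompt shows the same snapshot IDs and device paths if you want to cross-check; the point of reading from the snapshot rather than clicking Restore is that the live, encrypted file stays untouched as evidence.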

Since this machine didn't take too long, I will grab the .exe file, move it to my local machine, and do another blog on reverse engineering it to see what we get.

As always, best of luck. If you enjoy my content, feel free to add me on LinkedIn and let me know you saw the blog.

Until next time,

-3lduderino
