The puzzle:
It was a morning ritual. Ms. Moneymany sipped her coffee as she quickly went through the email that arrived during the night. One of the messages caught her eye, because it was clearly spam that somehow got past the email filter. The message extolled the virtues of buying medicine on the web and contained a link to the on-line pharmacy. “Do people really fall for this stuff?” Ms. Moneymany thought. She was curious to know how the website would convince its visitors to make the purchase, so she clicked on the link.
The website was slow to load, and seemed to be broken. There was no content on the page. Disappointed, Ms. Moneymany closed the browser’s window and continued with her day.
She didn’t realize that her Windows XP computer just got infected.
You are the forensic investigator. You possess the network capture (PCAP) file that recorded Ms. Moneymany’s interactions with the website. Your mission is to understand what probably happened to Ms. Moneymany’s system after she clicked the link. Your analysis will start with the PCAP file and will reveal a malicious executable.
Answer the following questions:
1. As part of the infection process, Ms. Moneymany’s browser downloaded two Java applets. What were the names of the two .jar files that implemented these applets?
sdfg.jar, q.jar

2. What was Ms. Moneymany’s username on the infected Windows system?
The guid parameter in the request shows that the username is ADMINISTRATOR.

3. What was the starting URL of this incident? In other words, on which URL did Ms. Moneymany probably click?
Filtering the capture on the HTTP protocol shows a request for /true.php.

Combined with the Host header, the starting URL is http://www.nrtjo.eu/true.php.

4. As part of the infection, a malicious Windows executable file was downloaded onto Ms. Moneymany’s system. What was the file’s MD5 hash? Hint: It ends on “91ed”.
The files downloaded during the session can be identified and extracted from the packets.

The MD5 hash of file.exe is 5942ba36cf732097479c51986eee91ed.

5. What is the name of the packer used to protect the malicious Windows executable? Hint: This is one of the most popular freely-available packers seen in “mainstream” malware.
Loading file.exe into Exeinfo PE shows that it is packed with UPX.

6. What is the MD5 hash of the unpacked version of the malicious Windows executable file?
file.exe was unpacked with the upx program.

The MD5 hash of the unpacked file.exe is ca21cefdd297152f6226e1c2d767cb96.
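As an added example (not part of the original writeup), the following Python carves a downloaded file out of a raw HTTP response as captured in a TCP stream, hashes it as in question 4, and checks the PE section table for the UPX0/UPX1 names that packer identifiers such as Exeinfo PE key on, as in question 5. The PE image and HTTP response used as input are constructed here and are not the puzzle's file.exe; the helper names are this example's own.

```python
import hashlib
import struct
from typing import List, Optional

def carve_http_body(stream: bytes) -> bytes:
    """Return the body of one HTTP/1.x response, honouring Content-Length."""
    head, sep, rest = stream.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no HTTP header terminator found")
    length = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    return rest if length is None else rest[:length]

def pe_section_names(image: bytes) -> List[str]:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", image, 0x3C)[0]          # e_lfanew
    if image[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    n_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]   # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    names = []
    for i in range(n_sections):
        raw = image[table + i * 40: table + i * 40 + 8]        # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names

def identify_packer(image: bytes) -> Optional[str]:
    """UPX leaves its UPX0/UPX1 section names in place unless the author renamed them."""
    return "UPX" if any(n.startswith("UPX") for n in pe_section_names(image)) else None

def fake_pe(section_names: List[str]) -> bytes:
    """Constructed minimal PE image (not a runnable binary): just enough header to parse."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections + b"\xcc" * 16

def analyse(stream: bytes) -> dict:
    body = carve_http_body(stream)
    return {"size": len(body), "md5": hashlib.md5(body).hexdigest(), "packer": identify_packer(body)}

SAMPLE_EXE = fake_pe(["UPX0", "UPX1", ".rsrc"])                # constructed sample
SAMPLE_STREAM = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                 b"Content-Length: " + str(len(SAMPLE_EXE)).encode() + b"\r\n\r\n"
                 + SAMPLE_EXE + b"<next response on same stream>")
```

Running analyse(SAMPLE_STREAM) yields the body size, its MD5 and "UPX"; on a real capture the stream bytes would come from the reassembled TCP conversation that delivered file.exe.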

7. The malicious executable attempts to connect to an Internet host using an IP address which is hard-coded into it (there was no DNS lookup). What is the IP address of that Internet host?
Since the malicious file connects to a hard-coded IP address with no DNS lookup, the [Sessions] tab shows a session established between the victim PC and 213.155.29.144, which is that Internet host.
