Thursday, February 24, 2011

Forensic Puzzle #6

A System Administrator contacts you (because you're the forensic geek/god) and asks for your assistance in looking at something. He then hands you a flash device with a single zip file that he explains was "handed off" to him by another admin. The file is named "Suspicious_File"; the user who reported it did not recognize it and was not sure where it came from. Eventually the user contacted desktop support staff, who forwarded it to an administrator, who has now contacted you. Unfortunately, the user changed the original name and zipped it to send to the helpdesk, so the original name and path are unknown.

Analyze the file and if possible, determine its origin, purpose, function and any other information that might be useful to the administrator. To avoid posting the correct results and spoiling it for anyone else who may be trying to work through this problem, post the final hash value of any file you analyze in the comments and I will provide feedback from there.

You get three hints. It's not any of these:
511516F439BC569D57C2853F49A192BA
DA983DD82AA924EB5BFE407F249AC9B6
63017bb2a213fa440191b204929ab0f7

28 comments:

Anonymous Friday, 25 February, 2011  

I guess MD5:D75B7D1F3B5B7CADDD15B2C718BF027A

BRI

Lance Mueller Friday, 25 February, 2011  

@BRI - Sorry, no.

Anonymous Friday, 25 February, 2011  

Too bad. This was just 2 minutes looking at it. Only 'decoded' but didn't check for hints of the length of the file. I cut the trailing 75 bytes off.

You like games apparently ;-)

BRI

Mars Friday, 25 February, 2011  

Quite interesting..

MD5:8DC601710E3E68B8D78B5CD73FB28616
Mars@ http://rootkit.tw

Lance Mueller Friday, 25 February, 2011  

@Mars... nice work... but you're only 50% correct ;)

Anonymous Friday, 25 February, 2011  

I know what the file is, but still having trouble finding what's inside of it.

Interestingly enough, when doing a "Google" for the HEX value on the header, I found a match on a website for a California school that had been hacked...a PHP rootkit.

Anonymous Friday, 25 February, 2011  

I hope you didn't mean that the other 50% is

F93A7BB8E02A8A23F87DAD22B9ECD578

BRI

Lance Mueller Friday, 25 February, 2011  

@BRI, that's the other 50% ;) Nice work.

Anonymous Friday, 25 February, 2011  

Lance,

I kept looking for the malware! Which I could not find ;-(
My first answer was very close, only one byte off ;-)

BRI

Lance Mueller Friday, 25 February, 2011  

@BRI - The malware *is* there.

Anonymous Friday, 25 February, 2011  

Curious. Virustotal hit only 1/42, Sunbelt did not report any activity and sandboxie does not show any files exported that I can interpret as malware. So is the exe itself the malware? I have not yet created a virtual machine for such analysis at home yet ;-)

Anyway, you kept me busy on my day off ;-)

BRI

Mars Friday, 25 February, 2011  

Hi Lance:
Thanks for your reply.

It seems extracting the metadata from the file will get the remaining 50% :)

offset:0x800
size: 0x1D8

Lance Mueller Friday, 25 February, 2011  

@Mars, yes, but more importantly, what does it say?

Mars Friday, 25 February, 2011  

Hi Lance:
In fact, this is a quarantined file from McAfee (OLE format and 0x6A XOR encoded).

The metadata contains information about the engine, data version, creation timestamp, virus name, etc.

Lance Mueller Friday, 25 February, 2011  

@Mars - Nice work

email encryption service Monday, 28 February, 2011  

Be careful when dealing with suspicious downloads that may include malware.

AllenD Friday, 04 March, 2011  

Looks like I'm a little late. I got distracted playing ZUMA.

AllenD Friday, 04 March, 2011  

Although, I got
"0c17f59bfcbfc4a620b69a326a5852f0"
and
"f93a7bb8e02a8a23f87dad22b9ecd578"
Hmmmm.

Anonymous Sunday, 06 March, 2011  

@Lance thanks a lot for putting in this effort to make this game really interesting.

Is it possible to post the way of solving this enigma for mid-skill people, as the answer is already out?

Thanks in advance

Kush Wadhwa Sunday, 06 March, 2011  

Lance,

Here is my analysis

The file is in itself an OLE file and it was XORed by 6A and the file was analyzed. It was observed that the file name is ZUMA.EXE and the other metadata information available is

DetectionName=Artemis!8DC601710E3E
DetectionType=1
EngineMajor=5400
EngineMinor=1158
DATMajor=6265
DATMinor=0
DATType=2
ProductID=12060
CreationYear=2011
CreationMonth=2
CreationDay=23
CreationHour=11
CreationMinute=46
CreationSecond=32
TimeZoneName=Arab Standard Time
TimeZoneOffset=-180
NumberOfFiles=1
NumberOfValues=0
[File_0]
ObjectType=5
OriginalName=E:\PROGRAM FILES\GAMEHOUSE\ZUMA\ZUMA.EXE

I am still looking for more information. Correct me if I am wrong in my analysis.
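The two comments above describe the decoding steps (strip the 0x6A XOR layer from the McAfee quarantine streams, then read the INI-style metadata). The script below is an added example written for this thread; it is not code from the puzzle author, from McAfee, or from any commenter. It assumes the "Details" metadata and the quarantined file body have already been carved out of the OLE compound document (an OLE parser is not shown), and it works on a constructed sample built from the metadata values posted above with a placeholder payload, so the MD5 it prints is not the puzzle's answer. The timezone handling assumes `TimeZoneOffset` follows the Windows bias convention (UTC = local + bias in minutes), which is consistent with `-180` being labelled "Arab Standard Time".

```python
"""Decode and triage a McAfee-style quarantine record (XOR 0x6A + INI metadata).

Added example for this thread, not code from the puzzle author or from McAfee.
Assumes the two streams (the 'Details' metadata and the quarantined file body)
have already been carved out of the OLE compound document; only the XOR layer,
the metadata parsing and the payload hashing are handled here.
"""
import hashlib
from datetime import datetime, timedelta, timezone

XOR_KEY = 0x6A  # single-byte key reported in the thread


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Strip the single-byte XOR layer (XOR is its own inverse, so this also encodes)."""
    return bytes(b ^ key for b in data)


def parse_details(text: str) -> dict:
    """Parse INI-style metadata into {section: {key: value}}.

    Keys that appear before any [section] header are filed under 'Details',
    matching how the metadata was pasted in the thread.
    """
    result = {"Details": {}}
    section = "Details"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            result.setdefault(section, {})
        elif "=" in line:
            key, _, value = line.partition("=")
            result[section][key.strip()] = value.strip()
    return result


def creation_time_utc(details: dict) -> datetime:
    """Rebuild the quarantine timestamp and normalise it to UTC."""
    d = details["Details"]
    local = datetime(*(int(d[k]) for k in ("CreationYear", "CreationMonth", "CreationDay",
                                          "CreationHour", "CreationMinute", "CreationSecond")))
    # Assumption: TimeZoneOffset uses the Windows bias convention, UTC = local + bias
    # (minutes). A bias of -180 is UTC+3, consistent with "Arab Standard Time".
    return (local + timedelta(minutes=int(d["TimeZoneOffset"]))).replace(tzinfo=timezone.utc)


def analyze_quarantine(details_stream: bytes, file_stream: bytes) -> dict:
    """Return what an administrator wants to know: what was caught, where, when, and its hash."""
    details = parse_details(xor_decode(details_stream).decode("latin-1"))
    payload = xor_decode(file_stream)
    return {
        "detection": details["Details"].get("DetectionName"),
        "original_name": details.get("File_0", {}).get("OriginalName"),
        "created_utc": creation_time_utc(details).isoformat(),
        "payload_size": len(payload),
        # Hash of the *decoded* file, not of the quarantine container or the zip around it.
        "payload_md5": hashlib.md5(payload).hexdigest(),
    }


# Constructed sample input: the metadata values posted in the thread, re-encoded with
# the same XOR key so the decoder has a realistic blob to work on.
SAMPLE_DETAILS_PLAINTEXT = (
    "[Details]\r\n"
    "DetectionName=Artemis!8DC601710E3E\r\n"
    "DetectionType=1\r\n"
    "EngineMajor=5400\r\n"
    "EngineMinor=1158\r\n"
    "DATMajor=6265\r\n"
    "DATMinor=0\r\n"
    "CreationYear=2011\r\n"
    "CreationMonth=2\r\n"
    "CreationDay=23\r\n"
    "CreationHour=11\r\n"
    "CreationMinute=46\r\n"
    "CreationSecond=32\r\n"
    "TimeZoneName=Arab Standard Time\r\n"
    "TimeZoneOffset=-180\r\n"
    "NumberOfFiles=1\r\n"
    "[File_0]\r\n"
    "ObjectType=5\r\n"
    "OriginalName=E:\\PROGRAM FILES\\GAMEHOUSE\\ZUMA\\ZUMA.EXE\r\n"
)
SAMPLE_DETAILS_ENCODED = xor_decode(SAMPLE_DETAILS_PLAINTEXT.encode("ascii"))
# Constructed placeholder body; not the real quarantined executable.
SAMPLE_FILE_PLAINTEXT = b"CONSTRUCTED-SAMPLE-PAYLOAD-NOT-A-REAL-BINARY"
SAMPLE_FILE_ENCODED = xor_decode(SAMPLE_FILE_PLAINTEXT)

if __name__ == "__main__":
    for k, v in analyze_quarantine(SAMPLE_DETAILS_ENCODED, SAMPLE_FILE_ENCODED).items():
        print(f"{k:14} {v}")
```

The point of hashing the decoded payload rather than the container is the one several commenters tripped over: the zip, the OLE file and the XORed stream each have their own hash, and only the decoded body identifies the quarantined program. The UTC conversion matters for the same reason; the metadata timestamp is local to the machine that quarantined the file, so it has to be normalised before it is lined up against other logs.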

Anonymous Tuesday, 08 March, 2011  

I think the MD5 is:

35be5648db2003b9294202995796d76e


grtz.
mcguyver

Anonymous Thursday, 10 March, 2011  

Yes, you are right the MD5 is 35be5648db2003b9294202995796d76e

Ryan Thursday, 10 March, 2011  

Yes, you are right the MD5 is 35be5648db2003b9294202995796d76e

Lance Mueller Thursday, 10 March, 2011  

@Ryan & Mcguyver....

No, that is not the correct final answer...

Thomas Thursday, 10 March, 2011  

50% is MD5 but the rest I am still working out!!

Richard Friday, 11 March, 2011  

Hi Lance,
I sent you an email a few weeks ago regarding the USNJRNL script, but haven't heard anything from you, so I just thought I'd check whether it got through to you OK and wasn't blocked by any spam filter or suchlike.
Kind regards,
Richard

Lance Mueller Saturday, 19 March, 2011  

Greg Back sent me a link to an article he posted about this puzzle that I thought everyone may benefit from:

http://blog.gregback.net/2011/03/using-remnux-for-forensic-puzzle-6/

Computer Forensics, Malware Analysis & Digital Investigations