Comments on Computer Forensics, Malware Analysis & Digital Investigations: Forensic Puzzle #6
Blog author: Lance Mueller (http://www.blogger.com/profile/15789264000499223230)
Comment feed last updated 2023-05-09T02:31:13-07:00; 28 comments, newest first.

Lance Mueller, 2011-03-19 06:50 -07:00:
Greg Back sent me a link to an article he posted about this puzzle that I thought everyone may benefit from:
http://blog.gregback.net/2011/03/using-remnux-for-forensic-puzzle-6/

Richard, 2011-03-11 09:25 -08:00:
Hi Lance,
I sent you an email a few weeks ago regarding the USNJRNL script, but haven't heard anything from you, so I just thought I'd check whether it got through to you OK and wasn't blocked by any spam filter or suchlike.
Kind regards,
Richard

Thomas (http://www.blackhawkinvestigations.co.uk/corporate-services/computer-forensics/), 2011-03-10 05:39 -08:00:
50% is MD5 but the rest I am still working out!!

Lance Mueller, 2011-03-10 02:43 -08:00:
@Ryan & Mcguyver....
No, that is not the correct final answer...

Ryan (http://www.blackhawkinvestigations.co.uk/corporate-services/computer-forensics/), 2011-03-10 02:40 -08:00:
Yes, you are right, the MD5 is 35be5648db2003b9294202995796d76e

Anonymous (mcguyver), 2011-03-08 01:10 -08:00:
I think the MD5 is:
35be5648db2003b9294202995796d76e
grtz.
mcguyver

Kush Wadhwa (https://www.blogger.com/profile/10761246058955112644), 2011-03-06 23:57 -08:00:
Lance,
Here is my analysis.
The file is in itself an OLE file and it was XORed by 6A, and the file was analyzed. It was observed that the file name is ZUMA.EXE and the other metadata information available is:
DetectionName=Artemis!8DC601710E3E
DetectionType=1
EngineMajor=5400
EngineMinor=1158
DATMajor=6265
DATMinor=0
DATType=2
ProductID=12060
CreationYear=2011
CreationMonth=2
CreationDay=23
CreationHour=11
CreationMinute=46
CreationSecond=32
TimeZoneName=Arab Standard Time
TimeZoneOffset=-180
NumberOfFiles=1
NumberOfValues=0
[File_0]
ObjectType=5
OriginalName=E:\PROGRAM FILES\GAMEHOUSE\ZUMA\ZUMA.EXE
I am still looking for more information. Correct me if I am wrong in my analysis.

Kush Wadhwa, 2011-03-06 23:50 -08:00:
This comment has been removed by the author.

Anonymous, 2011-03-06 13:38 -08:00:
@Lance thanks a lot for putting in this effort to make this game really interesting.
Is it possible to post the way of solving this enigma for mid-skill people? The answer is already out.
Thanks in advance

AllenD, 2011-03-04 10:17 -08:00:
Although, I got
"0c17f59bfcbfc4a620b69a326a5852f0"
and
"f93a7bb8e02a8a23f87dad22b9ecd578"
Hmmmm.

AllenD, 2011-03-04 10:04 -08:00:
Looks like I'm a little late. I got distracted playing ZUMA.

email encryption service (http://www.securence.com/services/email-encryption-security), 2011-02-28 21:16 -08:00:
Be careful when dealing with suspicious downloads that may include malware.

Lance Mueller, 2011-02-25 18:00 -08:00:
@Mars - Nice work

Mars (http://rootkit.tw), 2011-02-25 08:09 -08:00:
Hi Lance:
In fact, this is a quarantined file from McAfee (OLE format and 0x6A XOR encoded).
The metadata contains the information about engine, data version, creation timestamp and virus name, etc.

Lance Mueller, 2011-02-25 07:55 -08:00:
@Mars, yes, but more importantly, what does it say?

Mars (http://rootkit.tw), 2011-02-25 07:52 -08:00:
Hi Lance:
Thanks for your reply.
It seems extracting metadata from the file will get the remaining 50% :)
offset: 0x800
size: 0x1D8

Anonymous (BRI), 2011-02-25 04:09 -08:00:
Curious. VirusTotal hit only 1/42, Sunbelt did not report any activity and Sandboxie does not show any files exported that I can interpret as malware. So is the exe itself the malware? I have not yet created a virtual machine for such analysis at home ;-)
Anyway, you kept me busy on my day off ;-)
BRI

Lance Mueller, 2011-02-25 04:04 -08:00:
@BRI - The malware *is* there.

Anonymous (BRI), 2011-02-25 04:01 -08:00:
Lance,
I kept looking for the malware! Which I could not find ;-(
My first answer was very close, only one byte off ;-)
BRI

Lance Mueller, 2011-02-25 03:56 -08:00:
@BRI, that's the other 50% ;) Nice work.

Anonymous (BRI), 2011-02-25 03:54 -08:00:
I hope you didn't mean that the other 50% is
F93A7BB8E02A8A23F87DAD22B9ECD578
BRI

Anonymous, 2011-02-25 01:59 -08:00:
I know what the file is, but I'm still having trouble finding what's inside of it.
Interestingly enough, when doing a "Google" for the HEX value on the header, I found a match on a website for a California school that had been hacked...a PHP rootkit.

Lance Mueller, 2011-02-25 01:49 -08:00:
@Mars... nice work... but you're only 50% correct ;)

Mars (http://rootkit.tw), 2011-02-25 01:47 -08:00:
Quite interesting..
MD5:8DC601710E3E68B8D78B5CD73FB28616
Mars@ http://rootkit.tw