Thursday, February 24, 2011

Forensic Puzzle #6

A System Administrator contacts you (because you're the forensic geek/god) and asks for your assistance in looking at something. He then hands you a flash device with a single zip file that he explains was "handed off" to him by another admin. The file is named "Suspicious_File"; the user who reported it did not recognize it and was not sure where it came from. Eventually the user contacted desktop support staff, who forwarded it to an administrator, who has now contacted you. Unfortunately, the user changed the original name and zipped it to send to the helpdesk, so the original name and path are unknown.

Analyze the file and if possible, determine its origin, purpose, function and any other information that might be useful to the administrator. To avoid posting the correct results and spoiling it for anyone else who may be trying to work through this problem, post the final hash value of any file you analyze in the comments and I will provide feedback from there.

You get three hints. It's not any of these:
511516F439BC569D57C2853F49A192BA
DA983DD82AA924EB5BFE407F249AC9B6
63017bb2a213fa440191b204929ab0f7

28 comments:

  1. I guess MD5:D75B7D1F3B5B7CADDD15B2C718BF027A

    BRI

    ReplyDelete
  2. Too bad. This was just 2 minutes looking at it. Only 'decoded' but didn't check for hints of the length of the file. I cut the trailing 75 bytes off.

    You like games apparently ;-)

    BRI

    ReplyDelete
  3. Quite interesting..

    MD5:8DC601710E3E68B8D78B5CD73FB28616

    Mars@ http://rootkit.tw

    ReplyDelete
  4. @Mars... nice work... but you're only 50% correct ;)

    ReplyDelete
  5. I know what the file is, but still having trouble finding what's inside of it.

    Interestingly enough, when doing a "Google" for the HEX value on the header, I found a match on a website for a California school that had been hacked...a PHP rootkit.

    ReplyDelete
  6. I hope you didn't mean that the other 50% is

    F93A7BB8E02A8A23F87DAD22B9ECD578

    BRI

    ReplyDelete
  7. @BRI, that's the other 50% ;) Nice work.

    ReplyDelete
  8. Lance,

    I kept looking for the malware! Which I could not find ;-(
    My first answer was very close, only one byte off ;-)

    BRI

    ReplyDelete
  9. Curious. Virustotal hit only 1/42, Sunbelt did not report any activity and sandboxie does not show any files exported that I can interpret as malware. So is the exe itself the malware? I have not yet created a virtual machine for such analysis at home yet ;-)

    Anyway, you kept me busy on my day off ;-)

    BRI

    ReplyDelete
  10. Hi Lance:
    Thanks for your reply.

    It seems that extracting metadata from the file will get the remaining 50% :)

    offset:0x800
    size: 0x1D8

    ReplyDelete
  11. @Mars, yes, but more importantly, what does it say?

    ReplyDelete
  12. Hi Lance:
    In fact, this is a quarantined file from McAfee (OLE format and 0x6A XOR encoded).

    The metadata contains information about the engine, data version, creation timestamp, virus name, etc.

    ReplyDelete
  13. Be careful when dealing with suspicious downloads that may include malware.

    ReplyDelete
  14. Looks like I'm a little late. I got distracted playing ZUMA.

    ReplyDelete
  15. Although, I got
    "0c17f59bfcbfc4a620b69a326a5852f0"
    and
    "f93a7bb8e02a8a23f87dad22b9ecd578"
    Hmmmm.

    ReplyDelete
  16. @Lance thanks a lot for putting in this effort to make this game really interesting.

    Is it possible to post the way of solving this enigma for mid-skill people? The answer is already out.

    Thanks in advance

    ReplyDelete
  17. This comment has been removed by the author.

    ReplyDelete
  18. Lance,

    Here is my analysis

    The file is in itself an OLE file and it was XORed with 0x6A, and the file was analyzed. It was observed that the file name is ZUMA.EXE and the other metadata information available is

    DetectionName=Artemis!8DC601710E3E
    DetectionType=1
    EngineMajor=5400
    EngineMinor=1158
    DATMajor=6265
    DATMinor=0
    DATType=2
    ProductID=12060
    CreationYear=2011
    CreationMonth=2
    CreationDay=23
    CreationHour=11
    CreationMinute=46
    CreationSecond=32
    TimeZoneName=Arab Standard Time
    TimeZoneOffset=-180
    NumberOfFiles=1
    NumberOfValues=0
    [File_0]
    ObjectType=5
    OriginalName=E:\PROGRAM FILES\GAMEHOUSE\ZUMA\ZUMA.EXE

    I am still looking for more information. Correct me if I am wrong in my analysis.

    ReplyDelete
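    The decoding and parsing steps that comments 12 and 18 describe (single-byte XOR with 0x6A, then INI-style metadata), as an added example that is not code from the post or from any commenter. It works on a constructed sample built from the field values in comment 18; the "[Details]" section name, the CRLF line endings and the Windows-style meaning of TimeZoneOffset are assumptions, and the real stream would first have to be pulled out of the OLE container.

```python
import re
from datetime import datetime, timedelta, timezone

XOR_KEY = 0x6A  # single-byte key reported for the quarantine stream

# Constructed sample, not bytes from the real file: the plaintext metadata
# stream using the field values posted in comment 18. The "[Details]" section
# name and CRLF line endings are assumptions; in a real quarantine file the
# stream sits inside an OLE container and must be extracted from it first.
SAMPLE_PLAINTEXT = (
    "[Details]\r\n"
    "DetectionName=Artemis!8DC601710E3E\r\n"
    "CreationYear=2011\r\nCreationMonth=2\r\nCreationDay=23\r\n"
    "CreationHour=11\r\nCreationMinute=46\r\nCreationSecond=32\r\n"
    "TimeZoneName=Arab Standard Time\r\nTimeZoneOffset=-180\r\n"
    "NumberOfFiles=1\r\n"
    "[File_0]\r\nObjectType=5\r\n"
    "OriginalName=E:\\PROGRAM FILES\\GAMEHOUSE\\ZUMA\\ZUMA.EXE\r\n"
)
SAMPLE_ENCODED = bytes(b ^ XOR_KEY for b in SAMPLE_PLAINTEXT.encode("latin-1"))


def xor_decode(data: bytes, key: int = XOR_KEY) -> bytes:
    """Undo the single-byte XOR; XOR with the same key is its own inverse."""
    return bytes(b ^ key for b in data)


def parse_metadata(decoded: bytes) -> dict:
    """Parse INI-style key=value lines grouped under [section] headers."""
    sections, current = {}, None
    for line in decoded.decode("latin-1").splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def quarantine_time_utc(details: dict) -> datetime:
    """Combine the Creation* fields into one timestamp and convert it to UTC.
    Assumes TimeZoneOffset is a Windows-style bias in minutes (UTC = local + bias),
    so -180 means the machine's clock was at UTC+3."""
    parts = ("Year", "Month", "Day", "Hour", "Minute", "Second")
    local = datetime(*(int(details["Creation" + p]) for p in parts))
    utc = local + timedelta(minutes=int(details["TimeZoneOffset"]))
    return utc.replace(tzinfo=timezone.utc)
```

    The detection name, the original path and the normalised quarantine time are the three values worth carrying into the incident notes; everything else in the stream describes the scanner build that made the detection.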
  19. I think the MD5 is:

    35be5648db2003b9294202995796d76e

    grtz.
    mcguyver

    ReplyDelete
  20. Yes, you are right the MD5 is 35be5648db2003b9294202995796d76e

    ReplyDelete
  21. Yes, you are right the MD5 is 35be5648db2003b9294202995796d76e

    ReplyDelete
  22. @Ryan & Mcguyver....

    No, that is not the correct final answer...

    ReplyDelete
  23. 50% is MD5 but the rest I am still working out!!

    ReplyDelete
  24. Hi Lance,
    I sent you an email a few weeks ago regarding the USNJRNL script, but haven't heard anything from you, so just thought i'd check whether it got through to you OK and wasn't blocked by any spam filter or suchlike.
    Kind regards,
    Richard

    ReplyDelete
  25. Greg Back sent me a link to an article he posted about this puzzle that I thought everyone may benefit from:

    http://blog.gregback.net/2011/03/using-remnux-for-forensic-puzzle-6/

    ReplyDelete