Silent Trap
Personal Rating: Hard
Last updated
This forensics challenge was indeed challenging, but definitely fun. We start off with a .pcap file.
The first request that caught my eye was an HTTP request to this URL:
In the POST body was JSON data that revealed valuable initial information about the captured traffic:
Reading through more of the HTTP requests, it becomes clear that a webmail client was in use. In Wireshark you can extract files from the data streams at "File > Export Objects > HTTP". I did that to inspect the HTML files that were transmitted:
From this we already learned a lot about the setting, and we even found a password for a file. With the same method as for the HTML files, I found and extracted the zip file, which can be opened with the password just obtained.
The result was the executable file "Eldoria_Balance_Issue_Report.pdf.exe". This was likely used to compromise the target. Inspecting the traffic that carries the malicious file, we find that proplayer@email.com must be the attacker, since that address sent the mail with the malware. 192.168.91.133 seems to be the server "mail.korptech.net".
At some point it caught my eye that regular "APPEND Inbox" commands were being sent via IMAP. They looked like this each time:
The string could not be decoded and seemed to be encrypted. In between these suspicious requests, someone repeatedly searches for the mail subject U1VQUE9SVEhVQl9kZXYtc3VwcG9ydF9NaWNyb3NvZnQgV2luZG93cyBOVCA2LjIuOTIwMC4w
which decodes to "SUPPORTHUB_dev-support_Microsoft Windows NT 6.2.9200.0"
The suspicious encrypted data could be extracted as described before. The format was eml.
The attacker sent numerous mails with the same subject. Some contact data has been fetched as well:
Inspecting the file in Ghidra and doing a string search, it became clear that the malware exfiltrates data over mail, or rather acts as a C2 agent via IMAP. The data is encrypted, as we have seen.
Opening the malware in a Windows VM in ILSpy let me see the actual code, which revealed the encryption function and password for the encrypted data that it sends via IMAP.
The last screenshot shows the encryption password, which was random binary data. I converted it to base64:
qHOu1ajeSCRb0fKARWPDpO62Q1wHeaRWeQpdBIxv+CweXjA2LWS4NhxSybzLlnuj5YqxM6ToVpqzj5AWhgwo8zcCSWdj8+x3CXj3GYSJQ0Jv8GxWVT8sMfEGA6qDljUxfkg8JJD4Nwrx0KPZMZrO4xljEpCGqe1kdRYLlp3mrSZIY4Ee3HDiOBByhRZgAVpIoiaPuiOOgOrE74ayzeV54fbozez+mJFifh3ZSrGOE762l+mdTEpom09zBRLMQf7MdkdcITpwzpdnsxik22JRBvFk5L5gjIABofbsGT5kV5G5LT2PNAjjIOklt2VZGH3L4wmSnNDOwobCF+lkJp46nw==
I also concatenated all of the encrypted strings from the extracted eml files, assuming that the encryptor uses a stream cipher:
The algorithm used for encryption is RC4, which I found out by asking an LLM about it. Shame on me. I created a Python decryptor:
From everything gathered so far, we can conclude that the malware is a C2 tool that operates via mail. The attacker puts an encrypted cmd command in the Drafts folder, the tool waits for it, reads it, decrypts and executes it, and puts the result back in the folder (RC4 encrypted as well).
The decryptor did not work at first; it only decrypted the first command. The reason was that the extracted mails were from the wrong stream. Looking at the suspected C2 communication again, this filter selects exactly the requests that the Python script can decrypt:
_ws.col.contains "Request: $ APPEND Inbox"
The contents of the IMAP APPEND commands are the commands together with their output, after RC4 decryption with the key we extracted from the malware. These are the commands. Note that I removed some of the command output since it was extremely large:
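The decryptor described above and the APPEND-based decryption step, as an added example (this is not the author's script or the challenge's own code): a plain RC4 implementation, the base64 key extracted from the malware, a small IMAP parser that pulls the message literal out of each "$ APPEND Inbox {n}" command that the filter selects, and a check that the message really carries the base64 SUPPORTHUB_ subject before decrypting its body. The client stream it runs on is constructed inline by the same routine (two made-up command outputs plus one ordinary message that must be ignored); the "$" tag, the one-header message layout and restarting the RC4 key schedule for every message are assumptions of the example, not facts from the capture.

```python
import base64
import re

# RC4 key recovered from the malware, in the base64 form given in the writeup.
KEY_B64 = (
    "qHOu1ajeSCRb0fKARWPDpO62Q1wHeaRWeQpdBIxv+CweXjA2LWS4NhxSybzLlnuj5YqxM6ToVpqzj5AW"
    "hgwo8zcCSWdj8+x3CXj3GYSJQ0Jv8GxWVT8sMfEGA6qDljUxfkg8JJD4Nwrx0KPZMZrO4xljEpCGqe1k"
    "dRYLlp3mrSZIY4Ee3HDiOBByhRZgAVpIoiaPuiOOgOrE74ayzeV54fbozez+mJFifh3ZSrGOE762l+md"
    "TEpom09zBRLMQf7MdkdcITpwzpdnsxik22JRBvFk5L5gjIABofbsGT5kV5G5LT2PNAjjIOklt2VZGH3L"
    "4wmSnNDOwobCF+lkJp46nw=="
)
KEY = base64.b64decode(KEY_B64)  # 256 bytes of random key material

# Base64 subject the implant searches for in the mailbox (from the capture).
C2_SUBJECT_B64 = "U1VQUE9SVEhVQl9kZXYtc3VwcG9ydF9NaWNyb3NvZnQgV2luZG93cyBOVCA2LjIuOTIwMC4w"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4. The cipher is symmetric, so this both encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    # Key-scheduling algorithm: permute S under the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation: XOR each byte with the next keystream byte.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decode_subject(subject: str) -> str:
    """The implant's subject is plain base64; anything else yields ''."""
    try:
        return base64.b64decode(subject, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError
        return ""


# One APPEND command line, e.g. '$ APPEND Inbox {1234}', which is what the
# Wireshark filter in the writeup selects. A literal of exactly n bytes follows.
APPEND_RE = re.compile(r"^\S+ APPEND Inbox[^\r\n]*\{(\d+)\}\r\n", re.M)


def extract_append_literals(stream: str) -> list:
    """Return the message literal carried by every APPEND Inbox in the stream."""
    literals = []
    for m in APPEND_RE.finditer(stream):
        n = int(m.group(1))
        literals.append(stream[m.end():m.end() + n])
    return literals


def decrypt_append_stream(stream: str, key: bytes) -> list:
    """Decrypt the base64+RC4 body of each message the implant appended."""
    results = []
    for literal in extract_append_literals(stream):
        headers, _, body = literal.partition("\r\n\r\n")
        m = re.search(r"^Subject:[ \t]*(.*)$", headers, re.M)
        # Only messages tagged with the SUPPORTHUB_ subject belong to the implant.
        if not m or not decode_subject(m.group(1).strip()).startswith("SUPPORTHUB_"):
            continue
        ciphertext = base64.b64decode("".join(body.split()))  # tolerate wrapped lines
        results.append(rc4(key, ciphertext).decode("utf-8", errors="replace"))
    return results


# Constructed stand-in for the capture (not real traffic): command output
# packaged the way the decryptor expects it, plus one unrelated message.
SAMPLE_COMMANDS = [
    "whoami /priv\r\nPRIVILEGES INFORMATION\r\n----------------------\r\n",
    "schtasks /query /fo LIST\r\nTaskName: \\Synchronisation\r\n",
]


def build_sample_stream(commands, key: bytes) -> str:
    """Assemble an IMAP client stream with one APPEND per command."""
    lines = ["$ SELECT Inbox", "$ OK [READ-WRITE] SELECT completed"]
    for text in commands:
        body = base64.b64encode(rc4(key, text.encode())).decode()
        literal = f"Subject: {C2_SUBJECT_B64}\r\n\r\n{body}"
        lines += [f"$ APPEND Inbox {{{len(literal)}}}", literal, "$ OK APPEND completed"]
    # An ordinary message in the same mailbox must be ignored by the decryptor.
    noise = "Subject: Re: Game Crash on Level 5\r\n\r\nStill crashing for me."
    lines += [f"$ APPEND Inbox {{{len(noise)}}}", noise, "$ OK APPEND completed"]
    return "\r\n".join(lines)


if __name__ == "__main__":
    for cmd in decrypt_append_stream(build_sample_stream(SAMPLE_COMMANDS, KEY), KEY):
        print(cmd)
```

Because every APPEND body is decrypted on its own with the key schedule restarted, the literals can be fed in one at a time, and a message from another stream simply fails the subject check instead of desynchronising everything that follows it.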
Now we can see what the attacker did. He enumerated privileges, exfiltrated browser, database and mail passwords, and more. At the end, he exfiltrated a secret API key for the game. Now we can answer all the questions required to solve the challenge:
What is the subject of the first email that the victim opened and replied to?
Game Crash on Level 5 - Found by extracting http stream 4
On what date and time was the suspicious email sent? (Format: YYYY-MM-DD_HH:MM) (for example: 1945-04-30_12:34)
2025-02-24_15:46 - Found by extracting http stream 8
What is the MD5 hash of the malware file?
c0b37994963cc0aadd6e78a256c51547 - Extracted the zip file from the http contents, unzipped it with the password from the mail at http stream 8 and used md5sum Eldoria_Balance_Issue_Report.pdf.exe
What credentials were used to log into the attacker's mailbox? (Format: username:password)
proplayer@email.com:completed - Found in an unauthenticated IMAP login when searching for proplayer@email.com
What is the name of the task scheduled by the attacker?
Synchronisation - This can be found by analyzing the malware, extracting the password and RC4 decrypting all APPEND imap data
What is the API key leaked from the highly valuable file discovered by the attacker?
sk-3498fwe09r8fw3f98fw9832fw