Confinement
29th February 2024
Prepared By: bquanman & c4n0pus
Challenge Author(s): bquanman
Difficulty: Hard
Classification: Official
A hard forensics challenge that involves restoring artifacts from the quarantine folder of Windows Defender and then decrypting a C# ransomware for flag
- Our clan's network has been infected by a cunning ransomware attack, encrypting irreplaceable data essential for our relentless rivalry with other factions. With no backups to fall back on, we find ourselves at the mercy of unseen adversaries, our fate uncertain. Your expertise is the beacon of hope we desperately need to unlock these encrypted files and reclaim our destiny in The Fray. Note: The valuable data is stored under \Documents\Work
- Familiarity with Windows operating system
- Familiarity with Windows event logs
- Analyzing Windows event log
- Attack timeline reconstruction
- Knowledge of where Windows artifacts are stored
- Analyzing C# ransomware
Players are given the following file:
- Challenge.ad1: Logical disk image of a Windows host acquired by FTK Imager.
We can see the encrypted files in the tommyxiaomi user folder. The modified time is about 16:05 28/02/2024 so that we can localize the time of the attack to focus on investigating events during this period
Firstly, analyze the event logs to understand what happened.
Using chainsaw to hunt critical event
These defender warnings were all created between 15:45 and 15:48 and the threats repeated many times, possibly because the attacker tried to spread malware but was blocked by Windows Defender.
In those threats, mimikatz.exe and fscan64.exe are very common but how about intel.exe?
Find intel.exe from Security log. We can see the time the process was created was very close to the time the files were infected so this could be the ransomware!
Furthermore, it was started by Powershell. At this time, the Powershell log should be valuable!
Using evtx_dump to parse Microsoft-Windows-PowerShell%4Operational.evtx and take all script blocks
In the beginning, the attacker downloaded an archive that appeared to contain attack tools
Next is a series of commands to disable and bypass Windows Defender then extract intel.exe again and execute it the last time before cleaning and exit
Mapping to the timestamp of the defender's log, we can roughly visualize the following:
- the attacker compromised the host at around 17:41
- the attempt to download and execute hacking tools was blocked by Defender until 17:48
- so they had to use some commands to disable and bypass the Defender
- At 18:05:17, they extracted
intel.zipagain and no more defender warnings were generated - They then executed
intel.exeto encrypt the files before exiting the system at 18:07:24
At this point, we have a fairly comprehensive view of the attack. However, our goal is to restore our client's files. To do that, the ransomware is needed so that we can understand how files are encrypted. But we don't have the ransomware sample since it's cleaned up by the attacker!
We need to go back a bit to the defender log
Details about IDs and information fields in Windows Defender log
The Action here is Quarantine, that means it hasn't actually been removed from the system, but just put into the Windows quarantine folder
Quarantine files are stored at the path C:\ProgramData\Microsoft\Windows Defender\Quarantine. In this path, the ResourceData folder contains the actual data of those files, while the Entries and Resources folders contain metadata/information related to them.
Data files are encrypted with a default RC4 key outlined in this post
Manual decrypting shows that there is some file information data added to the beginning and end of the file. Removing these data you can get the complete file. There are also many public scripts to make this task easier.
When we get the complete file, we find that this is a .net executable!
List the files in the directory and encode the files with the corresponding extension
Password is generated by combining the userID and the hardcoded salt, generating a sha512 sum and base64 encoding it
Password is then used to generate a key and an iv to encrypt a file using the Rijndael (AES) algorithm
Ransom note:
Take the userID from the ransom note. Combined with the hardcoded salt, we can use the same algorithm to decrypt the client's file:
using System;
using System.IO;
using System.Text;
using System.Security.Cryptography;
string Hasher(string password)
{
string text;
using (SHA512CryptoServiceProvider sha512CryptoServiceProvider = new SHA512CryptoServiceProvider())
{
byte[] bytes = Encoding.UTF8.GetBytes(password);
text = Convert.ToBase64String(sha512CryptoServiceProvider.ComputeHash(bytes));
}
return text;
}
// Token: 0x0600001C RID: 28 RVA: 0x00002834 File Offset: 0x00000A34
string GetHashCode(string password, string salt)
{
string text = password + salt;
return Hasher(text);
}
byte[] array = new byte[65535];
byte[] array2 = new byte[] { 0, 1, 1, 0, 1, 1, 0, 0 };
string uid = "5K7X7E6X7V2D6F";
string salt = "0f5264038205edfb1ac05fbb0e8c5e94";
string password = GetHashCode(uid, salt);
Console.WriteLine("Password: " + password);
Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, array2, 4953);
RijndaelManaged rijndaelManaged = new RijndaelManaged();
rijndaelManaged.Key = rfc2898DeriveBytes.GetBytes(rijndaelManaged.KeySize / 8);
rijndaelManaged.Mode = CipherMode.CBC;
rijndaelManaged.Padding = PaddingMode.ISO10126;
rijndaelManaged.IV = rfc2898DeriveBytes.GetBytes(rijndaelManaged.BlockSize / 8);
Console.WriteLine("Key: " + Convert.ToBase64String(rijndaelManaged.Key));
Console.WriteLine("IV: " + Convert.ToBase64String(rijndaelManaged.IV));With all that in place, we can export the valuable file and decrypt it!
Turns out it's an Excel workbook and one of the cells is the flag!
