Little Cybersecurity Adventures

Bernardo's Blog


## Intro Text

> A critical network infrastructure has encountered significant operational disruptions, leading to system outages and compromised machines. Public message boards displayed politically charged messages, and several systems were wiped, causing widespread service failures. Initial investigations reveal that attackers compromised the Active Directory (AD) system and deployed wiper malware across multiple machines.
>
> Fortunately, during the attack, an alert employee noticed suspicious activity and immediately powered down several key systems, preventing the malware from completing its wipe across the entire network. However, the damage has already been done, and your team has been tasked with investigating the extent of the compromise.
>
> You have been provided with forensic artifacts collected via KAPE SANS Triage from one of the affected machines to determine how the attackers gained access, the scope of the malware's deployment, and what critical systems or data were impacted before the shutdown.

Link to lab: https://cyberdefenders.org/blueteam-ctf-challenges/meteorhit-indra/

## Questions

1. The attack began with using a Group Policy Object (GPO) to execute a malicious batch file. What is the name of the malicious GPO responsible for initiating the attack by running a script?

    To uncover the name of the malicious GPO, we can use Registry Explorer and look into the start-up scripts configured using GPOs, and we can find that `DeploySetup` is the name of the malicious GPO.

    ![Image of Registry Explorer showing the GPO name](/images/Meteor_Indra/image.png)

2. During the investigation, a specific file containing critical components necessary for the later stages of the attack was found on the system. This file, expanded using a built-in tool, played a crucial role in staging the malware. What is the name of the file, and where was it located on the system? Please provide the full file path.

    To answer this question, I used Event Log Explorer, like the official walkthrough uses. I had never used this tool, but as far as I can tell, it's basically Windows Event Viewer but good 😭. Doing a Ctrl-F for "expand", we can find the file we want being expanded: `C:\ProgramData\Microsoft\env\env.cab`

    ![Event Log Explorer log](/images/Meteor_Indra/image-1.png)

3. The attacker employed password-protected archives to conceal malicious files, making it important to uncover the password used for extraction. Identifying this password is key to accessing the contents and analyzing the attack further. What is the password used to extract the malicious files?

    Hitting up a few times, we can see a rar file being extracted almost immediatly after the expanding of the archive, and we can see the command line parameters including the password

    `CommandLine: "Rar.exe"  x "C:\ProgramData\Microsoft\env\programs.rar" -phackemall`

    ![alt text](/images/Meteor_Indra/image-2.png)

4. Several commands were executed to add exclusions to Windows Defender, preventing it from scanning specific files. This behavior is commonly used by attackers to ensure that malicious files are not detected by the system's built-in antivirus. Tracking these exclusion commands is crucial for identifying which files have been protected from antivirus scans. What is the name of the first file added to the Windows Defender exclusion list?

    Because the last question's solution was so good, I went ahead and did it again, only this time I had to hit up a few more times 😅. But this method was good to have a little understanding of how the exploit works, at least at a high-level. Eventually we come to a powershell proccess being created with `powershell  -Command "Add-MpPreference -Force -ExclusionPath '"C:\ProgramData\Microsoft\env"\update.bat'"`, so we can see that `update.bat` is the first file being added to the Windows Defender exclusion list. If we keep going, we can see that it also adds `Rar.exe` to the exclusion list afterwards.

    ![alt text](/images/Meteor_Indra/image-3.png)

5. A scheduled task has been configured to execute a file after a set delay. Understanding this delay is important for investigating the timing of potential malicious activity. How many seconds after the task creation time is it scheduled to run?

    Keeping up the same method, we can go up until we find a `schtasks.exe` process being created, with the following command line arguments: `schtasks  /CREATE /SC ONCE /ST 09:08:13 /TN "mstask" /RL HIGHEST /RU SYSTEM /TR "\""C:\ProgramData\Microsoft\env\env.exe"\" C:\temp\msconf.conf`, we can get the time from comparing the time, or by simply analysing the powershell command being ran just before this program, which just adds 3.5 minutes to the current time :grin: (`powershell  -command "(Get-Date).AddMinutes(3.5).ToString('HH:mm:ss')"`).

    ![alt text](/images/Meteor_Indra/image-4.png)

6. After the malware execution, the wmic utility was used to unjoin the computer system from a domain or workgroup. Tracking this operation is essential for identifying system reconfigurations or unauthorized changes. What is the Process ID (PID) of the utility responsible for performing this action?

    For this one, I gave up the up-arrow, and simply ctrl-F'd for `wmic.exe`, and we can quickly find the log containing the relevant information, for our purposes, the PID of wmic is 7492.

    ![alt text](/images/Meteor_Indra/image-5.png)

7. The malware executed a command to delete the Windows Boot Manager, a critical component responsible for loading the operating system during startup. This action can render the system unbootable, leading to serious operational disruptions and making recovery more difficult. What command did the malware use to delete the Windows Boot Manager?

    Searching for `bcdedit.exe`, we can find multiple references to it, I honestly just bruteforced this one and went on submitting all of the commands until one said it was good: `C:\Windows\Sysnative\bcdedit.exe  /delete {9dea862c-5cdd-4e70-acc1-f32b344d4795} /f`. Searching the identifier on google tells me this is the Windows Boot Manager identifier, but searching it the other way around didn't work that well for me... Oh well, you live and you learn.

    ![alt text](/images/Meteor_Indra/image-6.png)

8. The malware created a scheduled task to ensure persistence and maintain control over the compromised system. This task is configured to run with elevated privileges every time the system starts, ensuring the malware continues to execute. What is the name of the scheduled task created by the malware to maintain persistence?

    We can search for `schtasks.exe` again, and find a new command `ParentCommandLine: C:\Windows\System32\cmd.exe /c schtasks /CREATE /SC ONSTART /TN "Aa153!EGzN" /RL HIGHEST /RU SYSTEM /TR "\"C:\ProgramData\Microsoft\env\env.exe\" \"C:\temp\msconf.conf\"" /F`, so the name of the task is `Aa153!EGzN`.

    ![alt text](/images/Meteor_Indra/image-7.png)

9. A malicious program was used to lock the screen, preventing users from accessing the system. Investigating this malware is important to identify its behavior and mitigate its impact. What is the name of this malware? (not the filename)

    We can search the logs for `lock` and then we can see the MD5 hash of the malware, and then plug it into `VirusTotal`.

    ![alt text](/images/Meteor_Indra/image-8.png)

    ![alt text](/images/Meteor_Indra/image-9.png)

    According to the sources, it's `breakwin`

Reconstruct a wiper malware attack by analyzing registry, event logs, and USN journal artifacts using Registry Explorer, Event Log Explorer, and VirusTotal.

CyberDefenders - MeteorHit / Indra Lab



## Intro Text

> The SOC team detected malicious activity involving an employee who uses his personal Android device under the company's BYOD policy. The employee reported recently installing what appeared to be a legitimate financial application after being contacted on social media.
>  
> Initial triage indicates the incident may involve both the employee's personal device and corporate assets, with signs of potential data exfiltration. The timeline suggests the attack may have originated from the mobile device before affecting company resources.
>  
> You have been provided with data from both the Android device and Windows workstation. Your mission is to reconstruct the complete attack chain, identify all malicious components, and determine the full scope of the compromise.
> Splunk Credentials:
> 
> User: student
> Password: CyDefStudent

Pretty simple introduction, we can start by locating the artifacts that we were left with to carry out our investigation, we can see that we have an Android Image and a computer image.

![Pasted image 20260507155358.png](/images/Byod_Breach/1.png)

## Initial Access

1. **The threat actor used Discord to conduct a phishing campaign and deliver a malicious application by sending phishing messages to its victims. What is the timestamp when the first phishing message was sent to the victim? (in UTC)**

Let's dig into the the Android data, and find the data associated with Discord. Application data usually resides inside the `data/data` directory, and we can see that discord is indeed found there.

![Pasted image 20260507155358.png](/images/Byod_Breach/2.png)

After poking around, we can find an `sqlite` database which contains the Discord messages stored on the device, and filtering those by the string "APK" we can find 3 results:

![Pasted image 20260507155358.png](/images/Byod_Breach/3.png)

We can copy the data of the first row to read the JSON formatted message and metadata clearly, and we can read the message, promising riches to those who install a new  application which is not available in the Play Store (🚩🚩🚩) . We can also see the message timestamp on the metadata ().

```json
{"id":"1402978851033976874","channelId":"1260057237167018050","message":{"type":0,"content":"🚀 **EXCLUSIVE TRADING OPPORTUNITY** 🚀\n\n**Hey professional trader! **\n\nI know you're into new tech, so I thought you might find this interesting. I got into a closed beta for a new trading analysis tool called **TradingPro**.\n\nIt's not an auto-trader, but more of an AI-powered signal generator. It scans market data (stocks and crypto) and flags potential entry and exit points based on its algorithms. The idea is to help you spot opportunities you might otherwise miss.\n\nI've been using it to supplement my own research for a few weeks, and some of its calls have been impressively accurate. It's still a bit rough around the edges (it's a beta, after all), but the core tech seems really promising.\n\nThe dev team gave beta users a few invite codes to share for feedback before the public launch. The invite gives you free access for 6 months.\n\nHere’s my invite link if you want to check it out:\n[TradingPro.apk](https://download947.mediafire.com/ksko53k8zbnghfi24VNm5LrQVL9K7xDvwGUqblir8x6pGn5dTbqWWDvCxh0g_8Cgl745u5I7tXwjexpUs5yD_VPayF3gO5pJCqz_LRUGYTLGMrqj9iYQ3TQHg50UGG2BpGRN82SZomhRaRGv2j362rdIPoVAKnoU36smiys66oqKeT4/2ofb3adsq2qojdf/TradingPro.apk)\n\nCode: TradingPro_Beta8516584655\n\n(You have to sideload the APK on Android since it's not on the Play Store yet. Let me know what you think if you try it out).","mentions":[],"mention_roles":[],"attachments":[],"embeds":[],"timestamp":"2025-08-07T11:37:04.173000+00:00","edited_timestamp":null,"flags":0,"components":[],"id":"1402978851033976874","channel_id":"1260057237167018050","author":{"id":"1259338416290795682","username":"tradingpro9_","avatar":"d3a7da8f180e0087b33d91b828223b30","discriminator":"0","flags":0,"banner":null,"accent_color":null,"collectibles":null,"display_name_styles":null,"clan":null,"primary_guild":null,"(...)
}
```

## Execution

2. **The victim fell for the phishing campaign and installed the malicious application on his device. What is the package name of this malicious application?**

Using the `Trading Pro` name suggested by the Discord message, we can search the  `data/data` directory for a package name similar to it.
 
![Pasted image 20260507155358.png](/images/Byod_Breach/4.png)

These three bottom ones look particularly suspicious.`Telegram` by itself doesn't mean much, but it's rare that you see it without it being used in a not nefarious way. The answer they are looking for is `com.test.tradingpro`.

3. **When was the malicious application first installed on the device? (in UTC)?** 

We can find out the the application was installed by analysing the `packages.xml` file, which we can find in the `data/system` folder. The file is `ABX` encoded by default (Android Binary XML), so we need to decode it using `abx2xml`. 

![Pasted image 20260507155358.png](/images/Byod_Breach/5.png)

This can be done like so:

```powershell
PS C:\Users\Administrator\Desktop\Start Here\Tools\Mobile Forensics> .\abx2xml.exe ..\..\Artifacts\Android\data\system\p
ackages.xml
Successfully converted ..\..\Artifacts\Android\data\system\packages.xml to ..\..\Artifacts\Android\data\system\packages.
xml
```

According to the data I found in this [cheat-sheet](https://github.com/0xn3va/cheat-sheets/blob/main/Mobile%20Application/Android/Overview/package-manager.md), the `ft` field has the time when the application was last changed, which in our case should be the install time. 

![Pasted image 20260507155358.png](/images/Byod_Breach/6.png)

The data is represented as an UNIX timestamp `198845936c0`, which we can use an online tool to decode into an human-readable UTC timestamp. So the timestamp would be `2025-08-07 11:44`.

![Pasted image 20260507155358.png](/images/Byod_Breach/7.png)

 4. **The application registers an Accessibility Service to read sensitive on-screen content. What specific permission does the malware request to enable this capability?**

In the data we observed for the last question, we could find the code path for the malicious application, so we can just find the application and open it in `JADX`.

Inside the `ApplicationManifest.xml` file, we can see which permissions the app requests, the first one being `android.permission.BIND_ACCESSIBILITY_SERVICE`, which is the answer we are looking for.

![Pasted image 20260507155358.png](/images/Byod_Breach/8.png)

## Discovery 

5. The malware searches for remote desktop applications on the device to steal connection metadata. What is the package name of the targeted remote desktop application found on the victim’s device?

Poking around the decompiled app, we can find a file containing lists of applications, the first one being `com.anydesk.anydeskandroid`, which can also be found in the `packages.xml
file.

![Pasted image 20260507155358.png](/images/Byod_Breach/9.png)

![Pasted image 20260507155358.png](/images/Byod_Breach/10.png)

So from that, we can tell that the malware was able to find this application and try to use any data pertaining to it.

## Exfiltration

6. **The malicious application sends harvested data to an exfiltration server. What IP address does it contact for exfiltration?**

In the `h1g0` file, we can find a bunch of strings that look Base64 encoded. If we try to decode them, all we get is a jumbled mess, but by looking further into the code, we can see that the data is supposed to be Base64 decoded and then XOR encoded with the 42 value.

![Pasted image 20260507155358.png](/images/Byod_Breach/11.png)


```java
	        /* JADX INFO: Access modifiers changed from: private */
        public final String d(String s) {
            try {
                byte[] decoded = Base64.decode(s, 0);
                Intrinsics.checkNotNull(decoded);
                Collection arrayList = new ArrayList(decoded.length);
                for (byte b : decoded) {
                    arrayList.add(Byte.valueOf((byte) (b ^ 42)));
                }
                return new String(CollectionsKt.toByteArray((List) arrayList), Charsets.UTF_8);
            } catch (Exception e) {
                return s;
            }
        }

```

The IP Address we want isn't found in the same file, but in one of the other decoded files. The address the application tries to connect itself to is `http://18.199.240.228:5002`

![Pasted image 20260507155358.png](/images/Byod_Breach/12.png)

![Pasted image 20260507155358.png](/images/Byod_Breach/13.png)

## Lateral Movement

7. Using the exfiltrated data, the threat actor connected to the corporate workstation through AnyDesk. What is the AnyDesk connection address of the compromised Windows host?
Now we move from the Android data into the Windows Host data. Looking into the AnyDesk data on the PC, we can find the Id in the `system.conf` file.

![Pasted image 20260507155358.png](/images/Byod_Breach/14.png)

8. **When did the threat actor first connect to the corporate Windows host? (in UTC)**

By looking into the `ad_svc.trace` file, we can find a lot of connections, and looking into the ones happening in the 7th of August, we can find the following connection, starting at `2025-08-07 12:50` (Full disclosure, I tried some of the other connections first, not completely sure why this one was **the one**). 

![Pasted image 20260507155358.png](/images/Byod_Breach/15.png)


Little Cybersecurity Adventures

CyberDefenders - MeteorHit / Indra Lab

CyberDefenders - BYOD Breach