Challenge 3 – Banking Troubles – (provided by Josh Smith and Matt Cote from The Rochester Institute of Technology Chapter, Angelo Dell’Aera from the Italian Chapter and Nicolas Collery from the Singapore Chapter) is to investigate a memory image of an infected virtual machine.
Submit your solution at http://www.honeynet.org/challenge2010/ using the submission templates provided below by 17:00 EST, Sunday, April 18th 2010. Results will be released on Wednesday, May 5th 2010. (For inquiries you can contact firstname.lastname@example.org) Small prizes will be awarded to the top three submissions.
Skill Level: Difficult
Company X has contacted you to perform forensics work on a recent incident. One of their employees received an email from a co-worker that pointed to a PDF file. On opening it the employee did not notice anything unusual, but they have recently seen unexpected activity in their bank account. Company X obtained a memory image of the employee's virtual machine once the infection was suspected, and wants you to analyze that memory image and report on any suspicious activity found. The questions below are intended to guide the formal report for the investigation.
- List the processes that were running on the victim’s machine. Which process was most likely responsible for the initial exploit? (2pts)
- List the sockets that were open on the victim’s machine during infection. Are there any suspicious processes that have sockets open? (4pts)
- List any suspicious URLs that may be in the suspected process’s memory. (2pts)
- Are there any other processes that contain URLs that may point to banking troubles? If so, what are these processes and what are the URLs? (4pts)
- Could any files be extracted from the initial process? If so, how were these files extracted? (6pts)
- If there was a file extracted from the initial process, what techniques did it use to perform the exploit? (8pts)
- List suspicious files that were loaded by any processes on the victim's machine. From this information, what was a possible payload of the initial exploit that would affect the victim's bank account? (2pts)
- If any suspicious files can be extracted from an injected process, do any anti-virus products pick up the suspicious executable? What is the general result from anti-virus products? (6pts)
- Are there any related registry entries associated with the payload? (4pts)
- What technique was used in the initial exploit to inject code into the other processes? (6pts)
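As an added example (not part of the challenge materials or of the Honeynet Project's own tooling), the Python script below shows the kind of triage that questions 7 to 10 above ask for: carving PDF documents out of a process memory dump, listing the URLs found in the dump (including UTF-16LE wide strings, which a plain `strings` run misses unless asked for them), and flagging keywords such as /JavaScript and /OpenAction in each carved document after undoing the #xx name escaping that exploit PDFs use to hide those keywords. It runs on a constructed buffer that stands in for a dump; the hostnames and PDF contents are made up, and the keyword list is a heuristic rather than a signature.

```python
"""Carve PDFs and URLs out of a raw memory dump and triage each PDF.

Added example; not part of the Honeynet challenge materials.  Runs on a
constructed buffer so it works offline.  On the real image the input would
be the memory of the suspect process dumped with a tool such as Volatility.
"""
import re
from typing import Dict, List

PDF_HEADER = b"%PDF-"
PDF_TRAILER = b"%%EOF"

# ASCII URL, and the same URL as a UTF-16LE wide string (how Windows keeps
# most of its in-memory strings).
URL_CHARS = rb"[A-Za-z0-9._~%/?#=&+:\-]"
ASCII_URL_RE = re.compile(rb"https?://" + URL_CHARS + rb"+")
WIDE_URL_RE = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + URL_CHARS + rb"\x00)+"
)

# Keywords worth a second look in a PDF pulled from memory (heuristic list).
SUSPICIOUS_PDF_KEYS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/AA",
                       b"/Launch", b"/EmbeddedFile", b"/RichMedia"]


def carve_pdfs(buf: bytes) -> List[bytes]:
    """Return each candidate PDF from a %PDF- header up to and including the
    nearest %%EOF after it.  A header with no trailer is kept to end-of-buffer:
    a truncated document in memory can still hold the exploit object.  Note
    that a PDF saved with incremental updates has several %%EOF markers, so
    this simple carver cuts such a file at its first one."""
    found: List[bytes] = []
    pos = 0
    while (start := buf.find(PDF_HEADER, pos)) >= 0:
        end = buf.find(PDF_TRAILER, start)
        if end < 0:
            found.append(buf[start:])
            break
        end += len(PDF_TRAILER)
        found.append(buf[start:end])
        pos = end
    return found


def extract_urls(buf: bytes) -> List[str]:
    """Unique URLs in first-seen order, from ASCII and then UTF-16LE strings."""
    urls: List[str] = []
    for m in ASCII_URL_RE.finditer(buf):
        u = m.group(0).decode("ascii")
        if u not in urls:
            urls.append(u)
    for m in WIDE_URL_RE.finditer(buf):
        u = m.group(0).decode("utf-16-le")
        if u not in urls:
            urls.append(u)
    return urls


def normalize_names(pdf: bytes) -> bytes:
    """Undo #xx hex escapes in PDF names (/J#61vaScript -> /JavaScript), a
    common way to hide keywords from naive string matching."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), pdf)


def pdf_indicators(pdf: bytes) -> Dict[str, int]:
    """Count suspicious keywords after de-obfuscating names.  The lookahead
    stops /JS from matching a longer name such as /JSX."""
    text = normalize_names(pdf)
    counts: Dict[str, int] = {}
    for key in SUSPICIOUS_PDF_KEYS:
        pat = re.escape(key) + rb"(?![A-Za-z0-9])"
        counts[key.decode()] = len(re.findall(pat, text))
    return counts


def analyse_dump(buf: bytes) -> Dict[str, object]:
    """Everything a first triage pass wants from one process dump."""
    pdfs = carve_pdfs(buf)
    return {
        "urls": extract_urls(buf),
        "pdf_count": len(pdfs),
        "pdf_indicators": [pdf_indicators(p) for p in pdfs],
    }


# Constructed stand-in for a process memory dump: filler, a stray ASCII URL,
# one embedded PDF whose JavaScript name is hex-escaped, and a banking URL
# stored as a wide string.  None of this comes from the challenge image.
SAMPLE_DUMP = (
    b"\x00" * 32
    + b"http://update.example.test/check.php\x00"
    + b"%PDF-1.4\n"
    + b"1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
    + b"2 0 obj\n<< /S /J#61vaScript /JS (var sc = unescape('%u9090%u9090');) >>\nendobj\n"
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    + b"\x00" * 16
    + "https://bank.example.test/login?user=victim".encode("utf-16-le") + b"\x00\x00"
    + b"ftp://ignored.example.test/\x00"
)

if __name__ == "__main__":
    import json
    print(json.dumps(analyse_dump(SAMPLE_DUMP), indent=2))
```

The keyword counts are a signal that says where to look, not proof of exploitation: a benign form can legitimately carry /JavaScript and /AA, so the next step is to pull the named object out of the carved file and read what the script actually does.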
hn_forensics.tgz Sha1: 8178921fd065ad2de9c6738fe062d2b37402c04a
Full post at https://www.honeynet.org/challenges/2010_3_banking_troubles