Nullcon Hackim 2018: OSINT1
| Nullcon Hackim 2018 | OSINT 1 | OSINT | 100 | ¯\_(ツ)_/¯ |
This is an OSINT challenge, which is rare, and Nullcon made it very well! The statement:
One of our systems has been infected by a ransomware. The message says My username is your password. Wait for further instructions.
We have been able to identify the JS file used to download the ransomware.
Here is the MD5: ‘151af957b92d1a210537be7b1061dca6’.
Can you help us to unlock the machine?
In this task the author gives us a ransomware hash. After passing it through VirusTotal, I saw the DSAdaDSDA.js JS dropper for the Nemucod ransomware.
After a little looking on Google, I found the Hybrid Analysis report and found the username n923wUc in the HTTP traffic.
In the forensic world, when we have a suspicious malware sample, script or whatever, the first move is: compute the hash and look it up on VirusTotal. If the hash is known, then there is already an analysis and probably useful comments from other analysts.
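The hash-then-look-up step above, as an added example that is not code from the write-up: it hashes a sample, queries the VirusTotal v3 file endpoint (assumed: GET /api/v3/files/{hash} with the key read from a VT_API_KEY environment variable) and pulls out the fields an analyst reads first. The report it parses offline is constructed; only the MD5 and the file name come from the challenge.

```python
# Added example (not from the write-up): hash a sample and triage its
# VirusTotal v3 report. Assumes GET /api/v3/files/{hash} with the key in
# VT_API_KEY; SAMPLE_REPORT is constructed, only the MD5/name are from the task.
import hashlib
import json
import os
import urllib.request


def file_hashes(data: bytes) -> dict:
    """md5/sha1/sha256 of the sample, so it can be matched on any service."""
    return {n: hashlib.new(n, data).hexdigest() for n in ("md5", "sha1", "sha256")}


def fetch_report(file_hash: str) -> dict:
    """Look the hash up on VirusTotal (network call; needs VT_API_KEY set)."""
    req = urllib.request.Request("https://www.virustotal.com/api/v3/files/" + file_hash,
                                 headers={"x-apikey": os.environ["VT_API_KEY"]})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def summarize(report: dict) -> dict:
    """Pull out what an analyst reads first: verdicts, file names, family."""
    attrs = report["data"]["attributes"]
    stats = attrs.get("last_analysis_stats", {})
    results = attrs.get("last_analysis_results", {})
    families = sorted({r["result"] for r in results.values()
                       if r.get("category") == "malicious" and r.get("result")})
    return {"malicious": stats.get("malicious", 0),
            "engines": sum(stats.values()),
            "names": attrs.get("names", []),
            "families": families,
            "label": attrs.get("popular_threat_classification", {})
                          .get("suggested_threat_label")}


# Constructed response shaped like a v3 file object; verdict strings are made up.
SAMPLE_REPORT = {"data": {"attributes": {
    "md5": "151af957b92d1a210537be7b1061dca6",
    "names": ["DSAdaDSDA.js"],
    "last_analysis_stats": {"malicious": 2, "undetected": 1, "harmless": 0},
    "last_analysis_results": {
        "EngineA": {"category": "malicious", "result": "JS/Nemucod"},
        "EngineB": {"category": "malicious", "result": "Trojan.Nemucod"},
        "EngineC": {"category": "undetected", "result": None}},
    "popular_threat_classification": {"suggested_threat_label": "downloader.nemucod"},
}}}

if __name__ == "__main__":
    print(file_hashes(b"constructed sample bytes"), summarize(SAMPLE_REPORT))
```

Running it on a real sample means `fetch_report(file_hashes(data)["sha256"])` in place of SAMPLE_REPORT; any hash the service knows will do, which is why the challenge's MD5 alone is enough.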
Here, that is exactly the procedure I followed. I put the given hash into VirusTotal and then:
Fig 1 - Malicious you said ?
We can see the JS dropper and the Nemucod malware.
BTW, there is a decrypter on NoMoreRansom.
After that I looked for a more verbose analysis, and then I found:
One of those links had the flag. But at this point I didn’t know it!
After a lot of searching through strings, extracted files… I ended up forgetting what I was looking for…
I’m looking for a username! In great despair, I did a CTRL+F “USERNAME” in the first link and found:
w00t \o/ …Or not, it doesn’t flag… The admin told me that it is not the right username, dammit.
I did the same thing on the second link and… nothing…
And finally on the third link: