Welcome! #
- LetsDefend is a Blue Team Training platform.
- This writeup is a challenge on LetsDefend.
Challenge Details: #
- Role targeted: Security Analyst
- Skill Level: Easy
Description: #
Analysis XLS File
File link: /root/Desktop/ChallengeFiles/ORDER_SHEET_SPEC.zip
Password: infected
Lab Start: #
Reminder: don’t blindly extract zip files on machines. This is a lab, and the zip itself isn’t malicious; only the file it contains is. That being said, let’s unzip this infected zip!

```bash
cd Desktop/ChallengeFiles
unzip ORDER_SHEET_SPEC.zip
```

It’ll ask for a password: infected
VirusTotal: #
Let’s throw this in VirusTotal and see what it says!
Questions: #
Found under the “DETAILS” tab in VirusTotal.

- What is the date the file was created? (UTC) Answer Format: YYYY-MM-DD HH:MM:SS
- Answer: 2020-02-01 18:28:07
Found under the “DETECTION” tab in VirusTotal.

- With what name is the file detected by Bitdefender antivirus?
- Answer: trojan.generickd.36266294
Found under the “RELATIONS” tab in VirusTotal.

- How many files are dropped on the disk?
- Answer: 29
Found under the “RELATIONS” tab in VirusTotal; under the dropped files. You need to expand the image1.emf row to find the SHA-256 hash.

- What is the SHA-256 hash of the file with the emf extension it drops?
- Answer: 979dde2aed02f077c16ae53546c6df9eed40e8386d6db6fc36aee9f966d2cb82
Found under the “RELATIONS” tab in VirusTotal.

- What is the exact URL to which the relevant file goes to download spyware?
- Answer: https://multiwaretecnologia.com.br/js/podaliri4.exe
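The same answers can be pulled from the VirusTotal v3 API instead of clicking through the tabs. The script below is an added example, not part of the original writeup: the JSON it parses is a constructed, trimmed stand-in for the `/files/{id}`, `/files/{id}/dropped_files` and `/files/{id}/contacted_urls` responses, the field layout (`creation_date` epoch, `last_analysis_results`, `meta.count`, `meaningful_name`) is my assumption about the v3 format, and the contacted URL is a placeholder rather than the real one.

```python
import json
from datetime import datetime, timezone

# Constructed, trimmed stand-in for GET /api/v3/files/{sha256} (DETAILS / DETECTION tabs).
# Field names are an assumption about the VirusTotal v3 layout, not a captured response.
FILE_REPORT = json.loads("""{"data": {"attributes": {
  "creation_date": 1580581687,
  "last_analysis_results": {
    "BitDefender": {"category": "malicious", "result": "trojan.generickd.36266294"},
    "OtherAV":     {"category": "undetected", "result": null}}}}}""")

# Constructed stand-in for GET /api/v3/files/{sha256}/dropped_files (RELATIONS tab).
# Only two of the 29 entries are included; meta.count carries the real total.
DROPPED = json.loads("""{"meta": {"count": 29}, "data": [
  {"attributes": {"meaningful_name": "image1.emf",
   "sha256": "979dde2aed02f077c16ae53546c6df9eed40e8386d6db6fc36aee9f966d2cb82"}},
  {"attributes": {"meaningful_name": "other.bin", "sha256": "00...placeholder"}}]}""")

# Constructed stand-in for GET /api/v3/files/{sha256}/contacted_urls; placeholder URL.
CONTACTED = json.loads("""{"data": [
  {"attributes": {"url": "https://example.invalid/placeholder.exe"}}]}""")

def creation_date_utc(report):
    """Format the creation_date epoch as the challenge wants it: UTC, YYYY-MM-DD HH:MM:SS."""
    ts = report["data"]["attributes"]["creation_date"]
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def detection_name(report, engine):
    """One vendor's verdict; engine keys are matched case-insensitively.
    Returns None when the engine is absent or did not flag the sample."""
    results = report["data"]["attributes"]["last_analysis_results"]
    for name, verdict in results.items():
        if name.lower() == engine.lower():
            return verdict.get("result")
    return None

def dropped_count(rel):
    """Total dropped files; prefer meta.count because the data list may be paginated."""
    return rel.get("meta", {}).get("count", len(rel["data"]))

def dropped_hashes_by_ext(rel, ext):
    """SHA-256 of every dropped file whose name ends with the given extension."""
    return [d["attributes"]["sha256"] for d in rel["data"]
            if d["attributes"].get("meaningful_name", "").lower().endswith(ext.lower())]

def contacted_urls(rel):
    """URLs the sample reached out to, in the order VirusTotal lists them."""
    return [u["attributes"]["url"] for u in rel["data"]]
```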