Project Sekai - ✅-forensics-attaaaaack10

Project Sekai

🔒 CrewCTF 2023 / ✅-forensics-attaaaaack10

Attaaaaack10 - 1000 points

Category: Forensics Description: Q10. we think that the malware uses persistence technique can you detect it ? example : crew{Schedule_Task} Author : 0xSh3rl0ck Files: No files. Tags: No tags.

Sutx pinned a message to this channel. 07/08/2023 2:36 AM

@Guesslemonger wants to collaborate

02:37

@Surg wants to collaborate

02:39

@Violin wants to collaborate

i assume 12 and 13 are easier than 10 and 11 from solve, but not certain

can someone confirm if task has underscore in its name? or spaces to be replaced by underscore

let me ask

03:00

ok

03:00

Image attachment

umm ok

idk what this means lol

Image attachment

so scheduled task is wrong? because i don't see it setting any task

03:15

it just clones to different files and edits autosart registry

its prob not a scheduled task from what he meant

ok he removed scheduled task from chall description

03:15

it is autorun then

yeah

https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET

03:16

idk what is required

03:16

keys are listed here

03:19

or is it technique name lmao

maybe yeah

03:20

its 2 words with space maybe

03:20

then replace w _

03:22

Image attachment

no idea

so its the persistent technique name?

what is he showing? answer is correct but format is wrong?

no i think format is Abc_Def as mentioned, he prob just saying we trying wrong format

ask him in any case

03:24

if it is just format issue

03:24

if he sent screenshot, answer should be correct

03:24

but wrong format

Image attachment

03:28

Image attachment

umm so what is required exactly?

technique name right

03:29

i asked if its technique name he said yes here?

like mitre technique id or something?

not id, string name

TA0003
Windows Service
T1543.003
Stop service
Start service
Registry Run Keys / Startup Folder
T1547.001
Persist via Run registry key
Winlogon Helper DLL
T1547.004
Persist via Winlogon Helper DLL registry key

03:31

these are persistence techniques being used

03:31

how do i phrase 2 words

Word1_Word2

am not sure if it is a technique name

03:32

you can phrase it differently

you can create a ticket and ask

bleh

seems no ticket

03:32

dm admin maybe

03:33

you tried all above not working?

yeah not working

ok ill ask

03:37

03:37

Image attachment

03:37

i need to sleep, dm admin if any issue

03:37

will wake up in 1 hour

bruh

Image attachment

04:51

Image attachment

what movement of malware!? these are well documented in various blogs

05:10

malware copies itself and then adds keys in RUN

05:11

also he told me to use modmail, so I gave up lol

no idea

05:19

crazyman blooded

05:19

you can just dm modmail

05:20

example : crew{Scheduled_tasks} (first letter of the first word is uppercase and the first letter of other is lowercase)

@Legoclones wants to collaborate

Image attachment

05:32

does this for persistence

seens they maxxed the series lol

i left, modmail is too annoying, sent a message now

idk what to ask lol

06:15

your questions are answered (edited)

fuck that, wasting time, for attack 11, idk wtf is format

whats your question to ask

06:21

i can ask

sahuang

example : crew{Scheduled_tasks} (first letter of the first word is uppercase and the first letter of other is lowercase)

i think this is format (edited)

for 11

06:22

this is the key

06:23

idk format

what key and value

06:24

didnt see it

06:24

Image attachment

06:24

lol

flag format should be the least of worries

06:25

why case sensitive too

@Guesslemonger which flag you had s at the end

don't even remember, i have multiple hits

should note down the attempts

bruh

Guesslemonger

used /ctf solve

✅ Challenge solved.

this is such shit

whats the change lol

Registry_key (edited)

06:28

whats ur prev try

06:28

keys?

yes

lmao

it's literally given in attack 11, key name

1

Exported 103 message(s)