Cyber Defenders Phishy Walkthrough


What is the AD1 file?
The .AD1 filename suffix is mostly used for Forensic Toolkit (FTK) Imager image files. The FTK Imager image format was developed by AccessData Group, LLC. AD1 files are supported by software applications available for devices running Windows.

HINT: Autopsy does not directly support the AD1 file format, so check the setup guide before you start.

Q1) What is the hostname of the victim machine?

HINT: Windows → System32 → config → SYSTEM → ControlSet001 → Control → ComputerName

ANS : WIN-NF3JQEU4G0T

Q2) What is the messaging app installed on the victim machine?

HINT: Users → Semah → check Downloads / AppData

ANS : Whatsapp

Q3) The attacker tricked the victim into downloading a malicious document. Provide the full download URL.

HINT: Users → Semah → AppData → WhatsApp → Databases → msgstore.db (export it). Open the file in WhatsApp Viewer and check the message.

ANS : http://appIe.com/IPhone-Winners.doc

Q4) Multiple streams contain macros in the document. Provide the number of the highest stream.

HINT: in FTK Imager, open the user folder Semah → Downloads → export the document.

Use oledump.py to list the document's streams; the ones containing macros are flagged with M, and the answer is the highest-numbered of those.

ANS : 10

Q5) The macro executed a program. Provide the program name.

HINT: use olevba.

Here the macro uses character-string obfuscation (the program name is built from Chr() calls and "&" concatenation).

Use the --deobf option to let olevba undo it.
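To show what --deobf is undoing, here is an added example (not part of the challenge or of olevba) that folds Chr()/ChrW() calls and "&" concatenation back into plain string literals. The macro text is a constructed sample, not the real document from the image.

```python
import re

# Constructed sample macro (not from the challenge document): the program name is
# hidden behind Chr()/ChrW() calls and "&" concatenation, as olevba's --deobf undoes.
SAMPLE_VBA = '''Sub AutoOpen()
    prog = Chr(99) & Chr(109) & Chr(50 + 50) & ".e" & Chr(120) & ChrW(101)
    Shell prog, 0
End Sub
'''

# Chr(...), ChrW(...), ChrB(...), optional "$", argument made of integers joined by + or -.
_CHR_CALL = re.compile(r'\bChr[WB]?\$?\(\s*([0-9][0-9+\-\s]*)\)', re.IGNORECASE)
_LITERAL = r'"((?:[^"\r\n]|"")*)"'          # VBA literal; "" inside means one quote
_CONCAT = re.compile(_LITERAL + r'\s*&\s*' + _LITERAL)
_LITERAL_RE = re.compile(_LITERAL)


def _chr_value(arg):
    """Evaluate an argument such as '50 + 50' without eval(): sum signed integers."""
    total = 0
    for sign, digits in re.findall(r'([+-]?)\s*(\d+)', arg):
        total += -int(digits) if sign == '-' else int(digits)
    return total


def deobfuscate(vba):
    """Replace Chr() calls with string literals, then fold literal & literal chains."""
    def to_literal(m):
        code = _chr_value(m.group(1))
        if not 0 <= code <= 0x10FFFF:
            return m.group(0)            # leave nonsense code points untouched
        return '"' + chr(code).replace('"', '""') + '"'

    text = _CHR_CALL.sub(to_literal, vba)
    while True:                          # repeat until no "a" & "b" pair remains
        folded = _CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', text)
        if folded == text:
            return text
        text = folded


def recovered_strings(vba):
    """String literals visible after deobfuscation, with doubled quotes unescaped."""
    return [lit.replace('""', '"') for lit in _LITERAL_RE.findall(deobfuscate(vba))]


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_VBA))       # the prog = ... line now reads "cmd.exe"
    print(recovered_strings(SAMPLE_VBA))
```

The recovered literal is the program name the question asks for; on the real document, run olevba --deobf and read the same kind of folded string from its output.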
