Suspicious USB Attack — Blue Team Lab Online

Today, I will be tackling a Digital Forensics challenge on Blue Team Labs Online.

Link to question — https://blueteamlabs.online/home/challenge/suspicious-usb-stick-2f18a6b124 (You will need to make an account)

Tools used —

1- VirusTotal

2- Hex editor (command-line version)

3- pdf-parser.py

I utilized the terminal to extract the contents using the password “btlo”. While you can also opt to right-click on the file for extraction, I prefer utilizing the terminal as it allows me to practice and reinforce my command skills.

The BTLO folder contains another zip file named USB.zip. Extract this file using the password “infected” as provided in the specific question instructions.

Questions:

What file is the autorun.inf running?
Answer - Readme.pdf

Explanation: This task is quite straightforward. All you need to do is open the autorun.inf file.

Does the pdf file pass virustotal scan? (No malicious results returned) 
Answer - False

Explanation: Simply visit the VirusTotal website and upload the readme.pdf file. VirusTotal flagged it as suspicious, leading to the conclusion that the answer is false.

Does the file have the correct magic number?
Answer - True

Explanation: Firstly, let’s understand what a magic number is. A magic number (also called a file signature) is a fixed sequence of bytes at the very start of a file that identifies its format; png, pdf and jpg files each begin with a distinct signature, usually written out as hexadecimal.

In this case, we can use either a hex editor GUI or the terminal. I asked ChatGPT for the magic number of a PDF file, which is hex 25 50 44 46 (the ASCII text `%PDF`). Now, execute the following command in the terminal and compare the first bytes of the file against that value.

Comparing the values, we notice the header has not been altered: the file starts with 25 50 44 46 as a PDF should.

What OS type can the file exploit? (Linux, MacOS, Windows, etc) 
Answer - Windows

Explanation: To address this, upload the file to VirusTotal and navigate to the behavior section, specifically focusing on shell commands. By examining the commands, it becomes evident that the file is designed for Windows.

A Windows executable is mentioned in the pdf file, what is it? 
Answer - cmd.exe

The question tells us a Windows executable is mentioned within the PDF, which implies that its name is buried in the file's contents rather than visible in a reader. To uncover it, dump the printable text of the PDF with the `strings` command and pipe it to `grep` for “exe”, since we already know we are looking for an executable name.

`strings Readme.pdf | grep "exe"`

How many suspicious /OpenAction elements does the file have?
Answer - 1

Executable files are always flagged by antivirus tools and are increasingly treated as suspicious and untrusted by default. PDF files are instead treated with less suspicion and attackers often use them to trick targets into running malicious code, to obtain an initial foothold into their machines.

Malicious PDF files use code obfuscation and similar techniques to evade antivirus detection. Therefore, when a file is suspected, it is worth inspecting it manually.

Luckily for us, suspicious elements in a PDF (such as /OpenAction, /Launch or /JavaScript entries) can be identified with pdf-parser.py, a CLI tool from Didier Stevens' PDF tools that pulls out the information we want. Download it first.

Syntax — `python3 pdf-parser.py <readme.pdf>`

Running the script and counting the /OpenAction entries in its output, we get the answer as 1.
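The three manual checks above (the magic-number comparison, the `strings | grep "exe"` search, and the /OpenAction count) can be scripted as a single triage pass. The following is an added example and is not part of the original write-up, the BTLO challenge files, or pdf-parser.py; it runs against a constructed, deliberately incomplete PDF-like byte string (no xref table, not a usable document) that mimics the features found in Readme.pdf. The signature table goes slightly beyond the text by covering png and jpg as well as pdf.

```python
import re

# Well-known file signatures (magic numbers) found at offset 0.
MAGIC = {
    "pdf": b"%PDF",               # 25 50 44 46
    "png": b"\x89PNG\r\n\x1a\n",  # 89 50 4E 47 0D 0A 1A 0A
    "jpg": b"\xff\xd8\xff",       # FF D8 FF
}

# Constructed sample (not the challenge file): a minimal PDF-like blob that
# carries one /OpenAction entry and a reference to cmd.exe. It has no xref
# table or stream data, so it is only a test fixture for the checks below.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Type /Action /S /Launch /F (cmd.exe) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


def magic_matches(data: bytes, expected_type: str) -> bool:
    """True if `data` starts with the signature registered for `expected_type`."""
    sig = MAGIC[expected_type]
    return data[: len(sig)] == sig


def hexdump_head(data: bytes, n: int = 8) -> str:
    """Hex of the first n bytes, formatted like the first row of a hex editor."""
    return " ".join(f"{b:02x}" for b in data[:n])


def printable_strings(data: bytes, min_len: int = 4) -> list:
    """Rough equivalent of `strings`: runs of at least min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_exe_references(data: bytes) -> list:
    """Strings that mention an .exe, the equivalent of `strings file | grep exe`."""
    return [s for s in printable_strings(data) if ".exe" in s.lower()]


def count_pdf_keyword(data: bytes, keyword: bytes) -> int:
    """Count occurrences of a PDF name such as b'/OpenAction'.

    The lookahead stops a longer name like /OpenActionFoo from matching. This
    does not decode hex-escaped names (#) or compressed object streams, which
    is why pdf-parser.py is the right tool for a real sample."""
    return len(re.findall(re.escape(keyword) + rb"(?![A-Za-z0-9])", data))


def triage(data: bytes) -> dict:
    """Run all three checks from the walkthrough and return the findings."""
    return {
        "magic_ok": magic_matches(data, "pdf"),
        "header_hex": hexdump_head(data),
        "exe_refs": find_exe_references(data),
        "open_actions": count_pdf_keyword(data, b"/OpenAction"),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PDF).items():
        print(f"{key}: {value}")
```

To use it on a real sample, replace `SAMPLE_PDF` with `open(path, "rb").read()`; the keyword counter is only a quick first look, and a non-zero /OpenAction or /Launch count should be followed up with pdf-parser.py to see which object the action points at.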

That’s all for this article.

Thank You for Reading.

