Advent Of Cyber Day 23 (The Grinch Strikes back)
So let's get straight to the point.
Open Remmina and make the connection changes described in the task.
Now we see a ransomNote file on the Desktop. After opening it, we see the note's contents.
The bitcoin address is encoded in base64, not encrypted (the trailing == is base64 padding, which is a strong hint; padding only appears when the input length is not a multiple of three, so its absence would not rule base64 out).
After decoding it in CyberChef ("From Base64"),
we have the answer to Question 1.
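Since the rest of the task is done from the target box anyway, the same decode can be done in PowerShell without leaving the RDP session. This is an added example, not part of the original writeup: the encoded string below is a constructed placeholder, not the value from the ransom note, and the Base58 check only covers legacy (1.../3...) addresses.

```powershell
# Added example, not from the original writeup. Decodes a base64 string the way
# CyberChef's "From Base64" does, repairing stripped padding first, then checks
# that the result at least looks like a legacy Bitcoin address.
# $EncodedAddress is a CONSTRUCTED placeholder, not the ransom note's real value.
$EncodedAddress = [Convert]::ToBase64String(
    [Text.Encoding]::ASCII.GetBytes('1ConstructedAddressForDemoXXXXXXXXX'))

function ConvertFrom-Base64Text {
    param([Parameter(Mandatory)][string]$Text)
    $clean = $Text -replace '\s', ''            # notes often wrap long lines
    $pad   = (4 - ($clean.Length % 4)) % 4      # length must be a multiple of 4
    $clean += '=' * $pad                        # re-add padding if it was stripped
    $bytes = [Convert]::FromBase64String($clean)
    return [Text.Encoding]::ASCII.GetString($bytes)
}

function Test-LegacyBitcoinAddress {
    param([Parameter(Mandatory)][string]$Candidate)
    # Base58 alphabet has no 0, O, I or l; legacy P2PKH/P2SH addresses start with 1 or 3
    # and are 26-35 characters long.
    return $Candidate -match '^[13][1-9A-HJ-NP-Za-km-z]{25,34}$'
}

$decoded = ConvertFrom-Base64Text -Text $EncodedAddress
"Decoded: $decoded"
"Looks like a legacy BTC address: $(Test-LegacyBitcoinAddress -Candidate $decoded)"
```

If the decoded text fails the Base58 check, the string was probably double-encoded or not an address at all; in that case feed the output back through ConvertFrom-Base64Text or look at the raw bytes with Format-Hex.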
Now I opened File Explorer, went to Documents, and saw two folders there:
- db
- Vstockings
I went into the Vstockings folder and found three files, elf1, elf2 and elf3, and inside them I found what we needed.
So, here is the answer to the 2nd question.
Now, going to Task Scheduler, I see two tasks in the library.
So, here is the answer to the 3rd question (name of the suspicious scheduled task).
Now, after clicking on opidsfsdf.exe and looking at the Triggers tab, I see "At log on",
and our 4th question was to find the location of the executable (.exe) run at login.
Now I clicked the Actions tab and saw the location of the file.
So, we have answered 4 questions now.
Now let's look at the ShadowCop.. task.
Now we see its ID, and we have answered the 5th question as well.
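Clicking through the Triggers and Actions tabs works for two tasks, but on a real box you want the same answers for every task at once. The following is an added example and not part of the original writeup; it assumes it is run inside the RDP session, that the tasks sit in the root of the Task Scheduler Library (TaskPath '\'), and that 'opidsfsdf.exe' is the task's display name as shown in the writeup. The "Suspicious" column is just a heuristic for executables in user-writable locations.

```powershell
# Added example, not from the original writeup. Lists every scheduled task in the
# given library folder, flags logon triggers (shown as "At log on" in the GUI) and
# prints the executable each task runs, so the "where is the .exe" answer falls out
# without clicking through each task's tabs.
function Get-LogonTaskReport {
    param([string]$TaskPath = '\')   # '\' is the root of the library; use '\*' to recurse
    foreach ($task in Get-ScheduledTask -TaskPath $TaskPath -ErrorAction SilentlyContinue) {
        $logonTriggers = @($task.Triggers |
            Where-Object { $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' })
        foreach ($action in $task.Actions) {
            # Only exec actions have a path; COM handler / e-mail actions are skipped
            if ($action.CimClass.CimClassName -ne 'MSFT_TaskExecAction') { continue }
            [pscustomobject]@{
                TaskName    = $task.TaskName
                State       = $task.State
                Author      = $task.Author
                RunsAtLogon = $logonTriggers.Count -gt 0
                Execute     = $action.Execute
                Arguments   = $action.Arguments
                # Heuristic (assumption, not a rule): binaries under user-writable paths
                Suspicious  = [bool]($action.Execute -match '(?i)\\Users\\|\\Temp\\|\\AppData\\')
            }
        }
    }
}

Get-LogonTaskReport | Format-Table -AutoSize

# The complete definition (triggers with any id attributes, principal, settings,
# URI) is easiest to read as the task's XML. Task name taken from the writeup.
$SuspiciousTask = 'opidsfsdf.exe'
Export-ScheduledTask -TaskName $SuspiciousTask -TaskPath '\'
```

Get-ScheduledTaskInfo -TaskName $SuspiciousTask adds LastRunTime and LastTaskResult, which tells you whether the persistence has actually fired yet.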
Now let's find the hidden folder.
I opened Command Prompt and typed "powershell" (as we have been using it for the last few tasks).
Now I went to the Documents folder and typed "Get-ChildItem -Hidden" (the cmdlet name has only one hyphen; -Hidden lists only the hidden entries, while -Force lists hidden and normal ones together).
Now we see the hidden folder, and that answers the 6th question.
Now let's cd into that folder and see what is inside; I saw master-password.txt, so let's "cat" the file (in PowerShell, cat is an alias for Get-Content, which displays a file's contents).
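If you don't want to guess which folder to cd into, let PowerShell walk the tree for you. This is an added example, not code from the original writeup; it assumes the Documents folder of the RDP user's own profile and that the file of interest is a .txt inside a hidden directory (the hidden attribute is checked on the folder, because the file itself may not be hidden).

```powershell
# Added example, not from the original writeup. Finds hidden directories under
# Documents and prints every .txt file inside them, replacing the manual
# "Get-ChildItem -Hidden", "cd", "cat" sequence with one pass.
function Find-HiddenDirectories {
    param([string]$Root = (Join-Path $env:USERPROFILE 'Documents'))
    # -Force is required to descend into hidden directories at all; the Attributes
    # test then keeps only the entries that carry the Hidden flag.
    Get-ChildItem -Path $Root -Recurse -Force -Directory -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
}

function Read-TextInHiddenDirectories {
    param([string]$Root = (Join-Path $env:USERPROFILE 'Documents'))
    foreach ($dir in Find-HiddenDirectories -Root $Root) {
        # -Force again, in case the files inside are hidden as well as the folder
        Get-ChildItem -LiteralPath $dir.FullName -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -eq '.txt' } |
            ForEach-Object {
                "==== $($_.FullName) ($($_.Length) bytes, modified $($_.LastWriteTime)) ===="
                Get-Content -LiteralPath $_.FullName   # 'cat' and 'type' are aliases of Get-Content
            }
    }
}

Find-HiddenDirectories | Select-Object FullName, Attributes, LastWriteTime | Format-Table -AutoSize
Read-TextInHiddenDirectories
```

Note that `Get-ChildItem -Hidden` without -Recurse only looks at the current directory, which is why the walkthrough had to cd first; -Recurse -Force covers the whole tree in one go.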
And now we have answered the 7th (last) question and completed today's task.
You can also do Q6 and Q7 from File Explorer (View > Show hidden items), but I prefer the terminal.
Thank you for reading my writeup and have a nice day.