4ensiX

FPと言ったものはFPを選んだが表示はTPになっていることに気づいた。

LetsDefend Challenge Malware Analysis: Remote Working

LetsDefend Malware

LetsDefend Challenge Malware Analysis: Remote Working

What is the date the file was created?
With what name is the file detected by Bitdefender antivirus?
How many files are dropped on the disk?
What is the sha-256 hash of the file with emf extension it drops?
What is the exact url to which the relevant file goes to download spyware?

What is the date the file was created?

貰ったファイルにexiftoolを使った．

$ exiftool ORDER\ SHEET\ \&\ SPEC.xlsm
(snip)
Create Date                     : 2020:02:01 18:28:07Z

A: 2020-02-01 18:28:07

With what name is the file detected by Bitdefender antivirus?

virus totalで貰ったファイルのハッシュを検索する．

https://www.virustotal.com/gui/file/7bcd31bd41686c32663c7cabf42b18c50399e3b3b4533fc2ff002d9f2e058813/detection

A: Trojan.GenericKD.36266294

How many files are dropped on the disk?

virus totalでは分からなかったので，JoeSandboxで検索する．

C:\ProgramData\Podaliri4.exe

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\6D84E1CF.png

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\8EEEF184.emf

おそらく以上の3つのファイル．
A: 3

What is the sha-256 hash of the file with emf extension it drops?

先ほど挙げたemfファイルのsha256
A: 979DDE2AED02F077C16AE53546C6DF9EED40E8386D6DB6FC36AEE9F966D2CB82

What is the exact url to which the relevant file goes to download spyware?

先ほどの，Podaliri4.exeをどこからダウンロードしてきたかということだと思うので．

virus total -> relations

Answer