Lockpick

Scenario

Forela needs your help! A whole portion of our UNIX servers have been hit with what we think is ransomware. We are refusing to pay the attackers and need you to find a way to recover the files provided.

The sherlock archive contains the following:

A .zip file, bescript.zip, containing bescrypt3.2 (the actual malware)
A forela_criticaldata/ directory containing samples of encrypted files and ransom notes
- Encrypted files have a .24bes extension.

Tasks

Please confirm the encryption key string utilised for the encryption of the files provided?

Loading the bescrypt3.2 malware into Ghidra revealed that it the program was invoking a process_directory function directly from main:

undefined8 main(void)

{
  process_directory("/forela-criticaldata/","bhUlIshutrea98liOp");
  return 0;
}

We have recently recieved an email from wbevansn1@cocolog-nifty.com demanding to know the first and last name we have him registered as. They believe they made a mistake in the application process. Please confirm the first and last name of this applicant.

There is a co2_London CSV file in forela_criticaldata/ which has avoided getting encrypted as it's missing the .csv extension. The file appears to contain customer info, though there are no entries for wbevansn1@cocolog-nifty.com. It's likely that the entry in question is in one of the encrypted files.

Disassembling bescrypt3.2 in Ghidra revealed the logic behind the encrypt_file function used for encrypting files:

...
  f = fopen(fname,"rb");
  if (f == (FILE *)0x0) {
    printf("Error opening file: %s\n",fname);
  }
  else {
    fseek(f,0,2);
    seekpos = ftell(f);
    rewind(f);
    strptr = (astruct *)malloc(seekpos);
    fread(strptr,1,seekpos,f);
    fclose(f);
    for (i = 0; uVar1 = i, (long)i < (long)seekpos; i = i + 1) {
      cursor = strptr[i];
      keylen = strlen(key);
      strptr[i] = (astruct)((byte)cursor ^ key[uVar1 % keylen]);
    }
    snprintf(encfile,0x400,"%s.24bes",fname);
    f = fopen(encfile,"wb");
    fwrite(strptr,1,seekpos,f);
    fclose(f);
 ...

The for loop in encrypt_file is responsible for actually encrypting a file by reading the source one character at a time, then XORing it with a character in the key. The position of the character in the key is found by calculating the modulus of the key length and current position in the file. This ensures that the index in key is a valid number.

The above can be confirmed by having bescrypt3.2 encrypt the unencrypted co2_London file and comparing the first few bytes with the source file:

Before encryption:

1
2
3

$ head -n1 co2_London |xxd
00000000: 2069 643d 312c 6669 7273 745f 6e61 6d65   id=1,first_name
...

After encryption:

1
2
3

 $ head -n1 /forela-criticaldata/co2_London.csv.24bes | xxd
00000000: 4201 3151 785f 0e1c 0601 113e 5759 010c   B.1Qx_.....>WY.
...

For the first byte (0x20), i = 0 and uVar1 = 0. This gives key[uVar1 % keylen] = key[0 % 18] = key[0]. Calculating the XOR of 0x20 and key[0] produces the expected result:

1 2	`>>> hex(0x20 ^ ord(key[0%18])) '0x42'`

Since the encryption is done using a simple XOR, reconstructing the plaintext is therefore just a matter of reversing the operation by calculating the XOR of the key and ciphertext:

1 2	`>>> hex(0x42 ^ ord(key[0%18])) '0x20'`

Wrote the following Go program for decrypting an encrypted file passed as an argument using the method above:

package main

import (
    "bufio"
    "fmt"
    "os"
    "path/filepath"
    "strings"
)

func main() {
    source, err := os.Open(os.Args[1])
    destpath := strings.TrimSuffix(os.Args[1], filepath.Ext(os.Args[1]))
    dest, err := os.Create(destpath)

    i := 0
    readbuf := bufio.NewReader(source)
    writebuf := bufio.NewWriter(dest)
    buf := make([]byte, 0)
    key := "bhUlIshutrea98liOp"

    if err != nil {
        fmt.Printf("%v\n", err)
        os.Exit(1)
    }

    for {
        enc_b, err := readbuf.ReadByte()
    if err != nil {
            break
        }
        dec_b := enc_b ^ key[i%len(key)]
        buf = append(buf, dec_b)
        i++
    }
    writebuf.Write(buf)
    writebuf.Flush()
}

Found the email in question in forela_uk_applicants.sql after decrypting it:

...
(830,'Walden','Bevans','wbevansn1@cocolog-nifty.com','Male','Aerospace Manufacturing','2023-02-16'),
...

What is the MAC address and serial number of the laptop assigned to Hart Manifould?

This information is likely found in it_assets.xml, though searching through the file proved difficult as it's a 6.6 MB file on a single line. Most text editors crashed when attempting to load the file, though vim was able to load and search in it.

Alternatively, grep can also search the file and print a specified number of characters before and after a match:

1
2

$ grep -E -o ".{0,400}Hart Manifould.{0,200}" forela-criticaldata/it_assets.xml
>1/11/2023</last_patch_date><patch_status>failed</patch_status><assigned_to>Filmer Aylin</assigned_to><location>Room 477</location></record><record><asset_id>501</asset_id><MAC>E8-16-DF-E7-52-48</MAC><asset_type>laptop</asset_type><serial_number>1316262</serial_number><purchase_date>8/3/2022</purchase_date><last_patch_date>1/6/2023</last_patch_date><patch_status>pending</patch_status><assigned_to>Hart Manifould</assigned_to><location>Room 1156</location></record><record><asset_id>502</asset_id><MAC>52-A9-34-5B-DD-7B</MAC><asset_type>desktop</asset_type><serial_number>1022952</serial_number><purchase_date>7/

After cleaning up the output above, the actual record entry is:

<record>
    <asset_id>501</asset_id>
    <MAC>E8-16-DF-E7-52-48</MAC>
    <asset_type>laptop</asset_type>
    <serial_number>1316262</serial_number>
    <purchase_date>8/3/2022</purchase_date>
    <last_patch_date>1/6/2023</last_patch_date>
    <patch_status>pending</patch_status>
    <assigned_to>Hart Manifould</assigned_to>
    <location>Room 1156</location>
</record>

What is the email address of the attacker?

From the ransom notes: bes24@protonmail.com

City of London Police have suspiciouns of some insider trading taking part within our trading organisation. Please confirm the email address of the person with the highest profit percentage in a single trade alongside the profit percentage.

This data is found in trading-firebase_bkup.json. Used the following Python script to load the data and sort it by profit margin:

#!/usr/bin/env python3

import json
import sys

with open(sys.argv[1], 'r') as f:
    data = json.load(f)
    top = sorted(data.items(), key=lambda x: x[1]["profit_percentage"])

    for k,v in top:
        print(v["email"],end=', ')
        print(v['profit_percentage'])

The json module does some rounding on float values. Got the correct value by looking up the email address found by the script (fmosedale17a@bizjournals.com) corresponding to the highest profit margin.

Our E-Discovery team would like to confirm the IP address detailed in the Sales Forecast log for a user who is suspected of sharing their account with a colleague. Please confirm the IP address for Karylin O'Hederscoll.

Found in sales_forecast.xslx

Which of the following file extensions is not targeted by the malware? .txt, .sql,.ppt, .pdf, .docx, .xlsx, .csv, .json, .xml

From the process_directory function in bescrypt3.2:

...
        else if ((local_18->d_type == '\b') &&
                (((((pcVar2 = strstr(local_18->d_name,".txt"), pcVar2 != (char *)0x0 ||
                    (pcVar2 = strstr(local_18->d_name,".sql"), pcVar2 != (char *)0x0)) ||
                   (pcVar2 = strstr(local_18->d_name,".pdf"), pcVar2 != (char *)0x0)) ||
                  ((pcVar2 = strstr(local_18->d_name,".docx"), pcVar2 != (char *)0x0 ||
                   (pcVar2 = strstr(local_18->d_name,".xlsx"), pcVar2 != (char *)0x0)))) ||
                 ((pcVar2 = strstr(local_18->d_name,".csv"), pcVar2 != (char *)0x0 ||
                  ((pcVar2 = strstr(local_18->d_name,".json"), pcVar2 != (char *)0x0 ||
                   (pcVar2 = strstr(local_18->d_name,".xml"), pcVar2 != (char *)0x0)))))))) {
          printf("Encrypting: %s\n",fname);
          encrypt_file(fname,key);
...

.ppt is not in the list of extensions that gets encrypted.