CAF 2023 - I Warn You
In this article, we will explore the step-by-step walkthrough of the Forensic challenge ‘I Warn You!’ presented at the CTF Cyber Africa Forum 2023.
Challenge Description
Instructions
(1) What is the malware name detected by McAfee that was bonded in the exe?
(2) Find out the established malicious connection's ASN owner name.
Flag Format: CAF_{answer1_answer2}
Note 1: Don’t run the exe file on your main machine. This is a malicious file and set for the CTF task.
Note 2: The format of the flag is not case sensitive.
Challenge File
Here is the challenge file: here
To solve this challenge, we will use VirusTotal, Shodan, and the ARIN WHOIS record of the IP address we discover.
Malware Analysis
VirusTotal Analysis
By uploading the challenge_file.exe file to VirusTotal, we get this result:
Figure 0x1 – VirusTotal result
This gives the first answer: Artemis, the detection name McAfee reports for the file. Note that Artemis is McAfee's generic heuristic (cloud reputation) detection label rather than the name of a specific malware family, so on its own it says little about what the sample actually does.
Network Behavior Analysis
Switching to the BEHAVIOR tab of the VirusTotal report, we can see that the sample establishes a malicious connection to 20.99.133.109:443 (TCP).
ASN Owner Identification
To find the name of the AS (Autonomous System) that manages this host, we will query arin.net. First, however, we need the ASN (Autonomous System Number) that identifies the AS, which we will obtain from Shodan.
What is ARIN?
ARIN (the American Registry for Internet Numbers) is responsible for managing and distributing IP addresses and Autonomous System numbers for the United States, Canada, and surrounding regions. IP addresses are unique numeric identifiers assigned to each device connected to the Internet to enable communication and data exchange.
Finding the ASN with Shodan
Let’s start by providing the IP address 20.99.133.109 to Shodan:
Shodan link: here
Figure 0x2 – Shodan result
The result shows the identifier AS8075, which is the ASN we need to look up the owning organisation.
Finding the ASN Owner with ARIN
By searching for AS8075 on whois.arin.net, we get the following result:
Figure 0x3 – ARIN result
The second answer is MICROSOFT-CORP-MSN-AS-BLOCK.
Flag
Following the requested flag format, we get:
CAF_{Artemis_MICROSOFT-CORP-MSN-AS-BLOCK}
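The three lookups of this write-up (McAfee verdict from the VirusTotal report, TCP destination from the BEHAVIOR data, AS name from the ARIN record) can be automated over saved report data. The following is an added example and not part of the original write-up; the field names follow the VirusTotal v3 API and the RDAP autnum format as I know them, and all sample data is constructed to mirror this challenge.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample of a VirusTotal v3 file report, trimmed to the fields used;
# the McAfee verdict mimics the "Artemis!<hash>" naming behind the first answer.
VT_FILE_REPORT = {"data": {"attributes": {"last_analysis_results": {
    "McAfee": {"category": "malicious", "result": "Artemis!0000000000000000"},
    "ClamAV": {"category": "undetected", "result": None},
}}}}
# Constructed sample of the BEHAVIOR data (VT behaviour_summary "ip_traffic" shape, assumed).
VT_BEHAVIOUR = {"data": {"ip_traffic": [
    {"destination_ip": "20.99.133.109", "destination_port": 443, "transport_layer_protocol": "TCP"},
    {"destination_ip": "8.8.8.8", "destination_port": 53, "transport_layer_protocol": "UDP"},
]}}
# Constructed sample of an ARIN RDAP autnum object (shape of rdap.arin.net's answer for AS8075).
ARIN_RDAP_AUTNUM = {"handle": "AS8075", "startAutnum": 8075, "endAutnum": 8075,
                    "name": "MICROSOFT-CORP-MSN-AS-BLOCK"}

def mcafee_family(report: dict) -> Optional[str]:
    """Family part of McAfee's verdict: 'Artemis!<hash>' -> 'Artemis'; None if no McAfee hit."""
    results = report["data"]["attributes"].get("last_analysis_results", {})
    verdict = results.get("McAfee", {}).get("result")
    return verdict.split("!", 1)[0] if verdict else None

def tcp_destinations(behaviour: dict) -> List[Tuple[str, int]]:
    """(ip, port) pairs of the TCP connections the sandbox recorded, in order."""
    return [(c["destination_ip"], int(c["destination_port"]))
            for c in behaviour["data"].get("ip_traffic", [])
            if str(c.get("transport_layer_protocol", "")).upper() == "TCP"]

def asn_number(handle: str) -> int:
    """Parse the 'AS8075' handle shown by Shodan into 8075 for the RDAP query."""
    m = re.fullmatch(r"AS(\d+)", handle.strip(), re.IGNORECASE)
    if not m:
        raise ValueError(f"not an AS handle: {handle!r}")
    return int(m.group(1))

def rdap_autnum_url(asn: int) -> str:
    """ARIN RDAP endpoint for an autnum; fetch it with any HTTP client when online."""
    return f"https://rdap.arin.net/registry/autnum/{asn}"

def as_owner_name(rdap_autnum: dict) -> str:
    """AS name field of an RDAP autnum object (the second answer)."""
    return rdap_autnum["name"]

def build_flag(family: str, as_name: str) -> str:
    """Assemble CAF_{answer1_answer2} from the two answers."""
    return f"CAF_{{{family}_{as_name}}}"
```

Replacing the constructed dictionaries with the JSON returned by the VirusTotal API and by the ARIN RDAP URL reproduces the manual steps above end to end.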