HTB Sherlock - Detroit becomes Human Writeup
Sherlock Scenario
Alonzo Spire is fascinated by AI after noticing the recent uptick in usage of AI tools to help aid in daily tasks. He came across a sponsored post on social media about an AI tool by Google. The post had a massive reach, and the page that posted it had 200k+ followers. Without any second thought, he downloaded the tool provided via the post. However, after installing it, he couldn’t find the tool on his system, which raised his suspicions. A DFIR analyst was notified of a possible incident on Forela’s sysadmin machine. You are tasked with helping the analyst analyze the true source of this odd incident.
Artefacts
After unpacking the received ZIP archive, we obtain a copy of files from the C drive. Among them are Prefetch files, event logs, several user home directories, and an MFT file. In total, we have 492 different types of files at our disposal to solve the tasks (Fig. 1). In my opinion, this is one of the smaller amounts I’ve encountered when working on this type of challenge.
Solution
Task 1
What is the full link of a social media post that is part of the malware campaign and was unknowingly opened by Alonzo Spire?
Since the user visited a post on social media, I immediately started by locating the files responsible for the browser history. In the directory C/Users/alonzo.spire/AppData/Local/Microsoft/Edge/User Data/Default
, I found the History
file for the Edge browser. From there, it was fairly straightforward. In the urls
table, in row 21, I found the first link leading to the social media post visited by the user. The title column confirmed that this was a post about a new AI tool (Fig. 2).
Answer: https://www.facebook.com/AI.ultra.new/posts/pfbid0BqpxXypMtY5dWGy2GDfpRD4cQRppdNEC9SSa72FmPVKqik9iWNa2mRkpx9xziAS1l
Task 2
Can you confirm the timestamp in UTC when Alonzo visited this post?
In the same row, in the last_visit_time
column, which informs about the user’s last visit to the given URL, I found the value 13355296200136503
. This is a timestamp recorded in the WebKit/Chrome format. Using the epochconverter tool, I converted this timestamp to a standard format and obtained the answer.
Answer: 2024-03-19 04:30:00
Task 3
Alonzo downloaded a file on the system thinking it was an AI Assistant tool. What is the name of the archive file downloaded?
In the same file (History
), in the downloads
table, there is the full path to the RAR archive downloaded by the user. The archive’s name includes “AI Gemini,” which directly suggests the answer (Fig. 3).
Answer: AI.Gemini Ultra For PC V1.0.1.rar
Task 4
What was the full direct URL from where the file was downloaded?
From the previous task, I know that the ID for the downloaded RAR file is 5. In the next table, downloads_url_chains
, there are four entries for this same ID. This indicates that before the user ultimately downloaded the software, they were redirected three times. The last entry is the URL from which the RAR file was downloaded (Fig. 4).
Answer: https://drive.usercontent.google.com/download?id=1z-SGnYJCPE0HA_Faz6N7mD5qf0E-A76H&export=download
Task 5
Alonzo then proceeded to install the newly downloaded app, thinking that it’s a legit AI tool. What is the true product version which was installed?
I have to admit, I only solved this task after completing task 6. After detecting the event related to the installation of the malicious software, I decided to search for events related to the Binary
value. Using the command chainsaw search '7B41424332434530312D373841352D343535342D413332412D3434303241344538334242337D' --skip-errors C/Windows/System32
, I searched through all the events again. As a result, I found only two events, and in the first one, the version I was looking for was provided (Fig. 5).
Answer: 3.32.3
Task 6
When was the malicious product/package successfully installed on the system?
The Windows event ID that informs about the successful installation of new software on the system is 11707. Using the command chainsaw search -t 'Event.System.EventID: =11707' --skip-errors C/Windows/System32
, I found 18 events. However, on the day the user downloaded the malicious software, there was only one event related to software installation (Fig. 6).
Answer: 2024-03-19 04:31:33
Task 7
The malware used a legitimate location to stage its file on the endpoint. Can you find out the Directory path of this location?
Using the command MFTECMD.exe -f "$MFT" --csv ". ---csvf mft.csv"
, I processed the MFT file into CSV format and then used Timeline Explorer for further analysis. Knowing the time of the malicious software installation and considering the upcoming tasks, I assumed that the installer would install a PowerShell script. Among the results, only one entry stood out, namely ru.ps1
(Fig. 7).
Answer: C:\Program Files (x86)\Google
Task 8
The malware executed a command from a file. What is the name of this file?
While analyzing the contents of the directory, I noticed that there was an additional file named install.cmd
in the main directory (Fig. 8).
Answer: install.cmd
Task 9
What are the contents of the file from question 8? Remove whitespace to avoid format issues.
I previewed the contents of the file using MFTExplorer (Fig. 9).
Answer: @echooffpowershell-ExecutionPolicyBypass-File"%~dp0nmmhkkegccagdldgiimedpic/ru.ps1
Task 10
What was the command executed from this file according to the logs?
Using the command chainsaw search 'ru.ps1' --skip-errors C/Windows/System32
, I searched for all events related to the ru.ps1
script. In total, I found 8 events, each containing the same command line (Fig. 10).
Answer: powershell -ExecutionPolicy Bypass -File C:\Program Files (x86)\Google\Install\nmmhkkegccagdldgiimedpic/ru.ps1
Task 11
Under the malware staging directory, a JS file resides which is very small in size. What is the hex offset for this file on the filesystem?
In the malware directory, I found two JS files: background.js
and content.js
. Of these two files, content.js
turned out to be smaller. In the Overview
tab, I found information about the file’s offset (Fig. 11).
Answer: 3E90C00
Task 12
Recover the contents of this JS file so we can forward this to our RE/MA team for further analysis and understanding of this infection chain. To sanitize the payload, remove whitespaces.
Similar to how I previewed the contents of the install.cmd
file, I used MFT Explorer to view the contents of the content.js
file (Fig. 12).
Answer: varisContentScriptExecuted=localStorage.getItem('contentScriptExecuted');if(!isContentScriptExecuted){chrome.runtime.sendMessage({action:'executeFunction'},function(response){localStorage.setItem('contentScriptExecuted',true);});}
Task 13
Upon seeing no AI Assistant app being run, Alonzo tried searching for it in File Explorer. What keywords did he use to search?
At first, I wasn’t sure how to approach this, as it was the first time I’d encountered this type of question in Sherlock. To find the answer, I referred to this article. Using Registry Explorer, I opened the NTUSER.DAT file for the user Alonzo, and then under the Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
entry, I found the answer to this and the following tasks (Fig. 13).
Answer: Google Ai Gemini tool
Task 14
When did Alonzo search for it?
I found the answer to this question while solving Task 13.
Answer: 2024-03-19 04:32:11
Task 15
After Alonzo could not find any AI tool on the system, he became suspicious, contacted the security team, and deleted the downloaded file. When was the file deleted by Alonzo?
I returned to Timeline Explorer once again. This time, I set the filter to all RAR files and deleted files. According to the chronology, only one RAR file was deleted (Fig. 14).
Answer: 2024-03-19 04:34:16
Task 16
Looking back at the starting point of this infection, please find the MD5 hash of the malicious installer.
Using the discovered installer name Google AI Gemini Ultra For PC V1.0.1.msi
(Fig. 15), I searched for information and found the answer at this link (Fig. 16).
Answer: BF17D7F8DAC7DF58B37582CEC39E609D