Forensic Challenge 14 – “Weird Python”

Forensic Challenge 14 – “Weird Python” (provided by Thomas Chopitea and Maximilian Hils)

Skill Level: Both entry- and intermediate-level tasks

For any questions and inquiries, please contact fc-questions@honeynet.org.

Background

Your boss John recently went to a BYOD conference. Yeah, he's that kind of security guy... After some mumbling about targeted attacks happening during the event, your team finally got their hands on a PCAP with his traffic. Your colleague Pete Galloway investigated the incident. Yesterday, he casually mentioned that he found some weird Python bytecode, but couldn't make much sense out of "random" payloads yet. Today, Pete didn't come to work. Five minutes ago, he sent a company-wide mail with a total of four words: “Fuck you, I quit.” What has happened!?

Prizes

Just in time for the Honeynet Workshop in Stavanger, we have the following prizes for the best submissions:

  1. 1st Prize: Ticket for the full workshop (3 days), including 3 nights of hotel (Value: ~3000 USD)
  2. 2nd Prize: Ticket for the full workshop (3 days) (Value: 2450 USD)
  3. 3rd Prize: Two tickets for the first day (Value: 1380 USD)

(Obligatory legal disclaimer: The prizes cannot be exchanged for the cash equivalent)

The Winners

See the blog post!

Files

conference.pcapng (mirror)

Write-Up

You can view a crowd-sourced write-up compiled from the submissions we received here.
If you are interested in using the challenge for educational purposes, let us know and we are happy to remove this part temporarily.

Submission Sheet

Name (required):
Email (required):
Country:
Profession (Professional/Student/Other):

Questions

For each question, please explain your methodology (How did you get the answer? Which tools did you use?). Submissions will be primarily rated by accuracy and quality.

  1. BYOD seems to be a very interesting topic. What did your boss do during the conference?
  2. What method did the attacker use to infect your boss? Which systems (i.e. IP addresses) are involved?
  3. Based on the PCAP, which files were exfiltrated? List the filenames.
  4. Can you sketch an overview of the general actions performed by the malware?
  5. Do you think this is a targeted or an automated attack? Why?
  6. The malware seems to be written in Python. Is this "normal" Python? What's different?
  7. What does main.pyc do? (Bonus: Can you provide a decompiled version?)
  8. How is the final payload protected? How is it decrypted by the dropper? (Bonus: Can you provide a decompiled version?)
  9. Why did Pete leave the company?
  10. Your boss mentioned he's going to the Honeynet Workshop in Stavanger, but you're not allowed to join him. Why so?
  11. Bonus: There are five superheroes hidden in the challenge. Which of them did you find?
  12. Optional (not rated, feel free to submit separately): Please provide some feedback on the challenge! What did you like/dislike?

This work by Thomas Chopitea and Maximilian Hils is licensed under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 Unported License.