Boss Of The SOC v1 Lab
Last updated
Q2) Web Defacement: What content management system is imreallynotbatman.com likely using? (Please do not include punctuation such as . , ! ? in your answer. We are looking for alpha characters only.)
Answer: joomla
Q3) Web Defacement: What is the likely IP address of someone from the Po1s0n1vy group scanning imreallynotbatman.com for web application vulnerabilities?
Answer: 40.80.148.42
Q4) Web Defacement: What company created the web vulnerability scanner used by Po1s0n1vy? Type the company name. (For example, "Microsoft" or "Oracle")
Answer: acunetix
Q5) Web Defacement: What IP address is likely attempting a brute force password attack against imreallynotbatman.com?
Answer: 23.22.63.114
Q6) Web Defacement: What was the first brute force password used?
Answer: 12345678
Q7) Web Defacement: What is the name of the executable uploaded by Po1s0n1vy? Please include the file extension. (For example, "notepad.exe" or "favicon.ico")
Answer: 3791.exe
Q8) Web Defacement: What is the MD5 hash of the executable uploaded?
Answer: AAE3F5A29935E6ABCC2C2754D12A9AF0
Q9) Web Defacement: What was the correct password for admin access to the content management system running "imreallynotbatman.com"?
Answer: batman
Q10) Web Defacement: What is the name of the file that defaced the imreallynotbatman.com website? Please submit only the name of the file with the extension (For example, "notepad.exe" or "favicon.ico").
Answer: poisonivy-is-coming-for-you-batman.jpeg
Q11) Web Defacement: This attack used dynamic DNS to resolve to the malicious IP. What is the fully qualified domain name (FQDN) associated with this attack?
Answer: prankglassinebracket.jumpingcrab.com
Q12) Web Defacement: What IP address has Po1s0n1vy tied to domains that are pre-staged to attack Wayne Enterprises?
Answer: 23.22.63.114
Q13) Web Defacement: Based on the data gathered from this attack and common open-source intelligence sources for domain names, what is the email address most likely associated with the Po1s0n1vy APT group?
Found using whoxy.com.
Answer: lillian.rose@po1s0n1vy.com
Q14) Web Defacement: GCPD reported that common TTP (Tactics, Techniques, Procedures) for the Po1s0n1vy APT group, if initial compromise fails, is to send a spear-phishing email with custom malware attached to their intended target. This malware is usually connected to Po1s0n1vy's initial attack infrastructure. Using research techniques, provide the SHA256 hash of this malware.
Answer: 9709473ab351387aab9e816eff3910b9f28a7a70202e250ed46dba8f820f34a8
Q15) Web Defacement: What is the special hex code associated with the customized malware discussed in the previous question?
Answer: 53 74 65 76 65 20 42 72 61 6e 74 27 73 20 42 65 61 72 64 20 69 73 20 61 20 70 6f 77 65 72 66 75 6c 20 74 68 69 6e 67 2e 20 46 69 6e 64 20 74 68 69 73 20 6d 65 73 73 61 67 65 20 61 6e 64 20 61 73 6b 20 68 69 6d 20 74 6f 20 62 75 79 20 79 6f 75 20 61 20 62 65 65 72 21 21 21
Q16) Web Defacement: One of Po1s0n1vy's staged domains has some disjointed "unique" whois information. Concatenate the two codes together and submit them as a single answer.
Answer: 31 73 74 32 66 69 6E 64 67 65 74 73 66 72 65 65 62 65 65 72 66 72 6F 6D 72 79 61 6E 66 69 6E 64 68 69 6D 74 6F 67 65 74
Q17) Web Defacement: One of the passwords in the brute force attack is James Brodsky's favorite Coldplay song. Hint: we are looking for a six-character word on this one. Which is it?
Answer: yellow
Q18) Web Defacement: What was the average password length used in the password brute-forcing attempt? (Round to the closest whole integer. For example "5", not "5.23213".)
Answer: 6
Q19) Web Defacement: How many seconds elapsed between the brute force password scan identifying the correct password and the compromised login? Round to 2 decimal places.
Answer: 92.17
Q20) Web Defacement: How many unique passwords were attempted in the brute force attempt?
Answer: 412
Q21) Ransomware: What fully qualified domain name (FQDN) does the Cerber ransomware attempt to direct the user to at the end of its encryption phase?
Answer: cerberhhyed5frqa.xmfir0.win
Q22) Ransomware: What was the most likely IP address of we8105desk on 24AUG2016?
Answer: 192.168.250.100
Q23) Ransomware: Amongst the Suricata signatures that detected the Cerber malware, which one alerted the fewest number of times? Submit ONLY the signature ID value as the answer. (No punctuation, just 7 integers.)
Answer: 2816763
Q24) Ransomware: The VBScript found in question 25 launches 121214.tmp. What is the ParentProcessId of this initial launch?
Answer: 3968
Q25) Ransomware: During the initial Cerber infection a VB script is run. The entire script from this execution, prepended by the name of the launching .exe, can be found in a field in Splunk. What is the length in characters of the value of this field?
Answer: 4490
Q26) Ransomware: The malware downloads a file that contains the Cerber ransomware crypto code. What is the name of that file?
Answer: mhtr.jpg
Q27) Ransomware: Now that you know the name of the ransomware's encryptor file, what obfuscation technique does it likely use?
Answer: steganography
Q28) Ransomware: What is the name of the USB key inserted by Bob Smith?
Answer: MIRANDA_PRI
Q29) Ransomware: Bob Smith's workstation (we8105desk) was connected to a file server during the ransomware outbreak. What is the IP address of the file server?
Answer: 192.168.250.20
Q30) Ransomware: How many distinct PDFs did the ransomware encrypt on the remote file server?
Answer: 257
Q31) Ransomware: The Cerber ransomware encrypts files located in Bob Smith's Windows profile. How many .txt files does it encrypt?
Answer: 406
Q32) Ransomware: What was the first suspicious domain visited by we8105desk on 24AUG2016?
Answer: solidaritedeproximite.org