2024 Cyber Apocalypse: Confinement

#htb #ctf #forensics #disk-image #ransomware #decryption #windows-defender

Challenge Information

AttributeDetails
Event2024 Cyber Apocalypse
CategoryForensics
ChallengeConfinement
DifficultyHard

Summary

Confinement is a challenging forensics investigation involving a ransomware attack on a Windows system. The challenge requires analyzing a disk image (AD1 format), examining Windows Defender quarantine, extracting and analyzing the C# ransomware binary, understanding its encryption algorithm, and finally decrypting the victim’s files.

Analysis

Attack Timeline

Based on event logs:

  • 17:41 - Initial compromise via PowerShell
  • 15:45-15:48 - Defender warnings (mimikatz.exe, fscan64.exe blocked)
  • 18:05:17 - Ransomware extraction and execution
  • 18:07:24 - Attacker exit

Encrypted Files Location

\Users\tommyxiaomi\Documents\Work\ - Contains encrypted files

Investigation Steps

1. Event Log Analysis

  • Use chainsaw to hunt critical events
  • Identify intel.exe as the ransomware
  • Extract PowerShell command logs
  • Timeline shows attack progression

2. Windows Defender Quarantine

  • Location: C:\ProgramData\Microsoft\Windows Defender\Quarantine
  • ResourceData folder contains encrypted binaries
  • Default RC4 key decrypts quarantine files
  • Analyze extracted ransomware binary

3. Ransomware Analysis

  • .NET executable - decompile with dnSpy
  • Extract encryption algorithm (Rijndael/AES)
  • Identify password generation method
  • Locate hardcoded salt and user ID

Solution

Step 1: Mount and Analyze Disk Image

Terminal window
# Mount AD1 image
xmount --in ewf --out dd forensics_confinement.ad1 /mnt/forensics


# Access Windows Defender quarantine
cd /mnt/forensics/ProgramData/Microsoft/Windows\ Defender/Quarantine/ResourceData

Step 2: Extract from Quarantine

Use public scripts or manual RC4 decryption:

from Crypto.Cipher import ARC4


# Default RC4 key from Windows Defender
KEY = b'\x45\x00\x3C\x37\x8D\xA8\x41\x31...'  # Full key needed


def decrypt_quarantine_file(encrypted_file_path):
    """Decrypt Windows Defender quarantine files"""
    with open(encrypted_file_path, 'rb') as f:
        data = f.read()


    cipher = ARC4.new(KEY)
    decrypted = cipher.decrypt(data)


    # Remove metadata (first and last few bytes)
    return decrypted[0x10:-0x20]  # Adjust offsets as needed

Step 3: Analyze Ransomware Binary

Decompile the extracted .NET binary using dnSpy or similar:

// Extracted from binary analysis:
string Hasher(string password)
{
    string text;
    using (SHA512CryptoServiceProvider sha512CryptoServiceProvider = new SHA512CryptoServiceProvider())
    {
        byte[] bytes = Encoding.UTF8.GetBytes(password);
        text = Convert.ToBase64String(sha512CryptoServiceProvider.ComputeHash(bytes));
    }
    return text;
}


string GetHashCode(string password, string salt)
{
    string text = password + salt;
    return Hasher(text);
}


// Encryption method
byte[] array2 = new byte[] { 0, 1, 1, 0, 1, 1, 0, 0 };
string salt = "0f5264038205edfb1ac05fbb0e8c5e94";
string uid = "5K7X7E6X7V2D6F";  // Extract from ransom note


string password = GetHashCode(uid, salt);
Rfc2898DeriveBytes rfc2898DeriveBytes = new Rfc2898DeriveBytes(password, array2, 4953);

Step 4: Generate Decryption Key

string uid = "5K7X7E6X7V2D6F";  // From ransom note
string salt = "0f5264038205edfb1ac05fbb0e8c5e94";


string password = GetHashCode(uid, salt);
byte[] key = rfc2898DeriveBytes.GetBytes(32);  // 256-bit key
byte[] iv = rfc2898DeriveBytes.GetBytes(16);   // 128-bit IV


RijndaelManaged rijndael = new RijndaelManaged();
rijndael.Key = key;
rijndael.IV = iv;
rijndael.Mode = CipherMode.CBC;
rijndael.Padding = PaddingMode.ISO10126;

Step 5: Decrypt Files

from Crypto.Cipher import AES
from Crypto.Protocol.KDF import PBKDF2
import hashlib


uid = "5K7X7E6X7V2D6F"
salt = bytes.fromhex("0f5264038205edfb1ac05fbb0e8c5e94")
rounds = 4953


# Generate password hash
password = (uid + salt_string).encode()
password_hash = hashlib.sha512(password).digest()
password_b64 = base64.b64encode(password_hash).decode()


# Derive key and IV
kdf = PBKDF2(password_b64, salt, 48, count=rounds, hmac_hash_module=hashlib.sha512)
key = kdf[:32]
iv = kdf[32:48]


# Decrypt file
cipher = AES.new(key, AES.MODE_CBC, iv)
with open('encrypted_file', 'rb') as f:
    encrypted_data = f.read()


decrypted = cipher.decrypt(encrypted_data)
# Remove padding
decrypted = decrypted[:-decrypted[-1]]


with open('decrypted_file', 'wb') as f:
    f.write(decrypted)

Step 6: Extract Flag

The decrypted file is likely an Excel workbook (.xlsx). Extract it:

Terminal window
unzip decrypted_file.xlsx
cat xl/worksheets/sheet1.xml | grep -o "HTB{[^}]*}"

Key Forensics Techniques

  • Disk Image Analysis: Mounting and exploring forensic images
  • Event Log Parsing: Understanding Windows Security and PowerShell logs
  • Quarantine Extraction: Recovering artifacts from Windows Defender
  • Binary Analysis: Reverse engineering .NET executables
  • Cryptanalysis: Understanding encryption algorithms and key derivation
  • Timeline Reconstruction: Building attack narrative from logs

Key Takeaways

  • Comprehensive forensic analysis requires multiple data sources
  • Windows Defender quarantine stores valuable malware artifacts
  • Event logs provide crucial timeline information
  • .NET binaries can be fully decompiled
  • Understanding the encryption algorithm enables decryption
  • Ransomware often uses deterministic password generation
  • Disk image analysis is fundamental to incident response

Flag: HTB{d3f3nd_1t_4ll}