Scenario

The accountant at the company received an email titled "Urgent New Order" from a client late in the afternoon. When he attempted to open the attached invoice, he discovered that it contained false order information. Shortly afterwards, the SIEM generated an alert about the download of a potentially malicious file. Initial investigation suggested that the PPT file might be responsible for this download. Could you please conduct a detailed examination of this file?

https://cyberdefenders.org/blueteam-ctf-challenges/oski/

SHA-256 hash:

a040a0af8697e30506218103074c7d6ea77a84ba3ac1ee5efae20f15530a19bb


1- Determining the creation time of the malware can provide insights into its origin. What was the time of malware creation?

2022-09-28 17:40


Submit the hash to VirusTotal and go to Details → History. For a PE file the "Creation Time" shown there is the compile timestamp stored in the file header (COFF TimeDateStamp), which the author controls, so treat it as a hint about origin rather than a trusted fact. VirusTotal displays it in UTC.
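The compile timestamp that VirusTotal reports can also be read straight from the file. The script below is an added example, not part of the original write-up or of the challenge material: it builds a constructed, minimal PE-like byte string (not the real sample) carrying a timestamp equal to the reported creation time read as UTC (an assumption), parses the COFF header to recover it, and applies a simple plausibility check, since a zeroed or future timestamp is a common sign of tampering.

```python
import struct
import calendar
from datetime import datetime, timezone


def build_minimal_pe(timestamp):
    """Constructed sample: just enough of a PE image (DOS header, PE signature,
    COFF file header) to carry a TimeDateStamp. This is NOT the Oski binary."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # COFF file header fields, little-endian:
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff_header = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    return dos_header + b"PE\x00\x00" + coff_header


def pe_timestamp(data):
    """Return the raw COFF TimeDateStamp, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # 4 bytes of "PE\0\0" signature followed by a 20-byte COFF header
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return None
    # TimeDateStamp sits 4 bytes into the COFF header (after Machine and NumberOfSections)
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def pe_compile_time(data):
    """Format the compile timestamp as UTC 'YYYY-MM-DD HH:MM', or None."""
    ts = pe_timestamp(data)
    if ts is None:
        return None
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M")


def timestamp_plausible(ts, now):
    """The field is attacker-controlled: reject zeroed, future, or
    pre-Windows-NT values rather than reporting them as a creation time."""
    return 0 < ts <= now and ts >= calendar.timegm((1993, 1, 1, 0, 0, 0))


# Assumed: the time VirusTotal reports for this sample, interpreted as UTC.
REPORTED = calendar.timegm((2022, 9, 28, 17, 40, 0))
SAMPLE = build_minimal_pe(REPORTED)

if __name__ == "__main__":
    print(pe_compile_time(SAMPLE))
```

To use it on a real file, replace SAMPLE with the bytes read from disk; the parser only needs the first `e_lfanew + 24` bytes, so it is safe to feed it a truncated copy of a suspicious file.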

2- Identifying the command and control (C2) server that the malware communicates with can help trace back to the attacker. Which C2 server does the malware in the PPT file communicate with?

http://171.22.28.221/5c06c05b7b34e8e6.php


In VirusTotal, go to Relations → Contacted URLs. The host and the .php path together are the indicator to search for in proxy and firewall logs.

3- Identifying the initial actions of the malware post-infection can provide insights into its primary objectives. What is the first library that the malware requests post-infection?

sqlite3.dll

A stealer needs sqlite3.dll to read the SQLite databases in which browsers keep saved logins and cookies, which is consistent with the credential-theft objective of this family.
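The C2 URL from question 2 and the DLL name from question 3 are the indicators a SOC would want to hunt for in web proxy logs. The script below is an added example, not part of the original write-up or the challenge dataset: it runs simple IOC matching over constructed, hypothetical proxy log lines (the timestamps, client addresses, and the path used for the DLL fetch are made up for illustration), tags each hit, and reports the first DLL pulled from the C2 host.

```python
import re

C2_HOST = "171.22.28.221"             # from question 2
C2_PATH = "/5c06c05b7b34e8e6.php"    # from question 2
WATCH_DLLS = {"sqlite3.dll"}          # from question 3

# Constructed proxy log lines (hypothetical, not from the challenge):
# "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2022-10-03T15:12:01Z 10.0.0.23 GET http://www.example.com/index.html 200
2022-10-03T15:12:44Z 10.0.0.23 POST http://171.22.28.221/5c06c05b7b34e8e6.php 200
2022-10-03T15:12:45Z 10.0.0.23 GET http://171.22.28.221/sqlite3.dll 200
2022-10-03T15:13:02Z 10.0.0.41 GET http://update.example.org/patch.msi 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|HEAD) (\S+) (\d{3})$")
URL_RE = re.compile(r"^https?://([^/:]+)(?::\d+)?(/.*)?$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    u = URL_RE.match(url)
    if not u:
        return None
    host, path = u.group(1), u.group(2) or "/"
    return {"ts": ts, "client": client, "method": method,
            "host": host, "path": path, "status": int(status)}


def classify(rec):
    """Return the IOC tags that apply to one parsed record."""
    tags = []
    if rec["host"] == C2_HOST:
        tags.append("c2_host")
        if rec["path"] == C2_PATH:
            tags.append("c2_checkin")
    # Match on the file name only, so any path on any host fetching the DLL is seen.
    name = rec["path"].rsplit("/", 1)[-1].lower()
    if name in WATCH_DLLS:
        tags.append("dll_fetch:" + name)
    return tags


def scan(log_text):
    """Return (timestamp, client, url, tags) for every line that matched an IOC."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            hits.append((rec["ts"], rec["client"], rec["host"] + rec["path"], tags))
    return hits


def first_dll_fetch(hits):
    """Name of the first DLL fetched from the C2 host, in log order, or None."""
    for _ts, _client, _url, tags in hits:
        if "c2_host" in tags:
            for t in tags:
                if t.startswith("dll_fetch:"):
                    return t.split(":", 1)[1]
    return None


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print("first DLL from C2:", first_dll_fetch(scan(SAMPLE_LOG)))
```

Matching the DLL by file name rather than by full URL is deliberate: the page does not record the exact path the malware requests, and stealer families commonly rotate hosts and paths while the dependency names stay the same.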