Magnet Virtual Summit CTF

01 June 2020

I've really enjoyed doing the CTF run by Magnet Forensics as part of their virtual summit this year. Below you will find solutions for all but 2 of the questions. The details are quite brief otherwise the blog would become huge but if you'd like to see a more detailed write up of any of these please leave a comment or tweet me.

If you also participated in this CTF and you have better, easier or just different ways of doing these questions I would love to hear about them!

The 2 questions I haven't solved yet are the NFC tag one and the malware one. My thoughts on them so far are right at the bottom- if you've done them I'd love to chat to you about them. I don't have much experience with network forensics or reverse engineering so this is an area I'd like to learn more about.

Questions are in green

Answers are in blue

I was working on a Windows 10 machine and these are the tools I used*

(*that I can remember)

• AXIOM 4
• iLEAPP & ALEAPP
• APOLLO
• RegRipper
• Google Reverse Image Search
• DB Browser
• PListExplorer
• PEStudio
• Volatility (I used the executable that came bundled with AXIOM but you can also get it from the Volatility Foundation)
• Bulk Extractor
  
• CyberChef
• OpenStego
• Unfurl
  
• Windows built-in Event Viewer
• FTK Imager
• VirtualBox
  

------------------------------------Egg Hunt------------------------------------

For each level, please copy the NEW block of text located below the now decoded portion.

Puzzle text:

-----STARTS-----

Zpv ibwf gpvoe uif CMVF fhh! Uif ofyu qjfdf pg uif qvaamf jt: Mci vojs tcibr hvs UFSSB suu (gsqfsh kcfr = Cbwcb)... hvs bslh dwsqs ct hvs dinnzs wg : KK91WUvvraIuNa91paEurUvzWS9GEI5VFGPzN2qiZw4urUvzWU5zsVEuqUzzM2Iup2MurUvzWVP1sbdgNGPdqmOco2J5WR0upKTbpaJ0YHcYo29vWVJzp3SuNbJcqbquNavfWUJdrmPlN20iZw4uN2l4WVdzNUqurUXlM2guMacupLFzWVNcNVB4NGPjNxcYMaJ5rU9ho2SvWU5gpQPcqVz5rmPhNbcupLvjM2zlWU9arQ4iZwPhNbcupaT6swPzpRcuqav6qkcY

-----ENDS-----

What is the color of the first egg? BLUE

How is the ORANGE egg encoded? Base64

What was the key used to unock this cipher? magnet

What is the special word? Onion

What is the final message of the completed egg hunt? bean

Decoding:

ROT13 amount -1

Result:

You have found the BLUE egg! The next piece of the puzzle is: Lbh unir sbhaq gur TERRA rtt (frperg jbeq = Bavba)... gur arkg cvrpr bs gur chmmyr vf : JJ91VTuuqzHtMz91ozDtqTuyVR9FDH5UEFOyM2phYv4tqTuyVT5yrUDtpTyyL2Hto2LtqTuyVUO1racfMFOcplNbn2I5VQ0toJSaozI0XGbXn29uVUIyo3RtMaIbpaptMzueVTIcqlOkM20hYv4tM2k4VUcyMTptqTWkL2ftLzbtoKEyVUMbMUA4MFOiMwbXLzI5qT9gn2RuVT5foPObpUy5qlOgMabtoKuiL2ykVT9zqP4hYvOgMabtozS6rvOyoQbtpzu6pjbX

Decoding:

ROT13 amount 13

Result:
You have found the GREEN egg (secret word = Onion)... the next piece of the puzzle is : WW91IGhhdmUgZm91bmQgdGhlIE9SQU5HRSBlZ2cuLi4gdGhlIG5leHQgcGllY2Ugb2YgdGhlIHB1enpsZSBpcyAoa2V5ID0gbWFnbmV0KToKa29hIHVlb3EgZnVocncgZmhrIGVpdyBxZ20uLi4gZ2x4IHplZGcgdGJxY2sgYmogbXRlIHZoZHN4ZSBvZjoKYmV5dG9ta2EhIG5sbCBocHl5dyBtZnogbXhvY2lxIG9mdC4uLiBtZnogbmF6eiBlbDogcmh6cwoK

Decoding:

From Base64

Result:
You have found the ORANGE egg... the next piece of the puzzle is (key = magnet):
koa ueoq fuhrw fhk eiw qgm... glx zedg tbqck bj mte vhdsxe of:
beytomka! nll hpyyw mfz mxociq oft... mfz nazz el: rhzs

Decoding:

Vigenere Decode with key = magnet

Result:

you have found the red egg... the next piece of the puzzle is:
xlmtizgh! blf ulfmw gsv tlowvm vtt... gsv uozt rh: yvzm

Decoding:

Atbash Cipher

Result:

congrats! you found the golden egg... the flag is: bean

------------------------------------Android & Google Takeout ------------------------------------

Chester decided to use a covert app to communicate with Alan, to try to cover their tracks. What is the package name of the app? flag<com.full.package.name.here> (Do not include flag<>, just write out the package name) [Hint: https://youtu.be/wEv0zOeA2FU?t=152]
The clue is a clip from Jack Ryan in which they communicate with someone via a game. This suggests the “covert” app we are looking for is a game which leads us to: com.zynga.chess.googleplay

What is the username for the Zynga Chess app? 
Looking in the users tables of the app's database:

data\data\com.zynga.chess.googleplay\databases\wf_database.sqlite

Local user = chess.master.chester

Where did Chester get ramen in Norway? (Restaurant Name) Koie
Image of noodles with embedded geo found in Google Takeout:
takeout-20200329T181947Z-001.zip\Takeout\Google Photos\2020-03-09\IMG_20200309_172817.jpg



 What is the name of the file that this user attached/linked and emailed to Warren? Chestnut_CV.exe
 Gmail data from Google Takeout shows a thread with Warren:

While on spring break, Chester took a photo of a famous boat. What is the boat's name (2 words, ______ ship)?
Chester’s photo from Google Takeout(left):
takeout-20200329T181947Z-001.zip\Takeout\Google Photos\2020-03-08\IMG_20200308_144240.jpg


Reverse image search lead to a match with Wikipedia (right): Oseberg Ship

How many tweets did Chester tweet?
Identify local user ID via file naming convention of Twitter app:

MUS_Android.tar\data\data\com.twitter.android\shared_prefs\profile1230174369462267904.xml (so Local user id = 1230174369462267904)

Support that this is linked to Chester via MUS_Android.tar\data\data\com.twitter.android\shared_prefs\1230174369462267904.xml:

Filter for this author ID in AXIOM (Artifact view > Social Media > Twitter Tweets)



5 tweets have this author id

How much warmer is it going to be tomorrow in Burlington? 12
Visible at the end of a video shared via snapchat. (This video was initially of interest because it shows the matrix background mentioned in a separate question.)


Screenshot from the very end of this video:



What local port was Warren's computer listening on while connected to the IP 13.35.82.31 during the memory dump?
I used the computer’s RAM dump. Filter on “remote IP Address” within the netscan artifacts in AXIOM: port = 54281



What train station did Chester get directions to? Bergen
Google takeout “cloud google activity” where action = “directions”:


 
What was the path that Chesters train took? Flag format: A to B to C would be flag<ABC>, THERE ARE MORE THAN 3 POINTS THE TRAIN WENT THROUGH
Reference map:

 

Google Takeout geo viewed via AXIOM’s world map display:



The location of these points gives us the route and looking at points in each location gives timestamps from which to infer the direction of travel:

•     10/03 07:24 Oslo (N)
•     10/03 08:02 Dramen (M)
•     10/03 08:30 Amot (L)
•     10/03 08:57 Honesfoss (J)
•     10/03 10:19 Gol (H)
•     10/03 11:34 Finse (F)
•     10/03 12:42 Vossevagen (C)
•     10/03 13:55 Bergen (A) 

Route = NMLJHFCA

Unbeknownst to Chester and Alan, the app found in the question "Obfuscating Like a Pro" didn't store their chat logs securely. What is the chat message ID for where the target of the hack is declared?
In the app’s database (wf_database.db) the following message has chat_message_id = 18741612351



What was the first move made by Chester in Chester's Chess game? 

•     Flag is in chess notation (Ex. A1-B2)
•     Chess board for refence, assume white starts on rows 7 and 8: 

From wf_database users table: Chester’s user_id = 237046613

In the “moves” table the earliest move associated with this user is “createdAt” 2020-02-19T17:25:26Z. This is the second move listed in the table so Chester must have gone second, hence been black.



Chester’s move details:

•     Starting point: X1 = 4, Y1 = 1
•     Ending point: X2 = 4, Y2 = 3 

The details in the “data” column also provide a useful visualisation of the board previous to the current move which we can make more intuitive with some line breaks and spaces:


At the start of the first move:


At the start of Chester’s move (indicates what the previous move was and therefore that white is represented by capitals):


At the start of the move after Chester’s (indicates what Chester’s move was):


Transposing Chester’s move onto the board provided gives E2-E4.

To show of his leet hacker skills to Alan, Chester downloaded a farm-themed package for his terminal. What is the name of the package? Cowsay
From MUS_Android.tar\data\data\com.termux\files\home\.bash_history

3rd time lucky!


What does the cow say? hello alan
data\data\com.google.android.apps.messaging\cache\image_manager_disk_cache\06358f4841ae28d5135cc11dd8b1cee079c63b9eb882aa266b5eccfae70cc627.0



How many NHL (National Hockey League) Mascots are shown in the video? 12

• Video: MUS_Android.tar\data\data\com.twitter.android\cache\precache\200.0.1582346614153.v3.exo
• I also found GIF online which has a clearer view.
• And reference images of what the mascots look like.

Screenshots from video:

Mascots I spotted:


(I could only see the last 2 in the GIF online)

What did Chester set his emoji for the mutual best friend indicator in Snapchat to? You have 1 attempt at this [ Nerd 🤓 Vulkan Hand 🖖 Sunglasses 😎 Rock on 🤘]

MUS_Android.tar\data\data\com.snapchat.android\databases 

From core.db:


And main.db:


Chester configured a moving matrix background on his phone. What did Chester set the falling speed of the characters to? Demonstration video located at data/media/0/AzRecorderFree
From MUS_Android.tar\data\data\com.gulshansingh.hackerlivewallpaper\shared_prefs\com.gulshansingh.hackerlivewallpaper_preferences.xml: Falling speed = 50


What was the percentage likelihood that the Android user was walking on Fri Mar 6 2020 at 20:50:27 UTC

• Look at “Cloud Google Location History” information around the time of interest.
• "Activity confidence scores" use unix timestamps so 06/03/2020 20:50:27 = 1583527827739.
• There are location artefacts with timestamps either side of the time of interest:

Looking further at the activity confidence score information for these times gives a more granular breakdown. This timestamp shown below converts to Fri, 06 Mar 2020 20:50:27:



Chance of walking is 95%

What is the effective UID for the application used to create the Phisy Phish phish document?

Keyword search for “Phishy” leads us to MUS_Android.tar\data\data\com.evernote\files\logs\log_main.txt which suggests this is an Evernote file:

“2020-03-23 20:14:40.302 D/y: {RxCachedThreadScheduler-16} - getAction(): APPINDEX: Phishy Phish phish,https://www.evernote.com/shard/s350/nl/213777210/c80ab339-7bec-4b33-8537-4f5a5bd3dd25/” 

We can find the UID for Evernote in MUS_Android.tar\data\system\packages.list:

“com.evernote 10239 0 /data/user/0/com.evernote default:targetSdkVersion=28 3003 0 1083295”

------------------------------------iOS------------------------------------ 

What's the Apple ID email associated with this device? Flag should look like: flag<sally@mail.com> (Don't include flag<>)
From: iOS_Filesystem\private\var\mobile\Library\Accounts\Accounts3.sqlite 
abrunswick8675309@gmail.com

What tool was used to perform the acquisition on this device? Note: You only have 1 attempt.[EnCase/Magnet Axiom/Mobile Evidence Acquisition Toolkit/Cellebrite]
(MEAT.log accompanied the image.)

What is the name of this user's favourite city in Apple Maps?
Find Geo Bookmarks within Apple Maps directory:

p\v\m\Containers\Data\Application\B12F428E-3C86-42A6-B48D-297B63D9FFAC\Library\Maps\GeoBookmarks.plist

Decode content from Base64 to get Loserville

 
What medication is this user currently on?

View contents of medication info key within private\var\mobile\Library\MedicalID\MedicalIDData.archive: Lysergic acid diethylamide



What's the name of this device? Alan's Fantastical iPhone
iOS_Filesystem\private\var\preferences\SystemConfiguration\preferences.plist

 Parsed by AXIOM:

 
Parsed by iLEAPP:

 
What is the company associated with the contact "Chester Russell"? APT802
p\v\m\Library\AddressBook\AddressBook.sqlitedb

(AXIOM doesn’t open/preview/parse this due to “SQL logic error or missing database unknown tokenizer: ab_cf_tokenizer” but you can open it with DB Browser)

Chester Russel is also noted as a WhatsApp contact in ContactsV2.sqlite. The “ZSEARCHTOKENLIST” value is “apt802 Chester Russell”.

How many seconds did the user have Safari open between the hours of 12:00:00 and 20:00:00 on March 23rd, 2020? Only enter the number. 1039
From APOLLO output Apollo.db:

• Filter “Key” (day) to 23/03/2020
• Filter “Activity” to “Application in Focus”
• Filter Output to contains “com.apple.mobilesafari”
• Combine the number of seconds from each of the resulting matches between 12:00 and 20:00

 
Looks like a MineCraft server was hosted on this device?? Find the username of a player who has joined. Thad_Castle_
iOS_Filesystem\usr\dev\cuberite\Server\logs\LOG_1582671985.txt

 
What is the first IP address that this user targeted via a popular hacking tool?
From iOS_Filesystem\private\var\mobile\.msf4\history: 

RHOSTS specifies the target so the first IP targeted is 184.171.152.175

This user's Spotify playlist is looking a bit suspicious...?
Recently played info in com.spotify.client.plist:

Use this playlist ID in a Spotify URL: https://open.spotify.com/playlist/0TQqkkRJhco07VTmXjcBem which takes you to:

 Flag is song titles = Destroy Education Debt

What is the name of the computer that was used to sync with this device? DESKTOP-A108NFK
 \private\var\mobile\Media\iTunes_Control\iTunes\iTunesPrefs

 
ILEAPP parses this as a connected device:

 

How many applications have iOS Snapshots?
Filter “iOS_Filesystem.zip\iOS_Filesystem\private\var\mobile\Containers\Data\Application\” for folders named “Snapshots”. There are 88.

How many guests were registered in the trip to Disney? Warning: You only have 3 attempts at this.
\private\var\mobile\Containers\Data\Application\D9129FF2-0778-4569-9365-D5B23998B63C\Library\Itinerary_Object_Cache 

Open as a database in DB Explorer and export blob from ZDATA field:

 
View bplist in plistexplorer:

 Adults count = 6

------------------------------------Windows------------------------------------

When did the windows image acquisition start? Answer in YYYY-MM-DD HH:MM:SS
From DFA_Windos.E01.txt: “Image Information: Acquisition started:   Wed Apr 22 17:55:30 2020"
Answer: 2020-04-22 17:55:30

What is the user's phone number? (Format: 555-555-5555)
From Chrome autofill, grouped/sorted by “last used” timestamp: 802-265-5115

 
How many people won Quarterly Drawing 31?

• 1
• 10
• 100
• 1,000
• 10,000
• 100,000

 From https://vtlottery.2ndchanceplay.com/draws.html?t=2 : 100 winners

 
When did the user start working in their current position? (Example: flag<July 1776>) July 2014
There is evidence of LinkedIn usage on the Windows machine and in the RAM image.

Searching online for Warren Hamilton leads us to his profile: https://www.linkedin.com/in/warren-hamilton-3b87601a3/ which includes timestamps for his employment at Mallie Sae:

 
How many times did Warren sign in to his machine?
Parsed SAM file using RegRipper which shows “Login Count” = 24

 

What is the earliest created file associated with the following MD5: 3d908e1b40140c1e0167603ffca07701?
Processed case with AXIOM with file hashing enabled then used MD5 column filter in file system view. Based on comparison of creation dates the earliest created is AccessMUISet.msi.

 
How many dollars does the user CURRENTLY owe from gambling? Format 99,000

Users\Warren\DocumentsLoan Tracking\LoanBook4.xlsx

Calculate the total due minus the total paid: 16,080

How many dollars to directly buy in to the tournament on Sunday? $162
View the tournament details on the Ignition Casino website:
https://www.ignitioncasino.eu/promotions/150K-Guaranteed-poker-tournament

When was the image downloaded from www.sciencenews.org viewed? Format MM/DD/YYYY HH:MM:SS (24 hour clock) ex 05/12/2020 17:45:00 

From Chrome Downloads we can see that there is only one match from sciencenews.org and that the file downloaded was https://www.sciencenews.org/wp-content/uploads/2019/07/071019_MT_poker-ai_feat.jpg 

• Download start time: 18/02/2020 21:25:26
• Download saved to: C:\Users\Warren\Pictures\poker.jpg
• File size: 91324 B

A file is found in this location matching the filename and size noted in the Chrome Download details. It has last accessed time = 18/02/2020 21:25:26 and created time = 18/02/2020 21:25:36.

The last accessed timestamp is not a reliable source of a file’s last access time so we must look elsewhere for indications of user activity:

• Parse MRUList from NTUSER.dat using RegRipper: poker.jpg is listed but is not the most recently opened jpg. We can only infer that it has been opened/saved since Fri Feb 14 19:04:26 2020
• Poker.lnk has a last modified time of 18/02/2020 21:25:36
• Edge History also shows file:///C:/Users/Warren/Pictures/poker.jpg was accessed at 18/02/2020 21:25:36. Edge history from the RAM capture also gives the same.

Therefore, the file was last viewed at 02/18/2020 21:25:36

What is the name of the movie written in the text file within a PNG? Godzilla
I identified the png of interest by filtering for png files within Warren’s user area. Excluding very small files, icons, images within software packages etc which ultimately lead to prioritising: “DFA_Windows.E01 - Partition 1 (Microsoft NTFS, 60 GB)\Users\Warren\Documents\Cats\really hang in there.png” because it was the best candidate left within folders where we typically see user-generated content. 

Open the file using OpenStego and leave the password blank:



Name the bug check code in the most recent Windows crash (Blue Screen) 0x0000000a

View system.evtx log in Windows built-in Event Viewer. The most recent error is noted on 20/04/2020 23:44:40 (Source = BugCheck, Event ID =1001):

“The computer has rebooted from a bugcheck.  The bugcheck was: 0x0000000a (0x0000000000000000, 0x0000000000000002, 0x0000000000000001, 0xfffff80002a3aa5e). A dump was saved in: C:\Windows\MEMORY.DMP. Report Id: 042020-7222-01.”

What is the GUID for the application that was last used to access C:\Users\Warren\Documents?

From NTUSER.dat: Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU: 

•  Folder accessed: C:\Users\Warren\Documents
•  Application Name: {4ED5B83C-7A8C-4917-B107-E9FF0864EDFB}

How many total seconds did the user spend on the page when they searched for quick online poker? format: x.xxx
Locate Google search of interest and parse URL with unfurl (https://dfir.blog/unfurl/): 6.294 seconds

 

------------------------------------Memory------------------------------------

Which memory profile fits best?
I used the volatility executable that comes with AXIOM to run:
volatility.exe -f memdump.mem imageinfo

Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64, Win2008R2SP1x64_24000, Win2008R2SP1x64_23418, Win2008R2SP1x64, Win7SP1x64_24000, Win7SP1x64_23418

What is the LM hash of user's account?
Extract registry hives:

volatility.exe -f memdump.mem hivelist --profile=Win7SP1x64

The output provides the virtual offsets:

• SYSTEM = 0xfffff8a000024010
• SAM = 0xfffff8a000301010

Dump out the hashes: 

volatility.exe -f memdump.mem --profile=Win7SP1x64 hashdump - y 0xfffff8a000024010 -s 0xfffff8a000301010 > hashes.txt

The following output is returned which includes the LM hash for Warren:

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: 

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0::: 

Warren:1000:aad3b435b51404eeaad3b435b51404ee:2aa81fb8c8cdfd8f420f7f94615036b0:::

What is Warren's Ignition Casino password? (Case Sensitive!!!!)
Browser history on the Windows machine indicates that “Forgot your password” on the ignition casino site was last visited at 18/02/2020 07:18:55. If the user went through with this there may be a relevant email in memory.

To look for this I ran bulk extractor on the memory dump, viewed the email.txt output and searched for “ignition”. Results included:

3189326580warrenhamiltonfinance@gmail.com.ignitioncasino warrenhamiltonfinance@gmail.com WHbigboy123 - h

It seems like Warren may have let his addictions slip into his work life... Find the program in question, recover it from memory, and give the SHA1 hash.

If we find the PID of the process of interest we could use procdump to pull the exe out but no processes of interest are noted when using Volatility to scan for processes (pslist/psscan/psxview). Instead we can perform a filescan to find the file of interest and it’s offest: 

Use –Q argument with dumpfiles to pull the file from this offset:

Hash the file returned:

 
SHA1= 3b7ca3bb8d4fb2b6c287d6a247efd7c457937a3e

When was IgnitionCasino.exe compiled? YYYY-MM-DD HH:MM:SS
Drop the exe extracted in the previous question into pestudio and view the file header information: 2020-02-12 12:01:35

 

------------------------------------The ones I haven't solved yet------------------------------------

What is the Tag ID of the scanned NFC tag?

•  377EE22E104347
•  AD2A7A3E3C63F7
•  96C8E50757329E
•  E5DB5FE6A6984D
•  041146220F5E80
•  2D52E5017D690E
•  64DCD00FD51BFB
•  64DCD00FD51B03
•  925F65AC9786B6

There are a couple of NFC related apps. Within private\var\mobile\Containers\Data\Application:

• 09DFF3D4-FA84-46A6-8966-64B546682F17 = net.limneos.nfcwriter 
• 18C467CB-139A-46B4-AF72-280E69824A40 = NFCWriter.43348af6.unsigned
  

The latter contains "LastScanLog.txt" which appears to be transmit (Tx) and recieve (Rx) data:

Converting the hex gives something I don't recognise, apart from being able to see "PAY.SYS"

Based on some Googling about NFC protocols it seems like it uses NDEF (NFC Data Exchange Format). I found a python library which parses this format. I installed it and checked that it worked using the hex from the documentation example.

But once I try to put in any of the hex from"LastScanLog.txt" I get errors:

I considered that networking tools like Wireshark maybe able to parse this data and sure enough there is some NFC sample data on the Wireshark website. Apart from the .cap metadata this has some similarities with the log data:

But I don't have any network forensics or wireshark experience so I haven't been able to work out how to convert the txt file into a format suitable for Wireshark, if thats possible. All my searching in this area leads back to hex dumps but I don't think the log file matches the hex dump format shown here in the Wireshark documentation:

I feel pretty confident that the answer is in this log file but just in case it's a sneaky decoy I had a look in other places. The tag ID might be visible in a screen capture while the app was open so I looked on Google images for screenshots of NFCWriter for iPhone and fed them into AXIOM's similar image seach.

The search brought back lots of screenshots but unfortunately nothing relevant to the NFC question.

I had a look through the iLEAPP and APOLLO output for references to the NFC apps.

• I didn't see anything relevant in iLEAPP
• APOLLO parsed some info about when net.limneos.nfcwriter was used/in focus but I didn't see anything about tag IDs

I considered that if the NFC item scanned had been a payment card or passit might appear in Wallet information. There is a good Elcomsoft blog about this here.

• Card info should be in: private/var/mobile/Library/Passes/<cardID>/pass.json
• Transaction info should be in: private/var/mobile/Library/Passes/passes23.sqlite

Interestingly, there was a table called "nfc" in "passes23.sqlite" but it was empty:

The only card details I found in passes23.sqlite/pass.json files were airline boarding passes and an Apple payment entry. (Side note: who designed this database and what is up with these table names??)

This SANS poster has matches for "iphone", "forensics" and "NFC" but unfortuanately it's only mentioned in the Android section:

But it prompted me to think about where iOS might store this type of data independant of any third party apps. Here is the equivalent section for iOS:

I had a quick look through these files yesterday but didn't see anything about NFC. Perhaps a more detailed look would turn something up when I have some more time....

What is the disclaimer in this code? (Chestnut_CV.exe)

I've never done any malware reverse engineering so this has been a case of putting the executable into various tools I've heard about in some of the recent Magnet webinars and hoping to get lucky.

• Extracting strings didn't return anything that looked like a disclaimer (it probably wouldn't be a 75 point question if it did...).
  
• I dropped the exe into PEStudio and clicked through the output but didn't see anything of interest.
• I opened the exe in Ida (free version). I looked through all the output but honestly didn't understand what I was looking at for the majority. Nothing looked like a disclaimer....
  
• I put the hash of the exe into Virus Total (MD5: 4ef0e4a29425220308a5bd431f084f14). There were no matches with anti-virus tools but there was one community report, available here.There was so much information in this report I thought it would hold some clues but either it didn't, or I don't understand enough to recognise them yet!
• I wanted to see if there was anything presented to the user when the software was run so I virtualised Warren's Windows machine and ran Chestnut_CV.exe (I logged in using his Windows password which I found in RAM: warrenhbigboy123). Nothing was presented to the user.
• The last 2 steps directed me towards the temp files that are reated by the malware at C:\Users\<user>\AppData\Local\Temp. I looked through these but didn't see a disclaimer.
• I captured the RAM of the virtualised machine hoping to find something in memory but all I noted was Chestnut_CV.exe. The report I found via Virus Total indicated that the malware is looking for client_secrets.json so perhaps in it's absence it simply doesn't run.
• A file with the name client_secrets.json is noted on the Android device as a Gmail attachment: "MUS_Android.tar\data\data\com.google.android.gm\files\downloads\bb3576b04a35ed9b258a366fc83f8fea\attachments\d_0_0_de3a2ac1_3408051f_4bd0c5f5_39c32cf9_7de57851\client_secrets.json"
• I could copy this file onto Warren's machine to see if it changes the behaviour but I don't know where it needs to be located for the malware to find it....
• Based on this screenshot from the report these python scripts might be a good place to look but I don't know how to extract them from the exe..

Phew! What a busy 2 weeks. I really enjoyed doing all of this and I learned a lot along the way. Many thanks to Magnet for running this event.