Remote Access Regret

  • scenario

Image 1

Image 2

We are given a raw disk image file.

  • extract this using:
# byte-for-byte copy of the raw image (bs only affects throughput), then loop-mount the copy
# forensic note: add ro (and noexec) to the mount options so the evidence copy is not modified
dd if=intelvol.raw of=output.img bs=512
sudo mkdir /mnt/rar_image
sudo mount -o loop output.img /mnt/rar_image

Image 3

  • local AnyDesk ID

Image 4

  • open this file in DB Browser (for SQLite)

Image 5

  • first website Margaret visited before encountering the scam

  • domain of the initial malicious redirect that led Margaret to the scam page

Image 6

  • examining the cached HTML file, what phone number was displayed to the victim?

Image 7

Image 8

  • AnyDesk ID of the remote machine
  • alias of scammer

Image 9

  • total session duration in seconds
  • convert the hours:minutes:seconds duration to seconds: 4052 sec
  • first file stolen from Margaret’s Desktop
  • how many bytes in total were exfiltrated?

Image 10

  • total number of URLs visited during the browsing session on the day of the incident

Image 11

  • the total is 10
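The browser-history questions above (first site visited, referrer of the scam page, number of URLs on the incident day) can also be answered with a script instead of clicking through DB Browser. The following is an added example, not part of the original writeup; it assumes the history file follows the Chromium History SQLite layout (`urls` and `visits` tables, WebKit timestamps in microseconds since 1601-01-01 UTC) and uses constructed sample rows rather than the challenge's data.

```python
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Chromium stores visit times as microseconds since 1601-01-01 UTC (the WebKit epoch).
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
SAMPLE_DAY = datetime(2024, 3, 10, tzinfo=timezone.utc)  # constructed "incident day"

def to_webkit(dt):
    # integer floor-division keeps full precision (float division would lose it at this magnitude)
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)

def from_webkit(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)

def build_sample_history():
    """In-memory DB mimicking the Chromium History tables used here (constructed sample data)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls(id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE visits(id INTEGER PRIMARY KEY, url INTEGER, visit_time INTEGER, from_visit INTEGER);
    """)
    con.executemany("INSERT INTO urls VALUES (?,?,?)", [
        (1, "https://recipes.example/pie", "Pie recipe"),
        (2, "https://ad-redirect.example/go?x=1", ""),
        (3, "https://support-alert.example/warning.html", "Virus Alert"),
    ])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?)", [
        (1, 1, to_webkit(SAMPLE_DAY - timedelta(days=1, hours=2)), 0),  # previous day: excluded
        (2, 1, to_webkit(SAMPLE_DAY.replace(hour=9, minute=2)), 0),
        (3, 2, to_webkit(SAMPLE_DAY.replace(hour=9, minute=5)), 2),     # referred from visit 2
        (4, 3, to_webkit(SAMPLE_DAY.replace(hour=9, minute=5, second=3)), 3),
    ])
    return con

def visits_on_day(con, day):
    """All visits on one UTC calendar day, oldest first: (datetime, url, visit_id, from_visit)."""
    start, end = to_webkit(day), to_webkit(day + timedelta(days=1))
    q = """SELECT v.visit_time, u.url, v.id, v.from_visit FROM visits v JOIN urls u ON u.id = v.url
           WHERE v.visit_time >= ? AND v.visit_time < ? ORDER BY v.visit_time"""
    return [(from_webkit(t), url, vid, fv) for t, url, vid, fv in con.execute(q, (start, end))]

def first_url_on_day(con, day):
    return visits_on_day(con, day)[0][1]

def redirect_chain(con, visit_id):
    """Follow from_visit links back to the origin; returns domains, nearest referrer first."""
    chain = []
    while visit_id:
        row = con.execute("SELECT u.url, v.from_visit FROM visits v JOIN urls u ON u.id = v.url "
                          "WHERE v.id = ?", (visit_id,)).fetchone()
        if row is None:
            break
        chain.append(urlparse(row[0]).netloc)
        visit_id = row[1]
    return chain
```

Point `sqlite3.connect` at a copy of the real History file (never the mounted original) and the same queries apply; the second element of `redirect_chain` for the scam page's visit is the redirecting domain.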