Bonus 2: Truth or Misinformation?

Cyber Blog Analysis

For this scenario, we’d like you to take a look at the blog post below and see if you can find evidence in SecurityLogs2 that supports or disproves the information posted.

[Start Blog Post]


What is UnhelpfulDesk?

UnhelpfulDesk malware implants are dropped by files with names that resemble legitimate IT functions, such as software updates or password resets, or medical research topics, such as vaccine research. These files are delivered to victims via malicious emails containing links to download the files.

UnhelpfulDesk Droppers

Thesis_on_vaccine.exe232568cb9c5d1b3698334c504b173e637826d 79074fb8fa23a54981578eb7dc9
ResearchBibliographyGenerator.pptx6e4a6278077f310e69017dba9a173d9d27 eddec9236231e1717a475c26242ae6
Software_Update.rar2f2e5f20a726e9710b9c5c7c681e66240f854acd 48107e5cd193d6133297b72f
IT_PASSWORD_RESET_TOOL.rarfe04d68b163bbf432196c0d7bb184176a42606 30374c93c916cc6b52fc9855f7

Dropped Implants

updater.dll3666cb55d0c4974bfee855ba43d596fc6d10 baff5eb45ac8b6432a7d604cb8e9
updater.dll42a337bcec26df0130a11baf9e6017999385 1b88f1cabec52973f88774e903fb
updater.dllea05ff75fef906a60545129a7c5bea2956bf de63b8e714eb42db3ae50b99dec3
updater.dll370ce39ba328329ff16b5ede1079f6402e68 abceb34e65cb31883a3b3730b530
updater.dlle3970346ff7fcc3665f027d7f221968087f3 c42705f5799fbc1d2811ab1ca4ea

Note: Samples of the UnhelpfulDesk implant files detected by VulnerableArray researchers are available on VirusTotal.

Once successfully deployed, the UnhelpfulDesk implant executes reconnaissance via the following commands:

 net user Administratr 

Following this, the malware will encrypt files on the machine and demand a ransom to decrypt the files. The ransom note is pulled down from Pastebin as shown below:

curl https://pastebin[.]com/HOW%20TO%20RECOVER%20YOUR%20FILES.txt 

Other Indicators of Compromise (IOCs)


[End Blog Post]

Now it’s up to you…

Our Chief Information Security Officer (CISO) has asked you to evaluate this report from VulnerableArray and determine whether it is accurate using the logs from the SecurityLogs2 database.

🤔 While making your assessment, consider the following questions: