While specific write-ups depend on the exact platform hosting the challenge, most investigations of this archive involve the following core steps: 1. Initial Triage
: Search the SOFTWARE and SYSTEM hives for persistence mechanisms, such as new "Run" keys or scheduled tasks used by the threat actor. File: Space_Panda_collection.zip ...
: Review Security.evtx for failed logins or System.evtx for service installations that indicate lateral movement. 3. Malware Characteristics While specific write-ups depend on the exact platform
Investigators typically focus on these key areas to trace "Space Panda" activity: Common Flags Typical questions in this write-up include:
: Identifying staged folders where sensitive documents were gathered before being zipped and sent to a remote server. 4. Common Flags Typical questions in this write-up include: What is the full path of the malicious file? What IP address did the attacker use for the C2 server? What was the timestamp of the initial compromise?
: Unzip the archive (often using the password infected or btlo in security contexts) to reveal its contents, which usually include system logs, memory dumps, or disk images. 2. Forensic Artifact Analysis
Challenges involving "Space Panda" often simulate an Advanced Persistent Threat (APT) scenario: