Advent of Cyber 2021 — [Day 8] Santa’s Bag of Toys

7 min readDec 8, 2021

“McSkidy was notified of some terrible news! Santa’s laptop, which he uses to prepare his bag of toys for Christmas, is missing! We believe a minion at the Grinch Enterprise stole it, but we need to find out for sure. It is up to us to determine what actor compromised the laptop and recover Santa’s bag of toys!

Unfortunately, The Best Festival Company had minimal monitoring tools on Santa’s laptop (he is the boss, after all)! All we have to work with are some PowerShell Transcription Logs we were able to remotely recover just after it went missing. You can find the transcription logs within the SantasLaptopLogs folder on the Desktop of the attached Windows virtual machine.”

Link to Room: https://tryhackme.com/room/adventofcyber3#

So when you start the virtual machine in the room, it’s supposed to pop out with a special instance that has the log files loaded onto the desktop. Mine was not working, so I ended up connecting via RDP from the TryHackMe Attack Box.

If a keyring prompt comes up, just hit OK. Fill in the IP address of the machine in the room and use the provided credentials:

Username: Administrator

Password: grinch123!

If you’re super lucky like me you will get an error message like this:

To fix this go to the top left of your Remmina instance and click on the + icon. From there you can change the color options. I picked this one:

Then connect again and it should work. Santa’s logs will be sitting there for you to look through:

Question #1: What operating system is Santa’s laptop running (“OS Name”)?

The first thing I did was arrange them by date modified so I could look at them sequentially.

Open up the first one and it should show the OS right after the systeminfo command:

Microsoft Windows 11 Pro

Question #2 What was the password set for the new “backdoor” account?

If you open up the next log and read through you can see someone adding a user called “s4nta”, setting their password, and giving them admin rights.

grinchstolechristmas

Question #3: In one of the transcription logs, the bad actor interacts with the target under the new backdoor user account, and copies a unique file to the Desktop. Before it is copied to the Desktop, what is the full path of the original file?

Read through the third transcript to find this information.

C:\Users\santa\AppData\Local\Microsoft\Windows\UsrClass.dat

Question #4: The actor uses a Living Off The Land binary (LOLbin) to encode this file, and then verifies it succeeded by viewing the output file. What is the name of this LOLbin?

You can find this in the same transcript as above:

certutil.exe

Question #5: Drill down into the folders and see if you can find anything that might indicate how we could better track down what this SantaRat really is. What specific folder name clues us in that this might be publicly accessible software hosted on a code-sharing platform?

I started by opening up the ShellBags utility that is provided on the desktop environment.

Then I copied and pasted the Base64 code from last log into CyberChef. Everything between BEGIN CERTIFICATE and END CERTIFICATE.

Yes, it’s a lot.

If you begin copying and then hold down shift, you can release your mouse button, scroll quickly using the sidebar, and then resume highlighting with your mouse at the top.

Then paste into CyberChef like so, download the data, and save.

Next, choose these options in ShellBags to get started:

Choose the .dat file you just saved and open it:

This is essentially a digital forensic utility that allows you to translate and easily explore Windows Shellbags, which are basically a user’s preferences for window size and small details like that. I’ve never used it before but it reminds me a bit of Autopsy.

Right away you can see a super suspicious folder named SantaRat:

Unlike Autopsy, you can’t go through the contents, you can only see the name and a couple more details. However, here we can see that there is a sub-folder called Github, so the details of this RAT are probably publicly accessible there.

.github

Question #6: Additionally, there is a unique folder named “Bag of Toys” on the Desktop! This must be where Santa prepares his collection of toys, and this is certainly sensitive data that the actor could have compromised. What is the name of the file found in this folder?

You can find this in the same area:

bag_of_toys.zip

Question #7: What is the name of the user that owns the SantaRat repository?

For this question, head to Github and do a search for “SantaRat”

Looks like the owner is “Grinchiest”

Grinchiest

Question #8: Explore the other repositories that this user owns. What is the name of the repository that seems especially pertinent to our investigation?

Here we can see that there is a repository called “operation-bag-of-toys”

operation-bag-of-toys

Question #9: Read the information presented in this repository. It seems as if the actor has, in fact, compromised and tampered with Santa’s bag of toys! You can review the activity in the transcription logs. It looks as if the actor installed a special utility to collect and eventually exfiltrate the bag of toys. What is the name of the executable that installed a unique utility the actor used to collect the bag of toys?

The ReadMe file details the entire plot:

Head back to the transcription logs on your machine, since there are still two we have not been through.

Open up the fourth file and you will see this:

.\uharc-cmd-install.exe

Question #10: Following this, the actor looks to have removed everything from the bag of toys, and added in new things like coal, mold, worms, and more! What are the contents of these “malicious” files (coal, mold, and all the others)?

Open up the very last log. If you look through each of items, you can see that they just contain “GRINCHMAS”.

GRINCHMAS

Question #11: What is the password to the original bag_of_toys.uha archive? (You do not need to perform any password-cracking or bruteforce attempts)

If you head back over to Github, you can see that there are 5 different commits to look through.