BTLO: Suspicious USB Stick Challenge Walkthrough

Hello, blue teamers. In this blog entry, join me as I attempt to conquer the Suspicious USB Stick challenge, hosted on Security Blue Team Labs Online. This is a retired challenge and falls under the Digital Forensics domain. It was pretty fun to investigate!

There’s also a Gitbooks version of the same challenge, written by me. You can go ahead and check it out!

NOTE: Always remember to investigate alerts from BTLO, on a VM.

Premise of Alert

One of our clients informed us they recently suffered an employee data breach. As a startup company, they had a constrained budget allocated for security and employee training. I visited them and spoke with the relevant stakeholders. I also collected some suspicious emails and a USB drive an employee found on their premises. While I am analyzing the suspicious emails, can you check the contents on the USB drive?

Let’s start

Download the USB Image attached with this task. In my opinion, it is better to unzip and extract the files, using GUI mode

Opening the attachment, we get these files:-

Proceed to unzip the file using the passphrase ‘btlo’ and get the USB directory.

Extract it in your Downloads file. Inside this directory, we get:-

Enumeration of evidence

Opening the README.pdf file to view its contents, we see the following text:-

Opening up the autorun.inf file, we can see the following instructions:-

Let’s answer the challenge questions:-

Q)What file is the autorun.inf running?


Analysis of malware sample

Q)Does the pdf file pass Virustotal scan? (No malicious results returned)

Let’s submit this file for analysis on VirusTotal.The following report is received, indicating that the file is indeed malicious


Magic Numbers anyone?

Q)Does the file have the correct magic number?

To test this, I suggest reading this article. Magic numbers are usually used to indicate and differentiate the formats of files. These numbers are visible on hex editors

From a quick google search, we find that the magic number of a PDF file is- (hex 25 50 44 46 )

Going to our CLI and testing out the following command

Command — xxd README.pdf | head

From the first line of the output, it is evident that the PDF file is not disguised in any way


Q)What OS type can the file exploit? (Linux, MacOS, Windows, etc)

To understand the payload executed by any malicious file, it’s wise to see the actions taken by it. It is viewable from the ‘Behaviour’ section for this file, on VirusTotal

It is evident that the payload targets Windows systems and spawns Windows processes


Q)A Windows executable is mentioned in the pdf file, what is it?

To extract strings from this malicious PDF, I prefer uploading it to Hybrid-Analysis and then filtering it out by .exe.Two hits are received


Hunting down Suspicious elements

Q)How many suspicious /OpenAction elements does the file have?

Executable files are always flagged by antivirus tools and are increasingly treated as suspicious and untrusted by default. PDF files are instead treated with less suspicion and attackers often use them to trick targets into running malicious code, to obtain an initial foothold into their machines.

Code obfuscation and other techniques are used in malicious PDF files to bypass antiviruses. Therefore, in case of suspicion, it is useful to check the file manually.

Luckily for us, PDFs can identify suspicious elements, which we can identify by using is a CLI tool, that can pull out the information we want. Download it

Syntax — python3 <file.pdf>

Running the script against the PDF file and skimming along with the results, we find that 1 suspicious action was found



It is good to experiment and practice analysis with malware, especially when you finally get exposed to one in a SOC environment. These small tasks are sure to help me in the future

Thank you for reading this blog entry. Stay tuned, as I go hunting some pcap files out there….



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store