MrRobot Lab

CyberDefenders Endpoint Forensics Lab

Scenario

An employee reported that his machine started to act strangely after receiving a suspicious email for a security update. The incident response team captured a couple of memory dumps from the suspected machines for further inspection. Analyze the dumps and help the SOC analysts team figure out what happened!

Question 1

Machine:Target1 What email address tricked the front desk employee into installing a security update?

Answer 1

Despite the tools listed stating that you can use Volatility3, that doesn’t seem to be the case. I couldn’t find a good answer as to why, I think I need to make another profile in order to detect the kernel version. So I will be using Volatility2 for this lab.

First I need to run the imageinfo command to find out what profile I need to be using:

└─$ python2 vol.py -f dump/target1.vmss imageinfo 
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x86_23418, Win7SP0x86, Win7SP1x86_24000, Win7SP1x86
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : VMWareAddressSpace (Unnamed AS)
                     AS Layer3 : FileAddressSpace (/home/zero/Documents/volatility2/dump/target1.vmss)
                      PAE type : PAE
                           DTB : 0x185000L
                          KDBG : 0x82765be8L
          Number of Processors : 2
     Image Type (Service Pack) : 0
                KPCR for CPU 0 : 0x82766c00L
                KPCR for CPU 1 : 0x807c5000L
             KUSER_SHARED_DATA : 0xffdf0000L
           Image date and time : 2015-10-09 12:53:02 UTC+0000
     Image local date and time : 2015-10-09 08:53:02 -0400

Using one of the suggested profiles, I then looked for any email clients that are running on the system.

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 pslist
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit                          
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x85d0d030 iexplore.exe           2996   2984      6      463      1      0 2015-10-09 11:31:27 UTC+0000                                 
0x85cd3d40 OUTLOOK.EXE            3196   2116     22     1678      1      0 2015-10-09 11:31:32 UTC+0000                                 
0x85d01510 svchost.exe            3232    528      9      131      0      0 2015-10-09 11:31:34 UTC+0000

I next dumps the files that are associated with OUTLOOK.exe.

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 dumpfiles -p 3196 --dump-dir dump/files

There was one file that was pulled that caught my interest:

0x83e61be0   3196   \Device\HarddiskVolume2\Users\frontdesk\AppData\Local\Microsoft\Outlook\Frontdesk@allsafecybersec.com - outlook2.ost

This gave me the email address of the person that received the malicious email, along with a file that might contain data pertaining to the sender. Sadly this didn’t work out, so next I tried using memdump to gather the process memory at time of capture. Then after which I used strings to grab any potential email address.

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 memdump -p 3196 --dump-dir dump/files
Writing OUTLOOK.EXE [  3196] to 3196.dmp

Strings:

┌──(zero㉿kali)-[~/Documents/volatility2/dump/files]
└─$ strings 3196.dmp | grep @outlook
                                                                                                             
┌──(zero㉿kali)-[~/Documents/volatility2/dump/files]
└─$ strings 3196.dmp | grep @hotmail
                                                                                                             
┌──(zero㉿kali)-[~/Documents/volatility2/dump/files]
└─$ strings 3196.dmp | grep @gmail  
From: The Whit3R0s3 <th3wh1t3r0s3@gmail.com>
Return-Path: th3wh1t3r0s3@gmail.com

Question 2

Machine:Target1 What is the filename that was delivered in the email?

Answer 2

Hedging a bet that the file is more than likely an .exe file, I used strings once again on the dmp file.

$ strings 3196.dmp | grep .exe
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><div dir="ltr">Hello Mr. Wellick,<div><br></div><div>In order to provide the best service, in the most secure manner, AllSafe has recently updated our remote VPN software. Please download the update from the link below.</div><div><br></div><div><a href="http://180.76.254.120/AnyConnectInstaller.exe">http://180.76.254.120/AnyConnectInstaller.exe</a></div><div><br></div><div>If you have any questions please don't hesitate to contact IT support.</div><div><br></div><div>Thanks and have a great day!</div><div>AllSafe IT Support Desk</div></div>

Finding the above in the first couple of lines. An .exe file.

Question 3

Machine:Target1 What is the name of the rat’s family used by the attacker?

Answer 3

Now knowing what the .exe file is called I need to dump the file and upload it to VirusTotal. First of all I need to find the memory address:

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 filescan | grep AnyConnectInstaller.exe              
Volatility Foundation Volatility Framework 2.6.1
0x000000003df12dd0      2      0 RW-rwd \Device\HarddiskVolume2\Users\anyconnect\AnyConnect\AnyConnectInstaller.exe
0x000000003df1cf00      4      0 R--r-d \Device\HarddiskVolume2\Users\anyconnect\AnyConnect\AnyConnectInstaller.exe
0x000000003e0bc5e0      7      0 R--r-d \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe
0x000000003e2559b0      8      0 R--rwd \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe
0x000000003e2ae8e0      8      0 RWD--- \Device\HarddiskVolume2\Users\anyconnect\AnyConnect\AnyConnectInstaller.exe
0x000000003ed57968      4      0 R--r-d \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe

There are quite a few different options here. But the one in the downloads is truly what I am looking for, in other words the source file. There are however 3 of them, I just dumped each one to find a .dat file.

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 dumpfiles --dump-dir dump/files -Q 0x000000003e0bc5e0
ImageSectionObject 0x3e0bc5e0   None   \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe
DataSectionObject 0x3e0bc5e0   None   \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 dumpfiles --dump-dir dump/files -Q 0x000000003ed57968
ImageSectionObject 0x3ed57968   None   \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe
DataSectionObject 0x3ed57968   None   \Device\HarddiskVolume2\Users\frontdesk\Downloads\AnyConnectInstaller.exe

Both of the above addresses worked. Giving me the .dat file which contains the data of the malware, which I can then upload to VirusTotal.

A small note, sometimes the answers to the questions regarding malware families can be a little miss leading. Since there are a TON of different names that are listed in VirusTotal. For example, this malware goes by the names:

Xtrat
Seint
Bifrose
RATX
Buzus
Lydra
xtreme
trojan.dump/msil

None of which are the answer, however knowing its a rat, xtrat and ratx are closest to what I need. In this case the answer is: XTREMERAT. Needless to say, I do not like these types of questions since the answer can be many different things depending on when you carry out the lab. For example, looking over 2 of the guides that are linked on the labs page have the answer given out by an anti virus vendor Webroot.

Question 4

Machine:Target1 The malware appears to be leveraging process injection. What is the PID of the process that is injected?

Answer 4

I needed a little nudge in the right direction for this one, plus I learnt a new malware technique in the process. Process hollowing. I had to get a new plugin for Volatility for this, which can be found here, I then tried to find any suspicious process hollowing attempts within the system.

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 hollowfind
Hollowed Process Information:
        Process: wininit.exe PID: 420
        Parent Process: NA PPID: 360
        Creation Time: 2015-10-09 11:30:48 UTC+0000
        Process Base Name(PEB): wininit.exe
        Command Line(PEB): wininit.exe
        Hollow Type: No VAD Entry For Process Executable

VAD and PEB Comparison:
        Base Address(VAD): 0x0
        Process Path(VAD): NA
        Vad Protection: NA
        Vad Tag: NA

        Base Address(PEB): 0xcf0000
        Process Path(PEB): C:\Windows\system32\wininit.exe
        Memory Protection: PAGE_EXECUTE_WRITECOPY
        Memory Tag: Vad 

        No Hexdump: Memory Unreadable at 0x00cf0000

Similar Processes:
        wininit.exe(420) Parent:NA(360) Start:2015-10-09 11:30:48 UTC+0000

Suspicious Memory Regions:
        0x771c0000(No PE/Possibly Code)  Protection: PAGE_EXECUTE_WRITECOPY  Tag: Vad 
---------------------------------------------------

Hollowed Process Information:
        Process: iexplore.exe PID: 2996
        Parent Process: NA PPID: 2984
        Creation Time: 2015-10-09 11:31:27 UTC+0000
        Process Base Name(PEB): iexplore.exe
        Command Line(PEB): "C:\Program Files\Internet Explorer\iexplore.exe"
        Hollow Type: Process Base Address and Memory Protection Discrepancy

VAD and PEB Comparison:
        Base Address(VAD): 0x12d0000
        Process Path(VAD): \Program Files\Internet Explorer\iexplore.exe
        Vad Protection: PAGE_EXECUTE_WRITECOPY
        Vad Tag: Vad 

        Base Address(PEB): 0x13400000
        Process Path(PEB): C:\Program Files\Internet Explorer\iexplore.exe
        Memory Protection: PAGE_READWRITE
        Memory Tag: VadS

0x13400000  4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00   MZP.............
0x13400010  b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00   ........@.......
0x13400020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x13400030  00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00   ................

Similar Processes:
        iexplore.exe(2996) Parent:NA(2984) Start:2015-10-09 11:31:27 UTC+0000

Suspicious Memory Regions:
        0x771c0000(No PE/Possibly Code)  Protection: PAGE_EXECUTE_WRITECOPY  Tag: Vad 
---------------------------------------------------

Hollowed Process Information:
        Process: smss.exe PID: 276
        Parent Process: System PPID: 4
        Creation Time: 2015-10-09 11:30:44 UTC+0000
        Process Base Name(PEB): smss.exe
        Command Line(PEB): \SystemRoot\System32\smss.exe
        Hollow Type: No VAD Entry For Process Executable

VAD and PEB Comparison:
        Base Address(VAD): 0x0
        Process Path(VAD): NA
        Vad Protection: NA
        Vad Tag: NA

        Base Address(PEB): 0x48010000
        Process Path(PEB): \SystemRoot\System32\smss.exe
        Memory Protection: PAGE_EXECUTE_WRITECOPY
        Memory Tag: Vad 

        No Hexdump: Memory Unreadable at 0x48010000

Similar Processes:
        smss.exe(276) Parent:System(4) Start:2015-10-09 11:30:44 UTC+0000

Suspicious Memory Regions:
        0x771c0000(No PE/Possibly Code)  Protection: PAGE_EXECUTE_WRITECOPY  Tag: Vad 
---------------------------------------------------

Hollowed Process Information:
        Process: msdtc.exe PID: 1980
        Parent Process: services.exe PPID: 528
        Creation Time: 2015-10-09 11:30:55 UTC+0000
        Process Base Name(PEB): msdtc.exe
        Command Line(PEB): C:\Windows\System32\msdtc.exe
        Hollow Type: No VAD Entry For Process Executable

VAD and PEB Comparison:
        Base Address(VAD): 0x0
        Process Path(VAD): NA
        Vad Protection: NA
        Vad Tag: NA

        Base Address(PEB): 0xb40000
        Process Path(PEB): C:\Windows\System32\msdtc.exe
        Memory Protection: PAGE_EXECUTE_WRITECOPY
        Memory Tag: Vad 

        No Hexdump: Memory Unreadable at 0x00b40000

Similar Processes:
        msdtc.exe(1980) Parent:services.exe(528) Start:2015-10-09 11:30:55 UTC+0000

Suspicious Memory Regions:
        0x771c0000(No PE/Possibly Code)  Protection: PAGE_EXECUTE_WRITECOPY  Tag: Vad 
---------------------------------------------------

There is one result in the list here that stands out from the rest. iexplore.exe, which is the Internet Explorer executable. The output notes: process base address and memory protection discrepancy, which after reading this article signaled to me I was on the right track.

Giving me the answer: PID 2996.

Question 5

Machine:Target1 What is the unique value the malware is using to maintain persistence after reboot?

Answer 5

When looking into malware maintaining persistence my first thought it looking into the registry keys. Going back to the VirusTotal results I can see that the malware sets the value MrRobot to be used on startup/reboot.

Question 6

Machine:Target1 Malware often uses a unique value or name to ensure that only one copy runs on the system. What is the unique name the malware is using?

Answer 6

Here I was looking for any type of mutated file name, one that would be different from the injected process from the previous question. There is a section on VirusTotal for this and it showed the following:

Instantly, fsociety0.dat stood out. There is another way of doing this, using Volatility. Using handles:

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 handles -p 2996 | grep Mutant
Volatility Foundation Volatility Framework 2.6.1
0x85c80238   2996       0x18   0x1f0001 Mutant           
0x8560f0c0   2996       0xa4   0x100000 Mutant           RasPbFile
0x85d1be20   2996       0xe4   0x1f0001 Mutant           
0x85d1bd90   2996       0xec   0x1f0001 Mutant           
0x85d11500   2996      0x118   0x1f0001 Mutant           
0x85d118d0   2996      0x124   0x1f0001 Mutant           
0x85d1b0f0   2996      0x14c   0x1f0001 Mutant           
0x85d11700   2996      0x150   0x1f0001 Mutant           fsociety0.dat
0x85c76b80   2996      0x36c   0x1f0001 Mutant           ZonesCounterMutex
0x85c73da8   2996      0x3ac   0x1f0001 Mutant           ZoneAttributeCacheCounterMutex
0x85c81270   2996      0x3b4   0x1f0001 Mutant           ZonesCacheCounterMutex
0x85c73da8   2996      0x3b8   0x1f0001 Mutant           ZoneAttributeCacheCounterMutex
0x85928fe0   2996      0x3bc   0x1f0001 Mutant           ZonesLockedCacheCounterMutex
0x83e99318   2996      0x588   0x1f0001 Mutant           
0x83fc4450   2996      0x5b4   0x1f0001 Mutant           TeamViewerHooks_LogBuffer
0x84016860   2996      0x5b8   0x1f0001 Mutant           TeamViewerHooks_Mutex4
0x84009200   2996      0x5bc   0x1f0001 Mutant           TeamViewerHooks_Mutex1
0x8402ca90   2996      0x5c4   0x1f0001 Mutant           TeamViewerHooks_Mutex5
0x84015b98   2996      0x5d4   0x1f0001 Mutant           TeamViewerHooks_DynamicMemMutex
0x84015b38   2996      0x5d8   0x1f0001 Mutant           TeamViewerHooks_DirectXBufferMutex

Question 7

Machine:Target1 It appears that a notorious hacker compromised this box before our current attackers. Name the movie he or she is from.

Answer 7

The easiest way I have found when looking for usernames in a system image, is using the following command:

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 filescan | grep User

Using grep to only grab entries with User in them, means that you are likely to uncover file structures for each user on the system.

\Device\HarddiskVolume2\Users\zerocool\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini

Question 8

Machine:Target1 What is the NTLM password hash for the administrator account?

Answer 8

This one took quite a bit of doing. I had never installed the Crypto.hash plugin for Volatility before. But after smashing my head against my desk for 20 mins, I found THIS to be the solution to getting it working.

Now on with the question at hand. Using the hashdump plugin, I got the following output:

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 hashdump 
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:79402b7671c317877b8b954b3311fa82:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
front-desk:1000:aad3b435b51404eeaad3b435b51404ee:2ae4c526659523d58350e4d70107fc11:::

Question 9

Machine:Target1 The attackers appear to have moved over some tools to the compromised front desk host. How many tools did the attacker move?

Answer 9

Checking the Windows Temp folder location is always a good start:

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 filescan | grep '\\Windows\\Temp\\'
Volatility Foundation Volatility Framework 2.6.1
0x000000003df31038      8      0 R--r-- \Device\HarddiskVolume2\Windows\Temp\wce.exe
0x000000003e1eee10      7      0 R--r-d \Device\HarddiskVolume2\Windows\Temp\getlsasrvaddr.exe
0x000000003e25eca8      5      0 R--r-d \Device\HarddiskVolume2\Windows\Temp\wce.exe
0x000000003eca37f8      8      0 -W-r-- \Device\HarddiskVolume2\Windows\Temp\w.tmp
0x000000003fa633f0      1      0 R--rw- \Device\HarddiskVolume2\Windows\Temp\Rar.exe
0x000000003fc3fb80      6      0 R--r-d \Device\HarddiskVolume2\Windows\Temp\nbtscan.exe
0x000000003fc5af80      7      0 R--r-d \Device\HarddiskVolume2\Windows\Temp\Rar.exe
0x000000003fcaa598      8      0 -W-rw- \Device\HarddiskVolume2\Windows\Temp\MpCmdRun.log
0x000000003fdb7808      8      0 -W-r-- \Device\HarddiskVolume2\Windows\Temp\nbs.txt
0x000000003fdd4ca0      7      0 R--r-- \Device\HarddiskVolume2\Windows\Temp\nbtscan.exe

A few .exe files here. After looking up each of them individually, I narrowed it down to the following:

wce.exe
getlsasrvaddr.exe
nbtscan.exe
Rar.exe

wce.exe, is a windows credential editor which can add, change, list and delete associated credentials. Suspicious.

getlsasrvaddr.exe, is bundled with wce.exe, that automatiaclly obtains needed addresses for wce.exe. Suspicious.

nbtscan.exe is a NETBIOS nameserver scanner for local or remote TCP/IP connections. Suspicious.

Rar.exe, I am not sure. A little research maybe hinted at WinRar? The answer in the end was 3. So it either counted Rar.exe, or didn’t and had getlsasrvaddr.exe as a separate program. Pretty sure its the latter.

Question 10

Machine:Target1 What is the password for the front desk local administrator account?

Answer 10

First of all I need to grab the password hashes once again.

└─$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 hashdump 
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:79402b7671c317877b8b954b3311fa82:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
front-desk:1000:aad3b435b51404eeaad3b435b51404ee:2ae4c526659523d58350e4d70107fc11:::

Then using a simple online tool I am able to grab the password:

Question 11

Machine:Target1 What is the std create data timestamp for the nbtscan.exe tool?

Answer 11

First I tried dumping the files and uploading them to VirusTotal to get a timestamp, which is normally quite reliable. It was created back in 2008, but this turned out not to be the answer.

So next I tried the timeliner plugin to see if it appears there. I made a note about this, but make sure you are piping in grep to grab specific results.

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 timeliner | grep nbtscan
Volatility Foundation Volatility Framework 2.6.1
2015-10-09 10:45:12 UTC+0000|[SHIMCACHE]| \??\C:\Windows\Temp\nbtscan.exe|

The question meant what time it was created on the system. Not when the file was first created.

Question 12

Machine:Target1 The attackers appear to have stored the output from the nbtscan.exe tool in a text file on a disk called nbs.txt. What is the IP address of the first machine in that file?

Answer 12

A pretty simple task, first make sure the file exists and grab its memory location, then dump the file.

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 filescan | grep nbs.txt    
Volatility Foundation Volatility Framework 2.6.1
0x000000003fdb7808      8      0 -W-r-- \Device\HarddiskVolume2\Windows\Temp\nbs.txt

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 dumpfiles --dump-dir dump/files -Q 0x000000003fdb7808
Volatility Foundation Volatility Framework 2.6.1
DataSectionObject 0x3fdb7808   None   \Device\HarddiskVolume2\Windows\Temp\nbs.txt

Once I had the .dat file, I copied the contents and threw it into CyberChef and used the From Hex function to get a human readable output.

Question 13

Machine:Target1 What is the full IP address and the port was the attacker’s malware using?

Answer 13

Knowing the malicious PID for iexplore.exe was 2996. A simple netscan told me all I needed to know:

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 netscan | grep 2996
Volatility Foundation Volatility Framework 2.6.1
0x3e0eedf8         TCPv4    10.1.1.20:49205                180.76.254.120:22    ESTABLISHED      2996     iexplore.exe

Question 14

Machine:Target1 It appears the attacker also installed legit remote administration software. What is the name of the running process?

Answer 14

I had seen this name crop up a few times during different questions, but using pstree I was able to find its PID and other information about it.

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 pstree | grep TeamViewer 
Volatility Foundation Volatility Framework 2.6.1
 0x84013598:TeamViewer.exe                           2680   1696     28    632 2015-10-09 12:08:46 UTC+0000
. 0x858bc278:TeamViewer_Des                          1092   2680     16    405 2015-10-09 12:10:56 UTC+0000

Question 15

Machine:Target1 It appears the attackers also used a built-in remote access method. What IP address did they connect to?

Answer 15

I know of a couple remote access methods that are built into Windows, one of which is Remote Desktop Connection, (RDP). An .exe file it uses is mstsc.exe, which shows up in the netscan results.

$ python2 vol.py -f dump/target1.vmss --profile=Win7SP1x86_23418 netscan | grep mstsc
Volatility Foundation Volatility Framework 2.6.1
0x3fb7a560         TCPv4    10.1.1.20:49301                10.1.1.21:3389       ESTABLISHED      2844     mstsc.exe

Question 16

Machine:Target2 It appears the attacker moved latterly from the front desk machine to the security admins (Gideon) machine and dumped the passwords. What is Gideon’s password?

Answer 16

So I had to reread this question, this isn’t the passwords that I have gotten in the past from using hashdump, this is the attackers dumping them into a file somewhere.

I tried cmdscan and the following output caught my interest:

Cmd #0 at 0xe6030: cd C:\Users
Cmd #1 at 0xe6ea8: dir
Cmd #2 at 0xee3d0: wce.exe -w > gideon/w.tmp

Knowing wce.exe was used to grab passwords and such this was obviously the attacker placing its dumped results into a file called w.tmp. So next I used filescan to grab the memory location and extract the file.

Question 17

Machine:Target2 Once the attacker gained access to “Gideon,” they pivoted to the AllSafeCyberSec domain controller to steal files. It appears they were successful. What password did they use?

Answer 17

I had the answer to this one looking at me in the face, however I was unfamiliar with WinRar’s switches and commands.

$ python2 vol.py -f dump/target2.vmss --profile=Win7SP1x86_23418 consoles

CommandHistory: 0xe9198 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 18 LastAdded: 17 LastDisplayed: 17
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x60
Cmd #0 at 0xe6030: cd C:\Users
Cmd #1 at 0xe6ea8: dir
Cmd #2 at 0xee3d0: wce.exe -w > gideon/w.tmp
Cmd #3 at 0xe0170: who ami
Cmd #4 at 0xe0188: whoami
Cmd #5 at 0xea3c8: net use z: \\10.1.1.2\c$
Cmd #6 at 0xe01b8: cd z:
Cmd #7 at 0xe6ed8: dir
Cmd #8 at 0xe6070: cd gideon
Cmd #9 at 0xe6ef8: dir
Cmd #10 at 0xe6f08: z:
Cmd #11 at 0xe6f18: dir
Cmd #12 at 0xf2418: copy c:\users\gideon\rar.exe z:\crownjewels
Cmd #13 at 0xe0cb8: cd crownjewels
Cmd #14 at 0xe6f28: dir
Cmd #15 at 0xe6f38: rar
Cmd #16 at 0xf2478: rar crownjewlez.rar *.txt -hp123qwe!@#
Cmd #17 at 0xf24d0: rar a -hp123!@#qwe crownjewlez.rar *.txt

So the above is the output from the consoles command, minus the unwanted stuff. Cmd line 16 creates the rar archive and sets the password.

Question 18

Machine:Target2 What was the name of the RAR file created by the attackers?

Answer 18

The code in the previous question lays out the answer for this one.

Question 19

Machine:Target2 How many files did the attacker add to the RAR archive?

Answer 19

This was a tough question. Knowing they used a wildcard to add all text files to the rar file wasn’t enough. Using memdump I got the memory from cmd.exe, the using the linux strings ultility I turned the .dmp file into a .txt. This however didn’t give me anything usable, it turns out you need some encoding when using strings. I used the following:

$ strings -el 3048.dmp > 3048.txt 

$ cat 3048.txt | grep '\\crownjewels\\'| grep ".txt"
\crownjewels\SecretSauce2.txt
\crownjewels\SecretSauce1.txt
\crownjewels\SecretSauce3.txt

Giving me the answer I was looking for.

Question 20

Machine:Target2 The attacker appears to have created a scheduled task on Gideon’s machine. What is the name of the file associated with the scheduled task?

Answer 20

My first port of call was to check the /Tasks/ folder in the Windows directory. While the output was quite large, there was one file that stood out to me, At1.job. After a quick search online, I found that it had its own MITRE ATT&CK ID, that talks about scheduled tasks. So I decided to dump the file and use CyberChef to decode the output for anything of interest.

Instantly c:\users\gidon\1.ba stood out to me. The text seems to be cut off, so I found the files location:

$ python2 vol.py -f dump/target2.vmss --profile=Win7SP1x86_23418 filescan | grep '\\gideon\\'
Volatility Foundation Volatility Framework 2.6.1
0x000000003e027038      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Pictures\desktop.ini
0x000000003e1267a0      8      0 RWD--- \Device\HarddiskVolume2\Users\gideon\Rar.exe
0x000000003ec3d8e0      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Links\desktop.ini
0x000000003f427e50      8      0 RWD--- \Device\HarddiskVolume2\Users\gideon\1.bat
0x000000003fa57d98      8      0 RWD--- \Device\HarddiskVolume2\Users\gideon\wce.exe
0x000000003fb36be8      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Saved Games\desktop.ini
0x000000003fb5fda0      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Desktop\desktop.ini
0x000000003fb6ff80      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Documents\desktop.ini
0x000000003fb7bc38      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Contacts\desktop.ini
0x000000003fb906e0      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Music\desktop.ini
0x000000003fcaff50      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Favorites\desktop.ini
0x000000003fcf2798      8      0 -W-r-- \Device\HarddiskVolume2\Users\gideon\w.tmp
0x000000003fd05968      5      0 R--r-d \Device\HarddiskVolume2\Users\gideon\wce.exe
0x000000003fdba758      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Searches\desktop.ini
0x000000003fdbed38      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Videos\desktop.ini
0x000000003fdd4178      8      0 R--rwd \Device\HarddiskVolume2\Users\gideon\Downloads\desktop.ini

It’s real name was 1.bat, which made more sense. Then after dump that I could see it was the file I was looking for.

Question 21

Machine:POS What is the malware CNC’s server?

Answer 21

Knowing I am looking for any connections to do with iexplore.exe, a simple netscan gave me this:

$ python2 vol.py -f dump/pos.vmss --profile=Win7SP1x86_23418 netscan
0x3e135df8         TCPv4    10.1.1.10:58751                54.84.237.92:80      CLOSE_WAIT       3208     iexplore.exe

Question 22

Machine:POS What is the common name of the malware used to infect the POS system?

Answer 22

So for this I know I needed to dump the iexplore.exe file from before. I used Malfind to get the PID and then dumped it via Malfind.

$ python2 vol.py -f dump/pos.vmss --profile=Win7SP1x86_23418 malfind -p 3208 -D dump/files
Volatility Foundation Volatility Framework 2.6.1
Process: iexplore.exe Pid: 3208 Address: 0x50000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 11, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x0000000000050000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x0000000000050010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......
0x0000000000050020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x0000000000050030  00 00 00 00 00 00 00 00 00 00 00 00 d8 00 00 00   ................

0x0000000000050000 4d               DEC EBP
0x0000000000050001 5a               POP EDX
0x0000000000050002 90               NOP
0x0000000000050003 0003             ADD [EBX], AL
0x0000000000050005 0000             ADD [EAX], AL
0x0000000000050007 000400           ADD [EAX+EAX], AL
0x000000000005000a 0000             ADD [EAX], AL
0x000000000005000c ff               DB 0xff
0x000000000005000d ff00             INC DWORD [EAX]
0x000000000005000f 00b800000000     ADD [EAX+0x0], BH
0x0000000000050015 0000             ADD [EAX], AL
0x0000000000050017 004000           ADD [EAX+0x0], AL
0x000000000005001a 0000             ADD [EAX], AL
0x000000000005001c 0000             ADD [EAX], AL
0x000000000005001e 0000             ADD [EAX], AL
0x0000000000050020 0000             ADD [EAX], AL
0x0000000000050022 0000             ADD [EAX], AL
0x0000000000050024 0000             ADD [EAX], AL
0x0000000000050026 0000             ADD [EAX], AL
0x0000000000050028 0000             ADD [EAX], AL
0x000000000005002a 0000             ADD [EAX], AL
0x000000000005002c 0000             ADD [EAX], AL
0x000000000005002e 0000             ADD [EAX], AL
0x0000000000050030 0000             ADD [EAX], AL
0x0000000000050032 0000             ADD [EAX], AL
0x0000000000050034 0000             ADD [EAX], AL
0x0000000000050036 0000             ADD [EAX], AL
0x0000000000050038 0000             ADD [EAX], AL
0x000000000005003a 0000             ADD [EAX], AL
0x000000000005003c d800             FADD DWORD [EAX]
0x000000000005003e 0000             ADD [EAX], AL

Then I uploaded it to VirusTotal.

Question 23

Machine:POS In the POS malware whitelist. What application was specific to Allsafecybersec?

Answer 23

So after a little research, this was something that had never crossed my mind. Malware having build in whitelists/blacklists. In order not to disrupt processes on a system to avoid protection and also targeted binaries/files for specific victims. In this case, running strings on the malware gave me the following:

$ strings process.0x83f324d8.0x50000.dmp 
!This program cannot be run in DOS mode.
RichH
.text
.data
.idata
@.rsrc
@.reloc
allsafe_protector.exe
svchost.exe
iexplore.exe
explorer.exe

allsafe_protector.exe.

Question 24

Machine:POS What is the name of the file the malware was initially launched from?

Answer 24

I actually found this answer accidentally before I found the previous one, using strings on the malware for the first time, I used the -el command and it gave me this:

$ strings -el process.0x83f324d8.0x50000.dmp  
s%s\%s
%s\%s\%s.exe
\Internet Explorer\iexplore.exe
jjjjjjjjh
jjjj
jjjj
jjjj
jjjj
jjjh
Digit
.exe
tor.exe
C:\Program Files\Internet Explorer\iexplore.exe
8bc0f102-b56a-4de9-9832-137a2cf08295
C:\Users\pos\AppData\Roaming\kdcpr\kdcpr.exe
C:\Users\pos\Downloads\allsafe_update.exe

allsafe_update.exe in the downloads folder. Which could indicate the initial launch vector. I could have also used the iehistory plugin to find this:

$ python2 vol.py -f dump/pos.vmss --profile=Win7SP1x86_23418 iehistory
Process: 1836 explorer.exe
Cache type "URL " at 0x1db5600
Record length: 0x100
Location: :2015100920151010: pos@http://54.84.237.92/allsafe_update.exe
Last modified: 2015-10-09 08:35:57 UTC+0000
Last accessed: 2015-10-09 12:35:57 UTC+0000
File Offset: 0x100, Data Offset: 0x0, Data Length: 0x0
**************************************************
Process: 1836 explorer.exe
Cache type "DEST" at 0x510182b
Last modified: 2015-10-09 08:35:57 UTC+0000
Last accessed: 2015-10-09 12:35:58 UTC+0000
URL: pos@http://54.84.237.92/allsafe_update.exe
**************************************************
Process: 1836 explorer.exe
Cache type "DEST" at 0x5101b93
Last modified: 2015-10-09 08:35:57 UTC+0000
Last accessed: 2015-10-09 12:35:58 UTC+0000
URL: pos@http://54.84.237.92/allsafe_update.exe

The URLs match up with the C2 servers IP address. Meaning the allsafe_update.exe is the original malware.

This was a tough lab, I needed a couple of nudges in the right direction near the end of the lab. But overall I did learn a few things and it was a rewarding experience!

PreviousLGDroid Lab NextSysinternals Lab

Last updated 3 months ago

hashtagScenario

hashtagQuestion 1

hashtagAnswer 1

hashtagQuestion 2

hashtagAnswer 2

hashtagQuestion 3

hashtagAnswer 3

hashtagQuestion 4

hashtagAnswer 4

hashtagQuestion 5

hashtagAnswer 5

hashtagQuestion 6

hashtagAnswer 6

hashtagQuestion 7

hashtagAnswer 7

hashtagQuestion 8

hashtagAnswer 8

hashtagQuestion 9

hashtagAnswer 9

hashtagQuestion 10

hashtagAnswer 10

hashtagQuestion 11

hashtagAnswer 11

hashtagQuestion 12

hashtagAnswer 12

hashtagQuestion 13

hashtagAnswer 13

hashtagQuestion 14

hashtagAnswer 14

hashtagQuestion 15

hashtagAnswer 15

hashtagQuestion 16

hashtagAnswer 16

hashtagQuestion 17

hashtagAnswer 17

hashtagQuestion 18

hashtagAnswer 18

hashtagQuestion 19

hashtagAnswer 19

hashtagQuestion 20

hashtagAnswer 20

hashtagQuestion 21

hashtagAnswer 21

hashtagQuestion 22

hashtagAnswer 22

hashtagQuestion 23

hashtagAnswer 23

hashtagQuestion 24

hashtagAnswer 24