Ramnit Lab

CyberDefenders Endpoint Forensics Lab

Scenario

Our intrusion detection system has alerted us to suspicious behavior on a workstation, pointing to a likely malware intrusion. A memory dump of this system has been taken for analysis. Your task is to analyze this dump, trace the malware’s actions, and report key findings.

Question 1

What is the name of the process responsible for the suspicious activity?

Answer 1

Using the following command:

┌──(zero㉿kali)-[~/Documents/volatility3]
└─$ python3 vol.py -f memory.dmp windows.pstree

I extracted the process tree from the .dmp file. Near the bottom of the output, ChromeSetup.exe appears as a child process of explorer.exe. That on its own is a little odd: you don't expect what looks like an installer to run as soon as explorer opens. Coupled with the fact that it executed from the Downloads folder rather than a normal program location, it stands out. (Anything a user launches from the shell shows up as a child of explorer.exe, so the parent alone proves nothing; it is the combination of the parent, the Downloads path and the installer-looking name that makes this process worth pulling on.)

Question 2

What is the exact path of the executable for the malicious process?

Answer 2

The same pstree output also lists the executable's path:

Question 3

Identifying network connections is crucial for understanding the malware’s communication strategy. What IP address did the malware attempt to connect to?

Answer 3

Using the following command:

┌──(zero㉿kali)-[~/Documents/volatility3]
└─$ python3 vol.py -f memory.dmp windows.netscan

I listed the inbound and outbound connections still recorded in memory. Filtering the output for ChromeSetup.exe (the Owner column, matched against the PID from the process tree) showed an outbound connection to 58.64.204.181.
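The triage logic from Questions 1 to 3 (installer-looking process launched from a Downloads folder, then the remote endpoints that PID owns) can be scripted over the JSON that Volatility 3 emits with `-r json`. The block below is an added example, not part of the original writeup or of Volatility itself. All records in it are constructed sample data: the PIDs, offsets, the user name in the path and the destination port are made up, and the tree only reproduces the keys the checks use (`PID`, `PPID`, `ImageFileName`, `Path`, `__children` for pstree; `PID`, `Owner`, `ForeignAddr`, `ForeignPort` for netscan).

```python
"""Triage helpers over Volatility 3 JSON output (added example, constructed data).

Feeds records shaped like `vol.py -r json -f memory.dmp windows.pstree` and
`vol.py -r json -f memory.dmp windows.netscan` into two checks: processes whose
image lives under a user's Downloads folder, and the remote peers those PIDs
own.  Every record below is made up; none of it is the lab's real output.
"""
import re
from typing import Dict, Iterable, List

# Constructed stand-in for the pstree JSON tree.  The JSON renderer nests
# children under "__children"; only the keys used below are reproduced.
PSTREE = [
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "Path": "", "__children": [
        {"PID": 312, "PPID": 4, "ImageFileName": "smss.exe",
         "Path": "\\SystemRoot\\System32\\smss.exe", "__children": []},
    ]},
    {"PID": 1480, "PPID": 1416, "ImageFileName": "explorer.exe",
     "Path": "C:\\Windows\\explorer.exe", "__children": [
        {"PID": 2904, "PPID": 1480, "ImageFileName": "ChromeSetup.exe",
         "Path": "C:\\Users\\analyst\\Downloads\\ChromeSetup.exe", "__children": []},
        {"PID": 3120, "PPID": 1480, "ImageFileName": "notepad.exe",
         "Path": "C:\\Windows\\System32\\notepad.exe", "__children": []},
    ]},
]

# Constructed stand-in for netscan JSON records (flat list).  The port is made up.
NETSCAN = [
    {"Proto": "TCPv4", "LocalAddr": "10.0.2.15", "LocalPort": 49712,
     "ForeignAddr": "58.64.204.181", "ForeignPort": 443, "State": "ESTABLISHED",
     "PID": 2904, "Owner": "ChromeSetup.exe"},
    {"Proto": "TCPv4", "LocalAddr": "0.0.0.0", "LocalPort": 135,
     "ForeignAddr": "0.0.0.0", "ForeignPort": 0, "State": "LISTENING",
     "PID": 868, "Owner": "svchost.exe"},
]

# Matches <drive>:\Users\<name>\Downloads\... (case-insensitive, either slash).
DOWNLOADS_RE = re.compile(r"^[a-z]:[\\/]users[\\/][^\\/]+[\\/]downloads[\\/]", re.I)


def flatten(tree: Iterable[dict]) -> List[dict]:
    """Depth-first walk of the pstree tree into a flat list (children key removed)."""
    out = []
    for node in tree:
        out.append({k: v for k, v in node.items() if k != "__children"})
        out.extend(flatten(node.get("__children", [])))
    return out


def suspicious_processes(tree: Iterable[dict]) -> List[dict]:
    """Processes whose on-disk image lives under a user's Downloads folder."""
    return [p for p in flatten(tree) if DOWNLOADS_RE.match(p.get("Path") or "")]


def connections_for(pids: Iterable[int], netscan: Iterable[dict]) -> List[dict]:
    """netscan records owned by the given PIDs that point at a real remote peer."""
    wanted = set(pids)
    return [c for c in netscan
            if c["PID"] in wanted and c["ForeignAddr"] not in ("0.0.0.0", "::", "*")]


def triage(tree: Iterable[dict], netscan: Iterable[dict]) -> Dict[int, dict]:
    """Map each suspicious PID to its name, path, parent image name and remote peers."""
    by_pid = {p["PID"]: p for p in flatten(tree)}
    report = {}
    for p in suspicious_processes(tree):
        parent = by_pid.get(p["PPID"], {}).get("ImageFileName", "?")
        peers = sorted({f'{c["ForeignAddr"]}:{c["ForeignPort"]}'
                        for c in connections_for([p["PID"]], netscan)})
        report[p["PID"]] = {"name": p["ImageFileName"], "path": p["Path"],
                            "parent": parent, "peers": peers}
    return report


if __name__ == "__main__":
    for pid, info in triage(PSTREE, NETSCAN).items():
        print(pid, info["name"], "parent=" + info["parent"], info["path"], info["peers"])
```

To run it against a real dump, write `vol.py -r json -f memory.dmp windows.pstree` and `... windows.netscan` to files, `json.load` them and pass the results to `triage`. The join is done on PID rather than on the netscan Owner string, which is what you want when a malicious process has been renamed to mimic something benign.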

Question 4

To determine the specific geographical origin of the attack, which city is associated with the IP address the malware communicated with?

Answer 4

Using a basic IP geolocation website, the IP resolves to Hong Kong. Keep in mind that this is where the server the malware talked to is hosted, not necessarily where whoever operates it sits.

Question 5

Hashes serve as unique identifiers for files, assisting in the detection of similar threats across different machines. What is the SHA1 hash of the malware executable?

Answer 5

To obtain the hash of the malware, plus other details about it, I first dumped the files cached in memory for the malware's PID:

vol.py -f "/path/to/file" -o "/path/to/dir" windows.dumpfiles --pid <PID>

Once the files had been dumped, it was a simple search of the output directory for the .img file of the malware (dumpfiles writes the ImageSectionObject as .img and the DataSectionObject as .dat). Uploading it to VirusTotal gave me the answer. It is worth computing the SHA1 locally as well: a file rebuilt from cached pages can be incomplete if some pages were not resident, in which case its hash will not match the binary on disk.

Question 6

Examining the malware’s development timeline can provide insights into its deployment. What is the compilation timestamp for the malware?

Answer 6

Looking through the Details tab in VirusTotal gave me the answer: 2019-12-01 08:36. This value is the TimeDateStamp field of the PE header, so it is whatever the build tools wrote (or whatever was patched in afterwards); treat it as an indicator, not as proof of when the binary was really built.
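Both the SHA1 from Question 5 and the compilation timestamp from Question 6 can be read straight off the dumped .img file without a VirusTotal round trip, which also lets you check how complete the dump is. The block below is an added example, not code from the writeup, the lab or Volatility. SAMPLE_PE is a constructed 88-byte PE stub (DOS header, PE signature, COFF header) standing in for the real dumped file; its TimeDateStamp is set to the value the writeup reports so the conversion can be checked.

```python
"""Hash, compile timestamp and residency check on a dumped PE (added example).

Reads a PE file, reports its SHA1 (the value to look up on VirusTotal), pulls
IMAGE_FILE_HEADER.TimeDateStamp from the COFF header, and estimates how much
of a memory-carved dump was actually resident.  SAMPLE_PE is a constructed
stub, not the lab's binary.
"""
import hashlib
import struct
from datetime import datetime, timezone

PAGE = 4096


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def compile_timestamp(pe: bytes) -> int:
    """Return IMAGE_FILE_HEADER.TimeDateStamp (seconds since the Unix epoch)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE image")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)      # offset of the PE signature
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts, = struct.unpack_from("<I", pe, e_lfanew + 8)
    return ts


def timestamp_utc(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def resident_ratio(data: bytes) -> float:
    """Fraction of 4 KiB pages that are not entirely zero.

    windows.dumpfiles rebuilds a file from cached pages; pages that were not in
    memory come out as zeros, so a low ratio warns that the SHA1 of the dump
    will not match the on-disk file.
    """
    pages = [data[i:i + PAGE] for i in range(0, len(data), PAGE)]
    if not pages:
        return 0.0
    nonzero = sum(1 for p in pages if p.strip(b"\0"))
    return nonzero / len(pages)


def build_sample_pe(ts: int) -> bytes:
    """Constructed minimal PE: 64-byte DOS header + signature + 20-byte COFF header."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew: right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, ts, 0, 0, 0, 0x0022)
    return bytes(dos) + b"PE\0\0" + coff


SAMPLE_TS = 1575189360                                  # 2019-12-01 08:36:00 UTC, as in the writeup
SAMPLE_PE = build_sample_pe(SAMPLE_TS)                  # constructed stub, not the real sample


def report(pe: bytes) -> dict:
    ts = compile_timestamp(pe)
    return {"sha1": sha1_hex(pe), "timestamp": ts, "timestamp_utc": timestamp_utc(ts),
            "resident_ratio": round(resident_ratio(pe), 2)}


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    for k, v in report(data).items():
        print(f"{k}: {v}")
```

Run it as `python3 pe_report.py /path/to/dir/file.0x....ChromeSetup.exe.img` (the script name and path are placeholders). A resident ratio well below 1.0 means the dump has zero-filled holes, so a VirusTotal miss on its SHA1 does not mean the sample is unknown; look it up by the hash VirusTotal shows for the matching file, or carve the executable another way. A timestamp that is obviously wrong (far in the future, or a fixed value shared by many unrelated binaries) is a sign the field was forged or that a reproducible-build option replaced it with a hash.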

Question 7

Identifying the domains associated with this malware is crucial for blocking future malicious communications and detecting any ongoing interactions with those domains within our network. Can you provide the domain connected to the malware?

Answer 7

The Relations tab in VirusTotal lists the domains the sample was observed contacting, which is where the answer comes from. Cross-check the listed domains against the IP from Question 3 (the resolutions shown there) before adding them to a blocklist.

Lab complete!
