BlackEnergy Lab
CyberDefenders Memory Forensic Lab

Scenario
A multinational corporation has suffered a cyber attack, resulting in the theft of sensitive data. The attack employed a previously unseen variant of the BlackEnergy v2 malware. The company’s security team has obtained a memory dump from the infected machine and is seeking your expertise as a SOC analyst to analyze the dump in order to understand the scope and impact of the attack.
Question 1
Which volatility profile would be best for this machine?
Answer 1
This lab seems to have been written when volatility2 was still the current version of the software. I didn’t find the answer in the right format using volatility3, so I had to download the older version.
WinXPSP2x86
Question 2
How many processes were running when the image was acquired?
Answer 2
Hopping back into volatility3, I ran the windows.pslist command and got the following output:
Volatility 3 Framework 2.26.2
| PID | PPID | ImageFileName | Offset(V) | Threads | Handles | SessionId | Wow64 | CreateTime | ExitTime | File output
* | 4 | 0 | System | 0x89c037f8 | 55 | 245 | N/A | False | N/A | N/A | Disabled
* | 368 | 4 | smss.exe | 0x89965020 | 3 | 19 | N/A | False | 2023-02-14 04:54:15.000000 UTC | N/A | Disabled
* | 592 | 368 | csrss.exe | 0x89a98da0 | 11 | 321 | 0 | False | 2023-02-14 04:54:15.000000 UTC | N/A | Disabled
* | 616 | 368 | winlogon.exe | 0x89a88da0 | 18 | 508 | 0 | False | 2023-02-14 04:54:15.000000 UTC | N/A | Disabled
* | 660 | 616 | services.exe | 0x89938998 | 15 | 240 | 0 | False | 2023-02-14 04:54:15.000000 UTC | N/A | Disabled
* | 672 | 616 | lsass.exe | 0x89aa0020 | 21 | 335 | 0 | False | 2023-02-14 04:54:15.000000 UTC | N/A | Disabled
* | 832 | 660 | VBoxService.exe | 0x89aaa3d8 | 9 | 115 | 0 | False | 2023-02-14 04:54:15.000000 UTC | N/A | Disabled
* | 880 | 660 | svchost.exe | 0x89aab590 | 21 | 295 | 0 | False | 2023-02-13 17:54:16.000000 UTC | N/A | Disabled
* | 968 | 660 | svchost.exe | 0x89a9f6f8 | 10 | 244 | 0 | False | 2023-02-13 17:54:17.000000 UTC | N/A | Disabled
* | 1060 | 660 | svchost.exe | 0x89730da0 | 51 | 1072 | 0 | False | 2023-02-13 17:54:17.000000 UTC | N/A | Disabled
* | 1108 | 660 | svchost.exe | 0x897289a8 | 5 | 78 | 0 | False | 2023-02-13 17:54:17.000000 UTC | N/A | Disabled
* | 1156 | 660 | svchost.exe | 0x899adda0 | 13 | 192 | 0 | False | 2023-02-13 17:54:17.000000 UTC | N/A | Disabled
* | 1484 | 1440 | explorer.exe | 0x89733938 | 14 | 489 | 0 | False | 2023-02-13 17:54:18.000000 UTC | N/A | Disabled
* | 1608 | 660 | spoolsv.exe | 0x897075d0 | 10 | 106 | 0 | False | 2023-02-13 17:54:18.000000 UTC | N/A | Disabled
* | 480 | 1060 | wscntfy.exe | 0x89694388 | 1 | 28 | 0 | False | 2023-02-13 17:54:30.000000 UTC | N/A | Disabled
* | 540 | 660 | alg.exe | 0x8969d2a0 | 5 | 102 | 0 | False | 2023-02-13 17:54:30.000000 UTC | N/A | Disabled
* | 376 | 1484 | VBoxTray.exe | 0x89982da0 | 13 | 125 | 0 | False | 2023-02-13 17:54:30.000000 UTC | N/A | Disabled
* | 636 | 1484 | msmsgs.exe | 0x8994a020 | 2 | 157 | 0 | False | 2023-02-13 17:54:30.000000 UTC | N/A | Disabled
* | 1880 | 1484 | taskmgr.exe | 0x89a0b2f0 | 0 | - | 0 | False | 2023-02-13 18:25:15.000000 UTC | 2023-02-13 18:26:21.000000 UTC | Disabled
* | 964 | 1484 | rootkit.exe | 0x899dd740 | 0 | - | 0 | False | 2023-02-13 18:25:26.000000 UTC | 2023-02-13 18:25:26.000000 UTC | Disabled
* | 1960 | 964 | cmd.exe | 0x89a18da0 | 0 | - | 0 | False | 2023-02-13 18:25:26.000000 UTC | 2023-02-13 18:25:26.000000 UTC | Disabled
* | 528 | 1484 | notepad.exe | 0x896c5020 | 0 | - | 0 | False | 2023-02-13 18:26:55.000000 UTC | 2023-02-13 18:27:46.000000 UTC | Disabled
* | 1432 | 1484 | notepad.exe | 0x89a0d180 | 0 | - | 0 | False | 2023-02-13 18:28:25.000000 UTC | 2023-02-13 18:28:40.000000 UTC | Disabled
* | 1444 | 1484 | notepad.exe | 0x899e6da0 | 0 | - | 0 | False | 2023-02-13 18:28:42.000000 UTC | 2023-02-13 18:28:47.000000 UTC | Disabled
* | 276 | 1484 | DumpIt.exe | 0x89a0fda0 | 1 | 25 | 0 | False | 2023-02-13 18:29:08.000000 UTC | N/A | Disabled
Discounting the multiple entries of the same process, the total is 19.
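Counting a pslist table by eye is error-prone, so here is a small parser for Volatility 3's "pretty" renderer that tallies the rows above and separates the entries that carry an ExitTime (processes that had already terminated but whose _EPROCESS objects were still linked when the image was taken). This is an added example, not code from the lab or from the Volatility project; the only input is the pslist output shown above, copied verbatim.

```python
# Added example, not part of the lab or of Volatility: tally a
# `windows.pslist -r pretty` table programmatically instead of counting by hand.
from collections import Counter

# Rows copied from the pslist output above (Volatility 3 "pretty" renderer).
PSLIST_OUTPUT = """\
| PID | PPID | ImageFileName | Offset(V) | Threads | Handles | SessionId | Wow64 | CreateTime | ExitTime | File output
* | 4 | 0 | System | 0x89c037f8 | 55 | 245 | N/A | False | N/A | N/A | Disabled
* | 368 | 4 | smss.exe | 0x89965020 | 3 | 19 | N/A | False | 2023-02-14 04:54:15.000000 UTC | N/A | Disabled
* | 592 | 368 | csrss.exe | 0x89a98da0 | 11 | 321 | 0 | False | 2023-02-14 04:54:15.000000 UTC | N/A | Disabled
* | 616 | 368 | winlogon.exe | 0x89a88da0 | 18 | 508 | 0 | False | 2023-02-14 04:54:15.000000 UTC | N/A | Disabled
* | 660 | 616 | services.exe | 0x89938998 | 15 | 240 | 0 | False | 2023-02-14 04:54:15.000000 UTC | N/A | Disabled
* | 672 | 616 | lsass.exe | 0x89aa0020 | 21 | 335 | 0 | False | 2023-02-14 04:54:15.000000 UTC | N/A | Disabled
* | 832 | 660 | VBoxService.exe | 0x89aaa3d8 | 9 | 115 | 0 | False | 2023-02-14 04:54:15.000000 UTC | N/A | Disabled
* | 880 | 660 | svchost.exe | 0x89aab590 | 21 | 295 | 0 | False | 2023-02-13 17:54:16.000000 UTC | N/A | Disabled
* | 968 | 660 | svchost.exe | 0x89a9f6f8 | 10 | 244 | 0 | False | 2023-02-13 17:54:17.000000 UTC | N/A | Disabled
* | 1060 | 660 | svchost.exe | 0x89730da0 | 51 | 1072 | 0 | False | 2023-02-13 17:54:17.000000 UTC | N/A | Disabled
* | 1108 | 660 | svchost.exe | 0x897289a8 | 5 | 78 | 0 | False | 2023-02-13 17:54:17.000000 UTC | N/A | Disabled
* | 1156 | 660 | svchost.exe | 0x899adda0 | 13 | 192 | 0 | False | 2023-02-13 17:54:17.000000 UTC | N/A | Disabled
* | 1484 | 1440 | explorer.exe | 0x89733938 | 14 | 489 | 0 | False | 2023-02-13 17:54:18.000000 UTC | N/A | Disabled
* | 1608 | 660 | spoolsv.exe | 0x897075d0 | 10 | 106 | 0 | False | 2023-02-13 17:54:18.000000 UTC | N/A | Disabled
* | 480 | 1060 | wscntfy.exe | 0x89694388 | 1 | 28 | 0 | False | 2023-02-13 17:54:30.000000 UTC | N/A | Disabled
* | 540 | 660 | alg.exe | 0x8969d2a0 | 5 | 102 | 0 | False | 2023-02-13 17:54:30.000000 UTC | N/A | Disabled
* | 376 | 1484 | VBoxTray.exe | 0x89982da0 | 13 | 125 | 0 | False | 2023-02-13 17:54:30.000000 UTC | N/A | Disabled
* | 636 | 1484 | msmsgs.exe | 0x8994a020 | 2 | 157 | 0 | False | 2023-02-13 17:54:30.000000 UTC | N/A | Disabled
* | 1880 | 1484 | taskmgr.exe | 0x89a0b2f0 | 0 | - | 0 | False | 2023-02-13 18:25:15.000000 UTC | 2023-02-13 18:26:21.000000 UTC | Disabled
* | 964 | 1484 | rootkit.exe | 0x899dd740 | 0 | - | 0 | False | 2023-02-13 18:25:26.000000 UTC | 2023-02-13 18:25:26.000000 UTC | Disabled
* | 1960 | 964 | cmd.exe | 0x89a18da0 | 0 | - | 0 | False | 2023-02-13 18:25:26.000000 UTC | 2023-02-13 18:25:26.000000 UTC | Disabled
* | 528 | 1484 | notepad.exe | 0x896c5020 | 0 | - | 0 | False | 2023-02-13 18:26:55.000000 UTC | 2023-02-13 18:27:46.000000 UTC | Disabled
* | 1432 | 1484 | notepad.exe | 0x89a0d180 | 0 | - | 0 | False | 2023-02-13 18:28:25.000000 UTC | 2023-02-13 18:28:40.000000 UTC | Disabled
* | 1444 | 1484 | notepad.exe | 0x899e6da0 | 0 | - | 0 | False | 2023-02-13 18:28:42.000000 UTC | 2023-02-13 18:28:47.000000 UTC | Disabled
* | 276 | 1484 | DumpIt.exe | 0x89a0fda0 | 1 | 25 | 0 | False | 2023-02-13 18:29:08.000000 UTC | N/A | Disabled
"""


def parse_pretty_table(text):
    """Convert the pipe-delimited 'pretty' output into dicts keyed by column header."""
    lines = [ln for ln in text.splitlines() if "|" in ln]
    header = [c.strip() for c in lines[0].strip().strip("|").split("|")]
    rows = []
    for ln in lines[1:]:
        # Data rows start with a tree marker ("*") before the first pipe.
        cells = [c.strip() for c in ln.strip().lstrip("*").strip().strip("|").split("|")]
        rows.append(dict(zip(header, cells)))
    return rows


def count_processes(rows):
    """A row with an ExitTime is a process that had already exited but whose
    _EPROCESS object was still linked in the list when the image was acquired."""
    exited = sum(1 for r in rows if r["ExitTime"] != "N/A")
    return {"total": len(rows), "exited": exited, "running": len(rows) - exited}


def children_of(rows, ppid):
    """PIDs whose parent is `ppid`, in list order."""
    return [int(r["PID"]) for r in rows if int(r["PPID"]) == ppid]


def orphans(rows):
    """Processes whose parent PID is absent from the list (the parent already exited)."""
    pids = {int(r["PID"]) for r in rows}
    return [r["ImageFileName"] for r in rows
            if int(r["PPID"]) != 0 and int(r["PPID"]) not in pids]


def name_counts(rows):
    """How many times each image name appears (five svchost.exe instances is normal on XP)."""
    return Counter(r["ImageFileName"] for r in rows)


if __name__ == "__main__":
    procs = parse_pretty_table(PSLIST_OUTPUT)
    print(count_processes(procs))          # {'total': 25, 'exited': 6, 'running': 19}
    print(children_of(procs, 964))         # [1960]: cmd.exe was spawned by rootkit.exe
    print(orphans(procs))                  # ['explorer.exe']: its parent (userinit) is gone
    print(name_counts(procs).most_common(3))
```

The parent-child helper is the same question the lab asks later in a different form: cmd.exe (1960) is the only child of rootkit.exe (964), and both rows carry the same exit timestamp, which is consistent with a short-lived launcher.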
Question 3
What is the process ID of cmd.exe?
Answer 3
The output above provides the answer, 1960.
Question 4
What is the name of the most suspicious process?
Answer 4
Very rarely have I seen a piece of malware be called something this suspicious:
* | 964 | 1484 | rootkit.exe
Question 5
Which process shows the highest likelihood of code injection?
Answer 5
Using the windows.malfind plugin I was able to narrow down my search for anything suspicious. The following output stood out:
* | 880 | svchost.exe | 0x980000 | 0x988fff | VadS | PAGE_EXECUTE_READWRITE | 9 | 1 | Disabled | MZ header | |
| | | | | | | | | | | 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............. |
| | | | | | | | | | | b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@....... |
| | | | | | | | | | | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ |
| | | | | | | | | | | 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 ................ |
I had to look up what an MZ header was. It turns out to be the two-byte magic at the start of a Windows Portable Executable (PE) file, and finding one in a private, writable and executable memory region that is not backed by a file on disk is an indicator of code injection: the attacker is using a legitimate process to hide something.
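To make the "MZ header" finding concrete, the following added example (not code from the lab or from Volatility) rebuilds the 64 bytes that malfind printed for the PID 880 region and reads them as an IMAGE_DOS_HEADER. The region protection and VAD tag used in the triage function are the values from the malfind row above; everything else is constructed here.

```python
# Added example, not from the lab or from Volatility: rebuild the bytes that
# malfind printed for the PID 880 region and check whether they begin a PE image.
import struct

# The four hexdump rows shown above for svchost.exe (PID 880), region 0x980000-0x988fff.
MALFIND_HEXDUMP = """\
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 ................
"""

HEXDIGITS = set("0123456789abcdef")


def hexdump_to_bytes(dump):
    """Collect the two-character hex tokens of each row; the trailing ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        tokens = [t for t in line.split() if len(t) == 2 and set(t) <= HEXDIGITS]
        out.extend(int(t, 16) for t in tokens[:16])
    return bytes(out)


def inspect_dos_header(buf):
    """Fields of IMAGE_DOS_HEADER that can be read from the first 64 bytes."""
    info = {"mz": buf[:2] == b"MZ", "e_lfanew": None}
    if info["mz"] and len(buf) >= 0x40:
        # e_lfanew (offset 0x3c) is the offset of the "PE\0\0" signature that follows the DOS stub.
        info["e_lfanew"] = struct.unpack_from("<I", buf, 0x3C)[0]
    return info


def is_suspect_region(protection, vad_tag, buf):
    """malfind-style triage: private (VadS) memory that is both writable and executable
    and starts with a DOS header has no file-backed reason to exist."""
    return (protection == "PAGE_EXECUTE_READWRITE"
            and vad_tag == "VadS"
            and inspect_dos_header(buf)["mz"])


if __name__ == "__main__":
    region = hexdump_to_bytes(MALFIND_HEXDUMP)
    print(inspect_dos_header(region))                                   # {'mz': True, 'e_lfanew': 248}
    print(is_suspect_region("PAGE_EXECUTE_READWRITE", "VadS", region))  # True
```

The e_lfanew value of 0xf8 points past the 64 bytes malfind shows, so confirming the image means dumping the whole region and checking for the "PE\0\0" signature at that offset. Two caveats for triage: JIT engines and some packers also create private RWX regions, and position-independent shellcode carries no MZ header at all, so this check can both flag benign memory and miss injected code; the handles and loaded-module checks that follow are how the finding gets corroborated.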
Question 6
There is an odd file referenced in the recent process. Provide the full path of that file.
Answer 6
Using the following command:
./vol.py -r pretty -f dump/file.raw windows.handles --pid 880
I was able to find a suspicious file that could be used for persistence.

Question 7
What is the name of the injected DLL file loaded from the recent process?
Answer 7
I needed to use a command that I had not used before, windows.ldrmodules, which lists the .dll files that have been loaded by a process.
┌──(zero㉿kali)-[~/Documents/volatility3]
└─$ ./vol.py -r pretty -f dump/file.raw windows.ldrmodules.LdrModules --pid 880
The output gave me a clear answer: the only .dll file that wasn’t loaded or in memory at the time of the dump, msxml3r.dll.
* | 880 | svchost.exe | 0x670000 | True | True | True | \WINDOWS\system32\xpsp2res.dll
* | 880 | svchost.exe | 0x980000 | False | False | False | N/A
* | 880 | svchost.exe | 0x9a0000 | False | False | False | \WINDOWS\system32\msxml3r.dll
* | 880 | svchost.exe | 0x5ad70000 | True | True | True | \WINDOWS\system32\uxtheme.dll
Question 8
What is the base address of the injected DLL?
Answer 8
From the above output, the base addresses are in the third column. The suspicious .dll file takes up two different addresses, 0x980000 and 0x9a0000. I started with the former.
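The ldrmodules check in Answer 7 and the base addresses in Answer 8 come from the same three-list comparison, so here it is written out once: a module the VAD maps but that is missing from the PEB's load, init or memory-order lists was either never registered with the loader or has been unlinked. This is an added example, not code from the lab or from Volatility; the rows are the four shown above, and the column names InLoad, InInit, InMem and MappedPath are the plugin's usual headers as I know them (the page shows the values without a header line).

```python
# Added example, not from the lab or from Volatility: cross-check the three PEB
# module lists that windows.ldrmodules reports for PID 880 and rank the bases
# an analyst should look at first.

# Rows copied from the ldrmodules output above. Column order as printed:
# Pid, Process, Base, InLoad, InInit, InMem, MappedPath (names assumed from the plugin).
LDRMODULES_OUTPUT = r"""
* | 880 | svchost.exe | 0x670000 | True | True | True | \WINDOWS\system32\xpsp2res.dll
* | 880 | svchost.exe | 0x980000 | False | False | False | N/A
* | 880 | svchost.exe | 0x9a0000 | False | False | False | \WINDOWS\system32\msxml3r.dll
* | 880 | svchost.exe | 0x5ad70000 | True | True | True | \WINDOWS\system32\uxtheme.dll
"""

LISTS = ("InLoad", "InInit", "InMem")


def parse_ldrmodules(text):
    """One dict per row; the three list-membership columns become booleans."""
    rows = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        cells = [c.strip() for c in line.strip().lstrip("*").split("|")[1:]]
        pid, proc, base, inload, ininit, inmem, path = cells
        rows.append({"pid": int(pid), "process": proc, "base": int(base, 16),
                     "InLoad": inload == "True", "InInit": ininit == "True",
                     "InMem": inmem == "True", "path": path})
    return rows


def triage(rows):
    """Return the mapped modules that are missing from at least one PEB list,
    with a short reason, lowest base address first."""
    findings = []
    for r in rows:
        missing = [name for name in LISTS if not r[name]]
        if not missing:
            continue                      # present in all three lists: loaded normally
        if r["path"] == "N/A":
            reason = "no file backing"    # the VAD has no mapped file for this region
        elif len(missing) == len(LISTS):
            reason = "unlinked from every PEB list"
        else:
            reason = "missing from " + ", ".join(missing)
        findings.append({"base": r["base"], "path": r["path"], "reason": reason})
    return sorted(findings, key=lambda f: f["base"])


if __name__ == "__main__":
    for f in triage(parse_ldrmodules(LDRMODULES_OUTPUT)):
        print(f"{f['base']:#x}  {f['path']}  ({f['reason']})")
    # 0x980000  N/A  (no file backing)
    # 0x9a0000  \WINDOWS\system32\msxml3r.dll  (unlinked from every PEB list)
```

Treat the output as a triage list rather than a verdict: a process's own executable is normally absent from the InInit list, so a single missing flag is not by itself evidence of tampering, whereas a region that is missing from all three lists, or that has no file path at all, is the case worth dumping and examining.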
