BRabbit Lab
CyberDefenders Threat Intel Lab
Scenario
You are an investigator assigned to assist Drumbo, a company that recently fell victim to a ransomware attack. The attack began when an employee received an email that appeared to be from the boss. It featured the company’s logo and a familiar email address. Believing the email was legitimate, the employee opened the attachment, which compromised the system and deployed ransomware, encrypting sensitive files. Your task is to investigate and analyze the artifacts to uncover information about the attacker.
Question 1
The phishing email used to deliver the malicious attachment showed several indicators of a potential social engineering attempt. Recognizing these indicators can help identify similar threats in the future. What is the suspicious email address that sent the attachment?
Answer 1
After downloading the files, there is a warning file that explains that the supplied sample is still live and should be handled with care. Removing the .eml extension from the end of the file and opening it in Sublime Text is how I will be finding most of the data.
Copying and pasting the contents from Sublime Text into an email header analyzer gives me a ton of information, including the email address where the email originated. It shows that the attacker was trying to trick the employee at Drumbo with an impostor email address that has a slight spelling variation.
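As an added example (not part of the original writeup), the check below does programmatically what the header analyzer showed by eye: it pulls the sender domain out of an .eml and compares a homoglyph-normalised form of it against the trusted domain, so "Drurnbo" ("rn" imitating "m") is flagged as a lookalike. The message is a constructed sample, not the lab's file.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message for this example (not the lab's actual .eml); the sender
# address is the impostor address the header analysis above recovered.
SAMPLE_EML = """\
From: "James Smith" <theceojamessmith@Drurnbo.com>
Reply-To: theceojamessmith@Drurnbo.com
To: employee@drumbo.com
Subject: Urgent: please review the attached invoice
Content-Type: text/plain

Please open the attachment today.
"""

# Letter pairs that read like another letter in many fonts, mapped to what they imitate.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

def skeleton(domain: str) -> str:
    """Collapse visually similar spellings so 'Drurnbo.com' and 'drumbo.com' compare equal."""
    d = domain.lower()
    for look, real in HOMOGLYPHS.items():
        d = d.replace(look, real)
    return d

def sender_domain(raw_eml: str, header: str = "From") -> str:
    """Domain part of the address in the given header ('' if the header has no address)."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    _, addr = parseaddr(msg.get(header, ""))
    return addr.rsplit("@", 1)[1] if "@" in addr else ""

def lookalike_verdict(raw_eml: str, trusted_domain: str) -> dict:
    """Flag a sender that is not the trusted domain but is indistinguishable from it by eye."""
    dom = sender_domain(raw_eml)
    exact = dom.lower() == trusted_domain.lower()
    mimic = not exact and skeleton(dom) == skeleton(trusted_domain)
    return {"sender_domain": dom, "exact_match": exact, "lookalike": mimic}
```

Run the same check against Reply-To and Return-Path as well, since a forged From header is often paired with a different reply address.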
theceojamessmith@Drurnbo.com
Question 2
The ransomware was identified as part of a known malware family. Determining its family name can provide critical insights into its behavior and remediation strategies. What is the family name of the ransomware identified during the investigation?
Answer 2
Uploading the file to VirusTotal gives me the family name: badrabbit.
Question 3
Upon execution, the ransomware dropped a file onto the compromised system to initiate its payload. Identifying this file is essential for understanding its infection process. What is the name of the first file dropped by the ransomware?
Answer 3
While I don’t have an any.run account, you can still search for reports that have been produced on known malware variants. In each of the reports you can find a variety of information, including the actual runtime analysis, which led me to the answer: infpub.dat.
Question 4
Inside the dropped file, the malware contained hardcoded artifacts, including usernames and passwords that could provide clues about its origins or configuration. What is the only person’s username found within the dropped file?
Answer 4
While I don’t have the file on hand, I can do some research online. Looking for other reports that have detailed the malware and the files it drops, I find a report by Google detailing a list of usernames that are embedded inside infpub.dat.
Leading to the answer: Alex.
Question 5
After execution, the ransomware communicated with a C2 server. Recognizing its communication techniques can assist in mitigation. What MITRE ATT&CK sub-technique describes the ransomware’s use of web protocols for sending and receiving data?
Answer 5
Here I was looking at the Command and Control section of the VirusTotal page, specifically the application layer protocol entry and its MITRE ID, T1071.
From here a quick look on the MITRE site gave me the web protocols sub-technique under T1071.
Question 6
Persistence mechanisms are a hallmark of sophisticated ransomware. Identifying how persistence was achieved can aid in recovery and prevention of reinfection. What is the MITRE ATT&CK Sub-Technique ID associated with the ransomware’s persistence technique?
Answer 6
There are many possible answers to this question; however, there is one rather common way that malware sets up persistence on a machine: scheduled tasks.
If malware is able to create one, it can be silently integrated into the system to run at set intervals or at boot, maintaining persistence on the infected machine.
Question 7
As part of its infection chain, the ransomware created specific tasks to ensure its continued operation. Recognizing these tasks is crucial for system restoration. What are the names of the tasks created by the ransomware during execution?
Answer 7
For this I was looking for specific commands that were executed using schtasks. I found 2 commands/processes created by the malware that reference schtasks:
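As an added example (not from the original writeup), here is a small triage script that parses schtasks /Create command lines such as the two quoted in this answer, pulls out the /TN, /RU, /SC, /ST and /TR values, and flags tasks that are not in a known baseline, run as SYSTEM, trigger at boot, or launch a living-off-the-land binary. The event records are constructed; only the two ransomware command lines are taken from the writeup, and the "BackupSync" task is a made-up benign control.

```python
import re

# Constructed sample process-creation records for this example. The first two command
# lines are the ones quoted in this writeup; pids and the third (benign) task are made up.
SAMPLE_EVENTS = [
    {"pid": 1234, "cmd": r'schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3898776970 && exit"'},
    {"pid": 1240, "cmd": r'schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 20:35:00'},
    {"pid": 2200, "cmd": r'schtasks /Create /SC DAILY /TN BackupSync /TR "C:\Program Files\Backup\sync.exe" /ST 02:00'},
    {"pid": 2310, "cmd": r'notepad.exe C:\Users\employee\notes.txt'},
]

CREATE_RE = re.compile(r'^\s*schtasks(?:\.exe)?\s+/create\b', re.IGNORECASE)
# A flag's value is either a double-quoted string (with \" escapes) or a single token.
FLAG_RE = re.compile(r'/(TN|RU|SC|ST|TR)\s+("(?:[^"\\]|\\.)*"|\S+)', re.IGNORECASE)
# Built-in binaries that are commonly used as the action of a malicious task.
LOLBINS = ("cmd.exe", "shutdown.exe", "powershell.exe", "rundll32.exe", "mshta.exe")

def parse_schtasks_create(cmdline: str):
    """Return {FLAG: value} for a 'schtasks /Create' command line, or None if it is not one."""
    if not CREATE_RE.match(cmdline):
        return None
    fields = {}
    for flag, value in FLAG_RE.findall(cmdline):
        fields[flag.upper()] = value[1:-1] if value.startswith('"') else value
    return fields

def triage(events, baseline_tasks):
    """Return [(task_name, [reasons])] for every task-creation event worth an analyst's look."""
    flagged = []
    for ev in events:
        f = parse_schtasks_create(ev["cmd"])
        if f is None:
            continue
        name, action = f.get("TN", ""), f.get("TR", "").lower()
        reasons = []
        if name not in baseline_tasks:
            reasons.append("task name not in baseline")
        if f.get("RU", "").upper() == "SYSTEM":
            reasons.append("runs as SYSTEM")
        if f.get("SC", "").upper() == "ONSTART":
            reasons.append("boot-time trigger (persistence)")
        if any(b in action for b in LOLBINS):
            reasons.append("action invokes a living-off-the-land binary")
        if reasons:
            flagged.append((name, reasons))
    return flagged
```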
schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 3898776970 && exit"
schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 20:35:00
After doing some research on how someone would use schtasks, I found that /TN stands for task name. The link above gave me all the information I needed to read the commands, thus giving me the answer:
rhaegal, drogon
Question 8
The malicious binary dispci.exe displayed a suspicious message upon execution, urging users to disable their defenses. This tactic aimed to evade detection and enable the ransomware’s full execution. What suspicious message was displayed in the Console upon executing this binary?
Answer 8
Again not having the file here was a bit of a pain, however searching for an any.run instance that had run dispci.exe before revealed the following string in a console window:
disable your anti-virus and anti-malware programs
Question 9
To modify the Master Boot Record (MBR) and encrypt the victim’s hard drive, the ransomware utilized a specific driver. Recognizing this driver is essential for understanding the encryption mechanism. What is the name of the driver used to encrypt the hard drive and modify the MBR?
Answer 9
The Google report once again helped me out, mentioning that the DiskCryptor driver was used by the malware.
Question 10
Attribution is key to understanding the threat landscape. The ransomware was tied to a known attack group through its tactics, techniques, and procedures (TTPs). What is the name of the threat actor responsible for this ransomware campaign?
Answer 10
The MITRE ATT&CK website is very helpful when looking for this type of information, listing the groups that have been known to use different strains of malware. In this instance it was Sandworm.
Question 11
The ransomware rendered the system unbootable by corrupting critical system components. Identifying the technique used provides insight into its destructive capabilities. What is the MITRE ATT&CK ID for the technique used to corrupt the system firmware and prevent booting?
Answer 11
On the same page as the question above, there is a list of techniques used by the malware, one of which is firmware corruption, T1495.