Leak Society - The Home Of Nulled Resources.
Challenges
Thread Owner : QueenStrike, Category : General Hacking, 3 Comments, 1128 Reads
Member
***
92
Messages
6
Threads
0
Rep
4 Years of Service
06-06-2021, 01:22 AM
#1
The 1st challenge is being changed: unfortunately the memory image (Banking Troubles) is no longer downloadable. The memory image will now be Cridex. If you already did "Banking Troubles", go ahead and post that, or you are welcome to work on the Cridex image. Cridex is a banking malware, so we are keeping the same overall theme as the original "Banking Troubles".



Are you interested in hacking? Maybe forensics? Maybe reverse engineering or exploit development? Well I plan on having a few challenges in all these things.
--------------------------------------------------------------------------------------------

This is a Digital Forensics Incident Response Challenge; you don't need anything fancy, a VM running Ubuntu with Volatility/Foremost and very few other tools will suffice. Personally I will probably do this all on an Ubuntu machine and move to a Windows machine for malware analysis; you can use online malware analysis platforms if you don't feel like spinning up a FLARE VM. Let's set a date for submissions on or by June 16.

If you are new to memory forensics and incident response, don't be scared; you are free to ask questions here and I will respond. Let's get out of our comfort zones and do some learning.

Scenario:

You have been contacted by your boss; it seems that one of the larger clients of the company you work for has been compromised. They are having issues when trying to access their banking institution. Find out what's going on; your report should have answers to the questions below.

Memory Image :


https://github.com/volatilityfoundation/...ry-Samples  Malware-Cridex (working, ~38 MB)


Challenges:

1) Identify the OS of the memory dump
2) List all processes
3) List open sockets
4) URLs
5) Suspicious URLs
6) Extract the malware (extra)
7) Analyze the malware/Exploit (extra)
8) Suspicious files
9) Are there any registry entries which may enable persistence? Other IOCs?


Important Links/Resources

https://github.com/volatilityfoundation/volatility/wiki


Edit: Once again I apologize that the original HoneyNet image is not downloadable. The Cridex image is, and I got a copy; it probably helps if I get the images before posting, but my weekend is when I do the challenges.
06-11-2021, 01:28 AM
#2
Executive Summary:

COMPUTERNAME: ACCOUNTING12 was compromised using Cridex banking software under user “Robert” (APPDATA C:\Documents and Settings\Robert\Application Data). As part of the investigation, malware was extracted and analysed to build IOCs (Indicators of Compromise), which are listed at the end of the report. It is strongly recommended that all systems are patched and that rules are added to the firewall to block traffic from the C2 servers indicated below in the IOCs. Furthermore, integrating Microsoft's Sysinternals “Sysmon” (or BlackIce) with EDR logging, in addition to robust network communications logging, can further clarify in the future whether this is a one-off incident or part of a larger targeted attack.



1) Identify the OS of the memory dump


volatility -f cridex.vmem imageinfo

Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)


2) List all processes

volatility -f cridex.vmem pslist
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2012-07-22 02:42:31 UTC+0000
0x822a0598 csrss.exe               584    368      9      326      0      0 2012-07-22 02:42:32 UTC+0000
0x82298700 winlogon.exe            608    368     23      519      0      0 2012-07-22 02:42:32 UTC+0000
0x81e2ab28 services.exe            652    608     16      243      0      0 2012-07-22 02:42:32 UTC+0000
0x81e2a3b8 lsass.exe               664    608     24      330      0      0 2012-07-22 02:42:32 UTC+0000
0x82311360 svchost.exe             824    652     20      194      0      0 2012-07-22 02:42:33 UTC+0000
0x81e29ab8 svchost.exe             908    652      9      226      0      0 2012-07-22 02:42:33 UTC+0000
0x823001d0 svchost.exe            1004    652     64     1118      0      0 2012-07-22 02:42:33 UTC+0000
0x821dfda0 svchost.exe            1056    652      5       60      0      0 2012-07-22 02:42:33 UTC+0000
0x82295650 svchost.exe            1220    652     15      197      0      0 2012-07-22 02:42:35 UTC+0000
0x821dea70 explorer.exe           1484   1464     17      415      0      0 2012-07-22 02:42:36 UTC+0000
0x81eb17b8 spoolsv.exe            1512    652     14      113      0      0 2012-07-22 02:42:36 UTC+0000
0x81e7bda0 reader_sl.exe          1640   1484      5       39      0      0 2012-07-22 02:42:36 UTC+0000
0x820e8da0 alg.exe                 788    652      7      104      0      0 2012-07-22 02:43:01 UTC+0000
0x821fcda0 wuauclt.exe            1136   1004      8      173      0      0 2012-07-22 02:43:46 UTC+0000
0x8205bda0 wuauclt.exe            1588   1004      5      132      0      0 2012-07-22 02:44:01 UTC+0000


Hidden Processes:

volatility -f cridex.vmem psxview
Volatility Foundation Volatility Framework 2.6
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x02498700 winlogon.exe            608 True   True   True     True   True  True    True
0x02511360 svchost.exe             824 True   True   True     True   True  True    True
0x022e8da0 alg.exe                 788 True   True   True     True   True  True    True
0x020b17b8 spoolsv.exe            1512 True   True   True     True   True  True    True
0x0202ab28 services.exe            652 True   True   True     True   True  True    True
0x02495650 svchost.exe            1220 True   True   True     True   True  True    True
0x0207bda0 reader_sl.exe          1640 True   True   True     True   True  True    True
0x025001d0 svchost.exe            1004 True   True   True     True   True  True    True
0x02029ab8 svchost.exe             908 True   True   True     True   True  True    True
0x023fcda0 wuauclt.exe            1136 True   True   True     True   True  True    True
0x0225bda0 wuauclt.exe            1588 True   True   True     True   True  True    True
0x0202a3b8 lsass.exe               664 True   True   True     True   True  True    True
0x023dea70 explorer.exe           1484 True   True   True     True   True  True    True
0x023dfda0 svchost.exe            1056 True   True   True     True   True  True    True
0x024f1020 smss.exe                368 True   True   True     True   False False   False
0x025c89c8 System                    4 True   True   True     True   False False   False
0x024a0598 csrss.exe               584 True   True   True     True   False True    True


3) List open sockets


volatility -f cridex.vmem sockets
Volatility Foundation Volatility Framework 2.6
Offset(V)       PID   Port  Proto Protocol        Address         Create Time
---------- -------- ------ ------ --------------- --------------- -----------
0x81ddb780      664    500     17 UDP             0.0.0.0         2012-07-22 02:42:53 UTC+0000
0x82240d08     1484   1038      6 TCP             0.0.0.0         2012-07-22 02:44:45 UTC+0000
0x81dd7618     1220   1900     17 UDP             172.16.112.128  2012-07-22 02:43:01 UTC+0000
0x82125610      788   1028      6 TCP             127.0.0.1       2012-07-22 02:43:01 UTC+0000
0x8219cc08        4    445      6 TCP             0.0.0.0         2012-07-22 02:42:31 UTC+0000
0x81ec23b0      908    135      6 TCP             0.0.0.0         2012-07-22 02:42:33 UTC+0000
0x82276878        4    139      6 TCP             172.16.112.128  2012-07-22 02:42:38 UTC+0000
0x82277460        4    137     17 UDP             172.16.112.128  2012-07-22 02:42:38 UTC+0000
0x81e76620     1004    123     17 UDP             127.0.0.1       2012-07-22 02:43:01 UTC+0000
0x82172808      664      0    255 Reserved        0.0.0.0         2012-07-22 02:42:53 UTC+0000
0x81e3f460        4    138     17 UDP             172.16.112.128  2012-07-22 02:42:38 UTC+0000
0x821f0630     1004    123     17 UDP             172.16.112.128  2012-07-22 02:43:01 UTC+0000
0x822cd2b0     1220   1900     17 UDP             127.0.0.1       2012-07-22 02:43:01 UTC+0000
0x82172c50      664   4500     17 UDP             0.0.0.0         2012-07-22 02:42:53 UTC+0000
0x821f0d00        4    445     17 UDP             0.0.0.0         2012-07-22 02:42:31 UTC+0000


Since it's XP, we use the connections command:

volatility -f cridex.vmem connections
Volatility Foundation Volatility Framework 2.6
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81e87620 172.16.112.128:1038       41.168.5.140:8080         1484

Address/port: come back to this when checking strings.


volatility -f cridex.vmem connscan
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 172.16.112.128:1038       41.168.5.140:8080         1484
0x023a8008 172.16.112.128:1037       125.19.103.198:8080       1484

Opened by process 1640

4) URLs

volatility -f cridex.vmem iehistory
Volatility Foundation Volatility Framework 2.6

Nothing? Okay we will come back to this.



5) Suspicious URLs
hxxp://188.40.0.138:8080/zb/v_01_a/in/cp.php
125.19.103.198
Seems to target banking websites

*treasurypathways.com*
*CorporateAccounts*
*weblink.websterbank.com*
*secure7.onlineaccess1.com*
*trz.tranzact.org*
*onlineaccess1.com*
*secureport.texascapitalbank.com*
*/Authentication/zbf/k/*
*ebc_ebc1961*
*tdbank.com*
*online.ovcb.com*
*ebanking-services.com*
*schwab.com*
*billmelater.com*
*chase.com*
*bankofamerica.com*
*pnc.com*
*suntrust.com*
*wellsfargo.com*
*ibanking-services.com*
*bankonline.umpquabank.com*
*servlet/teller*
*nsbank.com*
*securentry.calbanktrust.com*
*securentry*
*/Common/SignOn/Start.asp*
*telepc.net*
*enterprise2.openbank.com*
*BusinessAppsHome*
*global1.onlinebank.com*
*webexpress*


Returning to this after the malware dump.

6) Extract the malware (extra)

volatility -f cridex.vmem procdump -p 1640 --dump-dir .
Volatility Foundation Volatility Framework 2.6
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x81e7bda0 0x00400000 reader_sl.exe        OK: executable.1640.exe

volatility -f cridex.vmem memdump -p 1640 --dump-dir .
Volatility Foundation Volatility Framework 2.6
************************************************************************
Writing reader_sl.exe [  1640] to 1640.dmp


sha256sum *

a18fa7d736daad7e5453a3ee6f96dd3d73677d46854fc59f467f10c6ae799df8 1640.dmp
48db195007e5ae9fc1246506564af154927e9f3fbfca0b4054552804027abbf2 executable.1484.exe
5b136147911b041f0126ce82dfd24c4e2c79553b65d3240ecea2dcab4452dcb5 executable.1640.exe

Look up on VT
Process 1640 https://www.virustotal.com/gui/file/5b13.../detection
Process 1484 https://www.virustotal.com/gui/file/48db.../detection


YaraScan:

yara ../../rules/malware_index.yar 1640.dmp
../../rules/./malware/APT_DPRK_ROKRAT.yar(43): warning: $b2 is slowing down scanning
../../rules/./malware/MalConfScan.yar(63): warning: $b1 is slowing down scanning (critical!)
../../rules/./malware/MalConfScan.yar(245): warning: $init_function is slowing down scanning
../../rules/./malware/RAT_Ratdecoders.yar(153): warning: $conf is slowing down scanning (critical!)
Insta11Strings 1640.dmp
Insta11 1640.dmp


strings 1640.dmp | grep -i 8080
hxxp://188.40.0.138:8080/zb/v_01_a/in/cp.php
Host: 41.168.5.140:8080
{905667aa-acd6-11d2-8080-00805f6596d2}
{905667aa-acd6-11d2-8080-00805f6596d2}-
{905667aa-acd6-11d2-8080-00805f6596d2}
{905667aa-acd6-11d2-8080-00805f6596d2}
280801235959Z0
280801235959Z0
280801235959Z0
280801235959Z0_1
280801235959Z0
280801235959Z0_1
280801235959Z0
{905667aa-acd6-11d2-8080-00805f6596d2}F
{25537BA6-77A8-11D2-9B6C-0000F8080861}
280801235959Z0_1
hxxp://188.40.0.138:8080/zb/v_01_a/in/cp.php
CD_6B4E7939751D6D1B396F80803BAF90D4.298.560241.637
C_6B4E7939751D6D1B396F80803BAF90D4
hxxp://188.40.0.138:8080/zb/v_01_a/in/cp.php



7) Analyze the malware/Exploit (extra)

foremost 1640.dmp
Processing: 1640.dmp
|*|
ls
audit.txt bmp dll exe gif htm

Note: Not all files are malware; we may have other files, but this is all within that memory offset of the process.


8) Suspicious files

Looking at our previous process scan and connection scans

PID 1484 - the only PID connected to the internet, and the PID is reader_sl.exe
0x81e7bda0 reader_sl.exe 1640 1484 5 39 0 0 2012-07-22 02:42:36 UTC+0000

Checking if reader_sl started other threads

volatility -f cridex.vmem threads | grep -i 1640
Volatility Foundation Volatility Framework 2.6
ETHREAD: 0x81ec1640 Pid: 664 Tid: 764
ETHREAD: 0x81ec4da8 Pid: 1640 Tid: 1600
ETHREAD: 0x822924c8 Pid: 1640 Tid: 1648
ETHREAD: 0x81e7b988 Pid: 1640 Tid: 1644
ETHREAD: 0x822ffd80 Pid: 1640 Tid: 1448
ETHREAD: 0x81e2e798 Pid: 1640 Tid: 1332


cmdline:

volatility -f cridex.vmem cmdline
Volatility Foundation Volatility Framework 2.6
************************************************************************
System pid: 4
************************************************************************
smss.exe pid: 368
Command line : \SystemRoot\System32\smss.exe
************************************************************************
csrss.exe pid: 584
Command line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16
************************************************************************
winlogon.exe pid: 608
Command line : winlogon.exe
************************************************************************
services.exe pid: 652
Command line : C:\WINDOWS\system32\services.exe
************************************************************************
lsass.exe pid: 664
Command line : C:\WINDOWS\system32\lsass.exe
************************************************************************
svchost.exe pid: 824
Command line : C:\WINDOWS\system32\svchost -k DcomLaunch
************************************************************************
svchost.exe pid: 908
Command line : C:\WINDOWS\system32\svchost -k rpcss
************************************************************************
svchost.exe pid: 1004
Command line : C:\WINDOWS\System32\svchost.exe -k netsvcs
************************************************************************
svchost.exe pid: 1056
Command line : C:\WINDOWS\system32\svchost.exe -k NetworkService
************************************************************************
svchost.exe pid: 1220
Command line : C:\WINDOWS\system32\svchost.exe -k LocalService
************************************************************************
explorer.exe pid: 1484
Command line : C:\WINDOWS\Explorer.EXE
************************************************************************
spoolsv.exe pid: 1512
Command line : C:\WINDOWS\system32\spoolsv.exe
************************************************************************
reader_sl.exe pid: 1640
Command line : "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
************************************************************************
alg.exe pid: 788
Command line : C:\WINDOWS\System32\alg.exe
************************************************************************
wuauclt.exe pid: 1136
Command line : "C:\WINDOWS\system32\wuauclt.exe" /RunStoreAsComServer Local\[3ec]SUSDSb81eb56fa3105543beb3109274ef8ec1
************************************************************************
wuauclt.exe pid: 1588
Command line : "C:\WINDOWS\system32\wuauclt.exe"


Check for injection


9) Are there any registry entries which may enable persistence? Other IOCs?

C2:188.40.0.138 // 125.19.103.198
Port:8080
Sha256: FileName:

a18fa7d736daad7e5453a3ee6f96dd3d73677d46854fc59f467f10c6ae799df8 1640.dmp
48db195007e5ae9fc1246506564af154927e9f3fbfca0b4054552804027abbf2 executable.1484.exe
5b136147911b041f0126ce82dfd24c4e2c79553b65d3240ecea2dcab4452dcb5 executable.1640.exe

https://www.hybrid-analysis.com/sample/4...mentId=100
https://www.virustotal.com/gui/file/48db.../detection


https://www.virustotal.com/gui/file/5b13.../detection
https://www.hybrid-analysis.com/sample/5...mentId=120
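Added example for the pslist/connscan steps in the report above (my own code, not the poster's and not part of the Volatility project): it parses the whitespace-separated tables exactly as they were pasted, rebuilds the parent/child tree, and attributes each external connection to the PID in the Pid column while listing that process's children. On the thread's own rows the connections belong to PID 1484 (explorer.exe), whose child is reader_sl.exe (1640), which is the relationship the later threads/cmdline steps examine. The samples are constructed excerpts of the listings above; the loopback row for PID 788 is made up to exercise the private-address filter, and all function and field names are mine. One caveat worth keeping in mind: connscan is a pool scanner, so it can surface terminated or stale connection objects and should be cross-checked against connections.

```python
"""Triage helper for Volatility 2 text output (added example for this thread;
not the poster's code and not part of the Volatility project). It parses the
`pslist` and `connscan` tables, rebuilds the parent/child tree, attributes each
external connection to the owning PID and collects the remote endpoints as IOCs.
"""
import ipaddress
import re
from collections import namedtuple
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpts of the thread's own pslist/connscan listings. The
# loopback row for PID 788 is made up here to exercise the private-address filter.
PSLIST_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x81e2ab28 services.exe            652    608     16      243      0      0 2012-07-22 02:42:32 UTC+0000
0x821dea70 explorer.exe           1484   1464     17      415      0      0 2012-07-22 02:42:36 UTC+0000
0x81e7bda0 reader_sl.exe          1640   1484      5       39      0      0 2012-07-22 02:42:36 UTC+0000
0x820e8da0 alg.exe                 788    652      7      104      0      0 2012-07-22 02:43:01 UTC+0000
"""
CONNSCAN_SAMPLE = """\
Volatility Foundation Volatility Framework 2.6
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x02087620 172.16.112.128:1038       41.168.5.140:8080         1484
0x023a8008 172.16.112.128:1037       125.19.103.198:8080       1484
0x02125610 127.0.0.1:1028            127.0.0.1:1029            788
"""

# A pslist row: offset, name, PID, PPID, threads, handles, session, wow64 and an
# optional start timestamp (the System process prints none).
PSLIST_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(\d+)"
    r"(?:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} \S+))?"
)
CONN_RE = re.compile(r"^0x[0-9a-f]+\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\d+)")
Connection = namedtuple("Connection", "local_ip local_port remote_ip remote_port pid")


@dataclass
class Process:
    name: str
    pid: int
    ppid: int
    start: Optional[str]
    children: List[int] = field(default_factory=list)


def parse_pslist(text: str) -> Dict[int, Process]:
    """Return {pid: Process} with each process's children filled in."""
    procs: Dict[int, Process] = {}
    for line in text.splitlines():
        m = PSLIST_RE.match(line)
        if m:
            procs[int(m.group(3))] = Process(m.group(2), int(m.group(3)), int(m.group(4)), m.group(9))
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p.pid)
    return procs


def parse_connections(text: str) -> List[Connection]:
    out = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            out.append(Connection(m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), int(m.group(5))))
    return out


def is_external(ip: str) -> bool:
    """Routable address? RFC 1918, loopback, link-local and 0.0.0.0 are not."""
    a = ipaddress.ip_address(ip)
    return not (a.is_private or a.is_loopback or a.is_link_local or a.is_unspecified)


def triage(procs: Dict[int, Process], conns: List[Connection]) -> Dict[int, dict]:
    """Map every PID owning an external connection to its name, parent, remote
    endpoints and children, so the connection is attributed to the owning
    process rather than to whichever process merely looks suspicious."""
    findings: Dict[int, dict] = {}
    for c in conns:
        if not is_external(c.remote_ip):
            continue
        p = procs.get(c.pid)
        entry = findings.setdefault(c.pid, {
            "name": p.name if p else "<not in pslist>",
            "parent": procs[p.ppid].name if p and p.ppid in procs else None,
            "remote": [],
            "children": [f"{procs[k].name} ({k})" for k in p.children] if p else [],
        })
        entry["remote"].append(f"{c.remote_ip}:{c.remote_port}")
    return findings


def network_iocs(findings: Dict[int, dict]) -> List[str]:
    """Sorted, de-duplicated remote endpoints for blocklisting and hunting."""
    return sorted({ep for f in findings.values() for ep in f["remote"]})


if __name__ == "__main__":
    hits = triage(parse_pslist(PSLIST_SAMPLE), parse_connections(CONNSCAN_SAMPLE))
    for pid, f in hits.items():
        print(f"PID {pid} {f['name']} (parent {f['parent']}) -> {', '.join(f['remote'])}; children: {f['children']}")
    print("IOCs:", network_iocs(hits))
```

Run it against real output by replacing the two sample strings with the captured text of `volatility -f cridex.vmem pslist` and `connscan`; the regexes only key on the row shape, so extra columns such as Exit do not matter.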
06-29-2021, 05:40 AM
#3
Challenge 2

Cracking a password-protected zip file

Scenario: A friend needs help and sent you a password-protected zip file containing a text file; they need the phrase in flag.txt. Crack the password and post the flag.

sha256sum crack_passwd.zip
c61fbceeb0971f579de3e6bc45838be237e128b5b65d740e2d1d74751eaa1545 crack_passwd.zip

flag.txt
https://www.virustotal.com/gui/file/bee1.../detection

crack_passwd.zip

https://www.virustotal.com/gui/file-anal.../detection

https://gofile.io/d/T85ffv

Edit:

Solution:

fcrackzip -b -D -p Top207-probable-v2.txt crack_passwd.zip
possible pw found: password1 ()

unzip crack_passwd.zip
Archive: crack_passwd.zip
[crack_passwd.zip] flag.txt password:
extracting: flag.txt

cat flag.txt
CaTzRuUuLe
08-02-2021, 07:06 PM
#4
Challenge 3 Binary Patching

Scenario: You have a program which you need to find the license key to use it, luckily the key is somewhere in the binary.

Binary patching

Find the license key; compile on your own machine:


Source:
Code:
#include <string.h>
#include <stdio.h>

/* Challenge crackme: the expected key is a string literal inside the binary. */
int main(int argc, char *argv[]) {
    if (argc == 2) {
        printf("Checking License: %s\n", argv[1]);
        /* Plain strcmp of the argument against the hardcoded key. */
        if (strcmp(argv[1], "AAAA-Z10N-42-OK") == 0) {
            printf("Access Granted!\n");
        } else {
            printf("WRONG!\n");
        }
    } else {
        printf("Usage: <key>\n");
    }
    return 0;
}

Tools:
nano (text editor)
gcc
Ghidra/Cutter or any debugger

OS-Linux(Ubuntu)

Compile: gcc -o license license.c
(compiles fine to warnings)
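Added example for the binary patching challenge above (my own code, not the poster's): the scenario says the key is somewhere in the binary, and this shows from the defensive side why that is unavoidable for a string literal compared with strcmp. It is a minimal `strings`-style scanner that recovers printable ASCII and UTF-16LE runs of four or more characters (the same default the GNU strings tool uses, and the same principle the report earlier relied on with `strings 1640.dmp`). SAMPLE_BLOB is a constructed byte string standing in for the compiled program, not a real ELF, and `contains_literal` is the kind of build-artifact check you can run to confirm a secret did not ship in cleartext. Storing only a hash of the key, or validating it server-side, keeps the key itself out of the binary; neither stops someone patching the comparison branch, which is the point of the challenge.

```python
"""Minimal `strings`-style scanner (added example for this thread, not the
poster's code). It recovers printable ASCII runs and UTF-16LE runs from raw
bytes, which is how a string literal compiled into a program's read-only data,
such as the key compared in the challenge source, can be read back by anyone
holding a copy of the binary. SAMPLE_BLOB is constructed here; it is not a
real compiled file.
"""
import re
from typing import List, Tuple

MIN_LEN = 4  # same default as the GNU strings tool

# Constructed stand-in for a compiled binary: ELF magic, opcode-like filler,
# the challenge's literals, and one UTF-16LE string (the wide form common in
# Windows binaries) so both scanners have something to find.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"\x55\x89\xe5\x83\xec\x10\xe8\x00\x00\x00\x00\xc9\xc3"
    + b"Checking License: %s\n\x00"
    + b"AAAA-Z10N-42-OK\x00"
    + b"Access Granted!\n\x00"
    + b"WRONG!\n\x00"
    + b"\x90\x90\xcc\x00"
    + "Usage: <key>".encode("utf-16le") + b"\x00\x00"
)


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every printable run of at least
    min_len characters, sorted by offset. ASCII means bytes 0x20..0x7e;
    UTF-16LE means such a byte followed by a NUL, repeated."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_run.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16le")) for m in wide_run.finditer(blob)]
    return sorted(found)


def contains_literal(blob: bytes, literal: str) -> bool:
    """True if a known literal is recoverable verbatim from the blob: a simple
    build-time check that a secret did not end up in a shipped artifact."""
    return any(text == literal for _, _, text in extract_strings(blob))


if __name__ == "__main__":
    for offset, enc, text in extract_strings(SAMPLE_BLOB):
        print(f"{offset:#06x} {enc:8} {text}")
    print("key in cleartext:", contains_literal(SAMPLE_BLOB, "AAAA-Z10N-42-OK"))
```

To use it on a real file, read it with `open(path, "rb").read()` and pass the bytes to `extract_strings`; raising `min_len` cuts down on false positives from instruction bytes that happen to be printable.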

