
Information
Category Name: BankingTroubles
Files: c27-banking-troubles.zip (127 MB)
– Bob.vmem (512 MB)
My Recommendations
Download it from CyberDefenders and verify the file with sha1sum:
sha1sum /path/to/c27-banking-troubles.zip
SHA1: fb90a34ca773f2dc97da144df1028ac4689a8e87
This is my personal preference: I like being organized and deleting a folder when I’m done with it.
mkdir Documents/CyberDefenders/BankingTroubles && cd Documents/CyberDefenders/BankingTroubles
Walkthrough
1. What was the local IP address of the victim's machine?
We need to find the correct profile before using volatility:
vol.py -f Bob.vmem imageinfo
Now we can run it with the connections plugin to see which addresses were connected:
vol.py -f Bob.vmem --profile=WinXPSP2x86 connections
The Local Address column holds the victim's IP address. 127.0.0.1 is the loopback address, not the machine's actual LAN address.
Answer: 192.168.0.176
2. What was the OS environment variable's value?
We can use the envars plugin, which will list the environment variables of all processes, and grep for OS:
vol.py -f Bob.vmem --profile=WinXPSP2x86 envars | grep OS
Answer: Windows_NT
3. What was the Administrator's password?
To recover the plaintext password, we dump the hashes to a file and let john do its magic. LM hashes are computed from the uppercased password, so john reports the result in uppercase:
vol.py -f Bob.vmem --profile=WinXPSP2x86 hashdump > hashes.txt
john -format=LM -wordlist=/usr/share/wordlists/rockyou.txt hashes.txt
john --show hashes.txt
Answer: PASSWORD
4. Which process was most likely responsible for the initial exploit?
The challenge revolves around a malicious PDF file. We can look at the process tree:
vol.py -f Bob.vmem --profile=WinXPSP2x86 pstree
Given the running processes, the most likely culprit is AcroRd32.exe, aka Acrobat Reader (PID 1752).
Answer: AcroRd32.exe
5. What is the extension of the malicious file retrieved from the process responsible for the initial exploit?
Using the handles plugin, we can see which files, registry keys and other objects AcroRd32.exe held handles to. It’s kind of like a log of everything the process was touching:
vol.py -f Bob.vmem --profile=WinXPSP2x86 handles --pid=1752
If you scroll up, you will see that the process had a handle for a .php file (hello exploit!) and a PDF file called ‘RdrMsgENU.pdf’, which we can assume is the evil file.
Answer: pdf
6. Suspicious processes opened network connections to external IPs. One of them starts with “2”. Provide the full IP.
vol.py -f Bob.vmem --profile=WinXPSP2x86 connections
PID 888 and PID 1752 both opened a connection to 212.150.164.203. PID 888 (firefox.exe) is the parent of AcroRd32.exe.
Answer: 212.150.164.203
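Questions 1 and 6 both come down to reading the connections table: the local column gives the victim's address, and the remote column, once loopback and RFC1918 peers are filtered out, gives the external contacts per PID. The following is an added example (not code from the original post or from the Volatility project) that parses text in the layout of Volatility 2's `connections` output. The sample rows are constructed for this example; only the two addresses named in the walkthrough appear in them.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the layout of Volatility 2's `connections` plugin
# (Offset(V), Local Address, Remote Address, Pid). Rows are made up for this
# example; only the addresses the walkthrough names are real to the challenge.
SAMPLE_CONNECTIONS = """\
Volatility Foundation Volatility Framework 2.6
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81e8a008 192.168.0.176:1176        212.150.164.203:80        888
0x81f2c5a8 192.168.0.176:1178        212.150.164.203:80        1752
0x82123008 127.0.0.1:1055            127.0.0.1:1056            888
0x8207e3f0 192.168.0.176:1190        192.168.0.1:139           4
"""

# One socket row: offset, local ip:port, remote ip:port, pid.
ROW = re.compile(
    r"^0x[0-9a-fA-F]+\s+(?P<lip>[\d.]+):(?P<lport>\d+)\s+"
    r"(?P<rip>[\d.]+):(?P<rport>\d+)\s+(?P<pid>\d+)\s*$"
)


def parse_connections(text):
    """Yield one dict per socket row, skipping the banner and header lines."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield {
                "local": ipaddress.ip_address(m["lip"]),
                "remote": ipaddress.ip_address(m["rip"]),
                "rport": int(m["rport"]),
                "pid": int(m["pid"]),
            }


def victim_ip(text):
    """The host's own address: the most common non-loopback local address."""
    counts = defaultdict(int)
    for row in parse_connections(text):
        if not row["local"].is_loopback:
            counts[row["local"]] += 1
    return str(max(counts, key=counts.get)) if counts else None


def external_by_pid(text):
    """Map PID -> sorted list of public peers (RFC1918, loopback, link-local dropped)."""
    peers = defaultdict(set)
    for row in parse_connections(text):
        remote = row["remote"]
        if remote.is_global:  # False for private, loopback, link-local, multicast
            peers[row["pid"]].add(str(remote))
    return {pid: sorted(addrs) for pid, addrs in peers.items()}


if __name__ == "__main__":
    print("victim:", victim_ip(SAMPLE_CONNECTIONS))
    for pid, addrs in sorted(external_by_pid(SAMPLE_CONNECTIONS).items()):
        print(f"PID {pid} -> {', '.join(addrs)}")
```

Feeding it the real plugin output (`vol.py ... connections > conn.txt`, then `external_by_pid(open("conn.txt").read())`) gives the same PID-to-peer view the walkthrough reads off by eye, and it scales to images with hundreds of sockets.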
7. A suspicious URL was present in process svchost.exe memory. Provide the full URL that points to a PHP page hosted over a public IP (no FQDN).
The easy way:
strings Bob.vmem | grep -F ".php" | grep "^http:"
Answer: http[://]193[.]104[.]22[.]71/~produkt/9j856f_4m9y8urb[.]php
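The `strings | grep` one-liner works, but it also returns every .php URL with a hostname and cannot tell a private address from a public one. As an added example (not part of the original post), here is a byte-level scan that only reports URLs whose host is a bare IPv4 literal, can optionally drop RFC1918/loopback hosts, and prints results defanged in the same `[.]` style the walkthrough uses. The sample buffer is constructed; the IP literals in it are made up and are not indicators from the challenge.

```python
import ipaddress
import re

# Bytes pattern so it can run over a raw memory image without decoding it:
# scheme, a bare dotted-quad host, optional port, a path ending in .php and
# an optional query string.
IP_PHP_URL = re.compile(
    rb"(?P<scheme>https?)://"
    rb"(?P<host>(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d))"
    rb"(?::\d{1,5})?"
    rb"/[\w~./-]*\.php(?:\?[\w=&%.-]*)?"
)

# Ranges that are never a "public IP" answer. Documentation ranges such as
# 203.0.113.0/24 are deliberately not excluded so the constructed sample works.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample of what a memory region might hold: HTTP fragments,
# NUL padding, a hostname URL (ignored) and two bare-IP .php URLs.
SAMPLE = (b"\x00\x00GET /index.html\x00http://10.0.0.5/admin/login.php?u=1\x00"
          b"http://example.com/page.php\x00http://203.0.113.9/~user/dr0p.php\x00\xff")


def is_routable(host: str) -> bool:
    """True unless the host falls in a private, loopback or link-local range."""
    addr = ipaddress.ip_address(host)
    return not any(addr in net for net in NON_PUBLIC)


def find_ip_php_urls(data: bytes, public_only: bool = False):
    """Unique bare-IP .php URLs in `data`, in order of first appearance."""
    seen, out = set(), []
    for m in IP_PHP_URL.finditer(data):
        host = m["host"].decode("ascii")
        if public_only and not is_routable(host):
            continue
        url = m.group().decode("ascii", "replace")
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def defang(url: str) -> str:
    """Bracket the scheme separator and every dot so the URL is not clickable."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return f"{scheme}[://]{host.replace('.', '[.]')}{sep}{path.replace('.', '[.]')}"


def scan_image(path, chunk=8 * 1024 * 1024, overlap=512, public_only=True):
    """Stream a large image through the regex; `overlap` bytes are carried over
    so a URL straddling a chunk boundary is still seen whole."""
    found, tail = [], b""
    with open(path, "rb") as f:
        while True:
            block = f.read(chunk)
            if not block:
                break
            for url in find_ip_php_urls(tail + block, public_only):
                if url not in found:
                    found.append(url)
            tail = (tail + block)[-overlap:]
    return found


if __name__ == "__main__":
    for url in find_ip_php_urls(SAMPLE, public_only=True):
        print(defang(url))
```

`scan_image("Bob.vmem")` is the drop-in for the `strings` pipeline; because the overlap re-scans the tail of each chunk, a URL cut exactly after `.php` may be reported once without and once with its query string, which is harmless for triage.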
8. Extract files from the initial process. One file has an MD5 hash ending with “528afe08e437765cc”. When was this file first submitted for analysis on VirusTotal?
Using the dumpfiles plugin with a regex matching the pdf extension:
mkdir pdfs
vol.py -f Bob.vmem --profile=WinXPSP2x86 dumpfiles -r pdf$ -u -n -D pdfs
md5sum pdfs/*
# returns
# 4d0bc7dec1fdad48f0b8cceaffe0790b pdfs/file.1752.0x81c6b578.RdrMsgENU.pdf.vacb
# cd3c38c9c0e910bf1fe722871039cf3d pdfs/file.1752.0x81ddcdf8.RdrMsgENU.pdf.dat
dumpfiles doesn’t return a file matching the hash.
Since that didn’t work, we dump the whole process memory and carve the PDFs out of it with foremost. Afterwards we compute the MD5 hashes and grep for the given ending:
vol.py -f Bob.vmem --profile=WinXPSP2x86 memdump -p 1752 -D .
foremost -t pdf 1752.dmp
find output -type f -exec md5sum "{}" \; | grep '528afe08e437765cc'
Answer: 2010-03-29 19:31:45
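Both the zip verification in the recommendations and this question are the same task: hash a set of files without reading a 500 MB image into memory at once, then match either a full published digest or the trailing fragment the challenge gives. This added example (not code from the original post) does that in Python; the `make_constructed_carve_dir` helper builds a throwaway directory of made-up "carved" files so the functions can be exercised offline, and the only digests it relies on are the well-known MD5/SHA-1 of the empty file.

```python
import hashlib
import os
import tempfile


def file_digest(path, algo="md5", chunk=1 << 20):
    """Hash a file in 1 MiB chunks so large dumps are never fully resident."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def digest_tree(root, algo="md5"):
    """{path relative to root: hex digest} for every regular file under root."""
    result = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = file_digest(full, algo)
    return result


def find_by_digest_suffix(root, suffix, algo="md5"):
    """(path, digest) pairs whose digest ends with `suffix`, case-insensitively,
    which is how the challenge phrases its clue."""
    suffix = suffix.lower()
    return sorted((p, d) for p, d in digest_tree(root, algo).items() if d.endswith(suffix))


def verify(path, expected, algo="sha1"):
    """True when the file's digest equals the published one (a sha1sum-style check)."""
    return file_digest(path, algo) == expected.lower()


def make_constructed_carve_dir():
    """Create a temp directory of made-up carved files for offline testing.
    Contents are constructed; they are not the challenge's files."""
    root = tempfile.mkdtemp(prefix="carved-")
    samples = (
        ("pdf/00000001.pdf", b"%PDF-1.4 constructed sample A"),
        ("pdf/00000002.pdf", b"%PDF-1.4 constructed sample B"),
        ("exe/00000003.exe", b"MZ constructed sample C"),
        ("empty.bin", b""),
    )
    for rel, payload in samples:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(payload)
    return root


if __name__ == "__main__":
    root = make_constructed_carve_dir()
    for rel, digest in sorted(digest_tree(root).items()):
        print(digest, rel)
    # Suffix lookup in the style of the challenge clue (empty file's MD5 ends in ecf8427e).
    print(find_by_digest_suffix(root, "ECF8427E"))
```

Against the real carve directory the call is `find_by_digest_suffix("output", "528afe08e437765cc")`, and `verify("c27-banking-troubles.zip", "fb90a34ca773f2dc97da144df1028ac4689a8e87")` replaces the manual sha1sum comparison.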
9. What was the PID of the process that loaded the file PDF.php?
Using the handles plugin:
vol.py -f Bob.vmem --profile=WinXPSP2x86 handles | grep 'PDF.php' -A 5 -B 5
The only match returned for ‘PDF.php’ is PID 1752, which is AcroRd32.exe.
Answer: 1752
10. The JS includes a function meant to hide the call to function eval(). Provide the name of that function.
In Question 8, we identified the malicious file. Now we can analyze it with peepdf, extract the JavaScript and beautify it:
cp output/pdf/00601560.pdf mal.pdf
peepdf mal.pdf
The object that contains JavaScript is Object 1054. We can dump it with pdf-parser.py. With the way my machine is configured, I need to invoke pdf-parser with python2 directly:
python2 /usr/local/bin/pdf-parser.py --raw -o 1054 -f mal.pdf -d malicious.js
js-beautify malicious.js
Looking at the output, there is a call to eval from function HNQYxrFW.
Answer: HNQYxrFW
11. The payload includes 3 shellcodes for different versions of Acrobat reader. Provide the function name that corresponds to Acrobat v9.
If you are on Linux, you can use js-patched, which executes the script and logs what it passes to eval, de-obfuscating it. But first, you need to add a closing curly bracket at the end of the file:
echo '}' >> malicious.js
js-patched malicious.js
# fails with ReferenceError: app is not defined (expected: the Acrobat app object only exists inside the reader)
cat eval.001.log
The last lines check the version of Acrobat Reader. This one in particular corresponds to Acrobat v9.
Answer: XiIHG
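Questions 10 and 11 are both answered by reading the beautified script for two patterns: a wrapper function whose body contains the eval call, and the function that branches on `app.viewerVersion`. When a JS runtime is not available, a static pass finds both. This added example (not part of the original post and not the real exploit script) walks function bodies by brace depth over a constructed stand-in script; every name, body and version check in `SAMPLE_JS` is invented for the example. The brace walker ignores braces inside string literals, which is adequate for beautified exploit code but not a general JS parser.

```python
import re

# Constructed stand-in for a beautified malicious PDF script. Names, bodies
# and the version checks are invented for this example.
SAMPLE_JS = r"""
var a = "\x25\x75\x30\x63\x30\x63";
function runIt(p) {
    var q = p;
    return eval(q);
}
function pickShell() {
    var v = app.viewerVersion.toString();
    if (v.indexOf("9") == 0) { return shell9(); }
    if (v.indexOf("8") == 0) { return shell8(); }
    return shell7();
}
function shell7() { return a + a; }
function shell8() { return a; }
function shell9() { return a + a + a; }
runIt(pickShell());
"""

FUNC_START = re.compile(r"\bfunction\s+([A-Za-z_$][\w$]*)\s*\([^)]*\)\s*\{")
EVAL_CALL = re.compile(r"\beval\s*\(")
# `indexOf("N") == 0) { return name(` : version prefix test followed by the callee.
VERSION_BRANCH = re.compile(r'indexOf\("(\d+)"\)\s*==\s*0\)\s*\{\s*return\s+(\w+)\(')


def function_bodies(src):
    """{name: body text} for each `function name(...) {` by walking brace depth.
    Braces inside string literals are not special-cased."""
    bodies = {}
    for m in FUNC_START.finditer(src):
        depth, i = 1, m.end()
        while i < len(src) and depth:
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            i += 1
        bodies[m.group(1)] = src[m.end():i - 1]
    return bodies


def eval_wrappers(src):
    """Functions whose body calls eval: the 'hide eval behind a name' trick."""
    return sorted(name for name, body in function_bodies(src).items() if EVAL_CALL.search(body))


def version_branches(src):
    """Map each Acrobat major version tested via app.viewerVersion to the function it selects."""
    out = {}
    for body in function_bodies(src).values():
        if "app.viewerVersion" not in body:
            continue
        for ver, callee in VERSION_BRANCH.findall(body):
            out[ver] = callee
    return out


if __name__ == "__main__":
    print("eval wrappers:", eval_wrappers(SAMPLE_JS))
    print("version branches:", version_branches(SAMPLE_JS))
```

On the real `malicious.js` the output of `eval_wrappers` is the Question 10 answer and `version_branches(...)["9"]` the Question 11 answer, provided the script uses the same `indexOf(...) == 0` comparison; other comparison styles need the `VERSION_BRANCH` pattern adjusted.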
12. Process winlogon.exe hosted a popular malware that was first submitted for analysis at VirusTotal on 2010-03-29 11:34:01. Provide the MD5 hash of that malware.
Winlogon.exe’s PID is 644. We can dump the injected code regions with malfind and run clamscan over the extracted files:
mkdir winlogon
vol.py -f Bob.vmem --profile=WinXPSP2x86 malfind --pid 644 -D winlogon/
clamscan -r winlogon
Only process.0x81e5b2e8.0xa10000.dmp is flagged, as ‘Win.Spyware.Zbot’.
Its MD5 hash is 066f61950bdd31db4ba95959b86b5269. We can look it up on VirusTotal to confirm the date.
Answer: 066f61950bdd31db4ba95959b86b5269
13. What is the name of the malicious executable referenced in registry hive ‘\WINDOWS\system32\config\software’, and is a variant of the ZeuS trojan?
According to this report, the Trojan modifies the Winlogon key. First, we need to find the offset of the Software Key:
vol.py -f Bob.vmem --profile=WinXPSP2x86 hivelist
vol.py -f Bob.vmem --profile=WinXPSP2x86 printkey -o 0xe1526748 -K 'Microsoft\Windows NT\CurrentVersion\Winlogon'
As we can see, ‘sdra64.exe’ was appended to the Userinit value under the Winlogon key to maintain persistence.
Answer: sdra64.exe
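The Userinit value is a comma-separated list, and winlogon launches every entry in it at logon, so the check a responder actually wants is "which entries are not the stock one". This added example (not from the original post or the Volatility project) parses value lines in the style of Volatility 2's `printkey` output and reports anything beyond the Windows XP baseline in Userinit, plus a non-default Shell. The sample dump is constructed; the sdra64.exe entry mirrors what the walkthrough found, and the baseline path is the XP default.

```python
import re

# Stock Windows XP value; anything after the trailing comma is an extra
# program winlogon will start at every interactive logon.
DEFAULT_USERINIT = r"C:\WINDOWS\system32\userinit.exe,"

# Constructed lines in the style of Volatility 2's printkey output for the
# Winlogon key. The sdra64.exe entry mirrors the walkthrough's finding.
SAMPLE_PRINTKEY = r"""
Legend: (S) = Stable   (V) = Volatile

----------------------------
Registry: \Device\HarddiskVolume1\WINDOWS\system32\config\software
Key name: Winlogon (S)
Values:
REG_SZ        Shell           : (S) Explorer.exe
REG_SZ        Userinit        : (S) C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,
REG_SZ        System          : (S)
"""

# REG_<type>  <name>  : (S|V) <data>
VALUE_LINE = re.compile(r"^REG_\w+\s+(?P<name>\S+)\s+:\s+\([SV]\)\s*(?P<data>.*)$")


def parse_values(text):
    """{value name: data string} for every value line in a printkey dump."""
    out = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line.strip())
        if m:
            out[m["name"]] = m["data"].strip()
    return out


def userinit_extras(text, baseline=DEFAULT_USERINIT):
    """Entries in Userinit that are not in the baseline list: persistence candidates."""
    data = parse_values(text).get("Userinit", "")
    expected = {e.strip().lower() for e in baseline.split(",") if e.strip()}
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [e for e in entries if e.lower() not in expected]


def logon_autostart_findings(text):
    """Findings for the two Winlogon values most often abused: Userinit and Shell."""
    values = parse_values(text)
    findings = {}
    extras = userinit_extras(text)
    if extras:
        findings["Userinit"] = extras
    shell = values.get("Shell", "")
    if shell and shell.lower() != "explorer.exe":
        findings["Shell"] = [shell]
    return findings


if __name__ == "__main__":
    for value, items in logon_autostart_findings(SAMPLE_PRINTKEY).items():
        print(f"{value}: {', '.join(items)}")
```

Running `logon_autostart_findings` over the real `printkey -o 0xe1526748 -K 'Microsoft\Windows NT\CurrentVersion\Winlogon'` output yields the Question 13 answer directly; the same baseline idea extends to the Run keys with a different default list.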
14. The shellcode for Acrobat v7 downloads a file named e.exe from a specific URL. Provide the URL.
Looking at the filescan output, a file ‘e.exe’ is present on the machine:
vol.py -f Bob.vmem --profile=WinXPSP2x86 filescan > filescan.txt
grep -F 'e.exe' filescan.txt
It was written to the directory named by AcroRd32.exe’s TEMP environment variable (as shown by the envars plugin).
In Question 8, we used foremost to extract files from PID 1752’s process memory. Since ‘e.exe’ is an executable that was downloaded, we can look for the string ‘application/x-msdownload’ in those files:
strings output/*/* | grep 'application/x-msdownload' -B 5 -A 5
The only matches refer to a single link.
To confirm that ‘e.exe’ was downloaded from this link, we can check the MFT. Using its creation date and time as a filter, we can see which other files were created at the same moment:
vol.py -f Bob.vmem --profile=WinXPSP2x86 mftparser > MFT.txt
grep -F 'e.exe' MFT.txt
# returns 2010-02-27 20:12:32 UTC+0000 for all DateTime values
grep '2010-02-27 20:12:32' MFT.txt
All these files have exactly the same timestamps as ‘e.exe’. Given the name of the file in the Cookies directory, and that file[1].exe was matched above, we can conclude that they all share the same download URL.
Answer: http[://]search-network-plus[.]com/load[.]php?a=a&st=Internet Explorer 6.0&e=2
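The timestamp pivot above is a general timeline technique: take the creation time of the file of interest and list everything else the file system created in that second. As an added example (not part of the original post or of Volatility), the following parses `$FILE_NAME` rows from text in the style of the `mftparser` plugin and performs that pivot. The records are constructed for the example; the paths, the cookie name and the record numbers are invented, and only the 2010-02-27 20:12:32 timestamp echoes the walkthrough.

```python
import re
from collections import defaultdict

TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC\+0000"
# A $FILE_NAME row: four timestamps followed by the path.
FN_ROW = re.compile(
    rf"^(?P<created>{TS}) (?P<modified>{TS}) (?P<mft>{TS}) (?P<accessed>{TS}) (?P<path>.+)$")

# Constructed records in the style of Volatility 2's mftparser output.
SAMPLE_MFT = r"""
***************************************************************************
MFT entry found at offset 0x1b4c00
Attribute: In Use & File
Record Number: 4567
Link count: 1

$STANDARD_INFORMATION
Creation                       Modified                       MFT Altered                    Access Date                    Type
------------------------------ ------------------------------ ------------------------------ ------------------------------ ----
2010-02-27 20:12:32 UTC+0000 2010-02-27 20:12:32 UTC+0000 2010-02-27 20:12:32 UTC+0000 2010-02-27 20:12:32 UTC+0000 Archive

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2010-02-27 20:12:32 UTC+0000 2010-02-27 20:12:32 UTC+0000 2010-02-27 20:12:32 UTC+0000 2010-02-27 20:12:32 UTC+0000 Documents and Settings\Administrator\Local Settings\Temp\e.exe

***************************************************************************
MFT entry found at offset 0x1b5000
Record Number: 4568

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2010-02-27 20:12:32 UTC+0000 2010-02-27 20:12:32 UTC+0000 2010-02-27 20:12:32 UTC+0000 2010-02-27 20:12:32 UTC+0000 Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\ABCD1234\file[1].exe

***************************************************************************
MFT entry found at offset 0x1b5400
Record Number: 4569

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2010-02-27 20:12:32 UTC+0000 2010-02-27 20:12:32 UTC+0000 2010-02-27 20:12:32 UTC+0000 2010-02-27 20:12:32 UTC+0000 Documents and Settings\Administrator\Cookies\administrator@example[1].txt

***************************************************************************
MFT entry found at offset 0x1b5800
Record Number: 4570

$FILE_NAME
Creation                       Modified                       MFT Altered                    Access Date                    Name/Path
------------------------------ ------------------------------ ------------------------------ ------------------------------ ---------
2010-02-27 19:58:01 UTC+0000 2010-02-27 19:58:01 UTC+0000 2010-02-27 19:58:01 UTC+0000 2010-02-27 19:58:01 UTC+0000 WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf
"""


def filename_records(text):
    """(creation timestamp, path) for every $FILE_NAME row; other attributes are skipped."""
    section, rows = None, []
    for line in text.splitlines():
        if line.startswith("$"):
            section = line.strip()
            continue
        if section == "$FILE_NAME":
            m = FN_ROW.match(line)
            if m:
                rows.append((m["created"], m["path"].strip()))
    return rows


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def pivot_on_creation(text, filename):
    """Creation timestamps of `filename` and every other path created in those same seconds."""
    rows = filename_records(text)
    by_ts = defaultdict(list)
    for ts, path in rows:
        by_ts[ts].append(path)
    target = filename.lower()
    timestamps = sorted({ts for ts, path in rows if basename(path) == target})
    related = sorted({p for ts in timestamps for p in by_ts[ts] if basename(p) != target})
    return {"timestamps": timestamps, "related": related}


if __name__ == "__main__":
    result = pivot_on_creation(SAMPLE_MFT, "e.exe")
    print("created at:", result["timestamps"])
    for path in result["related"]:
        print("  same second:", path)
```

With the real dump, `pivot_on_creation(open("MFT.txt").read(), "e.exe")` reproduces the second grep in one step and keeps only `$FILE_NAME` paths, so `$STANDARD_INFORMATION` rows with the same timestamp do not clutter the result.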
15. The shellcode for Acrobat v8 exploits a specific vulnerability. Provide the CVE number.
Using jsunpack-n:
python2 jsunpackn.py ~/Documents/CyberDefenders/BankingTroubles/malicious.js
The CVE detected for the stream is CVE-2008-2992.
Answer: CVE-2008-2992
TLDR
– This is a challenging Windows memory forensics challenge focusing on a PDF maldoc.
– For the memory part, Volatility 2 is the only tool needed.
– For the PDF document, I recommend pdf-parser.py, run under python2 for full functionality.